Reprinted with permission of the eRiskHub® and the author(s). All rights reserved. Copyright belongs to the author(s).

The following is a template designed to assist in the development of a policy governing the protection of company computer systems and assets. As with all templates, this document provides a basic framework for the broad topics to be considered. Footnotes provide prompts for other general considerations and points for discussion. Each organization has unique risks and considerations that necessarily require customization. For more information, contact Ron Raether or Scot Ganow at (937) 227-3733 or rraether@ficlaw.com and sganow@ficlaw.com.

DISCLAIMER: This template is provided as general information for consideration in drafting a custom policy on the subject matter described herein. The information is not intended to serve as legal advice, nor is there any warranty that use of this template will satisfy any legal obligations you or your company may have. This template is provided "as is" without any representations or warranties, express or implied. Faruki Ireland and Cox P.L.L. makes no representations or warranties in relation to the legal information in this template. Do not rely on the information in this template as an alternative to legal advice from your attorney or other legal services provider. If you have any specific questions about any legal matter, you should consult your attorney or other legal services provider.

Physical Security Policy (Template)

Purpose

The purpose of this policy is to provide a safe and secure working environment and to promote the protection of our assets. We must maintain the security of our confidential information (such as Company Sensitive Information and personally identifiable information ("PII")), as well as the information shared with us by our customers and COMPANY Consultants. We strive to maintain customer-friendly procedures that ensure only authorized employees, administrative consultants, contractors, and visitors have access to our facilities.

Scope

This policy applies to the physical areas where information assets are kept. These areas include server rooms, telecom closets and certain office areas that may contain Company Sensitive Information or PII [1]. These areas must be physically secured to prevent theft, tampering or tapping, or damage.

Policy

Facility Access Control

It is every employee's responsibility to work toward, maintain and preserve a secure physical work environment.

Supervisors are responsible for ensuring that proper building security practices are maintained and that their employees follow access control policies and procedures.

The Human Resources Department ("Human Resources") [2] will authorize the issuance of badges (COMPANY photo badge) to new employees, granting them appropriate facility access beginning on the date of hire. Employees shall wear their issued badges at all times while on COMPANY premises.

The Loss Prevention Department ("Loss Prevention") is responsible for printing and activating all badges and providing them to employees or long-term contractors. Security officers are responsible for providing visitor badges.

All employees are to enter the building at the facility's designated employee entrance.

At termination, all employees must return their badges to their supervisor. It is the supervisor's responsibility to retrieve the badge from the terminated employee and return it to Loss Prevention for deactivation and shredding.

Loss Prevention develops and maintains procedures to follow when employees forget or lose their badges.

Loss Prevention develops and maintains a visitor sign-in procedure.

No individual will be permitted to access our facilities beyond the main reception area without an appropriate badge worn visibly.

Loss Prevention is responsible for developing procedures to control the use and dissemination of building keys. Lost and stolen keys must be reported to Loss Prevention immediately.

Effective Building Security

Effective building security is possible through the cooperative efforts of Loss Prevention, Facilities Management and the building's occupants. The following rules apply:

- Keys and badges are not to be left unattended in plain view or carried in a way that makes them easy to lose or have stolen.
- When employees leave the building after hours, the exterior doors (including overhead receiving doors and shipping doors) must be locked to prevent unauthorized access.
- If a door does not close or lock properly, notify Loss Prevention immediately.
- Loss Prevention must be notified whenever a potential or actual security problem exists, including unauthorized entry, theft of property, or loss of keys or badges.

Protection of Sensitive and Critical Information

The physical areas where information assets are kept must be protected from unauthorized access. The following rules apply to physical access:

- Employees and administrative contractors must secure their work areas to protect Company Sensitive Information and PII [3].
- Workstations shall be placed in locations that protect the confidentiality of data.
- All confidential documents and media must be securely stored.
- All documents and media containing PII must be discarded carefully. Documents, DVDs, and CDs containing PII must be shredded. Electronic media containing PII must be destroyed by Information Technology.
- Facilities Management will provide high-level physical and environmental protection of the technical infrastructure to minimize the risk of unauthorized access and environmental hazards.
- Telecommunication lines and equipment will be protected by locking and controlling access points to ensure both availability and confidentiality.
- Any movement of information, software media, hardware or other IT physical assets will be strictly controlled. Only authorized personnel are permitted to take company property off premises. Computing equipment taken off premises is subject to the Laptop/Mobile Computing Security Policy.

Physical Security Audits

It is the responsibility of Loss Prevention to conduct periodic physical security audits to ensure compliance. Loss Prevention will audit the physical security of the building's perimeter to ensure door alarms are working properly. Internal Audit will inspect other aspects of this policy to ensure compliance.

Compliance

Violations of this policy may lead to the suspension or revocation of system privileges and/or disciplinary action up to and including termination of employment. We reserve the right to advise appropriate authorities of any violation of law.

Accountability

All employees, administrative consultants, contractors, and non-employee users are responsible for the secure handling, processing, transmittal and safeguarding of PII and Company Sensitive Information.

Third parties/vendors are responsible for ensuring that (1) their use of and access to us and our computing resources, whether on their own information assets or through our assets, meets our security protection procedures, (2) their use of our assets is appropriate and (3) they follow this Physical Security Policy.

Loss Prevention is responsible for ensuring that this Physical Security Policy is followed.

Internal Audit is responsible for ensuring compliance with the Physical Security Policy and the controls created to safeguard the COMPANY Network.

Footnotes

[1] As with all information privacy and security-related policies, it is important that protected information be properly defined at the data element level to ensure consistent, compliant handling throughout the company.

[2] As with all policies and their implementation, all departments should be involved in finalizing any policy to ensure existing policies are complementary and that operational compliance is possible.

[3] Protected information should be defined consistently throughout the organization to ensure consistent handling and compliance.

769341.1