Physical Access Policy Template

advertisement
PHYSICAL ACCESS and ENVIRONMENTAL SECURITY POLICY
ACTIFI, INC.
Purpose
The purpose of the Physical Access and Environmental Security Policy is to
establish procedures for protecting the safety of the company’s and its
clients physical assets, documents and information—whether in paper or
electronic form.
Audience
The Physical Access Policy applies to all individuals that are responsible for
the installation and support of Information Resources, individuals charged
with Information Resources Security, and data owners.
Definitions
Information Resources (IR): any and all computer printouts, online
display devices, magnetic storage media, and all computer-related activities
involving any device capable of receiving email, browsing Web sites, or
otherwise capable of receiving, storing, managing, or transmitting electronic
data including, but not limited to servers, personal computers, notebook
computers, hand-held computers, personal digital assistant (PDA), pagers,
telecommunication resources, network environments, telephones, fax
machines and printers. Additionally, it is the procedures, equipment,
facilities, software, and data that are designed, built, operated, and
maintained to create, collect, record, process, store, retrieve, display, and
transmit information.
Information Technology (IT): The name of the department responsible for
computers, networking and data management.
Physical Access
Policy
The following policy relates to the company’s assets, documents and
electronic files that are located at its headquarters in Plymouth, MN or that
are in the possession of its employees or independent contractors. The
information and equipment that resides with external cloud computing
facilities are the subject of a separate policy.

The outside doors of the company’s headquarters building are kept
locked during non-business hours. Access to the building is controlled
through the use of pass cards. Such cards are issued to ActiFi
employees by the company’s HR department or CFO.

The doors to the company’s office are also kept locked during nonbusiness hours. Keys to outside locks will be issued to ActiFi
employees and contractors with a need for access by the company’s HR
department or CFO.

The company’s office will be monitored by a burglar alarm system
during non-business hours. Procedures will be maintained by the
Company’s CFO to determine who gets contacted in the event of a
break-in. Passwords to the burglar alarm are assigned to employees and
maintained by Stephanie Thompson.

All physical security systems must comply with all applicable
regulations such as, but not limited to, building codes and fire
prevention codes.

The computer room will be locked at all times. The company CFO will
determine who has access to the room and who has keys to it. At the
present time the CFO, the Director of IT and the accounting supervisor
are the only ones with access to the room. A motion detector/video
recorder system is in place which records a video of anyone who has
entered the computer room. The director of IT is responsible for
reviewing the video of anyone who has entered the room. If some one
enters the computer room a text message is sent to the Director of IT.

Important company documents such as contracts, stock option
agreements, insurance policies and corporate records will be kept in the
fire proof safe in the computer room. Such safe will be kept locked
when not in us. The CFO and accounting supervisor are the only
employees who are allowed access to the safe and who have keys to it.

Less critical records such payroll, insurance, and other confidential
information, etc. are kept in a locked file cabinet at an outside storage
facility. The CFO and accounting supervisor are the only employees
who are allowed access to the file cabinet and who have keys to it.
Non-confidential information such as accounts payable files and things
of that nature are kept in storage boxes in the locked storage facility, but
are not kept in a locked storage cabinet. Jen Pierce is also allowed
access to this information. Access to the facility is controlled by a
passcard and a key to the actual storage room. Bob Nicholson has
custody of the passcard and key.

All current HR, Insurance and payroll records are kept locked in file
cabinets located in the CFO’s and accounting supervisor’s office or
cubicle. Current accounts payable files and certain other less critical
files kept in the desk of the staff accountant. Such desk is required to be
locked when not in use. Accounts payable files from recent years are
required to be kept locked in a file cabinet in the hallway of the ActiFi
office.

Lost or stolen access cards and/or keys must be reported to the CFO or
Accounting Supervisor.

Cards and/or keys must not have identifying information other than a
return mail address.

Security awareness of personnel must be continually emphasized,
reinforced, updated and validated.

All personnel are responsible for managing their use of IR and are
accountable for their actions relating to IR security. Personnel are also
equally responsible for reporting any suspected or confirmed violations
of this policy to the appropriate management.

Access to, change to, and use of IR must be strictly secured. Information
access authority for each user must be reviewed on a regular basis, as
well as each job status change such as: a transfer, promotion, demotion,
or termination of service.

All computer software programs, applications, source code, object code,
documentation and data shall be guarded and protected against loss.

On termination of employment users must surrender all property and IR
in their possession. All security policies for IR apply and remain in
force in the event of a terminated relationship until such surrender is
made. Further, this policy survives the terminated relationship.

The IT Department must provide adequate access controls in order to
monitor systems to protect data and programs from misuse in
accordance with the needs defined by owner departments. Access must
be properly documented, authorized and controlled.

IR computer systems and/or associated equipment used for Company
business that is conducted and managed outside of Company control
must meet contractual requirements and be subject to monitoring.

The fixed asset ledger of the company must have a classification for
each individual asset as to the security level of such asset.

All company files for those employees and independent contractors who
work in the ActiFi offices in Plymouth are required to keep ActiFi and
client related files on ActiFi’s network drives. If employees and
independent contractors are working outside the office, they may keep
files on the hard-drives of their lap-top computers, but are required to
download files to the company’s network drives on a periodic basis.
Employees and contractors who live out of state may keep files on the
hard-drives of their lap-top computer, but are required to back up their
computers and these files to the on-line secure storage facilities
network drives. The Director of IT will back up the contents of these
drives at least weekly.
Download