Physical Security Policy
Purpose
This policy defines the requirements for establishing physical access controls at Uncanny Software locations.
Scope
This policy applies to all Uncanny Software facilities, with a target audience of all employees.
Policy
Access Control
Physical Access Control To Sensitive Information - Access to every office, computer room, and work area containing sensitive information must be physically restricted to limit access to those with a need to know.
Access To Computers and Communications Systems - Buildings that house Uncanny Software computers or communications systems must be protected with physical security measures that prevent unauthorized persons from gaining access.
Unauthorized Physical Access Attempts - Workers must not attempt to enter restricted areas in Uncanny Software buildings for which they have not received access authorization.
Terminated Worker Access To Restricted Areas - Whenever a worker terminates his or her working relationship with Uncanny Software, all access rights to Uncanny Software restricted areas must be immediately revoked.
Access Control Monitoring
Physical Access Monitoring - Method - Video cameras or other access control mechanisms that monitor the entry and exit points to the building must be in place. Access to all offices is obtained through physical security badges--no badge, no entry. This system is monitored by the IT members of the InfoSec team.
Physical Access Procedures - Procedures must be developed and implemented that control the issuance, modification, and revocation of Uncanny Software physical access key cards.
Physical Access to Key Card System - Access to the system that controls the Uncanny Software physical access key card system must be limited to only those employees with the responsibility to issue, modify, or revoke physical access badges.
Key Cards
Securing Key Cards - When off Uncanny Software premises, workers must protect their key cards with the same level of protection as their wallets and credit cards.
Controlled Access - Each person must present his or her key card to the badge reader before entering every controlled door within Uncanny Software premises.
Visitors
Visitor Identification - All visitors to Uncanny Software must be questioned about the purpose of their visit and show picture identification prior to gaining access.
Third-Party Physical Access - Visitor or other third-party access to the Uncanny Software office, computer facilities, and other work areas containing sensitive information must be controlled by authorized staff.
Escorting Visitors - Visitors to the Uncanny Software office, including, but not limited to, customers, former employees, worker family members, equipment repair contractors, package delivery company staff, and police officers, must be escorted at all times by an employee.
Escorts Required For All After-Hour Visitors - Visitors must be escorted by an employee whenever they are in the Uncanny Software office or facilities outside of normal business hours.
Third-Party Supervision - Individuals who are neither Uncanny Software employees, nor authorized contractors, nor authorized consultants, must be supervised whenever they are in restricted areas containing sensitive information.
Repair People Who Show Up Without Being Called - Every third party repair person or maintenance person who shows up at Uncanny Software facilities without being called by an employee must be denied access to the facilities. All such incidents must be promptly reported to the Information Security team.
Unescorted Visitors - Whenever a worker notices an unescorted visitor inside Uncanny Software restricted areas, the visitor must be questioned about the purpose for being in restricted areas, then be accompanied to the person they came to see.
Computer Facility Tours - Public tours of Uncanny Software's major computer and communications facilities must never be conducted. These are managed by our cloud provider and they do not allow visitors to their facilities.
Access Review
Server/Network Room Staff Access - A complete list of all workers who are currently authorized to access the server room must be maintained and reviewed semi-annually.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Uncanny Software reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Uncanny Software does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Uncanny Software reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the Human Resources Department as soon as possible.
Definitions
Confidential Information (Sensitive Information) – Any Uncanny Software information that is not publicly known and includes tangible and intangible information in all forms, such as information that is observed or orally delivered, or is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs, and pricing, and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by Uncanny Software from a third party under a non-disclosure agreement.
Information Asset – Any Uncanny Software data in any form, and the equipment used to manage, process, or store Uncanny Software data, that is used in the course of executing business. This includes, but is not limited to, corporate, customer, and partner data.
Partner – Any non-employee of Uncanny Software who is contractually bound to provide some form of service to Uncanny Software.
User – Any Uncanny Software employee or partner who has been authorized to access any Uncanny Software electronic information resource.
Visitor – Any person who does not normally work in an Uncanny Software facility or who does not perform regular business functions requiring access to or entry into an Uncanny Software facility.
References
ISO/IEC 27002:2013 - 11.1 Secure Areas