Physical Security Policy
Version: 4.2.1 | Effective Date: June 1, 2021
- Document Created: May 17, 2021
- Last Reviewed: November 15, 2024
- Next Review Date: November 2025
- Approved By: Chief Technology Officer
- Policy Owner: Security Officer
14.1 Purpose
This Physical Security Policy establishes requirements for protecting Blue Whale Apps facilities, equipment, personnel, and information assets from physical threats including unauthorized access, theft, vandalism, natural disasters, and environmental hazards.
14.2 Scope
Applies to all Blue Whale Apps facilities including offices, data centers, storage areas, and any location where company assets or information are present.
14.3 Facility Access Control
- Badge Access Systems: Electronic badge readers at entry points, individual badges assigned, access permissions based on role, access logs maintained, lost/stolen badges reported immediately, badges returned upon termination.
- Access Authorization: Access granted based on job requirements, manager approval required, access rights reviewed quarterly, immediate revocation upon termination, contractor access time-limited with a defined end date.
- After-Hours Access: All after-hours entries logged and monitored, justification required for unusual access patterns, security alerts raised on unauthorized entry attempts.
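The access-log review described above (and the weekly data center log review in 14.5) can be partly automated. The following Python script is an added illustration, not Blue Whale Apps' badge system or any code from this policy: it assumes a CSV-style badge log (timestamp, badge ID, door, granted/denied), a badge registry with a status, authorized doors and an optional contractor end date, business hours of 07:00 to 19:00 Monday to Friday, and a threshold of three denied attempts on one door before an alert. It flags entries granted to terminated or lost badges, expired contractor access, doors outside the holder's role, after-hours entries needing justification, and repeated denied attempts.

```python
"""Badge access log review: flags after-hours entry, use of revoked badges,
expired contractor access, out-of-role doors and repeated denied attempts.

Added example for illustration only; not Blue Whale Apps' badge system.
The log format, registry fields, business hours and threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed business hours, Mon-Fri
DENIED_THRESHOLD = 3                                     # assumed: 3+ denials on one door = alert


@dataclass
class Badge:
    holder: str
    status: str                     # "active", "terminated" or "lost"
    areas: frozenset                # door IDs the holder's role is authorized for
    expires: Optional[date] = None  # contractor access end date; None for employees


# Constructed badge registry (assumed data, not a real directory)
REGISTRY = {
    "B1001": Badge("alice", "active", frozenset({"LOBBY", "DC-1"})),
    "B1002": Badge("bob", "terminated", frozenset({"LOBBY"})),
    "B2001": Badge("contractor-ct", "active", frozenset({"LOBBY"}), expires=date(2024, 10, 31)),
    "B3001": Badge("carol", "active", frozenset({"LOBBY"})),
    "B4001": Badge("dave", "lost", frozenset({"LOBBY", "DC-1"})),
}

# Constructed sample log (assumed format): timestamp,badge,door,result
SAMPLE_LOG = """\
2024-11-12T08:15:02,B1001,LOBBY,granted
2024-11-12T08:16:40,B1001,DC-1,granted
2024-11-12T09:02:11,B1002,LOBBY,granted
2024-11-12T22:45:09,B3001,LOBBY,granted
2024-11-13T10:11:00,B2001,LOBBY,granted
2024-11-13T10:12:30,B3001,DC-1,denied
2024-11-13T10:12:41,B3001,DC-1,denied
2024-11-13T10:12:55,B3001,DC-1,denied
2024-11-13T11:00:00,B4001,LOBBY,granted
2024-11-16T14:00:00,B1001,LOBBY,granted
"""


def parse_line(line):
    """Split one log line into (datetime, badge_id, door, result)."""
    ts, badge, door, result = line.strip().split(",")
    return datetime.fromisoformat(ts), badge, door, result


def is_after_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review_access_log(log_text, registry):
    """Return a list of (badge_id, door, reason) findings, in log order."""
    findings = []
    denied = defaultdict(int)  # (badge, door) -> count of denied attempts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, badge_id, door, result = parse_line(line)
        badge = registry.get(badge_id)
        if badge is None:
            findings.append((badge_id, door, "unknown badge"))
            continue
        if result == "denied":
            denied[(badge_id, door)] += 1
            if denied[(badge_id, door)] == DENIED_THRESHOLD:
                findings.append((badge_id, door, "repeated denied attempts"))
            continue
        # The entry was granted: check that it should have been.
        if badge.status != "active":
            findings.append((badge_id, door, f"{badge.status} badge granted entry"))
        if badge.expires is not None and ts.date() > badge.expires:
            findings.append((badge_id, door, "contractor access expired"))
        if door not in badge.areas:
            findings.append((badge_id, door, "door not authorized for role"))
        if is_after_hours(ts):
            findings.append((badge_id, door, "after-hours entry, justification required"))
    return findings


if __name__ == "__main__":
    for badge_id, door, reason in review_access_log(SAMPLE_LOG, REGISTRY):
        print(f"{badge_id} @ {door}: {reason}")
```

A granted entry on a terminated or lost badge is the finding that matters most: it means the badge was not deactivated when the policy required it, so the reviewer should treat it as a control failure rather than a single anomaly. The denied-attempt count is kept per badge and door so that one person trying every door is not mistaken for one stuck reader.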
14.4 Visitor Management
- Visitors: Sign in at reception and present photo ID, host notified, visitor badge issued and worn visibly, escorted in secure areas, access logged, badge returned at departure.
- Vendors and Contractors: Pre-authorization required, background checks for regular contractors, escorted access, equipment inspected on entry and exit, work supervised and documented.
14.5 Secure Areas
- Data Centers and Server Rooms: Restricted access, MFA for entry (badge + PIN or biometric), 24/7 surveillance, environmental monitoring, fire suppression, weekly access log reviews.
- Conference Rooms: Visitor meetings in designated rooms, confidential meetings in soundproofed rooms, whiteboards cleaned after use, documents secured or shredded.
14.6 Surveillance and Monitoring
- Video Surveillance: Cameras at entrances/exits and sensitive areas, continuous recording with 90-day retention, monitored by security personnel, privacy-sensitive areas excluded.
- Alarm Systems: Intrusion detection after hours, 24/7 monitoring, immediate response, regular testing, backup power.
14.7 Equipment Security
- Equipment Protection: IT equipment in locked climate-controlled rooms, cable locks for laptops, encryption on mobile devices, asset tracking, secure disposal of retired equipment.
- Clean Desk Policy: Sensitive documents locked at end of day, computers locked when unattended, no confidential information left visible, secure disposal of printed materials, USB drives secured.
- Mobile Device Security: Devices registered in inventory, remote wipe enabled, lost/stolen devices reported immediately, device tracking enabled.
14.8 Environmental Controls
- Data Center Protection: Redundant HVAC, humidity control, water detection, raised flooring, regular maintenance.
- Fire Protection: Smoke detectors and alarms, clean agent suppression for data centers, regular extinguisher inspections, evacuation plans posted, emergency lighting and signage.
- Power Protection: UPS for critical systems, backup generators, surge protection, regular testing.
14.9 Emergency Procedures
- Building Evacuation: Routes posted, assembly points designated, drills twice annually, emergency contacts maintained, headcount verification.
- Natural Disasters: Procedures for earthquakes, floods, severe weather, supplies maintained, communication plans, coordination with emergency services.
- Security Incidents: Procedures for intruders or threats, law enforcement protocols, employee safety priority, incident documentation.