====== Office Security Policy ======

===== ACME Evil Anvil Corporation =====

March 2019

Contents

  - Purpose and Scope
  - Policy

Table 1: Control satisfaction

^Standard ^Controls Satisfied^
|TSC |CC6.4|

Table 2: Document history

^Date ^Comment^
|Jun 1 2018 |Initial document|

==== 1 Purpose and Scope ====

  - This policy establishes the rules governing controls, monitoring, and removal of physical access to company’s facilities.
  - This policy applies to all staff, contractors, or third parties who require access to any physical location owned, operated, or otherwise occupied by the company. A separate policy exists for governing access to the company data center.

==== 2 Policy ====

  - Management responsibilities
    - Management shall ensure:
      - appropriate entry controls are in place for secure areas
      - security personnel, identification badges, or electronic key cards should be used to validate employee access to facilities
      - confirm visitor & guest access procedure has been followed by host staff
      - management periodically reviews list of individuals with physical access to facilities
      - card access records and visitor logs are kept for a minimum of 90 days and are periodically reviewed for unusual activity
  - Key access & card systems
    - The following policies are applied to all facility access cards/keys:
      - Access cards/keys shall not be shared or loaned to others
      - Access cards/keys shall not have identifying information other than a return mail address
      - Access cards/keys shall be returned to Human Resources when they are no longer needed
      - Lost or stolen access cards/keys shall be reported immediately
      - If an employee changes to a role that no longer requires physical access or leaves the company, their access cards/keys will be suspended
      - Human Resources will regularly review physical security privileges and review access logs
  - Staff & contractor access procedure
    - Access to physical locations is granted to employees and contractors based on individual job function and will be granted by Human Resources.
    - Any individual granted access to physical spaces will be issued a physical key or access key card. Key and card issuance is tracked by Human Resources and will be periodically reviewed.
    - In the case of termination, Human Resources should ensure immediate revocation of access (i.e. collection of keys, access cards, and any other asset used to enter facilities) through the offboarding procedure.
  - Visitor & guest access procedure
    - The following policies are applied to identification & authorization of visitors and guests:
      - All visitors must request and receive written onsite authorization from a staff member.
      - Visitor access shall be tracked with a sign in/out log. The log shall contain: visitor’s name, firm represented, purpose of visit, and onsite personnel authorizing access
      - The log shall be retained for a minimum of 90 days
      - Visitors shall be given a badge or other identification that visibly distinguishes visitors from onsite personnel
      - Visitor badges shall be surrendered before leaving the facility
  - Audit controls & management
    - Documented procedures and evidence of practice should be in place for this policy. Acceptable controls and procedures include:
      - visitor logs
      - access control procedures
      - operational key-card access systems
      - video surveillance systems (with retrievable data)
      - ledgers if issuing physical keys
  - Enforcement
    - Employees, contractors, or third parties found in violation of this policy (whether intentional or accidental) may be subject to disciplinary action, including:
      - reprimand
      - loss of access to premises
      - termination