Physical Security Policy
Physical Security Policy
Purpose
Brado has published this policy to define standards and procedures related to physical security. This policy and associated procedures are in place to safeguard the confidentiality, integrity, and availability of protected data and other sensitive information. This is accomplished by controlling physical access to the buildings and facilities housing Brado’s facilities, applications, network infrastructure, and systems in accordance with applicable data privacy and protection laws and regulations. Specific procedures related to compliance with this policy are detailed below in Brado’s Physical Security Procedures.
Scope
This policy applies to the Brado corporate office in St. Louis, Missouri, and the offices in Park Ridge, Illinois, and Irvine, California, as well as all users of Brado’s resources.
Definitions
Enforcement
Violations of this policy should be reported to the user’s supervisor or Human Resources (HR). Brado employees who violate this policy are subject to disciplinary action, up to and including termination. Visitors, vendors, or contractors in violation of this policy are subject to loss of visitor privileges and/or termination of services from Brado.
Physical Security Procedures
Purpose
To safeguard applications, facilities, network infrastructure, and systems from unauthorized access, tampering, and theft, access to restricted areas (e.g. areas containing protected data) is allowed only to authorized individuals. Non-authorized individuals may be granted escort access to restricted areas as permitted by this policy and supporting procedures.
The Human Resources Department (HR) is responsible for administration and provides updates to the Director of IT, as appropriate.
Personnel Access
Normal Business Hours Access
Brado’s offices are open to the public during normal business hours. During these times the public has access to building lobbies, public restrooms, and the office lobbies.
After-hours Access
Access to offices during non-business hours is secured through a proximity card system for the building and Brado’s office suite. To enter the building, a valid proximity card is needed to unlock the exterior doors. Once inside the building, a valid proximity card is needed to access Brado’s office suite.
Visitors’ Access
All visitors, during normal business hours and after-hours, must sign in and sign out at the Brado front desk with their name, affiliation, and the time. A visitor is defined as an individual without a Brado-issued proximity card. While on the premises (in the office), visitors must be escorted by an employee or contractor with a Brado-issued proximity card.
Physical Access
Exterior entrances to the offices are controlled by a proximity card system during non-business hours. The proximity card system is managed by the building’s landlord. Access to the building is granted based on requests from each tenant. Access requests are reviewed and submitted to the landlord by HR.
Employees or contractors requiring a proximity card to Brado’s office suite are assigned a card during the onboarding process. Each card will grant access to the building and Brado’s office suite. Cards with elevated access levels (e.g. server room) may be assigned based on job responsibilities.
Proximity Card System Access and Administration
New Access
New proximity card requests require acceptance of the Brado Physical Security Policy & Procedures. New employees or contractors shall also complete any required background checks. Upon completion of the background check, the appropriate access (as defined by HR) is configured within the proximity card system.
Vendors’ requests for proximity cards shall be evaluated individually based upon specific needs and the terms of the contractual agreement with Brado, which may address bonding or background checks for the vendor’s representatives.
Terminations
Upon notification from HR or the individual’s manager, HR shall have the individual’s proximity card deactivated within the system at the effective time of termination. The card will be recovered by HR during the termination process.
Lost or Stolen Proximity Card
Upon notification by an individual’s manager, HR will deactivate the lost or stolen proximity card. A new card will be issued to the individual and recorded in their file.
System Administration and Support
System administrative access to the proximity card system is limited to the building’s landlord. HR administers rights to add, change, and terminate proximity card access for employees.
An annual review of proximity card access rights is performed by HR in conjunction with the building’s landlord. Any adjustments to physical access rights are submitted to HR, which will update the proximity card system as necessary. Documentation of the review process is maintained by HR.
Physical Key Access and Administration
New Access
New physical key requests require acceptance of the Brado Physical Security Policy & Procedures. New employees or contractors shall also complete any required background checks. Upon completion of the background check, the individual will be assigned a physical key by HR.
Vendors’ requests for physical keys shall be evaluated individually based upon specific needs and the terms of the contractual agreement with Brado, which may address bonding or background checks for the vendor’s representatives.
Terminations
HR shall recover the individual’s key during the termination process.
Lost or Stolen Key
Upon notification of an individual’s lost or stolen key, HR will update the list to note the missing key. A new key will be issued and recorded in the individual’s file. If the lost or stolen key granted access to a secured area (e.g. Server Room), the lock for that area will be re-keyed.
System Administration and Support
HR maintains a list of employees, vendors, and contractors and the key each has been assigned. A copy of each key type is maintained in a separate area within Brado’s office. Senior management have access to this key storage area.
Emergency Access
Brado’s offices do not have a backup power generator to provide electricity during a short-term or long-term power outage. In the event of a power outage, the proximity card system is disabled.
Physical keys are available to access the exterior entrances to the building in an emergency. The landlord maintains a list of physical keys for emergency access.