A physical and access policy is important for Catalina.com to protect hardware, software, and data from internal and external unauthorized access that would harm the organization. Assessing, addressing, and preventing these threats are one of the responsibilities of the IT and Security departments and an access policy is a way to define the standard and procedures for protecting the organization.
Threats are everywhere but an organization can, per InfoSecInstitue.com, “mitigate them as long you dutifully enforce proper planning and implementation of standards, policies, and procedures through a physical security policy.”
Office Suite Access Policy
Building office hours are Monday – Friday 8:00 am to 7:00 pm. Access will only be granted to areas that correspond to the employees’ job responsibilities. Physical access will be restricted, documented, and managed by the appropriate security and IT personnel.
The following systems will be implemented to monitor and control access to Catalina.com:
- Video cameras and CCTV
- Entry gate
- Security Guard
Security will be on duty 24 hours a day and record all visitor arrivals and departures in a log at the security/reception desk. Only authorized personnel will have access to non-public areas. All entries will be recorded. Employees are allowed after-hour access to the facility only with prior authorization from their department supervisor. Security will maintain a daily after-hour log of employee arrival and departure.
Every employee will be issued an access card that must be scanned at the entry gate for building access. Employees are not to loan or give access keys and/or cards. All-access keys and cards are to be surrendered upon demand. If an access key is lost or stolen, it must be reported to the appropriate security personnel immediately.
All visitors must present proper identification upon entry. Visitors must sign in and out in the log located at the security/receptionist desk that includes their arrival time and destination. All visitors will be issued a temporary badge that must be surrendered upon exit. Visitors must always be escorted by authorized personnel when accessing sensitive areas.
Data Center Access Policy
Secured areas and equipment that are critical to business activities will be restricted, monitored, and regulated by Security and IT personnel. Equipment in unsecured areas will be secured to prevent theft, damage, and/or tampering.
The following systems will be implemented to monitor and control access to secured areas Catalina.com:
- Video cameras and CCTV
- Card Readers
- Keys for equipment closet and critical devices
Only authorized employees and visitors will be given access on an as-needed basis. Access hours are Monday – Friday 8:00 am to 7:00 pm. Emergency access will be granted, monitored, and recorded 24 hours a day. Secured areas include (but are not limited to):
- Computer Rooms
- Communication Closets
- Network Rooms
Access to secured areas by employees will be based on business needs and specified employee role. All authorized personnel must always wear their access badge while in critical areas.
All visitors and vendors must be cleared by security to access secured areas and equipment, where a guest pass, and be escorted by a knowledgeable staff member. Visitors, guests, and vendors will be monitored by keystroke logging, video surveillance, and background checks.
Removable Media Policy
Personal removable media devices are prohibited. Company-owned removable media devices are limited to use only on organizational systems and may not be used or installed on personal devices. Employees and visitors are not to use unknown removable media on any organizational system. Removable media includes but is not limited to:
- Thumb drives
- SD cards
- MP3 players
- Removable hard drives
- CD/DVD/Blu-Ray Diskettes
- Floppy disks
The IT department is responsible for the distribution, management, and compliance of all company-owned removable devices. Employees are required to sign in and out all required equipment.
Employees and guests who violate the physical access and hardware policy may be subject to civil and criminal consequences that could include disciplinary actions, employee termination, and/or arrest, depending on the severity of the violation.
Dan, V. (2014, December 2). A Physical Security Policy Can Save Your Company Thousands of Dollars. Infosec Resources. https://resources.infosecinstitute.com/physical-security-policy-can-save-company-thousands-dollars/