
Disclaimer:

Document Information
Version {{version}}
Effective Date {{effective_date}}
Document Owner {{document_owner}}
Next Review {{next_review_date}}
Approved By {{approved_by}}

Purpose

The purpose of this policy is to establish guidelines for ensuring the secure operation of the information systems and networks of {{company_name}}, hereafter referred to as "the company", protecting the confidentiality, integrity, and availability of our data.

The intent of this policy is to establish the direction and principles for the protection of {{company_name}}'s IT assets against cyber threats and to enable continuous improvement of security capability and resilience to emerging and evolving security threats.

Scope

This policy applies to all employees, interns, contractors, and third parties who have access to the company's information systems and networks.

Asset {{management_team}}

The purpose of the Physical Asset & Environment Security Policy is to ensure the security of all physical assets, including mobile devices, PCs, laptops, and office equipment. This is essential to protecting the organization's data, ensuring the continuity of business operations, and preventing theft or damage to assets.

  • Asset {{management_team}}: All physical assets should be tracked using an asset management system. This includes recording the details of each asset, such as its type, model, serial number, location, and assigned user.

  • Secure Storage: All physical assets should be stored securely when not in use. This includes locking devices in secure cabinets or rooms and using security measures such as cable locks for laptops and PCs.

  • Access Control: Access to physical assets should be controlled based on the principle of least privilege. Only authorized individuals should have access to these assets, and access should be revoked when no longer needed.

  • Asset Disposal: When physical assets are no longer needed, they should be disposed of securely. This includes wiping all data from devices and disposing of them in a way that prevents the recovery of data.

The {{it_provider}} is responsible for implementing and maintaining the physical asset and environment security measures outlined in this policy. All users are responsible for handling physical assets in accordance with this policy and for reporting any suspected security incidents.

Environment Security

The purpose of environment security is to protect the physical environment in which assets are stored and used. This is essential to preventing unauthorized access to assets, protecting assets from environmental threats, and ensuring the safety and productivity of staff.

  • Access Control: Access to areas where assets are stored and used should be controlled. This includes using physical security measures such as locks, access cards, and security guards. Only authorized individuals should have access to these areas, and access should be revoked when no longer needed.

  • Monitoring: Areas where assets are stored and used should be monitored for unauthorized access or suspicious activity. This includes using security measures such as keycard entry logs, CCTV cameras, alarm systems, and security patrols. Any incidents or suspicious activity should be reported and investigated promptly.

  • Environmental Protection: Areas where assets are stored and used should be protected against environmental threats. This includes using measures such as fire suppression systems, flood defences, and climate control systems. Regular inspections and maintenance should be carried out to ensure these measures are functioning correctly.

  • Emergency Preparedness: Plans should be in place for responding to emergencies that could affect the physical environment, such as fires, floods, and security incidents. These plans should be tested regularly and updated as needed.

The {{managing_authority}} is responsible for implementing and maintaining the environment security measures outlined in this policy. All users are responsible for complying with these measures and for reporting any incidents or concerns.

Staff Responsibilities

Staff (including interns and contractors) are expected to uphold the standards of professional conduct and comply with this policy in its entirety.

All staff must read, understand, and comply with all components of this policy, and with all laws and regulations that apply to their role.

  • Staff should speak up when seeing possible violations of the policies or of legal and regulatory requirements.

  • Staff should be truthful, cooperate fully in any internal investigations, and not conceal or destroy information.

  • Staff should ensure they complete training on the policies, and attest that they understand and commit to comply with them.

  • Failing to read or attest to the policies does not excuse staff from these responsibilities.

Review

This policy will be reviewed at least annually or as needed based on changes to our business, technology, or regulatory environment.

Enforcement & Waivers

These policies are important to us. Violation may result in disciplinary action, up to and including termination of employment. A provision of the policies may be waived for a staff member only with the consent of {{company_name}}'s board of directors.

Implementation Check

  1. Who owns this? {{policy_owner}}
  2. Are we doing it? {{implementation_status}}
  3. When will we check again? {{next_review_date}}