ISMS Physical Security Policy
1. Purpose, Scope and Users
This policy defines VSHN’s rules regarding physical access to VSHN’s premises.
All employees of VSHN AG must adhere to this policy.
2. Physical Security
2.1. Physical Security Perimeters
- The office at Neugasse 10 in Zürich is considered a security perimeter.
- Data centers of third-party providers where VSHN's hardware is running are considered a security perimeter.
The VSHNtower at Neugasse 6, Zürich, and the shared offices of VSHN Canada (422 Richards St, Suite 170, Vancouver) are not considered security perimeters.
2.2. Physical Security Monitoring
VSHN may monitor access to secure areas using video surveillance and other technical means.
Exceptions to this rule can be found in Annex - Exceptions Physical Security in our wiki.
2.3. Cable Security
Cabling for peripherals and networks must be regularly inspected and monitored. This is done according to the operational checks defined in Überwachung, Messung, Analyse und Bewertung (Monitoring, Measurement, Analysis and Evaluation).
3. Access Rights
3.1. VSHN Office
- All VSHNeers have access and have their own key.
- VSHNeers can grant accompanied access to guests once a visitor log has been filled out.
- People Operations controls who holds an office key; this is tracked in ticket ISMS-198.
3.2. Access to Hardware Servers
Access can be requested through management or the CISO. A ticket describing the work to be done must exist in VSHN's ticket system.
Access to VSHN servers at third-party providers is only possible for VSHN employees after prior coordination with the provider. Physical access control at the site is handled by the data center provider.
4. Visitor Logs
Each visitor must fill out one of the visitor log forms provided in the coffee room.
If a visitor works with us for a longer period, an NDA must be signed; once it is signed, the visitor log is no longer required.
4.1. VSHNeers' Responsibility
VSHNeers inviting guests are responsible for ensuring that:
- the visitor log form is filled out;
- the visitor does not walk around the office unsupervised;
- the visitor log is placed in the visitor log "mail box".
4.2. Back-Office Responsibility
- PeopleOps checks visitor log forms regularly and files them in a physical ad-hoc folder.
- Visitor logs older than a year are destroyed.
- The CISO conducts regular spot checks.
4.3. Exceptions
Exceptions to this rule can be found in Annex - Exceptions Physical Security in our wiki.
5. VSHNeers' Duties
- Ensure the two entry doors on the first floor (European floor numbering), the one leading to the coffee room and the one leading to the hallway, are always closed.
- Ensure visitors are never left alone.
- Ensure all windows are closed when the work day is finished.
- Ensure no confidential documents are left lying around.
- Regularly check the physical connections of your keyboard and mouse, ensuring they are plugged directly into the docking station with nothing in between; a hardware keylogger is typically inserted inline between the keyboard and the computer.
- Keep the VSHNtower clean: do not leave sensitive data there and do not leave your devices unattended.
7. Reference Documents
| ISO 27001:2022 | ISO 27001:2013 | Control |
|---|---|---|
| A.7.1 | A.11.1.1 | Physical security perimeters |
| A.7.2 | A.11.1.2 | Physical entry |
| A.7.3 | A.11.1.3 | Securing offices, rooms and facilities |
| A.7.4 | N/A | Physical security monitoring |
| A.7.5 | A.11.1.4 | Protecting against physical and environmental threats |
| A.7.6 | A.11.1.5 | Working in secure areas |
| A.7.8 | A.11.2.1 | Equipment siting and protection |
| A.7.11 | A.11.2.2 | Supporting utilities |
| A.7.12 | A.11.2.3 | Cabling security |
| Approval date | 2024-12-20 |
|---|---|
| Approved with | |
| Last reviewed | |
| Classification | Public |