ISMS Physical Security Policy

1. Purpose, Scope and Users

This policy defines VSHN’s rules regarding physical access to VSHN’s premises.

All employees of VSHN AG must adhere to this policy.

2. Physical Security

2.1. Physical Security Perimeters

  • The office at Neugasse 10 in Zürich is considered a security perimeter.

  • Data centers of third-party providers where VSHN's hardware is running are considered a security perimeter.

The following are not considered security perimeters: the VSHNtower at Neugasse 6, Zürich, and the shared offices of VSHN Canada at 422 Richards St, Suite 170, Vancouver.

2.2. Physical Security Monitoring

VSHN can monitor access to secure spaces using video surveillance and other technical appliances.

Exceptions to this rule can be found in Annex - Exceptions Physical Security in our wiki.

2.3. Cable Security

Cabling for peripherals and networks must be regularly inspected and monitored. This is done according to the operational checks defined in Überwachung, Messung, Analyse und Bewertung (Monitoring, Measurement, Analysis and Evaluation).

3. Access Rights

3.1. VSHN Office

  • All VSHNeers have access and have their own key.

  • VSHNeers can grant accompanied access to guests once a visitor log form has been filled out.

  • People Operations tracks who holds an office key in the corresponding ticket ISMS-198.

3.2. Access to Hardware Servers

Access is requested via management or the CISO. A ticket describing the work to be done must exist in VSHN's ticket system.

Access to VSHN servers at third-party providers is only possible for VSHN employees after prior coordination. Access control at the site is handled by the data center provider.

4. Visitor Logs

Each visitor must fill out one of the visitor log forms provided in the coffee room.

If a visitor works with us for a longer period, an NDA must be signed; once it is signed, the visitor log is no longer required.

4.1. VSHNeers' Responsibility

VSHNeers inviting guests are responsible for ensuring that:

  • The visitor log form is filled out.

  • The visitor does not walk around the office unsupervised.

  • The visitor log is placed in the visitor log "mail box".

4.2. Back-Office Responsibility

  • PeopleOps checks the visitor log forms regularly and files them in a dedicated physical folder.

  • Visitor logs older than a year are destroyed.

  • The CISO conducts regular spot checks.

4.3. Exceptions

Exceptions to this rule can be found in Annex - Exceptions Physical Security in our wiki.

5. VSHNeers' Duties

  • Ensure the two entry doors on the first floor (European floor numbering), the one leading to the coffee room and the one leading to the hallway, are always closed.

  • Ensure visitors are never left alone.

  • Ensure all windows are closed when the work day is finished.

  • Ensure no confidential paper is lying around.

  • Regularly check the physical connections of your keyboard and mouse, and ensure they are plugged directly into the docking station with no unknown device in between; an inline hardware keylogger sits exactly there.

  • Keep VSHNtower clean: do not leave sensitive data there and do not leave your devices unattended.

6. Events

  • Events can take place in VSHNtower as it is considered a public space.

  • Events should not take place in the VSHN office. If this cannot be avoided, check with the CISO and follow the checklist on the file server.

7. Reference Documents

ISO 27001:2022   ISO 27001:2013   Control
A.7.1            A.11.1.1         Physical security perimeters
A.7.2            A.11.1.2         Physical entry
A.7.3            A.11.1.3         Securing offices, rooms and facilities
A.7.4            N/A              Physical security monitoring
A.7.5            A.11.1.4         Protecting against physical and environmental threats
A.7.6            A.11.1.5         Working in secure areas
A.7.8            A.11.2.1         Equipment siting and protection
A.7.11           A.11.2.2         Supporting utilities
A.7.12           A.11.2.3         Cabling security



This policy is tracked and approved by the CISO with ticket ISMS-557.

Approval date    2024-12-20
Approved with    ISMS-1218 in MR 867 and MR 870
Last reviewed    2024-12-20 with ISMS-1620 and MR 1132
Classification   Public