Background
The Physical Security Policy is applicable to all employees and service providers of Personal Audit System Ltd (PAS), as well as to employees from other organisations who are working in premises occupied by PAS.
Policy Objective
This policy provides clear direction to our employees and other stakeholders, mandating that they implement all requisite physical security measures to safeguard PAS's assets from unauthorized access, damage, and interference, whether malicious or accidental.
Scope and Definition
Physical Security encompasses measures designed to safeguard physical sites, along with the assets, information, and personnel within them.
It is crucial for our business operations to take place in a setting where potential threats (stemming from natural and man-made hazards, terrorism, criminal activity, and insider threats) to PAS's assets, information, and personnel have been recognised, evaluated for risk, and suitably mitigated to avert disruption, damage, or compromise, whether intentional or accidental. This involves securing physical boundaries and implementing access controls to offer balanced protection against natural catastrophes and terrorist acts, as relevant.
Context
This policy outlines a 'layered' approach to physical security, ensuring environments are secure enough for PAS to conduct operations and meet strategic goals. By applying security in layers, the policy aims to protect personnel and PAS Ltd assets, including sensitive materials.
The policy sets a high-level organisational goal for PAS concerning Physical Security, underpinned by behavioral security practices that must be adhered to for compliance. These practices are the minimum required to safeguard PAS's assets, information, and personnel.
Physical Security measures are in place throughout the company, with certain systems managed or provided by third-party services on different premises. Additionally, operations are conducted on sites not owned by PAS, where external landlords or service providers are accountable for implementing necessary security services and equipment.
Responsibilities
All employees, service providers, and employees from other organisations on PAS premises are responsible for their own security, health, and safety, as well as that of their colleagues and the protection of assets.
The office's delegated responsible manager must ensure that physical security risk assessments are reviewed annually and that actions to mitigate risks and maintain business continuity are current. These measures should be communicated, routinely practiced, and enforced.
The management of the office's physical security controls, such as perimeter control, guarding, and site access, is the duty of a contracted provider. The effectiveness of these controls is assessed through Physical Security Reviews conducted by the delegated responsible manager.
The delegated responsible manager is also tasked with ensuring that physical security measures adhere to the latest technical and industry standards. Regular reviews of technology and processes are essential to maintain effective and purposeful security controls, including standards for CCTV, access controls, and other pertinent alarm systems managed by a contracted supplier.
Policy Statements
Physical Security controls will be established in proportion to PAS's risk appetite, complying with the Information Security Policy and Acceptable Use Policy. It is imperative for all employees to stay vigilant, report any suspicious activities, and identify instances of non-compliance.
Such vigilance is crucial to deter, delay, prevent, or detect unauthorized access or attacks on premises, and to reduce the consequences should they occur.
The designated responsible manager is tasked with ensuring adherence, conducting physical security risk assessments properly, and swiftly executing any action plans that address identified risks.
Compliance
The degree of risk and potential impact on PAS's and its customers' data and assets will dictate the necessary controls and level of assurance. PAS is responsible for maintaining a baseline of physical security measures and must annually verify that these measures are sufficient to protect all occupants and assets, enhancing them as needed.
- Due to the ever-evolving security landscape, Physical Security measures must be regularly reassessed to address new threats and vulnerabilities. This policy and its supporting standards are to be reviewed annually or more often if necessary.
- Not reporting a security incident, whether actual or suspected, may lead to disciplinary action against employees.
- PAS employees will conduct regular compliance assessments of this policy, which may involve inspections of technology systems, designs, processes, personnel, and physical locations. Compliance checks may include technical and physical security control testing. All PAS employees and service providers are expected to facilitate, support, and participate in such inspections as needed, including employees from other organizations located in PAS facilities.