Physical Security Policy
Document owner: Director of Operations, with CISO as co-owner
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual review; updates for facility changes
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com
Definitions and Key Terms
| Term | Definition |
|---|
| Physical Security | Measures designed to protect personnel, hardware, software, networks, and data from physical actions and events that could cause serious loss or damage |
| Access Control | Physical systems and procedures that restrict entry to facilities, areas, or assets to authorized individuals |
| Perimeter Security | Security measures protecting the outermost boundaries of a facility or site |
| Defense in Depth | A layered approach to security using multiple security controls to protect assets |
| Badge Access | Electronic access control using proximity cards, smart cards, or similar credentials |
| Mantrap | A small space with two interlocking doors used to prevent unauthorized entry through tailgating |
| Tailgating | Unauthorized entry gained by following an authorized person through a secured entrance |
| Visitor Management | Procedures for controlling and monitoring non-employee access to facilities |
| Video Surveillance | Use of cameras and recording systems to monitor and record activity in facilities |
| Environmental Controls | Systems that monitor and maintain appropriate environmental conditions (temperature, humidity, etc.) |
| Intrusion Detection System (IDS) | Systems that detect unauthorized entry or breach attempts |
| Clean Desk Policy | Requirements for securing sensitive information and equipment when not in use |
| Secure Disposal | Proper destruction of media and documents containing sensitive information |
| Data Center | A facility housing computer systems and associated components |
| Cabling Security | Protection of network and power cabling from damage, interception, or interference |
| Emergency Response | Procedures for responding to physical security incidents and emergencies |
| Escort Requirement | Requirement that visitors be accompanied by authorized personnel in secure areas |
| Security Zone | An area with defined security requirements and access restrictions |
| Asset Tagging | Assignment of unique identifiers to physical assets for tracking and inventory |
| Biometric Access | Access control using biological characteristics such as fingerprints or facial recognition |
| Key Control | Management of physical keys including issuance, tracking, and recovery |
| Security Guard | Personnel dedicated to protecting facilities and personnel |
| Alarm System | Electronic systems that detect and alert to unauthorized access or environmental hazards |
Scope and Purpose
This Physical Security Policy establishes Acme Cloud, Inc.'s requirements for protecting physical facilities, assets, personnel, and information systems from unauthorized physical access, damage, theft, and environmental hazards. The policy scope encompasses all physical locations where Acme Cloud conducts business, stores assets, or processes information, including corporate offices, shared workspaces, employee home offices (for applicable controls), and cloud infrastructure hosting facilities. The purpose is to provide a safe and secure physical environment that protects employees, visitors, equipment, and information assets while enabling efficient business operations.
Physical Environment Overview
| Location Type | Count | Description | Security Level |
|---|
| Corporate Headquarters | 1 | San Francisco office (co-working space) | Medium |
| European Office | 1 | Dublin office (co-working space) | Medium |
| Employee Home Offices | ~320 | Remote employee workspaces | Variable |
| Cloud Infrastructure | 3 | AWS regions (us-east-1, us-west-2, eu-west-1) | High (AWS managed) |
| No Data Centers | 0 | No company-operated data centers | N/A |
Applicability Matrix
| Control Area | Corporate Office | Co-Working Space | Home Office | Cloud Provider |
|---|
| Facility Access Control | Acme Cloud responsibility | Shared responsibility | Employee responsibility | AWS responsibility |
| Visitor Management | Acme Cloud responsibility | Co-work provider | Employee responsibility | AWS responsibility |
| Video Surveillance | Acme Cloud/Provider | Co-work provider | N/A | AWS responsibility |
| Environmental Controls | Acme Cloud/Provider | Co-work provider | N/A | AWS responsibility |
| Equipment Security | Acme Cloud responsibility | Acme Cloud responsibility | Employee responsibility | AWS responsibility |
| Media Disposal | Acme Cloud responsibility | Acme Cloud responsibility | Acme Cloud guidance | AWS responsibility |
Security Zone Classification
Zone Definitions
| Zone | Description | Access Level | Controls | Examples |
|---|
| Public Zone | Areas accessible to the general public without authentication | Open | Basic surveillance; reception presence | Building lobby; common corridors |
| Reception Zone | Areas where visitors are received and processed | Controlled | Reception desk; visitor sign-in; waiting area | Office reception; meeting room lobbies |
| Workplace Zone | General work areas for employees | Badge access | Badge readers; visitor escort required | Open office areas; break rooms |
| Restricted Zone | Areas with sensitive equipment or information | Enhanced access | Badge access + PIN or biometric; audit logging | Server rooms; executive offices |
| High-Security Zone | Areas requiring maximum protection | Strict access | Multi-factor authentication; mantrap; 24/7 monitoring | N/A for current facilities |
Zone Access Requirements
| Zone | Authentication | Authorization | Monitoring | Escort Policy |
|---|
| Public | None | None | Surveillance | None |
| Reception | Sign-in | Reception approval | Surveillance; reception | Staff presence |
| Workplace | Badge | Employee status | Surveillance; access logs | Required for visitors |
| Restricted | Badge + PIN/biometric | Manager approval + access list | Surveillance; access logs; alerts | Always escorted |
| High-Security | Multi-factor + approval | Explicit authorization per access | 24/7 monitoring; real-time alerts | Continuous escort |
Office Facility Security
San Francisco Headquarters
| Security Control | Implementation | Provider | Verification |
|---|
| Building Access | Key card access to building; doorman during business hours | Building management | Annual assessment |
| Office Suite Access | Badge access system; Acme Cloud administered | Acme Cloud | Monthly access review |
| Video Surveillance | Building common areas; office entry points | Building + Acme Cloud | Weekly review |
| Reception | Staffed during business hours; visitor check-in | Acme Cloud | Daily operation |
| After-Hours Access | Badge access only; logged and monitored | Acme Cloud | Access log review |
| Alarm System | Intrusion detection; after-hours armed | Acme Cloud | Monthly testing |
Dublin European Office
| Security Control | Implementation | Provider | Verification |
|---|
| Building Access | Key card access; security reception | Co-work provider | Annual assessment |
| Office Suite Access | Badge access to dedicated space | Co-work provider | Monthly access review |
| Video Surveillance | Common areas; entry points | Co-work provider | Provider SLA |
| Shared Facilities | Shared meeting rooms; break areas | Co-work provider | Secure asset handling |
| Environmental Controls | HVAC; fire suppression | Co-work provider | Provider compliance |
| Emergency Procedures | Building evacuation plan; assembly points | Co-work provider | Annual drill |
Office Security Metrics
| Metric | San Francisco | Dublin | Target |
|---|
| Access card audits | Quarterly | Quarterly | 100% coverage |
| Terminated employee badge deactivation | <4 hours | <4 hours | <8 hours |
| Visitor log retention | 12 months | 12 months | 12 months |
| Security incident response | <30 minutes | <30 minutes | <1 hour |
| Surveillance footage retention | 90 days | 90 days | 90 days |
Access Control
Badge Access System
| Component | Description | Management |
|---|
| Badge Issuance | Photo ID badges issued upon hire; temporary badges for contractors | HR + Office Manager |
| Badge Programming | Access levels programmed per role and approval | Office Manager |
| Badge Tracking | Central database of all active badges | Office Manager |
| Lost Badge Reporting | Immediate reporting required; badge disabled within 4 hours | Employee + Office Manager |
| Badge Return | Required upon termination; deactivation within 4 hours | HR + Office Manager |
| Badge Expiration | Contractor badges expire on contract end date | Automated |
Access Level Matrix
| Role/Group | Public | Reception | Workplace | Restricted | Hours |
|---|
| Full-Time Employee | Yes | Yes | Yes | As approved | 24/7 |
| Part-Time Employee | Yes | Yes | Yes | As approved | Business hours |
| Contractor (onsite) | Yes | Yes | Yes | As approved | Contract hours |
| Visitor (escorted) | Yes | Yes | Escorted | Escorted if approved | Business hours |
| Building Vendor | Yes | Yes | Escorted | No | Scheduled |
| Cleaning Staff | Yes | Yes | Yes | No | After hours |
| Emergency Responders | All | All | All | All | Emergency only |
Access Provisioning Process
| Step | Activity | Owner | Timeline |
|---|
| 1 | Access request submitted via ITSM | Requester | Day 0 |
| 2 | Manager approval for standard access | Manager | Day 0-1 |
| 3 | CISO approval for restricted access | CISO | Day 0-2 |
| 4 | Badge programming | Office Manager | Day 1-2 |
| 5 | Badge issuance with photo | Office Manager | Day 1-3 |
| 6 | Access testing verification | Employee | Day of issuance |
Access Removal Process
| Termination Type | Badge Deactivation | Badge Collection | System Update |
|---|
| Voluntary (planned) | Last day of employment | Final day collection | Same day |
| Involuntary (immediate) | Within 4 hours | Immediate collection | Within 4 hours |
| Contractor End | Contract end date | Contract end date | Same day |
| Leave of Absence | Per security assessment | Retained by employee or collected | Documented |
Visitor Management
Visitor Types and Requirements
| Visitor Type | Pre-Registration | ID Verification | Badge Type | Escort Required | Access Scope |
|---|
| Business Visitor | Required (24h) | Government ID | Visitor badge | Yes | Reception + approved areas |
| Interview Candidate | Required | Government ID | Visitor badge | Yes | Reception + interview rooms |
| Vendor/Contractor | Required | Government ID | Contractor badge | Per area | As contracted |
| Delivery Personnel | Not required | Not required | N/A | Limited to reception | Reception only |
| Emergency Responder | Not required | Uniform/ID | N/A | As needed | All areas |
| Auditor/Inspector | Required | Government ID | Auditor badge | Per area | As authorized |
Visitor Registration Process
| Step | Activity | Responsibility | System |
|---|
| 1 | Employee pre-registers visitor | Employee host | Visitor management system |
| 2 | Visitor receives confirmation | Automated | Email with instructions |
| 3 | Visitor arrives; signs in | Reception | Visitor log |
| 4 | ID verification | Reception | Visual verification |
| 5 | Visitor badge issued | Reception | Badge system |
| 6 | Host notified | Reception/System | Page/notification |
| 7 | Host escorts visitor | Employee host | N/A |
| 8 | Visitor signs out; badge returned | Reception | Visitor log |
Visitor Log Requirements
| Data Element | Collected | Retention | Access |
|---|
| Visitor name | Yes | 12 months | Security + authorized |
| Company/affiliation | Yes | 12 months | Security + authorized |
| Host employee | Yes | 12 months | Security + authorized |
| Time in/out | Yes | 12 months | Security + authorized |
| Areas accessed | Yes | 12 months | Security + authorized |
| Government ID type | Yes | 12 months | Security only |
| Signature | Yes | 12 months | Security only |
Video Surveillance
Surveillance Coverage
| Area | Coverage | Recording | Retention | Access |
|---|
| Building entrances | 24/7 | Continuous | 90 days | Security team |
| Office entry points | 24/7 | Continuous | 90 days | Security team |
| Reception area | Business hours | Continuous | 90 days | Security team |
| Common areas | 24/7 | Continuous | 90 days | Security team |
| Server/network closets | 24/7 | Motion-activated | 90 days | Security team |
| Emergency exits | 24/7 | Motion-activated | 90 days | Security team |
Surveillance System Requirements
| Requirement | Specification | Rationale |
|---|
| Camera Resolution | Minimum 1080p | Clear identification |
| Night Vision | Required for exterior/dark areas | 24-hour coverage |
| Recording Storage | Encrypted; redundant | Data protection |
| Retention Period | Minimum 90 days | Investigation support |
| Access Control | Role-based; logged | Accountability |
| Privacy Signage | Posted at entry points | Legal compliance |
Video Footage Access
| Purpose | Authorization Required | Approval Authority | Documentation |
|---|
| Security investigation | Security team request | CISO or Director of Ops | Incident ticket |
| HR investigation | HR request | CPO or General Counsel | HR case file |
| Law enforcement request | Subpoena/warrant | General Counsel | Legal case file |
| Insurance claim | Insurance request | CFO | Claim documentation |
| Routine review | Scheduled review | Security team lead | Review log |
Equipment Security
Asset Management
| Asset Type | Tagging | Inventory | Tracking | Disposal |
|---|
| Laptops | Asset tag + serial | ITSM inventory | MDM | Certified recycler |
| Mobile devices | ITSM registration | ITSM inventory | MDM | Certified recycler |
| Monitors | Asset tag | Office inventory | Manual | Certified recycler |
| Network equipment | Asset tag + config | Network inventory | NMS | Certified recycler |
| Printers/copiers | Asset tag | Office inventory | Manual | Certified recycler |
| Servers (if any) | Asset tag | Infrastructure inventory | CMDB | Certified recycler |
Equipment Security Controls
| Control | Implementation | Verification |
|---|
| Encryption | Full-disk encryption required on all devices | MDM enforcement |
| Screen Lock | Auto-lock after 5 minutes inactivity | MDM enforcement |
| BIOS/Firmware Password | Required on all company devices | Configuration baseline |
| Cable Locks | Available for office use | Optional but provided |
| Secure Storage | Lockable cabinets for sensitive items | Office inventory |
| Theft Prevention | GPS tracking on laptops | MDM capability |
Equipment Check-Out/In
| Process | Requirement | Tracking |
|---|
| New hire issuance | Documented receipt; asset assignment | ITSM ticket |
| Equipment replacement | Trade-in documented; new asset assigned | ITSM ticket |
| Remote work equipment | Shipping tracked; receipt confirmation | Shipping + ITSM |
| Termination return | Verified return; asset recovery | Exit checklist |
| Lost/stolen reporting | Immediate report; remote wipe | Security incident |
Remote Work Physical Security
Home Office Security Requirements
| Requirement | Description | Verification |
|---|
| Secure Workspace | Dedicated work area; not publicly visible | Employee attestation |
| Screen Privacy | Screen not visible to unauthorized persons | Employee attestation |
| Device Storage | Secure storage when not in use | Employee attestation |
| Document Handling | Sensitive documents secured; shredding available | Training + attestation |
| Network Security | Separate or secured home network; no public WiFi for sensitive work | Security training |
| Visitor Awareness | Work not visible to visitors | Employee responsibility |
Home Office Security Checklist
| Category | Requirement | Employee Responsibility |
|---|
| Physical Space | Dedicated work area with door/privacy | Best effort |
| Screen Positioning | Screen not visible from windows or common areas | Required |
| Document Storage | Lockable storage for sensitive documents | Required if applicable |
| Equipment Security | Devices secured when unattended | Required |
| Clean Desk | Sensitive materials secured end of day | Required |
| Shredding | Cross-cut shredding for sensitive documents | Required |
| Reporting | Report theft/loss immediately | Required |
Remote Work Security Training
| Topic | Content | Frequency |
|---|
| Home Office Setup | Secure workspace configuration | Onboarding |
| Device Security | Encryption, screen lock, physical security | Annual |
| Document Handling | Classification, secure disposal | Annual |
| Incident Reporting | Lost/stolen device procedures | Annual |
| Travel Security | Device security while traveling | Annual |
Cloud Infrastructure Physical Security (AWS)
AWS Physical Security Controls
Acme Cloud does not operate physical data centers. Customer data is hosted in Amazon Web Services (AWS) facilities. AWS maintains comprehensive physical security controls documented in their SOC 2 Type II reports and ISO 27001 certifications.
| Control Area | AWS Implementation | Verification Method |
|---|
| Perimeter Security | Fencing; security personnel; vehicle barriers | AWS SOC 2 report |
| Access Control | Biometric authentication; badge + PIN | AWS SOC 2 report |
| Visitor Management | Escorted access only; pre-approval required | AWS SOC 2 report |
| Video Surveillance | 24/7 monitoring; 90-day retention | AWS SOC 2 report |
| Environmental Controls | Redundant HVAC; fire suppression | AWS SOC 2 report |
| Power Redundancy | UPS; backup generators; redundant feeds | AWS SOC 2 report |
| Intrusion Detection | Electronic perimeter monitoring; alarm systems | AWS SOC 2 report |
| Physical Destruction | Degaussing and destruction procedures | AWS media sanitization |
AWS Compliance Certifications
| Certification | Scope | Verification | Review Frequency |
|---|
| SOC 2 Type II | All AWS services | Certificate + report | Annual |
| ISO 27001 | Global infrastructure | Certificate | Annual |
| ISO 27017 | Cloud security | Certificate | Annual |
| ISO 27018 | PII protection | Certificate | Annual |
| PCI DSS Level 1 | Payment processing | AOC | Annual |
| FedRAMP | Government workloads | Authorization | Annual |
AWS Region Selection Criteria
| Criterion | Consideration | Implementation |
|---|
| Physical Security | AWS security certifications | All regions certified |
| Data Residency | Customer requirements; regulations | EU data in eu-west-1 |
| Disaster Recovery | Geographic separation | Multi-region deployment |
| Availability | Redundant availability zones | Multi-AZ architecture |
| Environmental | Renewable energy percentage | Region preference policy |
Environmental Controls
Office Environmental Requirements
| Parameter | Acceptable Range | Monitoring | Response |
|---|
| Temperature | 68-76°F (20-24°C) | Building HVAC | Building management |
| Humidity | 40-60% RH | Building HVAC | Building management |
| Fire Detection | Smoke detectors; heat sensors | Building fire system | Fire department |
| Fire Suppression | Sprinkler system | Building fire system | Automatic activation |
| Water Detection | Under-floor sensors | Building management | Building maintenance |
| Power | Stable supply; surge protection | Electrical system | Building electrician |
Emergency Procedures
| Emergency Type | Detection | Response | Recovery |
|---|
| Fire | Smoke/heat detectors | Evacuation; fire department | Fire department clearance |
| Medical | Employee report | First aid; call 911 | Professional care |
| Intrusion | Security system; observation | Security response; police | Security clearance |
| Power Outage | Loss of power | UPS for critical systems; building backup | Power restoration |
| Natural Disaster | News; alerts | Evacuation if needed | Damage assessment |
| Severe Weather | Weather alerts | Shelter in place or evacuation | Weather clearance |
Emergency Equipment
| Equipment | Location | Testing | Responsibility |
|---|
| Fire Extinguishers | Per fire code placement | Monthly inspection | Building management |
| First Aid Kits | Reception; break areas | Quarterly inventory | Office Manager |
| AED | Reception area | Monthly check | Office Manager |
| Emergency Lighting | Throughout facility | Monthly test | Building management |
| Exit Signs | All exits | Monthly test | Building management |
| Emergency Contacts | Posted; digital | Quarterly update | Office Manager |
Numbered Policy Statements
-
Physical Security Requirement: All Acme Cloud, Inc. facilities shall maintain physical security controls appropriate to the sensitivity of assets and information processed at each location.
-
Access Control Mandate: Physical access to Acme Cloud facilities shall be controlled through badge access systems with access granted on a need-to-have basis and approved by appropriate management.
-
Visitor Management: All visitors to Acme Cloud facilities must be pre-registered, sign in at reception, wear visitor badges, and be escorted by an employee at all times in secure areas.
-
Badge Responsibility: Employees are responsible for safeguarding their access badges. Lost or stolen badges must be reported within 4 hours and will be immediately deactivated.
-
Termination Access Removal: Physical access credentials shall be deactivated within 4 hours of employment termination, with badges collected on the employee's final day.
-
Video Surveillance Notice: Video surveillance is deployed in common areas and entry points. All persons entering Acme Cloud facilities consent to video recording as posted at entry points.
-
Equipment Security: All company-issued equipment must be secured when unattended, with full-disk encryption enabled and automatic screen lock configured.
-
Clean Desk Policy: Employees must secure sensitive documents and portable media when leaving their workstation unattended.
-
Remote Work Security: Employees working remotely must maintain appropriate physical security for company equipment and information as defined in remote work guidelines.
-
Secure Disposal: Electronic media and documents containing sensitive information must be disposed of using approved secure disposal methods.
-
Incident Reporting: Physical security incidents including theft, unauthorized access attempts, and suspicious activity must be reported immediately to the security team.
-
Emergency Preparedness: All employees must be familiar with emergency procedures including evacuation routes and assembly points.
-
Cloud Provider Reliance: For cloud-hosted infrastructure, Acme Cloud relies on AWS physical security controls, verified through annual review of SOC 2 reports and certifications.
-
Annual Assessment: Physical security controls shall be assessed annually, with penetration testing of physical access controls where appropriate.
Framework Appendix
Compliance Mapping
| Requirement | SOC 2 Criteria | ISO 27001 Control | HIPAA Provision | Implementation |
|---|
| Physical access control | CC6.4 | A.11.1.1 | §164.310(a)(1) | Badge access system |
| Facility security | CC6.4 | A.11.1.2 | §164.310(a)(2)(ii) | Controlled entry |
| Visitor management | CC6.4 | A.11.1.6 | §164.310(a)(2)(ii) | Visitor logs; escorts |
| Equipment security | CC6.4 | A.11.2.1 | §164.310(d)(1) | Asset management |
| Environmental controls | A1.1 | A.11.1.4 | §164.310(a)(2)(ii) | Building systems |
| Media disposal | CC6.5 | A.11.2.7 | §164.310(d)(2)(i) | Secure disposal |
ISO 27001 A.11 Physical Security Mapping
| ISO 27001 Control | Control Title | Implementation |
|---|
| A.11.1.1 | Physical security perimeter | Building security; office access |
| A.11.1.2 | Physical entry controls | Badge access; reception |
| A.11.1.3 | Securing offices, rooms, and facilities | Zone-based access |
| A.11.1.4 | Protecting against external threats | Environmental controls |
| A.11.1.5 | Working in secure areas | Restricted area procedures |
| A.11.1.6 | Delivery and loading areas | Delivery procedures |
| A.11.2.1 | Equipment siting and protection | Equipment security |
| A.11.2.3 | Cabling security | Network closet access |
| A.11.2.7 | Secure disposal | Certified recycling |
| A.11.2.8 | Unattended user equipment | Clean desk; screen lock |
| A.11.2.9 | Clear desk and clear screen | Clean desk policy |
Related Trust Center documents
security overview, access control, business continuity, incident response, data retention, encryption standards
Document revision history
| Version | Date | Author | Summary of changes |
|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |
Contact
Acme Cloud, Inc.
1200 Market Street, Suite 400
San Francisco, CA 94103, USA
Physical Security Contacts
| Contact | Role | Availability | Use Case |
|---|
| Office Manager | Facilities + badge management | Business hours | Badge issues; facility requests |
| security@acmecloud.com | Security Team | 24/7 (critical) | Security incidents; investigations |
| Building Security | Building management | 24/7 | Building emergencies |
| Emergency Services | 911 | 24/7 | Life-threatening emergencies |
Appendix: Facility Security Checklist
| Category | Daily | Weekly | Monthly | Annually |
|---|
| Access log review | — | ✓ | — | — |
| Visitor log review | ✓ | — | — | — |
| Video surveillance check | — | ✓ | — | — |
| Badge system functionality | — | — | ✓ | — |
| Emergency equipment inspection | — | — | ✓ | — |
| Fire extinguisher inspection | — | — | ✓ | — |
| Access rights review | — | — | — | ✓ |
| Physical security assessment | — | — | — | ✓ |
| Emergency drill | — | — | — | ✓ |
| AWS SOC 2 report review | — | — | — | ✓ |
Document Version: 3.0
Last Updated: January 15, 2026
Visit EthicPages