Physical Security Standard

This document provides requirements to establish and maintain all-around physical security measures that prevent (or at least minimize) damage to, or interference with, the Corporate Group’s property and assets.

Scope

This standard applies to all parties related to the Corporate Group’s business, including but not limited to employees, third-party service providers, partners, affiliates, interns and visitors.

External security

General:

  • Where possible, entrances should be fitted with access-control devices that log any entry or exit

  • Where possible, entrances should be fitted with a speed gate or a similar configuration disallowing piggybacking or tailgating

  • Entrances should be locked or electronically controlled at all times

  • Where possible and logical, entrance doors should be of a higher grade and reinforced to resist intrusion (meeting local fire and safety regulations)

  • Where reasonable, windows, doors and other openings must be fitted with appropriate intrusion prevention and detection mechanisms

  • If applicable, no device should be placed on the inner or outer perimeter of external walls

  • Elevators and their waiting areas must be appropriately secured where they connect insecure and secure areas (e.g. underground parking).

Emergency exits:

  • Emergency doors must not be used for any purpose other than emergencies and must be kept closed

  • Emergency exits must be fitted with audible alarms and monitored by door-contact alarms

  • Emergency exits must not lead to a Higher Security Area.

Exterior lighting:

  • Exterior lighting must be positioned, and be of sufficient power, to illuminate all entrances, exits and delivery areas so that persons within these areas can be identified

Roof and terrace access:

  • The area surrounding the property must be cleared of all objects that might allow access to the roof or any other opening that circumvents the main designated entrances

  • Any access to the roof or terrace must be locked and/or controlled from the inside if reasonable

  • All ventilation, cooling system ducts or other types of possible openings must be secured by taking appropriate measures.

Exterior CCTV:

  • Exterior CCTV must be set on all entrances and exits to the building

  • The general CCTV rules set out below also apply

Internal structure and processes

General:

  • All electronic access points must be capable of logging activity, and logging must be enabled

  • Employees should be trained to disarm/set the alarm if they are the first ones to come in or the last ones to leave the office premises

  • All alarm, intrusion detection, motion sensors, access control points and other applicable systems must be equipped with an auxiliary power or battery backup system with capabilities for ensuring operation for a minimum of 48 hours in the event of a power failure.

Maintenance:

  • All equipment should be correctly maintained to ensure its continued availability and integrity, in accordance with the manufacturer’s and third-party supplier’s instructions and any applicable laws and regulations

  • Only authorized personnel should maintain the critical equipment

  • Maintenance must be planned so that business processing and information security are not unreasonably affected

  • Logs of maintenance should be kept and include who carried out the maintenance, what was done and who authorized the maintenance

Alarm systems:

  • Alarms must alert the employees in the vicinity and all appropriate security personnel (guards or third-party security companies), who then escalate the situation to the Security Manager if necessary

  • The Security Manager must be notified whenever the power backup systems have been activated

CCTV:

  • All cameras must be able to provide adequate recording during the dark hours of the day

  • All cameras must have alerts set up in their monitoring system in case of malfunction and video loss

  • The recording system must be able to provide replay functionality without interrupting the recording

  • CCTV monitoring and recording must be located in a High Security Area, preferably a Security Room, and accessible only to the employees authorized by the Security Manager and otherwise meeting the national regulations

  • CCTV recordings must be kept for at least 14 days and in accordance with the GDPR requirements

  • CCTV cameras must be inventoried and the inventory list reviewed once a year

Security Device Inspection:

  • All security systems must be thoroughly tested for condition, backup power source and, when appropriate, other measures (such as image quality in CCTV) at least annually. This includes, but is not limited to, alarm systems, access control systems, window and door contacts, glass-break detectors, motion sensors, emergency door alarms, CCTV monitors and image recorders

  • Records of the inspections must be kept for at least 18 months

  • External audits may only be conducted by specialized companies.

Supporting Utilities

In addition to meeting the building code and other regulations, the following must be included in the facility planning and specifications when logical:

  • Uninterruptible power supply, back-up generators, and fuel, as required by the business and technical requirements

  • Emergency power-off switches located near the emergency exits in the equipment rooms

  • Emergency lighting

  • Alarms and monitoring to indicate malfunctions in heating, ventilation, air conditioning, humidity control and sewage systems, especially in the High Security Areas

  • Multiple connections to the power utility for the critical systems and equipment

  • If possible and when logical, multiple communications connections or appropriate backups

  • Where possible, power and communication lines should be under the floors or with alternative protection

  • Power cables should be separated from communication lines to avoid interference

  • Further additions for critical systems and the High Security Areas, as warranted by their specific requirements

Reception area:

  • The main entrance to the building must lead visitors into a reception area that restricts physical contact between the visitors and the receptionist and/or guard

  • During working hours, an authorized employee must be present within the reception area at all times

  • Outside working hours, all security devices in the area must be monitored

  • If possible and preferable, the reception area must be fitted with an access control point that logs entrance and exit and prevents piggybacking or tailgating

  • The reception area must not lead directly to a High Security Area

Delivery and Loading areas:

  • Any deliveries made by non-employees or contracted third-party personnel must take place in the designated spaces outside of general or High Security Areas

  • These areas must be appropriately covered by CCTV

High Security Areas

Definition:

  • Areas outside the general office space that require extra protection fall under this broad categorisation. They include, but are not limited to, the key information processing facilities, critical infrastructure (e.g. switch and server rooms) and technical bulk storage areas

  • The list of High Security Areas includes, but is not limited to, the server rooms, archives, the Media Lab, and IT equipment storage rooms

Construction:

  • Reasonably reinforced and soundproofed walls, with protection from direct sunlight where appropriate

  • Appropriate supporting utilities, such as electricity, water supply, sewage, humidity control, heating/ventilation and air conditioning, must be provided at the level required by the systems they support

  • Fire suppression systems, preferably dry-pipe, must be installed in accordance with local law

  • Facilities must be planned and arranged to allow reasonable access for maintenance and cleaning

Access Controls and Procedures:

  • Doors with at least two locking measures, i.e. a conventional higher-grade lock and an electronic one

  • An in-and-out reader (access is read on both entry and exit)

  • Metal clad or solid wood doors with at least 2-hour fire rating

  • Doors with either interior hinges or exterior hinges with non-removable pins

  • Intrusion detection system fitted on the doors and any other openings

  • Entrances and the entire High Security Area must be covered by CCTV

  • All High Security Areas must be secured by internal motion detectors

  • Access hardware removed from the Master Key system of the facility

  • A mandatory log trail of all access

  • External service providers entering the High Security Areas must follow the instructions in the Maintenance section

  • Access is granted only through the procedure defined in the Access section, with any exceptions authorized by the Security Manager and granted only via a written email request

  • Video recording or photography is forbidden without prior written consent and a confidentiality undertaking

  • When logical, doors are fitted with a mechanism or alarm that allows only the time necessary for entry (e.g. 30 s), with any exceptions requiring authorization from the Security Manager

  • The High Security Areas must have internal rules, an audit log, and a list of employees granted access, which can be obtained from the secure area owner and the risk manager

Workspace security

Shared printers and other similar equipment are positioned to allow easy physical access when required, but have technological restrictions on their use (e.g. IP whitelisting, or printing only with a provided access token).

Employees must secure their work space and equipment whenever it is not supervised by an authorized person, including during short breaks, attendance at meetings, at the end of the work day, and during transit.

Securing work space includes, but is not limited to:

  • Clearing the desks and work areas, especially from sensitive and restricted information, and any storage devices

  • Securing documents and mobile or portable storage devices in a locker, locked drawer, or file cabinet

  • Clearing whiteboards of sensitive information

  • Maintaining password protection features enabled on all equipment

  • Logging out, shutting down or restarting workstations at the end of each work day

  • Checking printers to ensure that no sensitive information is left to be picked up

  • Locking doors and windows, where appropriate

  • Ensuring that equipment is protected at all times when travelling

  • Using the physical locking, restraint or security mechanisms provided by the IT admins whenever logical

  • Any loss of equipment should be immediately reported to the IT admin team and the Security Manager

Employees must take reasonable care and precautions when transporting equipment and when securing it at a remote location.

Monitoring rooms:

  • Access to the monitoring rooms is available to the security team only

  • Monitoring rooms operate 24/7 and are locked at all times

Physical keys:

  • Physical keys are stored in a safe box and are available from the monitoring room only

  • Physical keys are issued only for agreed maintenance, and every issuance must be logged in a journal

Employees

Security awareness

Basic physical security principles must be incorporated in the onboarding process and the periodic mandatory Risk and InfoSec awareness training.

Granting Employee Access

Basic access to general office areas is granted to every employee via an access card or its technological equivalent (and additionally other required means to arm or disarm the employee entrance alarm system).

Access to all other areas is granted only on a need-to-have basis and appropriately registered and authorized by the Security Team.

Personnel changes

When an employee changes job functions, their security access must be reviewed and, if needed, adjusted within one business day.

Upon employee termination, a designated representative (or representatives) must:

  • Deactivate all access rights

  • Recover the access badge

  • Change all applicable access codes known to or utilized by the employee

A quarterly review of the access privileges and revocation of what is no longer required must be conducted.

Any lost access cards, ID badges, keys or other access methods must be immediately reported to the Security Manager or a designated employee and recorded, and the card’s access revoked or the affected locks changed.

Visitors

Registration

All visitors must confirm the previously agreed appointment and their identity.

The following must be recorded in the logbook:

  • Name of the visitor, printed and signed

  • Corporate Group the visitor represents (if any)

  • Name of the person being visited or in charge of the visitor

  • Purpose of the visit

  • Date and time of arrival and departure

  • Signature of the employee assigned to escort the visitor

Registration records are maintained for up to 3 months and in accordance with the GDPR requirements.

An authorized employee must accompany a visitor at all times.

Any unsolicited visitors must be turned away.

In case of unauthorized access or intrusion, inform the police.

Notification

Visitors must be made aware of the security and confidentiality requirements, and the visitor escort must ensure the visitor’s adherence to those requirements.

Identification

  • Each visitor must be issued and wear visibly on their person a security pass or a visitor badge that identifies them as a non-employee

  • Escorting employees must make sure that the visitor surrenders their security pass or visitor badge to the receptionist or the appropriate personnel before leaving the perimeter

  • Any unbadged visitors must be recorded in a log

  • Visitors employed within the Corporate Group can move across the Campus (as defined in 8.1) under the Campus access control management system in the communal areas only.

External service providers

General Guidelines

The requirements and procedures of section 1.3 of this document, ‘Granting Access’, apply to all suppliers, third-party repair or maintenance staff, and any other external service providers that require access on a permanent basis.

If possible, access cards or ID badges should be visually distinct from those of internal employees.

A registry is kept of all external service provider staff who have been granted access, together with their work schedules.

External service providers must agree to report any employment changes among their service staff within X days.

Only persons with pre-approved access cards or ID badges may be granted access, with exceptions granted in writing by the Security Manager or senior management.

External service providers’ staff requiring access to restricted or High Security Areas must follow the visitor registration procedures of section 3.1 and be accompanied by an employee at all times while they are in High Security Areas.

Where reasonable, an individual with knowledge of the system being worked on shall escort non-permanent contractors who need access to the High Security Areas at all times.

Compliance

In cases of violation of this standard, sanctions or disciplinary action may be taken according to the Rules of Procedure.

Review and Update

This Standard must be maintained in accordance with the Information Security Policy.

Revision History

Version   Author   Approved By   Revision date   Approval date
0.1       GK                     2023-05-20      2023-05-23
0.2       DM                     2023-11-02      2023-11-02
0.3       GK       DM            2024-09-10      2024-09-10