Connor Group
Information Security

Facility Security Standard

December 2023

v.1.2


Introduction

Connor Group maintains dedicated physical locations for personnel to perform their work duties. Connor Group also utilizes hosted datacenter environments to hold company servers and data. These physical locations must be appropriately managed and protected to ensure compliance with legal and business requirements for Connor Group. This standard codifies the expectations of physical security for computer systems hosting or processing company data. It is one of a set of documents that together form Connor Group's Information Security Management System (ISMS).

 

Purpose

The purpose of the Facility Security Standard (also referred to as the "Standard" in this document) is to establish the requirements for physical security of Connor Group work locations and datacenters utilized by Connor Group.

Connor Group is committed to maintaining formal procedures to limit physical access to facilities housing processing or storage of sensitive data. As such, Connor Group’s physical offices and datacenters must be properly secured for appropriate access to protect the integrity and confidentiality of the data stored therein. This Standard provides the minimum physical security requirements for these locations.

 

Scope

This standard applies to all Connor Group employees, contractors, vendors, or any other individual or entity with physical access to office space or datacenters supporting business operations.  

 

All staff and Third Parties responsible for physical access to locations hosting IT Systems are responsible for understanding the content of this Policy and following its requirements. In the event of uncertainty regarding applicability, contact Information Security for clarification or guidance.

 

Definitions

References for terminologies or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://helpdesk.connorgp.com/a/solutions/articles/11000112202).

 

Policy

  1. Connor Group will protect its facilities and equipment from unauthorized physical access, tampering or theft by establishing and implementing physical safety controls.

  2. In the event of a disaster or emergency, Connor Group will ensure that appropriate workforce members can enter its facility to take necessary actions in accordance with maintaining availability of Sensitive data.

  3. In the event of a disaster or emergency, Connor Group will ensure that security controls to safeguard the facility and equipment containing Confidential Data will either remain fully functional or utilize compensating controls so as to maintain the same or higher level of security as before the adverse event.

 

 

Standards

  1. Connor Group's designated Security Officer, in collaboration with the Facilities Manager, will ensure the following physical security controls are implemented to protect facilities from unauthorized access:

    1. The building will include solidly constructed exterior and interior walls, with a minimum number of secure doors (robust materials, properly hinged) locking-by-default, and secure locked windows.
    2. The building will have a monitored alarm or intrusion detection system for notifying of improper access.
    3. The external area of the building and access points to sensitive areas will be monitored at all times through surveillance systems with a 90-day retention period at a minimum.
    4. The building will have appropriate fire detection, alarm, and suppression systems appropriate for equipment or personnel in each area.
    5. The building will have appropriate controls (such as HVAC, dust filters, and air humidifiers/de-humidifiers) to ensure air quality is maintained as appropriate for equipment or personnel in each area.
    6. The building will have appropriate controls to guard against power surges and outages (such as multiple power feeds, backup generators, and uninterruptible power supplies), appropriate for equipment and personnel in the area.
    7. Public access doors will remain locked after business hours or when workforce members or security personnel are not present to control access from unauthorized visitors.
    8. Visitors will be required to check in at the main entrance or holding area and be escorted at all times where access to sensitive data or networks is available.
    9. Maintenance personnel will be verified, monitored, and not given an access key. If not being escorted by an authorized workforce member while working, they will be identified, monitored, and verified on a daily basis.
    10. In areas directly processing, managing, or housing sensitive data, visitors will be escorted or otherwise have an authorized workforce member in the general area to monitor potential data exposure.
    11. Points of entry will be monitored through a video surveillance system that holds footage for at least 30 days. Abnormal activity (late night or weekend access) will create an alert for review by the Facilities Manager or designee on an as-needed basis.
    12. Access keys are granted on an individual basis and require manager approval. Access upon departure will be revoked in a timely manner. Access logs will be retained for two years, or as required by local law.
    13. Activity logs of key usage to sensitive IT asset areas (e.g. server closets, network closets, or inventory storage) will be reviewed regularly by the IT Manager or designee to identify and investigate potentially questionable access.
    14. Master keys to facilities, whether internal or external, will be changed when there is a suspicion of compromise.


2. The IT Manager will create, document, and maintain an inventory including the physical location of all shared server systems that contain sensitive data. 

    1. These systems shall be mainly housed at a secured co-location facility, with documented physical controls tested annually by an external party. 
    2. Secondary servers will be housed in an internal, isolated server room without windows and behind additional interior doors with access separate from the main doors, thus restricting physical access. The doors to the server room will remain locked at all times. 
    3. If applicable, server systems will be further protected through installation in a locking cage or cabinet utilizing enclosure physical locks. Management of these controls will follow management procedures of facility keys. 
    4. The IT Manager will create, document, maintain and store an inventory of workstations that may store or process sensitive data. Areas containing workstations that contain or manage sensitive data will be physically isolated from public areas such as lobbies and conference rooms accessible to unauthorized visitors. 
    5. To limit unauthorized access or viewing, workstations in public areas accessible to unauthorized individuals will be further protected with visual barriers, screen protectors, physical lockdowns, external device connection restrictions, tracking through an asset management system, and integration with remote physical tracking technology, where reasonable and appropriate. 

 

3. Connor Group's designated Security Officer, in collaboration with the IT Manager, will ensure the following physical security controls are implemented to protect datacenter facilities from unauthorized access or downtime:

    1. The building will include solidly constructed exterior and interior walls, with a minimum number of secure doors (robust materials, properly hinged) locking-by-default.
    2. Access to the datacenter is restricted to authorized personnel and must be approved by the IT Manager.
    3. The building will have a fully integrated alarm or intrusion detection system monitored for proper operation, especially for offices not staffed 24x7.
    4. The external area of the building and access points will be monitored at all times through surveillance systems with a 90-day retention period at a minimum.
    5. The building will have appropriate fire detection, alarm, and suppression systems appropriate for server equipment.
    6. The building will have appropriate controls (such as HVAC, dust filters, and humidifiers/de-humidifiers) to ensure air quality and temperature are properly maintained.
    7. The building will have appropriate equipment to guard against power surges and outages (multiple power feeds, backup generators, uninterruptible power supplies, etc.).
    8. The Facilities Manager shall make available and maintain secure destruction bins or shredders for any physical documents requiring disposal. Shredders shall use cross-cut mechanisms and secure destruction bins shall be maintained only by authorized individuals.
    9. The Facilities Manager or designee will regularly, but not less than annually, conduct tests of the security attributes of a sample of the facilities that contain sensitive data to ensure the proper operation of controls.
    10. All repairs and modifications to the components of physical security features (e.g., walls, doors, HVAC, fire suppression, cameras, flooring and locks) of a facility containing sensitive data will be executed and documented, with documentation retained for 2 years plus the current year by Facility Management.
    11. Any detected or suspected compromise of physical security controls will be immediately reported to the Security Officer by the Facility Manager or IT Manager and will be treated as a security incident.
    12. The Security Officer will regularly perform a risk assessment to determine the likelihood of physical compromise of the facilities or information systems hardware and take corrective actions as determined by the results of the assessment.

 

4. Business Continuity or Emergency Response:

    1. On an annual basis, the Security Officer will review and test relevant portions of the Information Security Standard, to ensure that the facilities' security procedures contained therein can be properly executed in a state of emergency, particularly where manual security controls may be the only functioning controls.
    2. During a disaster or emergency, the Security Officer will approve any needed modification of processes and controls protecting the facility and equipment containing sensitive data to ensure the level of security is not reduced without proper risk acceptance.
    3. The Security Officer will utilize senior management or other trusted designees (such as an external security service) as compensating controls during an emergency when facility power is lost or reduced and electronic, automated security controls are rendered unusable. These manual controls will remain in place until full recovery of the facility security controls has been accomplished and normal business operations can resume.


Revision History

Revisions require approval by the Director of Information Technology and dissemination to applicable business units prior to release.

 

Version | Detail | Author | Date
1.1 | Formatting revised with requirements under Policy enumerated for easier reference. | Connor Group Information Security | April 2022
1.2 | Annual review. Definitions section updated with new URL for Glossary. | Connor Group Information Security | Dec 2023