Physical Security Policy (A.11)

Objectives

The objective of this policy is to document Breezy’s physical security controls relative to a completely remote workforce.

Scope

The physical security policy covers the information processing facilities used to provide Breezy product offerings.

In physical terms, this policy therefore covers third-party data centers as well as Breezy’s central office in Jacksonville, FL.

Policy

Third-Party Information Storage and Processing

All customer information storage and processing takes place in third-party facilities. For the scoped services, Breezy uses Amazon Web Services as the infrastructure provider of choice. Breezy relies on Amazon Web Services to maintain physical controls for the in-scope systems responsible for storing and processing customer data. AWS’s controls are described in Amazon’s Data Center Controls document.

Other third-party providers may be used in providing the scoped services as well, as described in our Vendor Security Policy. In those cases, Breezy expects those suppliers to maintain appropriate physical security controls.

Breezy Office

As above, Breezy policy is to keep information storage and processing in third-party facilities, so the physical office controls are less important. However, a collection of physical policies for the office is maintained.

Physical Security Perimeter (A.11.1.1)

Although the Breezy office in Jacksonville, FL is not the primary work site for employees, it contains employee laptops and workstations and is therefore considered an area containing sensitive information. A secure premises is maintained by controlling entry to the building.

Access Policy (A.11.1.2)

All entrances to the premises remain locked. Any entrances temporarily unlocked or left ajar must be monitored by Breezy personnel. The person who temporarily unlocks or leaves an entrance ajar is responsible for ensuring it is closed and locked after being used.

Employees are provided electronic badges granting access to the premises. Badges are revoked in a timely manner when an employee leaves. Visitors are escorted when on site.

In the event the electronic access system is unavailable or nonfunctional, critical personnel will be provided with a physical key for building access. Exterior doors will remain locked as usual, and Breezy employees with physical access will be required to admit other personnel into the building.

Secure Facilities (A.11.1.3)

Each on-site employee has their own office located in the secure premises. Each office is furnished with a locking filing cabinet.

Secure Equipment Disposal (A.11.2.7)

Breezy maintains a registered asset inventory. Prior to asset disposal or reuse, any sensitive data or licensed software is removed or securely overwritten. If data removal is not possible, the asset is destroyed.

Unattended User Equipment (A.11.2.8)

Unattended equipment or login sessions are locked to protect against unauthorized access. Physical workstations are configured with automatic locking after inactivity. Employees also lock their workstations when leaving them unattended in the office. This requirement is delivered through annual training.

Clear Desk and Clear Screen (A.11.2.9)

Breezy maintains a clear working area policy. Staff are responsible for ensuring their working area does not leave sensitive information exposed, either by locking their workstation or physically securing any media when leaving the work area unattended.

Network Security

Breezy provides both wired and wireless internet access at the office.

The physical network at the office does not have any special privileged access. The office network is treated as an internet connection and nothing more.

Remote Work

All Breezy employees work remotely. In terms of system access, this is no different than working from the office.

When working remotely, employees are responsible for ensuring the security of their working environment in the spirit of the above policies.