Physical Security Policy

LEAP -- Physical Security Policy

Document Number POL-GL-COM-PHYS-1.0
Target audience <<intended recipients>>

Cover page layout

Contents

  • 1. Purpose
  • 2. Scope
  • 3. Roles and Responsibilities
  • 4. Access Control
  • 5. Physical Security Controls
  • 6. Equipment Protection
  • 7. Equipment Maintenance
  • 8. Working in Secure Areas
  • 9. Supporting Utilities
  • 10. Cabling Security
  • 11. Surveillance & Monitoring
  • 12. Workstation and Equipment Security
  • 13. Off-premises Asset Security
  • 14. Multi-Location and Jurisdiction Compliance
  • 15. Protection against Environmental and Physical Threats
  • 16. Incident Management
  • 17. Related documents (optional)
  • 18. Policy Exceptions
  • 19. Policy Enforcement
  • 20. Policy Monitoring
  • 21. Awareness & Communication
  • 22. Version History

Purpose

This policy establishes the minimum physical and environmental security requirements for LEAP offices, facilities, secure areas, and physical assets. It is intended to protect LEAP personnel, customer information, company assets, and information processing facilities from unauthorised access, theft, damage, interference, and environmental threats.

Scope

This policy applies to all LEAP employees, contractors, consultants, temporary staff, and third parties who access LEAP offices, facilities, secure areas, or physical assets. It applies across all LEAP locations, including offices, communications rooms, network equipment areas, storage rooms, meeting rooms, and any other location where LEAP information or technology assets are processed, stored, or supported.

Roles and Responsibilities

  • The Chief Information Security Officer (CISO) is responsible for oversight of LEAP's physical security program.
  • Facilities Management is responsible for implementing and maintaining approved access control systems, surveillance, and visitor management.
  • All employees, contractors, and visitors are responsible for complying with this Policy and immediately reporting physical security incidents

Access Control

  • All facilities must use physical access control mechanisms (e.g., electronic access cards, biometric systems, or equivalent) to restrict entry.
  • Access rights are based on role and business need and are revoked upon termination of employment or contract.
  • Visitors must:
    • Sign in upon arrival and wear a visitor badge at all times;
    • Be escorted by an authorised LEAP employee while onsite.
    • Tailgating (allowing unauthorised individuals to enter secure areas) is strictly prohibited.

Physical Security Controls

Each LEAP office location must have defined physical security perimeters with clearly delineated secure areas. Perimeter types include: building entry points (reception/lobby), floor-level access, communications and network rooms, and server or data processing areas. Perimeters must be physically sound, with no gaps in the boundary that would allow unauthorised entry. All perimeter entry points must be protected by access control mechanisms appropriate to the sensitivity of the area they protect.

Equipment Protection

LEAP equipment must be physically protected from theft, tampering, accidental damage, and environmental hazards. Network devices, switches, firewalls, wireless controllers, and other critical infrastructure must be located in secured rooms or cabinets with restricted access. Supporting utilities such as power protection must be used where required to protect critical equipment.

Equipment Maintenance

All LEAP equipment must be maintained in accordance with supplier-recommended service schedules and intervals. Requirements include: only authorised personnel or approved third-party service providers may carry out maintenance on LEAP equipment; maintenance activities on equipment containing confidential data must be supervised or must involve data sanitisation prior to service; maintenance records must be kept for all critical equipment; faults suspected to have been caused by tampering or unauthorised access must be reported as security incidents.

Working in Secure Areas

The following rules apply to all personnel working in or accessing secure areas such as server rooms, network rooms, and restricted storage areas: Food and drink are prohibited in server and network rooms. Photography, video recording, and use of personal devices for recording are prohibited in secure areas unless explicitly authorised. Where practicable, work in highly sensitive areas (e.g., server rooms) should be performed with a second person present. Unsupervised work by third-party maintenance personnel in secure areas is prohibited; an authorised LEAP employee must be present

Supporting Utilities

Critical information processing facilities must be supported by adequate utilities to prevent interruption or degradation of service. Requirements include: Uninterruptible Power Supplies (UPS) must be installed for servers and critical network equipment; power supply capacity must be reviewed periodically against equipment load; HVAC (heating, ventilation, and air conditioning) systems must maintain appropriate temperature and humidity levels in server and network rooms; utility failures (power, cooling, water ingress) must be reported and treated as physical security incidents; backup power arrangements must be in place at critical hosting sites.

Cabling Security

Network and telecommunications cabling must be protected from interception, interference, and damage. Requirements include: power cabling and network data cabling must be routed separately where practicable; cable runs must be labelled and documented; cables in accessible areas must be protected by conduit or trunking; patch panels and cable termination points must be located in locked rooms or lockable cabinets; cable inspections must be included in periodic physical security reviews.

Surveillance & Monitoring

LEAP office locations must be equipped and monitored by CCTV. In addition, all LEAP office locations must be equipped with equivalent surveillance systems intrusion detection and alarm systems. Alarm systems must cover all entry and exit points to sensitive areas. Alarm alerts must be monitored and responded to within a defined timeframe. CCTV and alarm systems must be tested periodically to verify functionality. Where physical monitoring infrastructure (CCTV, alarms) is managed by a landlord or building management company, LEAP must assess whether those controls meet the requirements of this policy, and must implement compensating controls where gaps exist.

Workstation and Equipment Security

  • A Clean Desk Policy applies in all offices. Confidential or restricted documents must be securely stored when not in use.
  • All workstations and laptops must be locked or logged out when unattended.
  • LEAP-issued hardware must not be left unattended in unsecured public areas (e.g., cafes, airports).
  • Hardware disposal must follow LEAP's Secure Disposal Policy, including secure erasure and/or physical destruction.

Off-premises Asset Security

LEAP-issued assets taken off company premises are subject to the following requirements: removal of assets from LEAP premises for purposes other than normal business travel must be authorised by the employee's manager; all mobile devices and laptops used off-premises must have full-disk encryption enabled in accordance with LEAP's Encryption Policy; assets must not be left unattended in vehicles, public spaces, or hotel rooms without being secured; loss or theft of an asset off-premises must be reported immediately to the CISO and the employee's manager. LEAP employees travelling internationally must be aware of local laws regarding encryption and device inspection at borders.

Multi-Location and Jurisdiction Compliance

LEAP operates across multiple countries. Physical security controls must comply with applicable local laws and regulations in each jurisdiction in addition to the requirements of this policy. This includes, but is not limited to: workplace health and safety laws; privacy and data protection laws governing CCTV and surveillance (e.g., GDPR requirements in the UK and EU, Australian Privacy Act); local fire safety codes and building regulations. Where LEAP occupies leased premises and physical security infrastructure is managed by a landlord or building management, LEAP must formally assess whether the controls meet this policy's requirements and document any compensating controls where gaps are identified.

Protection against Environmental and Physical Threats

Each LEAP office location must assess and mitigate environmental threats relevant to its geography. LEAP operates across multiple jurisdictions including Australia & New Zealand, the United Kingdom, the United States, Canada, Poland and other locations, each with different environmental risk profiles. Controls must include as applicable: fire detection and suppression systems; flood protection measures; temperature and humidity monitoring for server rooms; earthquake preparedness where applicable; protection against power surges and supply interruptions. Physical security configurations must account for local environmental risks and be documented in each location's site security configuration.

Incident Management

Any suspected theft, unauthorised access, or physical breach must be reported immediately to security@leaplegalsoftware.com

Related documents (optional)

LEAP Information Security Policy
LEAP Access Control Policy
LEAP Asset Management Policy
LEAP Mobile Device Policy
LEAP Control of Records SOP
LEAP Staff Onboarding, Role Change and Offboarding SOP

Policy Exceptions

Exceptions in this policy will be risk-assessed by CISO with valid business justification and Policy Owner's approval. Exceptions will be time bound>>

Policy Enforcement

Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to HR disciplinary action, up to and including termination of employment

Policy Monitoring

Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.

Awareness & Communication

This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).

Version History

Version Number Date Section Changes Author Approver
1.0 <<enter date>> Initial Release <<Title>> <<Title>>