| Document Number | POL-GL-COM-PHYS-1.0 |
| Target audience | <<intended recipients>> |
Cover page layout
This policy establishes the minimum physical and environmental security requirements for LEAP offices, facilities, secure areas, and physical assets. It is intended to protect LEAP personnel, customer information, company assets, and information processing facilities from unauthorised access, theft, damage, interference, and environmental threats.
This policy applies to all LEAP employees, contractors, consultants, temporary staff, and third parties who access LEAP offices, facilities, secure areas, or physical assets. It applies across all LEAP locations, including offices, communications rooms, network equipment areas, storage rooms, meeting rooms, and any other location where LEAP information or technology assets are processed, stored, or supported.
Each LEAP office location must have defined physical security perimeters with clearly delineated secure areas. Perimeter types include: building entry points (reception/lobby), floor-level access, communications and network rooms, and server or data processing areas. Perimeters must be physically sound, with no gaps in the boundary that would allow unauthorised entry. All perimeter entry points must be protected by access control mechanisms appropriate to the sensitivity of the area they protect.
LEAP equipment must be physically protected from theft, tampering, accidental damage, and environmental hazards. Network devices, switches, firewalls, wireless controllers, and other critical infrastructure must be located in secured rooms or cabinets with restricted access. Supporting utilities such as power protection must be used where required to protect critical equipment.
All LEAP equipment must be maintained in accordance with supplier-recommended service schedules and intervals. Requirements include: only authorised personnel or approved third-party service providers may carry out maintenance on LEAP equipment; maintenance activities on equipment containing confidential data must be supervised or must involve data sanitisation prior to service; maintenance records must be kept for all critical equipment; faults suspected to have been caused by tampering or unauthorised access must be reported as security incidents.
The following rules apply to all personnel working in or accessing secure areas such as server rooms, network rooms, and restricted storage areas: Food and drink are prohibited in server and network rooms. Photography, video recording, and use of personal devices for recording are prohibited in secure areas unless explicitly authorised. Where practicable, work in highly sensitive areas (e.g., server rooms) should be performed with a second person present. Unsupervised work by third-party maintenance personnel in secure areas is prohibited; an authorised LEAP employee must be present
Critical information processing facilities must be supported by adequate utilities to prevent interruption or degradation of service. Requirements include: Uninterruptible Power Supplies (UPS) must be installed for servers and critical network equipment; power supply capacity must be reviewed periodically against equipment load; HVAC (heating, ventilation, and air conditioning) systems must maintain appropriate temperature and humidity levels in server and network rooms; utility failures (power, cooling, water ingress) must be reported and treated as physical security incidents; backup power arrangements must be in place at critical hosting sites.
Network and telecommunications cabling must be protected from interception, interference, and damage. Requirements include: power cabling and network data cabling must be routed separately where practicable; cable runs must be labelled and documented; cables in accessible areas must be protected by conduit or trunking; patch panels and cable termination points must be located in locked rooms or lockable cabinets; cable inspections must be included in periodic physical security reviews.
LEAP office locations must be equipped and monitored by CCTV. In addition, all LEAP office locations must be equipped with equivalent surveillance systems intrusion detection and alarm systems. Alarm systems must cover all entry and exit points to sensitive areas. Alarm alerts must be monitored and responded to within a defined timeframe. CCTV and alarm systems must be tested periodically to verify functionality. Where physical monitoring infrastructure (CCTV, alarms) is managed by a landlord or building management company, LEAP must assess whether those controls meet the requirements of this policy, and must implement compensating controls where gaps exist.
LEAP-issued assets taken off company premises are subject to the following requirements: removal of assets from LEAP premises for purposes other than normal business travel must be authorised by the employee's manager; all mobile devices and laptops used off-premises must have full-disk encryption enabled in accordance with LEAP's Encryption Policy; assets must not be left unattended in vehicles, public spaces, or hotel rooms without being secured; loss or theft of an asset off-premises must be reported immediately to the CISO and the employee's manager. LEAP employees travelling internationally must be aware of local laws regarding encryption and device inspection at borders.
LEAP operates across multiple countries. Physical security controls must comply with applicable local laws and regulations in each jurisdiction in addition to the requirements of this policy. This includes, but is not limited to: workplace health and safety laws; privacy and data protection laws governing CCTV and surveillance (e.g., GDPR requirements in the UK and EU, Australian Privacy Act); local fire safety codes and building regulations. Where LEAP occupies leased premises and physical security infrastructure is managed by a landlord or building management, LEAP must formally assess whether the controls meet this policy's requirements and document any compensating controls where gaps are identified.
Each LEAP office location must assess and mitigate environmental threats relevant to its geography. LEAP operates across multiple jurisdictions including Australia & New Zealand, the United Kingdom, the United States, Canada, Poland and other locations, each with different environmental risk profiles. Controls must include as applicable: fire detection and suppression systems; flood protection measures; temperature and humidity monitoring for server rooms; earthquake preparedness where applicable; protection against power surges and supply interruptions. Physical security configurations must account for local environmental risks and be documented in each location's site security configuration.
Any suspected theft, unauthorised access, or physical breach must be reported immediately to security@leaplegalsoftware.com
LEAP Information Security Policy
LEAP Access Control Policy
LEAP Asset Management Policy
LEAP Mobile Device Policy
LEAP Control of Records SOP
LEAP Staff Onboarding, Role Change and Offboarding SOP
Exceptions in this policy will be risk-assessed by CISO with valid business justification and Policy Owner's approval. Exceptions will be time bound>>
Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to HR disciplinary action, up to and including termination of employment
Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.
This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).
| Version Number | Date | Section Changes | Author | Approver |
|---|---|---|---|---|
| 1.0 | <<enter date>> | Initial Release | <<Title>> | <<Title>> |