Build My Company's Physical Security & Safety Policy

YOUR COMPANY — GLOBAL PHYSICAL SECURITY & SAFETY POLICY Scope: Global Technical owner: IT Functional owner: Workplace Senior approver: Director of Workplace 1. OVERVIEW This document provides minimum standards for the installation and management of YOUR COMPANY's access control and video solution. Any existing equipment that does not comply with this standard should be considered for decommissioning and/or updating. Final proof of functionality for added equipment must be confirmed by system integrators with YOUR COMPANY's Workplace and IT teams. IT is the technical owner of the access control and video systems — no updates or server-room access should occur without their permission. Workplace is the functional owner/user of the system. 2. SCOPE This policy applies to all YOUR COMPANY office spaces that are owned or leased by the company where a corporate network is deployed. Access control and/or video is not always possible in shared workspaces (e.g. WeWork). In those locations CCTV will, where permitted, be positioned internally covering entrances/exits and set on motion-sensor alarms for after-hours movement. 3. POSITIONING AND PLACEMENT OF CAMERAS - Cameras monitor doors, entrances, and restricted areas such as IT server rooms. - YOUR COMPANY does not deploy cameras over employee desks or areas with a reasonable expectation of privacy. - Audio capabilities on cameras are disabled. - Restricted-area cameras must have an unobstructed view of the entrance and capture face on entry. - CCTV signage is posted where required by law (GDPR / applicable US states). - Camera positions, coverage direction and blind spots are marked on floor plans saved in Avigilon. - Cameras are linked to associated doors/door alarms by the Super Admin. 4. MONITORING Live viewing is restricted to authorized personnel. 5. ROLES & ACCESS PERMISSIONS TO CCTV / ACCESS CONTROL Any request to access cameras must be approved by Legal and/or the Director of Workplace. Access control and video information will not be used for time-keeping purposes unless approved by Legal. 6. ALARMS & INCIDENT RESPONSE - People detected (not motion) during non-business hours — if capable. - Door forced open or held open. 7. SECURITY PROTOCOLS — VIDEO FEEDS, FIRMWARE & SETTINGS IT is the technical owner. Software and firmware updates are performed by IT. 8. DATA RETENTION - Video — doors: 30 days - Video — IT server rooms: 30 days - Visitor management: minimum 1 year - Access-control badge records: minimum 1 year Retention may be extended for regulatory reasons or as approved by the Director of Workplace. 9. ACCESS CONTROL - When an employee leaves YOUR COMPANY, access is manually revoked and the badge/fob retrieved and wiped. - When an employee joins, onboarding status is confirmed before issuing a badge. - CCTV images of the office are sent to the Director of Workplace for approval (no vision of employees at their desks). - Cameras cover entryways, exits, and IT closets only. 10. RESTRICTED-AREA ACCESS REVIEWS (quarterly / 90 days) - IDF / IT network rooms. Reviews are conducted by Workplace and IT and documented via a ticketing system. Approvers have 7 days to confirm. Facilities have default access for service/maintenance. 11. BADGE STANDARD & ROLES - Employees and contractors: global access 24/7. - Visitors: paper badge only. - All persons display their badge at all times on premises. - Tailgating is prohibited. - Lost badges must be reported and deactivated immediately. - Badges must not be loaned. Temp day badges: issued and tracked; audited each morning by Workplace; deactivated after 48 hours if not returned. Contractor badges: assigned as required; access removed at end of contract. 12. PLACEMENT OF BADGE READERS - All doors leading to office space (including stairwells). - All restricted areas: IT server rooms, IT storage, forensic labs, and any door directed by the Director of Workplace. 13. TECHNICAL — ACCESS CONTROL SYSTEM - REX (request-to-exit) and door contacts at all office entry doors. - Controllers positioned so external tampering is not possible. - OSDP communication between controllers and badge readers. - Fire-alarm relay at lock power supply for fail-safe operation. - POE provided by IT. - Electric mortise locks preferred; magnetic locks avoided. Centrally powered by 24 VDC. Supported badge formats: HID Prox II 26-Bit (H10301), 37-Bit Wiegand HID H10304 / H10302, HID 35-Bit Corporate 1000, MiFare / DESFire / SEOS (high & low frequency). 14. INTERCOM Intercoms at front door and loading area, linked to a mobile device with pinhole camera so the requester is seen before entry. 15. DOOR / CAMERA ALARM PROTOCOLS Forced door / held door / invalid access / after-hours motion / comms-fail / BOLO / gun detection (if deployed) all trigger camera review and response per the documented call list. 16. CCTV ADMIN ACCESS GROUPS - Super Admin: IT — all privileges. - Admin: Workplace / Security — view & configure, share footage, remote unlock, trace badges, assign privileges. - Receptionist: assign badge access / view cameras. 17. VISITOR MANAGEMENT Sign-in captures photo, name, email, cell, host, reason for visit, NDA. Non-FTEs may not bring guests. No photos/recordings by visitors. Guest Wi-Fi is for YOUR COMPANY work purposes only. Paper badge printed with photo, date and host; visitors are escorted at all times; badges are returned at end of visit and are valid for one day. 18. REMOVAL OF ASSETS YOUR COMPANY personnel must obtain prior authorization (verbal from a manager, Facilities or IT) before taking assets off-site. 19. CLEAR DESK & CLEAR SCREEN All YOUR COMPANY employees follow a clear-desk and clear-screen standard: - Lock unattended laptop/desktop screens. - Desks clear of Secret/Confidential information when not in use. - Whiteboards erased after sensitive discussions. - File cabinets with sensitive information kept closed and locked. - Keys to confidential information not left unattended. - No passwords on sticky notes or accessible locations. - Confidential printouts collected immediately. - Shred or use confidential disposal bins for Secret/Confidential documents. - USB/SD storage treated as sensitive and locked away. — End of policy. Approved by Director of Workplace on behalf of YOUR COMPANY.