Physical Security Policy
- Document ID: DPWAT-ISMS-POL-012
- Version: 1.0
- Owner: Administrator + CISO — Anna Boros; Timo Andreas Bejan
- Approved by: Administrator (ADM) — Anna Boros
- Effective date: 2025-10-15
- Next review: 2027-02-01 (or on major change)
1. Operating context
DP WAT is remote-first with no owned physical infrastructure. Personnel work from:
- Home offices — treated as untrusted networks (zero trust)
- DP COWORKING SRL premises — private offices with physical security controls (see below)
- Client sites — subject to client security requirements
The primary physical risks are unauthorized access to endpoints and paper documents.
2. DP COWORKING SRL premises
DP WAT uses private offices provided by DP COWORKING SRL (a related entity). Physical security is managed by DP COWORKING:
| Control | Provider | Notes |
|---|---|---|
| Physical perimeter | DP COWORKING | Building access control |
| Office entry | DP COWORKING | Digital locks, access granted to DP WAT personnel |
| Security monitoring | DP COWORKING | Camera on office door |
| Environmental protection | DP COWORKING | Fire safety, building maintenance |
| Network infrastructure | DP COWORKING | DP WAT treats the network as untrusted (zero trust) |
DP WAT personnel must follow DP COWORKING house rules in addition to this policy.
3. Rules for all personnel
- Visitors must be escorted and must not access confidential information.
- Keep work areas clear of sensitive papers (clear desk); lock screens when unattended (clear screen).
- Do not leave laptops unattended in public places.
- Paper documents containing sensitive information must be stored in locked cabinets when not in use.
- Report physical security concerns to the CISO.
4. Endpoint security
- Company-owned devices are enrolled in Apple device management (MDM).
- FileVault (full disk encryption) is required on all macOS devices.
- Screen lock is required on all devices.
- If a device is lost or stolen, report it immediately; a remote wipe will be initiated.
- Devices are expendable — if damaged or stolen, they are replaced.
5. Equipment disposal and reuse
Before disposing of or reassigning a company-owned device:
- Perform a full wipe via Apple device management or factory reset.
- Remove the device from MDM enrollment if it is being disposed of.
- Record the disposal or reassignment in the asset register.
6. External storage media
External storage (USB drives, external HDDs/SSDs) is prohibited without written CISO approval per the Acceptable Use Policy.