Data Center & Asset Physical Security
- Production infrastructure is hosted in a contracted, secured colocation data center with restricted, documented access.
- Physical assets are inventoried, and access to them is restricted to authorized personnel, both in owned facilities and at third-party hosting locations.
- Media and equipment are physically secured, and a documented physical-security incident process is in place.
Framework Alignment: NIST CSF PR.AA, ID.AM; CMMC Level 1 (PE); GDPR Art. 32, 28; ISO 27001:2022 A.7.3, A.7.8
Environmental & Operational Protections
- Facilities are protected against fire, water damage, vandalism, and other location-specific threats.
- Uninterruptible power supplies and surge protection guard against power disruptions and voltage events.
- A clear-desk and clear-screen policy is enforced organization-wide.
Framework Alignment: NIST CSF PR.IR; GDPR Art. 32(1)(b); ISO 27001:2022 A.7.5, A.7.11, A.7.7
Facility Access Control
- Physical access to facilities, equipment, and operating environments is limited to authorized individuals using badges, card readers, and electronic locks under the physical security policy.
- Access is logged, periodically reviewed, and promptly revoked when no longer required.
- Sensitive areas such as server and computer rooms are restricted to authorized personnel.
Framework Alignment: NIST CSF PR.AA; CMMC Level 1 (PE); GDPR Art. 32; ISO 27001:2022 A.7.1, A.7.2
Visitor Management & Monitoring
- Visitors are escorted and their activity monitored, and visitor access is recorded.
- Physical access audit logs are maintained and retained per requirements.
- Facilities and server rooms are monitored around the clock by closed-circuit television (CCTV), with surveillance data protected and retained per policy.
Framework Alignment: NIST CSF DE.CM, PR.AA; CMMC Level 1 (PE); GDPR Art. 32; ISO 27001:2022 A.7.2, A.7.4