Introduction
This policy is part of the medDigital ISMS and must be fully complied with.
Physical access to information processing and storage areas must be controlled to prevent, detect
and minimise the effects of unintended access to these areas.
Access control is established by imposing standards for protection at the building, processing area,
and supporting areas.
Scope
medDigital has outsourced all physical data centre operations to Amazon Web Services. Under the
Shared Responsibility model, Amazon Web Services is responsible for physical security. Amazon Web Services is ISO 27001:2013 certified.
The scope of this policy is therefore limited to physical security of our offices, laptops, desktops, mobile devices and removable media.
Offices
Access to our offices is protected by key card entry. In addition, the offices themselves are locked.
Access to our offices is handled as part of the UMS.
Electronic information is not stored at our offices and there are no servers present.
If any employee becomes aware of unauthorised access to our offices, they must report it immediately to
building security staff and raise an Information Security Incident as per the Information Security Incident Management Policy.
Laptop & Desktop Computers
All laptops & desktop computers must have access to the provided network storage, the M drive. This drive
is encrypted, provides version control and backup with no limit on time or number of versions. Use of the M drive is also audited.
Laptops & desktops must not leave Great Britain without the consent of IT.
All medDigital information must be stored on the M drive and all local disks must be fully encrypted.
Mobile Devices
Mobile devices must support AES-256 encryption of local storage and this must be enabled at all times.
Mobile devices must not leave Great Britain without the consent of IT.
Mobile devices must have the company portal application installed at all times.
Secure disposal
All devices that are no longer required should be returned to the IT team to ensure all data is securely
erased and the device is re-allocated or disposed of as required.
Unattended equipment
All laptops & desktops must be configured to lock after 10 minutes of inactivity and authentication must
occur to remove the lock. This control should be enforced by Active Directory Group Policy.
For mobile devices, users are required to ensure the device will automatically lock after 1 minute of
inactivity and authentication must occur to remove the lock. This control should be enforced by the MDM.
Removable media
Portable media, such as USB drives, may be used provided they are encrypted in line with our
Cryptography policy.
This control should be enforced by Active Directory Group Policy.
Clear desk and clear screen
Personnel should ensure their desk is clear, with any documents securely locked away, and desktops/laptops shut down
before leaving their desk.