Physical Security Policy

Classification: Public
Location: https://www.medcrowd.com/compliance/iso27001/policies/PhysicalSecurity
Author: Paul Gardner
Approver: Felix Jackson
Approved: 14th December 2016

Date | Author | Changes
19th June 2023 | Paul Gardner | Periodic review
6th June 2022 | Paul Gardner | Periodic review
16th February 2021 | Paul Gardner | Periodic review
12th February 2020 | Paul Gardner | Periodic review
15th May 2018 | Paul Gardner | Periodic review
15th November 2016 | Paul Gardner | Moved to the web
17th May 2016 | Paul Gardner | Removable media is now permitted using enforced encryption
29th July 2015 | Paul Gardner | Periodic review
22nd September 2014 | Paul Gardner | Updated to reflect new offices and building security
8th September 2014 | Paul Gardner | Rebranding
1st July 2014 | Paul Gardner | Initial revision

Introduction

This policy is part of the medDigital ISMS and must be fully complied with.

Physical access to information processing and storage areas must be controlled to prevent, detect and minimize the effects of unintended access to these areas.

Access control is established by imposing standards for protection at the building, processing area, and supporting areas.

Scope

medDigital has outsourced all physical data center operations to Amazon Web Services. Under the Shared Responsibility model, Amazon Web Services are responsible for physical security. Amazon Web Services are ISO27001:2013 certified.

The scope of this policy is therefore limited to physical security of our offices, laptops, desktops, mobile devices and removable media.

Offices

Access to our offices is protected by key card entry. In addition, the offices themselves are locked. Access to our offices is handled as part of the UMS.

Electronic information is not stored at our offices and there are no servers present.

If any employee becomes aware of unauthorised access to our offices, they must report it immediately to building security staff and raise an Information Security Incident as per the Information Security Incident Management Policy.

Laptop & Desktop Computers

All laptops & desktop computers must have access to the provided network storage, the M drive. This drive is encrypted, provides version control and backup with no limit on time or number of versions. Use of the M drive is also audited.

Laptops & desktops must not leave Great Britain without the consent of IT.

All medDigital information must be stored on the M drive and all local disks must be fully encrypted.

Mobile Devices

Mobile devices must support AES-256 encryption of local storage and this must be enabled at all times.

Mobile devices must not leave Great Britain without the consent of IT.

Mobile devices must have the company portal application installed at all times.

Secure disposal

All devices that are no longer required should be returned to the IT team to ensure all data is securely erased and the device is re-allocated or disposed of as required.

Unattended equipment

All laptops & desktops must be configured to lock after 10 minutes of inactivity and authentication must occur to remove the lock. This control should be enforced by Active Directory Group Policy.

For mobile devices, users are required to ensure the device will automatically lock after 1 minute of inactivity and authentication must occur to remove the lock. This control should be enforced by the MDM.

Removable media

Portable media, such as USB drives, may be used provided they are encrypted in line with our Cryptography policy. This control should be enforced by Active Directory Group Policy.

Clear desk and clear screen

Personnel should ensure their desk is clean, with any documents securely locked away, and desktops/laptops shut down before leaving their desk.