Internal Use

PE - Physical Security Policy and Procedures

Dispel

Document Control

1. PURPOSE AND SCOPE

1.1 Purpose

This policy establishes Dispel’s approach to physical and environmental protection of information systems, facilities, and supporting infrastructure, and provides the procedures for implementing those controls. It defines the requirements and responsibilities necessary to:

• Protect company personnel and visitors from physical harm within Dispel-controlled facilities.
• Prevent unauthorized physical access to information systems, media, and supporting infrastructure.
• Protect facilities and equipment against damage, tampering, theft, and environmental threats.

1.2 Scope

This policy applies to:

• All Dispel-owned or leased office space and facilities.
• All workforce members, contractors, and interns who work at or visit Dispel facilities.
• All visitors, vendors, and third parties who are granted physical access to Dispel-controlled spaces.
• All physical assets that process, store, or transmit company information or support production services (including end-user devices located in offices).

Cloud data centers hosting the Dispel Zero Trust Engine are covered by the physical and environmental controls of the underlying cloud providers and are treated as inherited controls. This document focuses on Dispel-managed facilities and interfaces with those inherited controls.

1.3 Regulatory and Framework Alignment

2. POLICY STATEMENTS

2.1 Dispel SHALL maintain physical security and environmental protection controls for all company-controlled facilities that are commensurate with the sensitivity and criticality of the information and systems housed within.

2.2 Physical access to Dispel facilities and restricted areas SHALL be granted on a least-privilege basis, logged where technically feasible, and revoked promptly when access is no longer required.

2.3 Visitors and vendors SHALL be clearly identified, escorted where appropriate, and recorded in a visitor log for the duration of their presence in restricted areas.

2.4 Environmental controls (e.g., fire detection and suppression, power, temperature, water protection) SHALL be implemented, monitored, and maintained by building management and/or cloud providers, with Dispel responsible for ensuring appropriate coverage and documentation.

2.5 Workforce members SHALL protect equipment and media taken off-site and SHALL follow this policy and related procedures when transporting, storing, or disposing of equipment and media.

2.6 Physical security procedures SHALL be reviewed at least annually by the Policy Owner, and updated as necessary to reflect changes to facilities, organizational structure, technology, or regulations.

3. REQUIREMENTS

3.1 Governance and Review

• The Compliance Officer is the Policy Owner for this document.
• The Policy Owner SHALL review this policy and associated procedures at least annually and after significant changes to facilities, office locations, or applicable regulations.
• The policy SHALL be made readily available to all workforce members.

3.2 Facility Access Controls

• All office areas controlled by Dispel are considered restricted to workforce members and authorized contractors.
• Physical access to Dispel facilities SHALL be controlled via building-managed keys and/or electronic badges or fobs that produce access logs where available.
• Access to facilities SHALL be revoked promptly upon termination of employment or contract.
• Lost or stolen keys or access devices SHALL be reported immediately to the People function (or designated role), who coordinates with building management to disable or replace access devices.

3.3 Onboarding and Offboarding – Facility Access

• The People function (or equivalent) coordinates with building management to request and revoke facility access (keys, access cards, and fobs) for workforce members.
• Access is requested only after:
  • Completion of required background checks (where applicable), and
  • Completion of onboarding, including acceptance of the Information Security Policy and this Physical Security Policy.
• Upon termination or end of contract, all keys, cards, and fobs MUST be collected (or confirmed disabled) on or before the individual’s last day.
• Lost or stolen access devices MUST be reported immediately to the People function, who SHALL coordinate revocation and replacement with building management.

3.4 Visitor Management

• Visitors SHALL be pre-registered where feasible or otherwise checked in at arrival.
• At check-in, the Dispel host or designated receptionist SHALL:
  • Record the visitor’s name, organization (if any), date/time in, purpose of visit, and host.
  • Issue a visitor badge or equivalent identification.
  • Ensure the visitor is aware of any safety and emergency procedures.
• Visitors MUST:
  • Display their badge while in Dispel-controlled areas.
  • Be escorted by their host or a designated representative while in restricted areas.
• At checkout, badges SHALL be collected and time of departure recorded where log facilities are available.
• Violations of visitor controls SHALL be reported to management and may result in removal of access privileges.

3.5 Restricted Areas and General Office Access

• Dispel office space (non-public floors/units) is considered a restricted area.
• Access to restricted areas is limited to authorized workforce members and pre-approved vendors.
• Unescorted visitors are not permitted in restricted areas.
• Workforce members SHALL challenge or report unbadged or unknown individuals found within restricted areas, where it is safe to do so.

3.6 Workstation and Equipment Security

• Workstations and laptops MAY only be used by authorized workforce members for approved business purposes.
• Workforce members SHALL lock screens when away from their workstations and SHALL keep portable equipment (e.g., laptops) physically secured when off-site.
• Only authorized personnel may remove equipment (e.g., laptops, network devices) from Dispel facilities.
• The owner or custodian of the equipment MUST:
  • Ensure equipment is physically secure during transport (e.g., never left unattended in public spaces or unlocked vehicles).
  • Use appropriate locking mechanisms (e.g., cable locks, locked drawers) where risk justifies it.
  • Follow applicable data protection and encryption requirements for systems that store company data.
• Equipment taken off-site SHALL be tracked (e.g., inventory records or ticketing) and returned when no longer needed.
• If equipment is lost or stolen, the workforce member MUST notify the Security Officer and Compliance Officer as soon as possible so that incident response procedures can be initiated.

3.7 Environmental, Safety, and Backup Power Controls

• Building management is responsible for:
  • Fire detection and suppression systems.
  • Emergency power systems and electrical safety.
  • Climate control in office areas.
  • Water damage protection where applicable.
• Dispel SHALL:
  • Maintain documentation (e.g., lease agreements, building security descriptions) describing these protections.
  • Periodically confirm that emergency exits, evacuation routes, and safety equipment remain available and unobstructed.
  • Incorporate physical safety and evacuation topics into workplace orientation, where relevant.
• Dispel personnel SHALL keep laptops reasonably charged so that short power interruptions do not disrupt work.
• Where required by risk assessment, Dispel SHALL verify that critical facilities used for operations provide adequate fire detection and suppression, water damage protection, and climate controls.
• Dispel SHALL ensure that data center physical security for cloud-hosted systems is inherited from the cloud providers’ FedRAMP or equivalent certifications.

3.8 Cabling and Infrastructure Protection

• Power and telecommunications cabling within Dispel-controlled areas SHALL be routed and protected to reduce risks of tampering, damage, interference, or unauthorized interception.
• Where practicable, cabling SHOULD be concealed (e.g., in conduit, within walls, or overhead trays) and labeled to identify purpose and endpoints.
• Any significant changes to cabling infrastructure MUST be planned and documented by the responsible operations team.

4. ROLES AND RESPONSIBILITIES

• Compliance Officer – Policy Owner; oversees implementation, review, and continuous improvement of this policy.
• Head of Operations – Ensures that physical security practices for offices and operational areas align with this policy; coordinates with building management on physical security topics.
• Director of People (or equivalent) – Manages workforce onboarding and offboarding with respect to facility access, including issuance and revocation of keys and access devices.
• Security Officer – Coordinates incident response activities in the event of physical security incidents (e.g., lost devices, unauthorized entry).
• All Workforce Members – Follow these procedures, protect Dispel equipment and facilities, challenge unidentified individuals in restricted areas (where safe to do so), and promptly report suspected physical security incidents.
• Building Management / Landlord – Provides and maintains base building physical and environmental controls under contractual agreements and applicable regulations.

5. PROCEDURES

5.1 The Policy Owner and Head of Operations MAY maintain additional, more granular standard operating procedures (SOPs) to implement this policy, including but not limited to:

• Detailed visitor check-in/check-out instructions.
• Steps for provisioning, revoking, and auditing facility access badges.
• Procedures for periodic walkthroughs and safety checks.
• Equipment and asset movement logs and forms.

5.2 FedRAMP-specific procedures and mappings related to PE-1 through PE-18 for the Dispel Zero Trust Engine SHALL be documented in the FedRAMP documentation set, referenced from this policy as needed.

6. MONITORING AND COMPLIANCE

• Compliance with this policy MAY be evaluated through internal audits, walkthroughs of facilities, review of visitor logs, and review of access records (where available from building management).
• The Compliance Officer MAY schedule periodic reviews or audits to ensure that:
  • Visitor logs (where used) are maintained and complete.
  • Access revocations are timely and documented.
  • Any known physical incidents are captured and managed under the incident response process.
• Identified deficiencies SHALL be tracked to remediation.
• Repeated or serious violations SHALL be escalated to management and may result in disciplinary action or vendor/visitor access revocation.

7. EXCEPTIONS AND WAIVERS

• Requests for temporary exceptions to this policy (e.g., special events, construction) MUST be documented, time-bound, approved by the Policy Owner, and include appropriate compensating controls (e.g., additional staffing, temporary barriers, or signage).
• Structural or long-term changes to physical security controls SHALL be implemented through the formal policy revision and approval process and approved by senior management.

8. DEFINITIONS

• Covered Person – Any workforce member or contractor authorized to access Dispel information systems or facilities.
• Restricted Area – Any non-public space in a Dispel-controlled facility where access is limited to authorized personnel (e.g., office areas, storage rooms containing equipment or media).
• Visitor – Any person who is not a Covered Person and who is granted temporary physical access to a Dispel-controlled facility.

9. REFERENCES

• Dispel Information Security Policy.
• Dispel System Access Control Policy.
• Dispel Asset Management and Data Protection Policies.
• FedRAMP Moderate/High baselines (PE family) as applicable to the Dispel Zero Trust Engine.

10. DOCUMENT HISTORY

11. APPROVAL SIGNATURES

APPENDICES

(Intentionally left blank at this time. Detailed FedRAMP PE narratives and any building-specific security documentation are maintained separately and may be linked or embedded here in a future revision.)