Corda Network Foundation

Physical Security Policy

1 Purpose

The purpose of this policy is to establish the minimum requirements for the physical security of the Corda Network Foundation’s systems and facilities.

2 Risks Addressed

Failure to comply with this policy may expose the Foundation to loss of intellectual property or other confidential information, or to disruption of Foundation-operated services.

Furthermore, failure to comply with this policy may constitute a breach of the Foundation’s legislative, regulatory and/or contractual obligations.

3 Who Does the Policy Apply To?

This policy applies to employees and contractors, consultants, temporaries, and other workers at the Foundation, including all personnel affiliated with third parties. This group is referred to as “team members” throughout this policy.

This policy also applies to all services provided to the Foundation by other entities, such as the Corda Network Operator.

4 Scope

This policy covers all facilities that are used by team members of the Foundation or its Operator, or that support Corda Network systems.

5 Mandatory Controls

Generally applicable controls

Appropriate physical access control systems must be implemented for all facilities critical to the operation of the Foundation and the Corda Network. Physical access controls will be implemented according to the sensitivity and criticality of activities conducted within those facilities.

Physical access to Foundation facilities will be granted according to the provisions of the user access control and access management policy. In particular:

  • Access will be granted according to the principle of least privilege.
  • Segregation of duties between access request, approval and action must be maintained wherever possible.
  • Access to facilities will be regularly reviewed and revoked where no longer needed.

The Foundation will require team members to display appropriate identity and access passes where necessary.

Visitors and team members not authorised for access to a given facility must be escorted by appropriately authorised employees and associates at all times.

All team members are required to observe the Foundation clean desk policy, irrespective of the location at which they are working.

Controls specific to Foundation leased or owned facilities

A facility security manager and deputy must be assigned for each Foundation leased or owned facility.

The facility security manager will, under the guidance of the information security manager, ensure that an appropriate security plan is developed for that facility. The security plan must take into account the sensitivity and criticality of information processed at that site as well as the safety of the site’s occupants. The facility security plan shall include provision for:

  • Occupant emergency procedures.
  • Fire and flood protection.
  • Loss of critical infrastructure services such as telecommunications, power, water, heating and sanitation.
  • Access control systems.
  • Intrusion detection, CCTV and alarm systems.
  • Any other physical security controls that the information security manager and facility security manager deem appropriate for that particular facility, and the information processed there.

Controls specific to cloud service providers

Cloud service providers exhibit specific problems regarding policy compliance, as they are unlikely to provide bespoke security capabilities. It will therefore be necessary for the service owner and information security manager to together evaluate the provider’s stated physical security controls in the context of the classification of the information they will handle, and the criticality of the services that they will provide. The Foundation vendor risk management policy provides an appropriate framework for this.

Physical and environmental security factors must be carefully considered when selecting cloud providers for sensitive or critical services.

Cloud hosted services are subject to the Foundation supplier risk management policy. In particular the service owner will be responsible for ensuring that the service provider meets the requirements of this policy.

Cloud hosted services are required to enforce physical security controls appropriate to the sensitivity and criticality of the information processed by that service. The Foundation information security manager may additionally require service owners for cloud services to verify that such controls are in place. This may be accomplished through third-party security accreditations, certifications or attestations, including ISO 27001 certification or SOC 2 reports, on-site visits or similar.

Controls for other service providers

Other service providers might include providers of data centre colocation services, Corda Network operators or other bespoke service providers appointed by the Foundation for the operation of the Corda Network.

Service providers are subject to the Foundation supplier risk management policy. The individual performing the service owner role as defined in that policy is responsible for ensuring that the service provider meets the requirements of this policy.

Service providers may be required to provide third-party certifications or attestations describing the design and operation of physical security controls relevant to delivery of services to the Foundation. Depending on the sensitivity and criticality of the service, current ISO 27001 certification or SOC 2 type 2 reports may be required.

The supplier must designate a facility security manager or equivalent for every facility used to deliver services to the Foundation.

The facility security manager will ensure that an appropriate security plan is developed for that facility. The security plan must take into account the sensitivity and criticality of information processed at that facility and must satisfy the service owner that:

  • The facility has access control capabilities that are compatible with the Foundation access control policy.
  • There exists a process for requesting and granting access to the facility for team members and service provider staff. The facility security manager must be required to explicitly authorise access to any facility (rack, cage or suite) housing Foundation equipment on a case-by-case basis.
  • The facility security manager periodically reviews and reports on the physical security controls in force. The review will include confirmation of the effectiveness of access control and intrusion detection systems and protection against key threats, including fire, flood and loss of critical infrastructure services.
  • Provision exists for tracking the remediation of issues identified as threats to Foundation operation (failed backup generator tests etc.).
  • The facility security plan will also include any other physical security controls agreed between the facility security manager and service owner that are appropriate for that particular facility, and for the information processed within it.

6 Compliance

Regular assessments are carried out for compliance against this policy. Any violation of this policy will be investigated and, if the cause is found to be wilful disregard or negligence, it will be treated as a disciplinary offence. All disciplinary proceedings are coordinated through the Human Resources Department.

The Foundation reserves the right to amend this policy at any time and will publish updated versions to all team members.