Physical_Security_Policy.md

January 25, 2026 Β· View on GitHub

Hack23 Logo

🏠 Hack23 AB β€” Physical Security Policy

πŸ›‘οΈ Home Office Security Through Layered Protection
🎯 Physical Asset Protection for Remote Operations Excellence

Owner Version Effective Date Review Cycle

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 1.1 | πŸ“… Last Updated: 2026-01-25 (UTC)
πŸ”„ Review Cycle: Annual | ⏰ Next Review: 2027-01-25


🎯 Purpose Statement

Hack23 AB's physical security policy demonstrates how systematic physical asset protection directly supports information security excellence even in distributed work environments. Our comprehensive home office security approach serves as both operational necessity and client demonstration of our cybersecurity consulting expertise.

As a cybersecurity consulting company operating from a home office, our commitment to physical security showcases how effective protection extends beyond digital controls. Our physical security framework demonstrates to potential clients how comprehensive security integrates physical and logical controls, creating competitive advantages through protected assets, maintained confidentiality, and demonstrated security culture.

This policy establishes mandatory physical security requirements for protecting Hack23 AB's information assets, equipment, and business operations in a work-from-home environment, supporting compliance with data protection regulations and industry security standards.

β€” James Pether SΓΆrling, CEO/Founder


πŸ” Purpose & Scope

Purpose

This policy establishes comprehensive physical security standards for Hack23 AB's home office environment, ensuring protection of physical assets, prevention of unauthorized access, and support for information security objectives in a remote work context.

Scope

This policy applies to:

  • Home office workspace and dedicated work areas
  • All physical information assets documented in πŸ’» Asset Register
  • Computing equipment, mobile devices, and storage media
  • Backup media and archived documentation
  • Network equipment and communication devices
  • The CEO/Founder's home office environment
  • Physical security controls supporting logical security measures

Out of Scope:

  • Traditional corporate office security (no physical office)
  • Server rooms and data centers (cloud-native infrastructure)
  • Reception and visitor management (no office visitors)
  • Physical access control systems (residential security)

🏒 Organizational Context

Single Person Company Work From Home Cloud Native No Physical Office

Hack23 AB operates as a single-person Swedish company with the CEO/Founder working exclusively from a home office. This unique context requires physical security policies that:

  • Acknowledge residential environment constraints and advantages
  • Focus on device protection rather than facility access control
  • Address home office specific risks (theft, family access, social engineering)
  • Balance security requirements with practical home environment realities
  • Demonstrate professional security practices to clients despite non-corporate setting
  • Maintain audit-ready documentation for compliance and consulting credibility

Key Physical Security Characteristics:

  • 🏠 Home Office Environment: Residential setting with dedicated workspace
  • ☁️ Cloud-Native Infrastructure: No physical servers or data center presence
  • πŸ“± Mobile Computing: Laptop and mobile devices as primary equipment
  • πŸ” Device-Centric Security: Protection focused on endpoints and media
  • πŸ‘€ Single Occupant: No employees requiring access control or monitoring
  • 🌐 Remote Operations: All business conducted from home environment

🎯 Physical Security Principles

Defense in Depth Asset Protection Access Control Environmental Security

ISO 27001 A.7.1 ISO 27001 A.7.2 CIS Control 12.6

1. πŸ›‘οΈ Layered Defense Strategy

Physical security implemented through multiple defensive layers:

  • Perimeter Security: Residential building access controls
  • Workspace Security: Dedicated home office with controlled access
  • Device Security: Laptop locks, encrypted storage, mobile device protection
  • Data Security: Physical backup media protection and secure disposal
  • Environmental Controls: Fire, water, and environmental monitoring

Integration with logical security per:

2. πŸ’» Asset-Centric Protection

Physical security focused on protecting devices and media:

  • Computing devices (laptops, desktops, tablets)
  • Mobile phones and communication devices
  • Backup media and external storage
  • Network equipment (routers, access points)
  • Sensitive documents and materials
  • Hardware security tokens and authentication devices

Asset protection requirements per πŸ’» Asset Register and 🏷️ Classification Framework.

3. πŸ” Access Control Integration

Physical access controls complement logical access:

  • Residential security preventing unauthorized entry
  • Workspace isolation during business hours
  • Device lock screens and encryption
  • Visitor awareness and control (friends, family, service providers)
  • Social engineering awareness and prevention

4. 🏠 Environmental Security

Home office environment protection addressing:

  • Fire detection and suppression
  • Water damage prevention
  • Temperature and humidity control
  • Power protection (UPS, surge protection)
  • Natural disaster preparedness
  • Equipment placement and safety

🏠 Home Office Physical Security

πŸšͺ Workspace Access Control

Workspace Security Privacy Clean Desk

Perimeter Security (Residential Level):

  • βœ… Residential Building Security: Secure locks on entry doors and windows
  • βœ… Neighborhood Awareness: Understanding local security characteristics
  • βœ… Entry Point Protection: Functioning locks on all ground-floor access points
  • βœ… Security System: Optional home security system or monitoring (risk-based)
  • βœ… Delivery Management: Secure package delivery and acceptance procedures

Home Office Workspace Security:

  • βœ… Dedicated Workspace: Separate room or clearly defined work area
  • βœ… Door Control: Lockable door or equivalent access control to workspace
  • βœ… Window Security: Window locks and privacy controls (blinds/curtains)
  • βœ… Visual Privacy: Screens not visible from outside or common areas
  • βœ… Family Awareness: Household members understand workspace boundaries
  • βœ… Visitor Protocol: Procedures for managing home visitors during work hours

Clean Desk Requirements:

ISO 27001 A.7.7

βœ… Mandatory Clean Desk Practices:

  • Lock computer screens when leaving workspace unattended
  • Store sensitive documents in locked drawers or cabinets when not in use
  • Avoid leaving printouts or notes with sensitive information visible
  • Secure or lock away portable media (USB drives, external drives)
  • Lock workspace when leaving home or during extended absences
  • Remove or secure sensitive materials before allowing home visitors

🏠 Single-Person Context: While living alone reduces insider threats, clean desk practices remain important for:

  • Emergency responder access (fire, medical)
  • Home service providers (repair, maintenance, delivery)
  • Social visits (friends, family)
  • Potential theft during burglary
  • Professional demonstration of security culture

πŸ’» Computing Equipment Protection

Device Security Laptop Lock Encryption

Device Physical Security:

ISO 27001 A.7.9 CIS Control 2.1

βœ… Required Controls:

  • Full Disk Encryption: All computing devices must use full disk encryption per Cryptography Policy
  • Screen Locks: Automatic screen locks enabled (maximum 5 minutes idle)
  • Strong Authentication: Device login requires strong password or biometric authentication
  • Cable Locks: Optional cable locks for stationary equipment in high-risk scenarios
  • Backup Devices: Secondary devices secured with same standards as primary
  • Home Storage: Secure storage location when devices not in use (locked drawer/cabinet)

πŸ“± Mobile Device Protection: Per Mobile Device Management Policy:

  • Device encryption enabled
  • Strong lock screen passwords or biometrics
  • Remote wipe capabilities configured
  • Find My Device features enabled
  • Regular backup procedures followed
  • Physical protection from damage (cases, careful handling)

Travel and Transport Security:

  • Devices never left unattended in vehicles
  • Carry-on luggage only for air travel (never checked)
  • Public transportation awareness (theft prevention)
  • Coffee shop and public space vigilance
  • VPN required for all public network access per Network Security Policy

🌐 Network Equipment Security

Network Security Router Security Access Control

Home Network Physical Security:

ISO 27001 A.13.1

βœ… Required Controls:

  • Router Placement: Located in secure area of home (not easily accessible from outside)
  • Physical Access: Router admin interface access requires physical presence or secure remote access
  • Default Credentials: All default passwords changed per Access Control Policy
  • Firmware Updates: Regular router firmware updates per Vulnerability Management
  • Wi-Fi Security: WPA3 or WPA2 encryption with strong passwords
  • Network Segmentation: Guest network separated from business network (if applicable)
  • Port Security: Unused network ports disabled or secured

IoT and Smart Device Security:

  • Smart home devices on separate network segment (if possible)
  • Security cameras and monitoring devices secured and encrypted
  • Voice assistants positioned away from confidential conversations
  • Regular security updates applied to all smart devices
  • Default credentials changed on all IoT devices

πŸ’Ύ Backup Media and Storage

Backup Security Media Control Disposal

Physical Backup Media Security:

ISO 27001 A.8.3.3 CIS Control 3.3

βœ… Required Controls:

  • Encrypted Backups: All backup media encrypted per Cryptography Policy
  • Secure Storage: Backup media stored in locked cabinet or safe
  • Off-Site Backups: Cloud backups preferred; if physical off-site, use secure location
  • Media Labeling: Clear labels with data classification per Classification Framework
  • Access Control: Only authorized user (CEO) has access to backup media
  • Regular Testing: Backup media tested per Backup Recovery Policy

Portable Storage Media:

  • USB Drives: Encrypted USB drives only for business data
  • External Hard Drives: Full encryption required for business use
  • SD Cards: Secure storage and encryption for sensitive data
  • Physical Security: Locked storage when not in active use
  • Inventory: All portable media tracked in Asset Register

Secure Disposal Procedures:

ISO 27001 A.8.3.2

βœ… Disposal Requirements:

  • Data Wiping: Secure wipe using NIST-approved methods before disposal
  • Physical Destruction: Hard drives and SSDs physically destroyed if containing sensitive data
  • Shredding: Paper documents shredded using cross-cut shredder
  • Disposal Services: Use certified e-waste disposal services for equipment
  • Verification: Document disposal completion for audit purposes
  • Classification Based: Disposal method based on data classification level

πŸ”₯ Environmental and Safety Controls

🌑️ Environmental Protection

Fire Protection Water Protection Power Protection Climate Control

Fire Detection and Prevention:

ISO 27001 A.7.10

βœ… Required Controls:

  • Smoke Detectors: Working smoke detectors in home office area
  • Fire Extinguisher: Accessible fire extinguisher (optional but recommended)
  • Fire Safety Plan: Understanding of home evacuation procedures
  • Equipment Placement: IT equipment away from fire hazards (candles, heaters)
  • Electrical Safety: Proper power distribution, avoid overloaded circuits
  • Regular Testing: Test smoke detectors monthly

Water and Liquid Damage Prevention:

  • Equipment Elevation: Devices stored off floor to prevent flood damage
  • Water Sources: IT equipment away from plumbing, windows, and roof leaks
  • Beverage Safety: Covered containers for drinks near computers (optional but wise)
  • Weather Awareness: Protection during storms and severe weather
  • Leak Detection: Awareness of potential water sources and risks
  • Waterproof Storage: Critical backup media in waterproof containers

Power Protection:

CIS Control 12.3

βœ… Required Controls:

  • Surge Protection: Quality surge protectors for all IT equipment
  • UPS (Uninterruptible Power Supply): Optional but recommended for critical equipment
  • Power Management: Proper shutdown procedures during power events
  • Battery Backup: Laptop batteries maintained for emergency power
  • Electrical Safety: Professional electrical work, no DIY modifications
  • Overload Prevention: Avoid overloading circuits with too many devices

Climate and Environmental Control:

  • Temperature Control: Maintain reasonable temperature (15-25Β°C / 59-77Β°F)
  • Humidity Management: Avoid extreme humidity (30-50% relative humidity ideal)
  • Ventilation: Adequate ventilation to prevent overheating
  • Dust Control: Regular cleaning to prevent equipment damage
  • Sunlight Protection: Avoid direct sunlight on equipment (heat and glare)
  • Pet Safety: Keep pets away from critical equipment and cables

πŸŒͺ️ Natural Disaster Preparedness

Disaster Planning Business Continuity Data Protection

Natural Disaster Considerations:

βœ… Preparedness Measures:

  • Cloud Backup Priority: Primary data backup to cloud per Backup Recovery Policy
  • Mobile Computing: Laptop-based operations enable rapid evacuation
  • Insurance Coverage: Equipment insurance for theft, fire, natural disaster
  • Emergency Contacts: Documented emergency procedures in Business Continuity Plan
  • Alternative Workspace: Ability to work from alternative location (library, coworking space)
  • Critical Data Identification: Know what must be protected during emergency evacuation

Regional Considerations (Sweden):

  • Winter storms and power outages
  • Flooding from heavy rainfall or snowmelt
  • Rare but possible extreme weather events
  • Building security during extended absences (winter holidays)

πŸšͺ Visitor Management and Social Engineering

πŸ‘₯ Home Office Visitor Control

Visitor Management Social Engineering Privacy Protection

Home Visitor Categories and Risks:

ISO 27001 A.7.3

1. Social Visitors (Friends, Family):

  • βœ… Workspace Protocol: Lock computer screens before allowing into workspace
  • βœ… Document Security: Clear desk of sensitive materials before visitors arrive
  • βœ… Privacy Awareness: Avoid discussing confidential business during visits
  • βœ… Device Security: Devices locked and secured during social gatherings
  • βœ… Network Access: Guest Wi-Fi network for visitor devices (if available)

2. Service Providers (Maintenance, Delivery, Utilities):

  • βœ… Supervision: Accompany service providers in workspace areas
  • βœ… Device Security: Computers locked or powered off during service visits
  • βœ… Visual Privacy: Screens turned off or facing away from visitors
  • βœ… Documentation Security: All sensitive documents secured
  • βœ… Network Security: No access to business network credentials

3. Emergency Responders (Fire, Medical, Police):

  • βœ… Emergency Preparedness: Accept potential data exposure in life-safety situations
  • βœ… Device Locks: Automatic screen locks provide basic protection
  • βœ… Encryption: Full disk encryption protects against device seizure
  • βœ… Cloud Backup: Critical data backed up to cloud for recovery
  • βœ… Post-Incident: Follow Incident Response Plan if device access occurred

🎭 Social Engineering Awareness

Social Engineering

Common Social Engineering Threats:

Phone/Email Based:

  • Phishing: Emails requesting credentials or sensitive information
  • Vishing: Phone calls pretending to be support, vendors, or authorities
  • Pretexting: Creating scenarios to extract information
  • Baiting: Offers of services, gifts, or opportunities to trick victim
  • Urgency Tactics: Creating false sense of urgency to bypass security procedures

Physical Social Engineering:

  • Shoulder Surfing: Observing screens, keyboards, or documents
  • Dumpster Diving: Searching trash for sensitive information
  • Impersonation: Pretending to be service provider, delivery, or authority
  • Tailgating: Following authorized person through secure entry
  • Package Deception: Fake deliveries to gain entry or plant devices

βœ… Defense Strategies:

CIS Control 14.2

  • Verify Identity: Always verify caller identity through independent contact
  • Question Requests: Legitimate organizations don't request credentials
  • Follow Procedures: Stick to established security procedures even under pressure
  • Trust Instincts: If something feels wrong, verify before proceeding
  • Secure Disposal: Shred documents containing sensitive information
  • Awareness: Stay informed about current social engineering tactics
  • Report Attempts: Document and report social engineering attempts per Incident Response Plan

πŸ“± Device Security in Public Spaces

β˜• Working Outside Home Office

Mobile Security Privacy Screens VPN Required

Occasional Remote Work (Cafes, Libraries, Coworking):

βœ… Security Requirements:

  • VPN Mandatory: Always use VPN on public networks per Network Security Policy
  • Privacy Screens: Use privacy screen filters to prevent shoulder surfing
  • Device Awareness: Never leave devices unattended, even briefly
  • Clean Desk: No sensitive documents in public spaces
  • Conversation Privacy: No confidential calls or discussions in public
  • Screen Lock: Lock screen when stepping away, even for moments
  • Charging Security: Use own charger and cable, avoid public USB charging stations

Avoid High-Risk Behaviors:

  • ❌ Banking or financial transactions on public Wi-Fi without VPN
  • ❌ Leaving laptop at table while ordering or using restroom
  • ❌ Working with sensitive data in crowded spaces
  • ❌ Accepting network or device help from strangers
  • ❌ Using unknown USB drives found in public spaces

✈️ Travel Security

Travel Security Border Security Data Protection

Travel Security Best Practices:

Before Travel:

  • βœ… Data Minimization: Store only necessary data on travel devices
  • βœ… Full Backup: Complete backup before travel per Backup Recovery Policy
  • βœ… Device Updates: Ensure all security updates installed before departure
  • βœ… Emergency Plan: Document remote wipe procedures and emergency contacts
  • βœ… Insurance Verification: Confirm travel insurance covers devices

During Travel:

  • βœ… Physical Security: Carry devices in carry-on, never checked luggage
  • βœ… Hotel Safety: Use hotel safe for devices when not present
  • βœ… Public Wi-Fi: VPN mandatory for all network access
  • βœ… Border Crossings: Understand device search rights and procedures
  • βœ… Theft Awareness: Be vigilant in high-theft areas (tourist attractions, transportation)

After Travel:

  • βœ… Security Scan: Run malware scan on devices after international travel
  • βœ… Password Changes: Change critical passwords if device security compromised
  • βœ… Incident Review: Report any security concerns per Incident Response Plan

πŸ”’ Equipment Lifecycle Security

πŸ“¦ Procurement and Deployment

Procurement Security Supply Chain Configuration

Secure Procurement:

ISO 27001 A.7.8 CIS Control 4.1

βœ… Requirements:

  • Trusted Vendors: Purchase from reputable vendors per Third Party Management
  • Supply Chain Security: Direct from manufacturer or authorized reseller
  • Tamper Evidence: Inspect packaging for signs of tampering
  • Firmware Verification: Verify firmware authenticity when possible
  • Asset Registration: Register device in Asset Register upon receipt
  • Secure Configuration: Apply security baseline before use

Initial Device Setup:

  1. Physical Inspection: Check device for tampering or damage
  2. Firmware Update: Install latest firmware and security updates
  3. Encryption Setup: Enable full disk encryption per Cryptography Policy
  4. Authentication Configuration: Set strong passwords and enable MFA per Access Control Policy
  5. Security Tools: Install antivirus, firewall, and monitoring tools
  6. Backup Configuration: Configure backup per Backup Recovery Policy
  7. Documentation: Record serial number, configuration, and owner in Asset Register

πŸ”„ Maintenance and Repair

Maintenance Security Data Protection Warranty Service

Equipment Repair Security:

βœ… Repair Procedures:

  • Data Backup: Full backup before any repair per Backup Recovery Policy
  • Data Removal: Remove sensitive data before sending for repair (if possible)
  • Encryption: Maintain encryption; do not provide passwords to repair services
  • Authorized Service: Use manufacturer authorized service centers
  • Tracking: Document repair details, date, provider, and serial number
  • Post-Repair Verification: Verify device integrity after return
  • Data Restoration: Restore from known-good backup after major repairs

Remote Support Considerations:

  • βœ… Verify identity of support providers
  • βœ… Use screen sharing rather than remote control when possible
  • βœ… Monitor technician actions during remote support
  • βœ… Close sensitive applications before granting access
  • βœ… Change passwords after remote support sessions
  • βœ… Document support session per Asset Register

πŸ—‘οΈ Secure Disposal and Decommissioning

Secure Disposal Data Destruction E-Waste

End of Life Procedures:

ISO 27001 A.8.3.2

Classification-Based Disposal:

Device ClassificationData SensitivityDisposal MethodVerification Required
ExtremeCritical business dataPhysical destructionCertificate of destruction
Very HighFinancial, customer dataSecure wipe + physical destructionWipe verification report
HighBusiness sensitiveDOD 5220.22-M wipe (3-pass minimum)Wipe completion log
ModerateInternal use onlySingle-pass secure wipeBasic verification
Low/PublicPublic informationFactory resetStandard reset procedure

βœ… Disposal Checklist:

  1. Data Backup: Verify critical data backed up to cloud
  2. Asset Deregistration: Remove from Asset Register
  3. Account Removal: Deactivate associated accounts and services
  4. License Recovery: Recover software licenses if transferable
  5. Data Wiping: Perform appropriate data destruction method
  6. Physical Disposal: Use certified e-waste disposal service
  7. Documentation: Document disposal method and date
  8. Verification: Obtain certificate of destruction for sensitive devices

Donation and Resale Considerations:

  • Only donate/resell devices with successful secure wipe
  • Remove all identifying labels and asset tags
  • Factory reset insufficient for devices containing sensitive data
  • Consider physical destruction over resale for highly sensitive equipment
  • Document disposition method for audit purposes

🚨 Physical Security Incidents

πŸ“’ Reporting Physical Security Events

Incident Reporting Response Procedures Documentation

Reportable Physical Security Events:

πŸ”΄ Critical (Immediate Report):

  • Device theft or loss (laptop, phone, backup media)
  • Unauthorized access to home office
  • Natural disaster affecting equipment
  • Fire or water damage to IT equipment
  • Device seizure by authorities
  • Suspected tampering with devices

🟑 Important (Report Within 24 Hours):

  • Suspicious visitors or social engineering attempts
  • Environmental issues affecting equipment (overheating, humidity)
  • Equipment malfunction suggesting tampering
  • Unusual physical access patterns
  • Lost authentication tokens or access devices

🟒 Low Priority (Report During Normal Review):

  • Minor equipment damage
  • Environmental concerns (but no damage)
  • Near-miss incidents (prevented theft, avoided damage)

πŸ”„ Incident Response Procedures

Follow Incident Response Plan with physical security considerations:

Device Theft Response:

  1. Immediate Actions:

    • Report theft to local police
    • Initiate remote wipe procedures (if configured)
    • Change credentials for services accessed from device
    • Notify clients if customer data potentially exposed
    • Document incident details
  2. Assessment:

    • Determine what data was on device
    • Assess data protection (encryption status)
    • Evaluate business impact per Classification Framework
    • Identify required notifications (GDPR breach reporting if applicable)
  3. Recovery:

  4. Lessons Learned:

    • Document incident and response
    • Identify prevention opportunities
    • Update security controls if needed
    • Update this policy if necessary

πŸ” Strategic & Governance

πŸ”’ Security Policies

βš™οΈ Operational Integration


πŸ“‹ Document Control:
βœ… Approved by: James Pether SΓΆrling, CEO
πŸ“€ Distribution: Public
🏷️ Classification: Confidentiality: Public
πŸ“… Effective Date: 2026-01-25
⏰ Next Review: 2027-01-25
🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls