This Policy provides a framework which allows Quandis to manage resources in the most secure way. Security is everyone’s responsibility and all personnel employed by Quandis must make every effort to comply with this Policy. This Physical Security Policy will ensure a consistent approach to the implementation of appropriate security controls against common threats.

Server Hosting Facilities

The data centers are to provide sufficient controls and maintain protection of computer equipment from physical and environmental hazards. These controls are as follows:

  1. Server hosting facilities are designated a secure area. Visitors are to be escorted at all times and a record of visitors kept in Reception.
  1. Badge and bio-metric readers are used at the entrance to the facility.
  1. Perimeter and interior of the buildings are monitored by security equipment 24x7x365. Security guards patrol the facilities and monitor security systems and alarms.
  1. The building must be contained by a physical perimeter and cannot be shared by other tenants.
  1. Building and roof construction is rated to withstand wind speeds of at least 100 mi/hr.
  1. Redundant water chillers, condensers and/or air handlers.
  1. Strategically placed water sensors.
  1. Separate cooling zones.
  1. Diesel generators sufficient to power entire facility
  1. A minimum forty-eight hour fuel supply, with vendors waiting on demand if needed.
  1. Ceiling mounted smoke detectors.
  1. Dry Pipe fire suppression systems.
  1. Chemical fire extinguishers and gas suppression systems.
  1. All windows have motion/contact alarms that will trigger if opened or broken.
  1. Building has external lighting for all entries and windows.
  1. Digital CCTV at entry points. Recordings stored for at least 90 days.
  1. Redundant UPS, PDU and transfer switches.
  1. Current and preventive maintenance contracts are in place for UPS System, Security System, Generators, Fire Alarms and Suppression Systems, HVAC. These items are tested annually.
  1. Regular testing and preventative maintenance of environment control systems.
  1. All assets held by Quandis are held against an asset register and be uniquely marked.
  1. All equipment storage areas are ‘out of bounds’ to visitors.
  1. On-going maintenance arrangements are to be made for all essential equipment and installations and are to be reviewed at regular intervals.
  1. Equipment is not to be removed from Quandis without the authority of the CTO.

 

Quandis hosting facilities are monitored and visited annually as well as randomly to ensure continued compliance. Please see example Appendix A.

Business Office Facility Controls

The Quandis office building hours are from 6:00am to 6:00pm. Employees must complete a probationary period before they are permitted to access the building outside of these hours. All visitors to Quandis must sign and out at the front reception.

Any access to the building after the posted hours requires a Security FOB. Access to the Suite requires a key to the Suite and an Alarm Code. Security FOBs, Keys and Alarm Codes are issued and uniquely assigned to each employee. The building property management as well as the cleaning crew are also assigned keys and codes for the office. All security access is managed and tracked by the Quandis office manager.

Upon separation from Quandis, employees will turn in the Security Fob, Suite key and sign a form acknowledging the same. The office manager will then deactivate their security code.

 

All Quandis employees are required to:

  1. Ensure the safe keeping of the keys to prevent unauthorized access.  Any loss of keys is to be reported to the CEO without delay.
  1. Keep alarm keypad combinations confidential at all times.
  1. Immediately notify the office manager or CEO if anyone feels that a combination has been compromised.

The Quandis suite is monitored by CCTV that runs 24/7/365 and those recordings are stored indefinitely.

 

POLICY REVIEW

This Policy is to be reviewed on an annual basis by the CTO to take account of changing circumstances, technology and security risks.

Any revisions to the Policy are to be approved by the CEO and CTO prior to implementation.

Version Updated Name Title Update Summary
8/9/2013 Laura Hadley VP Product Development Added Policy Version Control
9/2013 Eric Patrick CTO Review
9/2014 Eric Patrick CTO Review
9/2015 Eric Patrick CTO Review
9/2016 Eric Patrick CTO Review
 10/2017 Wes Coulter VP Business Development Review
 9/2018  Wes Coulter  VP Client Partnerships  Annual Review