Physical security policy

1. Purpose

This document establishes mandatory requirements for HLD Group personnel, contractors, and third parties with access to HLD Group systems, facilities, or data. It supports our information security management system (ISMS), regulatory obligations, and customer contractual commitments.

Compliance with this policy is a condition of access to company resources. Exceptions require documented approval from the Chief Information Security Officer (CISO) or delegate and must include compensating controls.

2. Scope

This policy applies globally to all HLD Group employees, contractors, consultants, interns, and agency staff ("Personnel"). It covers all information assets owned, leased, or processed by HLD Group, including cloud services, customer environments under our management, development systems, corporate IT, and removable media.

Where a customer contract or applicable law imposes stricter requirements, the stricter requirement prevails. Customer-specific security addenda form part of the compliance baseline for assigned personnel.

• Corporate and production information systems
• Endpoints, mobile devices, and removable media used for company business
• Collaboration tools, email, and messaging platforms
• Source code repositories, CI/CD pipelines, and artefact stores
• Physical offices, co-working facilities, and data centre space under our control

3. Definitions

• Information asset — any data, system, application, or service that stores, processes, or transmits information
• Sensitive data — confidential, restricted, regulated, or customer data requiring heightened protection
• Privileged access — administrative or elevated rights that can alter security configuration or access unrelated data
• Security incident — a confirmed or suspected breach of policy, loss of confidentiality, integrity, or availability
• Compensating control — alternative safeguard that achieves equivalent risk reduction when a primary control cannot be met

4. Facilities

Offices and co-located spaces use access control (badges, keys). Server and network equipment reside in provider data centres meeting SOC 2 / ISO 27001 where applicable.

5. Visitor management

Visitors sign in, display badges, and are escorted in secure areas. Visitor logs retained 90 days.

6. Equipment and media

Laptops are cable-locked in shared offices where practical. Sensitive paper media is shredded. Hard drives are wiped or destroyed before disposal.

7. Environmental controls

Cloud and colocation providers supply fire suppression, climate control, and UPS; contracts require evidence of controls.

Roles and responsibilities

Enforcement, exceptions, and review

Violations may result in access suspension, disciplinary action up to termination, contract remedies for third parties, and referral to law enforcement where appropriate.

Exception requests must be submitted in writing, include business justification, risk assessment, expiry date, and compensating controls. Exceptions are reviewed at least quarterly.

This policy is reviewed at least annually and upon significant regulatory, organisational, or technology changes. Version history is maintained in the compliance repository.