Aulendur Labs

Physical & Environmental Security Policy

Document ID: AUL-POL-11
Version: 1.0
Classification: Internal
Owner: Chief Technology Officer / ISSM
Effective: TBD-YYYY-MM-DD
Next Review: TBD-YYYY-MM-DD


1. Purpose

This policy establishes physical and environmental security requirements for Aulendur Labs facilities, equipment, and media. Physical controls protect information systems and data — including CUI — from unauthorized physical access, theft, tampering, and environmental hazards. This policy implements NIST SP 800-171 Rev. 3 controls 03.10.01, 03.10.02, 03.10.07, and 03.10.08.

2. Scope

This policy applies to:

  • Facilities: Omaha headquarters and any future Aulendur office locations.
  • Personnel: All employees, contractors, visitors, and maintenance personnel accessing Aulendur facilities.
  • Equipment: Servers, workstations, network gear, portable media, and any equipment processing or storing Aulendur data.
  • Exclusions: Remote/home work locations are addressed in the Remote Work / Telework Policy. Cloud data center physical security is the responsibility of the cloud service provider (Linode, AWS, Cloudflare) and is validated through their SOC 2 / ISO 27001 attestations.

3. Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; authorizes facility lease and physical security expenditures. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; defines physical access authorizations; reviews access logs; manages visitor procedures. |
| All Personnel | Comply with physical access procedures; challenge and report unescorted strangers; secure equipment and media. |

4. Policy Statements

4.1 Physical Access Authorization

4.1.1 The CTO/ISSM shall maintain a list of personnel authorized for unescorted physical access to Aulendur facilities (NIST SP 800-171 R3 03.10.01). The authorization list shall be reviewed quarterly and updated within 5 business days of any personnel change.

4.1.2 Physical access authorization shall be commensurate with job function. At current scale (~5 personnel), all employees are authorized for general office access. Server rooms or equipment closets containing network infrastructure shall be restricted to the CTO/ISSM and designated system administrators.

4.1.3 Contractors and maintenance personnel shall be authorized for physical access only for the duration and scope of their engagement, with CTO/ISSM approval.

4.2 Physical Access Controls

4.2.1 The Omaha headquarters shall employ the following physical access controls (NIST SP 800-171 R3 03.10.07):

  • (a) Locked entry points controlled by key, keycard, or combination lock.
  • (b) Visitor sign-in log at the reception point (name, organization, purpose, arrival/departure time, escort name).
  • (c) Visitors shall be escorted by authorized Aulendur personnel at all times within the facility.

[!NOTE] DECISION POINT: The Omaha office is a shared accelerator/coworking space (Werner Exchange). Aulendur may not control building-level access. Physical security controls in this policy apply to Aulendur's dedicated workspace within the facility. The CTO/ISSM shall assess the landlord's building security controls and document any gaps as compensating controls or POA&M items. If the shared space cannot provide adequate isolation for CUI processing, CUI shall not be processed at that location.

4.2.2 Equipment containing CUI or Confidential data shall not be left unattended in shared or public areas. When not in use, such equipment shall be secured in a locked office, drawer, or cabinet.

4.3 Monitoring Physical Access

4.3.1 The CTO/ISSM shall monitor physical access to the facility through the visitor log, and through any electronic access logs provided by the building management system (NIST SP 800-171 R3 03.10.02).

4.3.2 Physical access logs shall be reviewed by the CTO/ISSM at least monthly. Anomalies (unexpected after-hours access, unknown visitors) shall be investigated within 5 business days.

4.3.3 Physical access logs shall be retained for a minimum of 1 year.

4.4 Transmission and Output Devices

4.4.1 Printers, scanners, fax machines, and other output devices capable of producing physical copies of data shall be placed in controlled areas accessible only to authorized personnel (NIST SP 800-171 R3 03.10.08).

4.4.2 Documents containing CUI or Confidential data shall be retrieved from output devices immediately after printing. Unclaimed output shall be collected and securely shredded by the discovering individual.

4.4.3 Shared printers in coworking spaces shall not be used for CUI or Confidential documents. CUI printing, if required, shall occur only on Aulendur-controlled printers in Aulendur-controlled space.

4.5 Media Protection — Physical

4.5.1 Physical media (USB drives, external hard drives, printed documents) containing CUI or Confidential data shall be stored in locked containers when not in active use (NIST SP 800-171 R3 03.08.01).

4.5.2 Access to physical media containing CUI shall be restricted to personnel authorized for CUI access (NIST SP 800-171 R3 03.08.02).

4.5.3 Portable storage media (USB drives) shall not be connected to Aulendur systems without CTO/ISSM authorization. Unauthorized USB devices shall be disabled via endpoint security policy where technically feasible.

4.6 Environmental Controls

4.6.1 The Aulendur workspace shall maintain environmental conditions suitable for information technology equipment: (a) temperature between 64-80°F (18-27°C), (b) relative humidity between 30-70%, and (c) adequate ventilation.

4.6.2 The workspace shall be equipped with, or have access to, fire detection and suppression systems (building-provided in shared spaces).

4.6.3 Critical equipment (if co-located on-premise) shall be connected to uninterruptible power supplies (UPS) to prevent data loss from power fluctuations. At current scale, Aulendur's production infrastructure is cloud-hosted (Linode, AWS, Cloudflare), making on-premise UPS requirements limited to endpoint equipment.

4.7 Equipment Disposal and Reuse

4.7.1 Equipment being decommissioned, returned (leased), or disposed of shall be sanitized per the Data Retention & Disposal Policy (forthcoming) and NIST SP 800-88 Rev. 1 before leaving Aulendur control.

4.7.2 Equipment that processed CUI shall be sanitized to the Purge or Destroy level per NIST SP 800-88 before disposal or transfer.

4.8 Clean Desk

4.8.1 All personnel shall maintain a clean desk practice: documents classified Internal or above shall not be left visible on desks, whiteboards, or monitors when the workspace is unattended. Whiteboards containing Confidential or CUI information shall be erased before leaving the room.

5. Standards & Procedures Referenced

The following companion documents implement this policy:

6. Compliance & Enforcement

Violations of this policy may result in disciplinary action up to and including termination. Tailgating (allowing unauthorized individuals through controlled entry points) and leaving CUI media unsecured are actionable violations. Suspected violations shall be reported to the CTO/ISSM.

7. Exceptions

Exceptions to this policy require written approval per the Policy Exception & Waiver Policy. The shared-space limitations at Werner Exchange are documented as a standing exception with compensating controls reviewed quarterly.

8. Definitions

| Term | Definition |
|---|---|
| Physical Access Authorization | Formal approval to enter a facility or restricted area without escort. |
| Escort | Continuous accompaniment of an unauthorized visitor by an authorized Aulendur employee. |
| Clean Desk | The practice of clearing all sensitive information from work surfaces when unattended. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
| NIST SP 800-88 | Guidelines for Media Sanitization. |
| UPS | Uninterruptible Power Supply. |

9. References

  • NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization
  • CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification

10. Control Mappings

| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.10.01 | Physical Access Authorizations | Full |
| NIST SP 800-171 R3 | 03.10.02 | Monitoring Physical Access | Full |
| NIST SP 800-171 R3 | 03.10.07 | Physical Access Control | Full |
| NIST SP 800-171 R3 | 03.10.08 | Access Control for Transmission and Output Devices | Full |
| NIST SP 800-171 R3 | 03.08.01 | Media Storage | Full — combined with AUL-POL-04 |
| NIST SP 800-171 R3 | 03.08.02 | Media Access | Full — combined with AUL-POL-04 |
| CMMC 2.0 L2 | PE.L2-3.10.1 | Limit Physical Access | Full |
| CMMC 2.0 L2 | PE.L2-3.10.2 | Monitor Facility | Full |
| CMMC 2.0 L2 | PE.L2-3.10.5 | Manage Physical Access | Full |
| CMMC 2.0 L2 | PE.L2-3.10.6 | Alternative Work Sites | Partial — full with AUL-POL-12 |
| NIST SP 800-53 R5 | PE-2 | Physical Access Authorizations | Full |
| NIST SP 800-53 R5 | PE-3 | Physical Access Control | Full |
| NIST SP 800-53 R5 | PE-6 | Monitoring Physical Access | Full |
| NIST SP 800-53 R5 | PE-5 | Access Control for Output Devices | Full |

11. Revision History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |

© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.