Agmt22 Granicus
Entry Properties
Last modified
2/14/2024 3:03:56 PM
Creation date
2/14/2024 3:03:15 PM
REV: 06-24-22 RL

2. PHYSICAL AND LOGICAL ACCESS

Granicus maintains an effective process to control and secure access to the data processing system(s) and sensitive information resources leveraging secure authentication, and authorization mechanisms:

2.1 Document procedures for granting and revoking access to Granicus information resources.

2.2 Access restrictions will be based on role and need-to-know and least privilege principles.

2.3 All access will be assigned using a unique identifier (User ID) and will be required to meet the password complexity requirements in accordance with NIST 800-53.

2.4 Granicus will ensure that a password has a minimum of eight characters and contains at least two of the following parameters: (i) alphanumeric characters; (ii) uppercase and lowercase characters, and; (iii) special characters.

2.5 Multiple authorization levels will be used when granting access to sensitive information resources, including those storing and processing personal information in accordance with the Granicus Information Security policies.

2.6 All privileged access to production will be controlled by adequate security controls.

2.7 User access will be documented and reviewed on a periodic basis, based on risk.

Granicus will ensure that unauthorized persons are prevented from gaining physical access to premises, buildings, or rooms where data processing systems that process or use Personal Data are located:

2.8 Granicus protects its information resources and physical facilities using the adequate physical and logical controls in accordance with the Granicus Information Security Policies.

2.9 In general, buildings are secured through access control systems (e.g., smart card access system).

2.10 As a minimum requirement, the outermost entrance points of the building must be fitted with a certified key system including modern, active key management

2.11 Depending on the security classification, buildings, individual areas and surrounding premises may be further protected by additional measures. These include specific access profiles, video surveillance, intruder alarm systems and biometric access control systems.

2.12 Access rights are granted to authorized persons on an individual basis according to the System and Data Access Control measures (see below). This also applies to visitor access. Guests and visitors to Granicus buildings must register their names at reception and must be accompanied by authorized Granicus personnel.

2.13 Granicus employees and external personnel must wear their ID cards at all Granicus locations.

2.14 All data centers adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms and other measures to prevent equipment and data center facilities from being compromised. Only authorized representatives have access to systems and infrastructure within the data center facilities. To protect proper functionality, physical security equipment (e.g., motion sensors, cameras, etc.) undergo maintenance on a regular basis.

2.15 Granicus and all third-party data center providers log the names and times of authorized personnel entering Granicus’s private areas within the data centers.

3 DATA TRANSMISSION CONTROL

Except as necessary for the provision of the Cloud Services in accordance with the Services Agreement, Granicus will ensure that Personal Data will not be read, copied, modified, or removed without authorization during transfer. Where data carriers are physically transported, adequate

ATTY/AGR.2022.156/Granicus (Online agenda and meeting hosting and indexing) (Page 30 of 32)