
Physical Security Policy

| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |

| Document Type | Policy |
|---|---|
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |

Document #: SP-PSP-027 | Version: V1.2 | Issue Date: 05/09/2025


Document Creation

| Field | Details |
|---|---|
| Document # | SP-PSP-027 |
| Document Title | Physical Security Policy |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 05/09/2025 |
| Document Owner | Chief Information Security Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure that the Physical Security Policy is implemented |
| Authorised By | Yassir Pasha |

Steering Committee

| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs — Regulatory |

Change Control

| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha |

1. Introduction

This document defines the physical security policy of Simpaisa. Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism.

This policy applies to all systems, people and processes that constitute the organisation's information systems, including board members, directors, employees, suppliers and other third parties who have access to Simpaisa facilities.

2. Secure Area

2.1 Physical Security Perimeter

Simpaisa shall define security perimeters and use them to protect areas that contain either sensitive or critical information and information processing facilities. The security perimeter must be clearly defined, and the siting and strength of each of the perimeters shall depend on the security requirements of the assets within the perimeter.

Physical security perimeter requirements include:

  • The perimeters of a building or site containing information processing facilities shall be physically sound (i.e., there shall be no gaps in the perimeter or areas where a break-in could easily occur).

  • The external walls of the site shall be of solid construction and all external doors shall be suitably protected against unauthorised access with control mechanisms (e.g., bars, alarms, locks).

  • A manned reception area or other means to control physical access to the site or building shall be maintained.

  • Physical barriers shall, where applicable, be extended (for example above suspended ceilings and below raised floors) so that the perimeter cannot be bypassed and unauthorised physical access is prevented.

  • All fire doors on a security perimeter shall be alarmed, monitored and tested in conjunction with the walls to establish the required level of resistance in accordance with applicable regional, national and international standards.

  • Suitable intruder detection systems shall be installed to national/international standards and regularly tested to cover all external doors and accessible windows.

2.2 Physical Entry Controls

Secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access. Entry controls shall include:

  • Visitors to secure areas shall be supervised or cleared and their date and time of entry and departure recorded.

  • Access to areas where confidential information is processed or stored shall be restricted to authorised individuals only.

  • All employees, contractors and third-party users shall be required to wear some form of visible identification.

  • Security personnel shall be engaged to control physical access to sensitive areas.

  • Access rights to secure areas shall be regularly reviewed and updated, and authorisation shall be revoked as soon as it is no longer required (e.g., on change of role or termination).

2.3 Securing Offices, Rooms and Facilities

Physical security for offices, rooms, and facilities shall be designed and applied. When securing offices, rooms and facilities the following shall be considered:

  • Key facilities shall be sited to avoid access by the public.

  • Buildings shall be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.

  • Directories and internal telephone books identifying locations of sensitive information processing facilities shall not be easily accessible by the public.

2.4 Protecting Against External and Environmental Threats

Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. Guidance for avoiding or reducing damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster shall be sought from specialists.

2.5 Working in Secure Areas

Procedures for working in secure areas shall be designed and applied:

  • Personnel shall only be made aware of the existence of, or activities within, a secure area on a need-to-know basis.

  • Unsupervised working in secure areas shall be avoided both for safety reasons and to prevent opportunities for malicious activities.

  • Vacant secure areas shall be physically locked and periodically checked.

  • Photographic, video, audio or other recording equipment shall not be allowed without prior management authorisation.

2.6 Delivery and Loading Areas

Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access:

  • Access to a delivery and loading area from outside of the building shall be restricted to identified and authorised personnel.

  • The delivery and loading area shall be designed so that supplies can be loaded and unloaded without delivery personnel gaining access to other parts of the building.

  • External doors of a delivery and loading area shall be secured when the internal doors are opened.

  • Incoming material shall be inspected for potential hazards before it is moved from the delivery and loading area to the point of use.

  • Incoming material shall be registered in accordance with asset management procedures on entry to the site, where applicable.

3. Paper and Equipment Security

3.1 Equipment Siting and Protection

Equipment shall be sited and protected to reduce the risks from environmental threats and hazards and opportunities for unauthorised access:

  • Equipment shall be sited to minimise unnecessary access into work areas.

  • Information processing facilities handling sensitive data shall be positioned carefully to reduce the risk of information being viewed by unauthorised persons during their use.

  • Items requiring special protection shall be isolated to reduce the general level of protection required.

  • Controls shall be adopted to minimise the risk of potential physical and environmental threats (e.g., theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism).

  • Eating, drinking and smoking shall not be permitted in proximity to information processing facilities.

  • Environmental conditions, such as temperature and humidity, shall be monitored for conditions that could adversely affect the operation of information processing facilities.

  • Lightning protection shall be applied to all buildings and lightning protection filters shall be fitted to all incoming power and communications lines.

  • For industrial environments, the use of special protection methods, such as keyboard membranes, shall be considered.

  • Equipment processing sensitive information shall be protected to minimise the risk of information leakage due to electromagnetic emanations.

3.2 Supporting Utilities

Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities:

  • All supporting utilities, such as electricity, water supply, sewage, heating/ventilation and air conditioning shall be adequate for the systems they are supporting.

  • Supporting utilities shall be regularly inspected and, as appropriate, tested to ensure their proper functioning and to reduce any risk from their malfunction or failure.

  • If necessary, multiple power feeds shall be used to avoid a single point of failure in the power supply.

  • Emergency lighting and communications shall be available.

3.3 Cabling Security

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage:

  • Power and telecommunications lines into information processing facilities shall be underground where possible, or subject to adequate alternative protection.

  • Network cabling shall be protected from unauthorised interception or damage, for example, by using a conduit or by avoiding routes through public areas.

  • Power cables shall be separated from communications cables to prevent interference.

  • Cables and equipment shall be labelled clearly to minimise handling errors, such as accidental patching of wrong network cables.

3.4 Equipment Maintenance

Equipment shall be correctly maintained to ensure its continued availability and integrity:

  • Equipment shall be maintained in accordance with the supplier's recommended service intervals and specifications.

  • Only authorised maintenance personnel shall carry out repairs and service equipment.

  • Records shall be kept of all suspected or actual faults and all preventive and corrective maintenance.

  • Appropriate controls shall be in place when equipment is scheduled for maintenance.

  • Equipment shall be checked to ensure that all sensitive data and licensed software has been removed prior to disposal or re-use.

3.5 Security of Equipment Off-Premises

Security shall be applied to off-site equipment taking into account the different risks of working outside the organisation's premises:

  • Equipment and media taken off-site shall not be left unattended in public places.

  • At all times, portable computers shall be carried as hand luggage and disguised where possible when travelling.

  • Manufacturer's instructions for protecting equipment shall be observed at all times.

  • Controls for home working shall be determined by an information security risk assessment and applied as appropriate, e.g., lockable filing cabinets, a clear desk policy, access controls for computers and secure communications with the office.

  • Adequate insurance cover shall be in place to protect off-site equipment.

3.6 Secure Disposal or Re-Use of Equipment

All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

  • Storage devices containing sensitive information shall be destroyed physically, or the information shall be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.

  • Damaged storage devices containing sensitive data may require a risk assessment to determine whether the items should be destroyed rather than sent for repair or discarded.

  • All disposal of hardware assets shall be recorded.

3.7 Removal of Property

Equipment, information or software shall not be taken off-site without prior authorisation:

  • Spot checks shall be conducted to detect unauthorised removal of property.

  • Employees, contractors and third-party users shall be made aware that spot checks are carried out.

  • The date and time of removal and return of equipment shall be recorded and a record maintained.

4. Equipment Lifecycle Management

4.1 Asset Register

Simpaisa shall maintain an asset register that includes all information processing equipment. The asset register shall include:

  • A unique identifier for each asset

  • The asset description and type

  • The asset owner and user

  • The asset location

  • The classification of information processed, stored or transmitted by the asset

  • Date of purchase and expected end-of-life

4.2 Equipment Review

All equipment in the asset register shall be reviewed on a regular basis (at minimum annually) to ensure:

  • Assets are still in use and required

  • Asset details are accurate and up to date

  • Assets are being used in accordance with the organisation's policies

  • Assets nearing end-of-life are identified for replacement or decommissioning

4.3 End-of-Life and Disposal

When equipment reaches end-of-life, it shall be decommissioned and disposed of securely:

  • All data shall be securely wiped from storage media using approved methods prior to disposal

  • Equipment shall be disposed of in accordance with applicable environmental regulations

  • Certificates of destruction shall be obtained for all equipment containing sensitive data

  • Disposal shall be recorded in the asset register