Physical Security Summary

Operating model and locations

Virtus Group operates with a distributed/remote delivery model. Where an engagement requires on‑site activity, we follow the client’s site access and safety requirements in addition to our internal controls.

Physical security focuses on preventing unauthorised access to devices, information, and work areas, and reducing incidental exposure risks (e.g., shoulder‑surfing).

• Client sites: access is granted through client processes; visitor rules and escort requirements are followed.
• Cloud/data centres: physical controls are managed by providers; our responsibilities focus on logical access, encryption, logging, and backup/DR.
• Remote work: devices and workspaces must meet minimum security requirements (see below).

Office and workspace controls

• Access control: controlled entry (keys/fob) where applicable; visitors sign in and are escorted.
• Work area discipline: clean‑desk/clear‑screen; sensitive material not left unattended; secure storage for any paper records.
• Screen privacy: auto‑lock, privacy practices in shared spaces, and privacy filters where required.
• Equipment security: laptops and removable devices stored securely when not in use; devices not left in vehicles.
• Physical tamper reduction: comms/storage areas restricted; tamper‑evident measures used where applicable.

Remote work and field work safeguards

Remote work introduces physical exposure risks. We require a controlled working environment for any role that may access client data or systems.

• Approved workspace: no public/shared screens for sensitive work; avoid public Wi‑Fi for administrative access unless protected by approved controls.
• Shoulder‑surfing mitigation: position screens away from view; use privacy filters where appropriate.
• Device posture: full‑disk encryption, MFA, screen lock, and MDM/endpoint protection where applicable.
• Secure conversations: avoid discussing client matters in public spaces; use headsets and private areas.

Asset handling, media, and disposal

• Asset register maintained for company‑owned devices used for client work.
• Approved removable media only; unmanaged USB storage is prohibited.
• Secure disposal and sanitisation procedures are used for end‑of‑life devices (see Sanitisation & Destruction Summary).
• Printing: avoid printing sensitive material; if required, use secure storage and prompt retrieval.

Incident reporting and response

• Report lost/stolen devices or suspected physical compromise immediately.
• Trigger credential resets, token revocation, and access review following any device loss.
• Record physical incidents in an incident log; escalate to client if client data may be impacted.