Policy on physical information security