(Swiss Verein; Zug register; principal base Geneva. This Bylaw governs identity-secure accreditation, pass lifecycle, facility and data-room controls under least-privilege with full logging, and event safety with auditable incident management. It integrates the Central Bureau (CB) clearance regime, the Council System of Record (CSR), and the Council Gazette for transparency. Cross-refs: Arts. 1–5 (Purpose; Defs/Precedence; EN controls; FR/DE companions), 6 (Organs; CB as non-executive Privy Council), 7 (Representation/Signatory), 8 (Elections & Conduct), 9 (Authorities/DoA; CB), 10 (Programs/Regionalization), 11 (ECT inter-nexus), 13 (Records/Gazette), 14–16 (Finance; Data/Privacy/Security; Ethics/Conflicts), 17 (Accreditation/Protocol & venues), 18–21. Annexes: F (DoA), G (Signatory Matrix), L (Identity & InfoSec Standard), T (Data/Model Governance), W (Records & Retention), X (Gazette), Z (Continuity/RAP), N (Conflicts & RPT). EN controls.)
10.0 Principles, Scope & Roles
10.0.1 Principles
(a) Safety first with proportional controls; (b) Independence (no donor-conditioned access); (c) Least-privilege & need-to-know; (d) Identity assurance with strong authentication; (e) Auditability through immutable logs; (f) Privacy-by-design (Art. 15); (g) Dignity, accessibility, and inclusion at all convenings.
10.0.2 Scope
Applies to all GRF locations (head office, branches, pop-up sites), designated Geneva venues contemplated under Art. 17 (e.g., CICG, Palexpo, UNOG facilities, WIPO/ITU premises, WTO Centre William Rappard, ICRC spaces, CERN for designated programs), temporary workspaces, virtual/hybrid events, and data rooms (physical or virtual, including VDRs on the Nexus stack).
10.0.3 Roles & RACI
- Responsible (R): CB Protocol & Security Office (PSO) for accreditation/process; EM Operations for site execution; CISO/DPO for cyber/privacy; Program Owners/Chairs for session compliance.
- Accountable (A): Chief Global Steward (CGS) for accreditation/protocol governance; ED/CEO for operational safety.
- Consulted (C): Local venue security, Geneva authorities where applicable, ECT counterparts for joint events, ECC for safeguarding.
- Informed (I): Board Committees (ARC/ECC/TDC), Board of Trustees.
10.1 Accreditation & Pass Lifecycle
10.1.1 Pass Classes & Zones
Pass classes (illustrative; defined in Standing Orders): Staff, Contractor/Secondee, Trustee, Chair/Panelist, Delegate (Institutional/State), Media/Press, Vendor/Build Crew, Visitor/Observer.
Access zones (color-coded): Green (Public/Reception), Amber (Member/Back-of-House), Red (Restricted/Backstage/Operations), Black (Data-Room/Secret). Zone rules map to data classification (Art. 13.2).
10.1.2 Identity Proofing & Verification
(a) In-person: Government photo ID + selfie match; optional secondary (passport/driver’s license).
(b) Remote/digital: QES/AES identity + MFA (hardware key/app) for hybrid passes; liveness & spoofing checks where used.
(c) Sovereign delegations: accreditation via Note Verbale/official letter; identity checked at badge pick-up; no public-law immunities accrue to GRF (Art. 2).
10.1.3 Application, Vetting & CB Clearance
(a) Application pack: purpose, affiliation, zones requested, dates, device needs, privacy notice acceptance, code of conduct/safeguarding acknowledgment.
(b) Vetting (proportional): sanctions/KYC screens (SECO/EU/OFAC), watchlist hits, conflicts (Annex N), media risk, prior incidents.
(c) CB Clearance: Pre-Clearance for Red/Black zone access, media with backstage access, and any pass with device/network privileges; Clearance ID printed/encoded on the pass.
10.1.4 Issuance, Format & Validity
(a) Badges: tamper-evident physical badge with photo + cryptographic QR/NFC; digital companion pass in wallet app for hybrid events.
(b) Validity: time-boxed to the event/program window; auto-expire at local midnight of final authorized day unless extended.
(c) Two-factor use is required for Black/Red zones; biometric turnstiles where installed (privacy controls per Art. 15).
10.1.5 Conditions of Use
(a) Passes are personal and non-transferable; visible at all times onsite.
(b) Acceptance of Code of Conduct, anti-harassment rules, photography/recording policy, and privacy notice is required.
(c) Device policy binds users (see §10.2.4).
10.1.6 Revocation, Loss & Misuse
(a) Lost/Stolen: report within 1 hour; CB PSO revokes; replacement logged in CSR.
(b) Misuse (tailgating, loaning, zone breach): immediate confiscation, incident record, potential expulsion (Bylaw 8, Art. 16).
(c) Revocation grounds: safety risk, legal order, independence/conflicts breach, failure to comply with staff directions, or venue breach.
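The pass lifecycle rules in 10.1.3 to 10.1.6 (CB Pre-Clearance for Red/Black, expiry at local midnight of the final day, second factor for Red/Black, revocation) expressed as a single reader-side decision function. This is an added illustration, not GRF's own code; it assumes a pass carries an explicit zone set, that the reader reports the second factor as a boolean, and that Geneva local time is a fixed CEST offset for the sample.

```python
"""Policy-as-code for a badge scan at a zone reader (Bylaw 10.1.3-10.1.6).
Added illustration, not GRF's own code. Assumptions not in the Bylaw: a pass
carries an explicit zone set, the reader reports the second factor as a boolean,
and Geneva local time is modelled as a fixed CEST offset (use zoneinfo in production).
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

GENEVA = timezone(timedelta(hours=2), "CEST")     # event in June: UTC+2 (assumption for the sample)
ZONES = ("Green", "Amber", "Red", "Black")         # 10.1.1
CB_CLEARANCE_ZONES = {"Red", "Black"}              # 10.1.3(c): CB Pre-Clearance, ID encoded on pass
TWO_FACTOR_ZONES = {"Red", "Black"}                # 10.1.4(c)

@dataclass(frozen=True)
class Pass:
    pass_id: str
    zones: frozenset[str]                          # zones granted at accreditation (10.1.3(a))
    final_day: date                                # last authorized day (10.1.4(b))
    clearance_id: str | None = None
    revoked: bool = False                          # set by CB PSO on loss/misuse (10.1.6)

def valid_at(p: Pass, when: datetime) -> bool:
    """A pass auto-expires at local midnight of its final authorized day (10.1.4(b))."""
    return when.astimezone(GENEVA).date() <= p.final_day

def evaluate(p: Pass, zone: str, when: datetime, second_factor: bool = False) -> tuple[bool, str]:
    """Decide one scan; the reason string is what the reader writes to the immutable door log."""
    if zone not in ZONES:
        return False, "unknown-zone"
    if p.revoked:
        return False, "pass-revoked"
    if not valid_at(p, when):
        return False, "pass-expired"
    if zone not in p.zones:
        return False, "zone-not-granted"
    if zone in CB_CLEARANCE_ZONES and not p.clearance_id:
        return False, "cb-clearance-missing"
    if zone in TWO_FACTOR_ZONES and not second_factor:
        return False, "second-factor-required"
    return True, "granted"

# Constructed sample passes and scan times (no real holders); final day is 12 June 2025
STAFF = Pass("P-0001", frozenset({"Green", "Amber", "Red"}), date(2025, 6, 12), clearance_id="CBC-EXAMPLE-1")
DELEGATE = Pass("P-0002", frozenset({"Green", "Amber", "Red"}), date(2025, 6, 12))  # no CB Pre-Clearance
REVOKED = Pass("P-0003", frozenset({"Green"}), date(2025, 6, 12), revoked=True)
T_BEFORE_MIDNIGHT = datetime(2025, 6, 12, 21, 30, tzinfo=timezone.utc)   # 23:30 local, still the final day
T_AFTER_MIDNIGHT = datetime(2025, 6, 12, 22, 30, tzinfo=timezone.utc)    # 00:30 local on 13 June: expired
```

The two UTC timestamps straddle Geneva midnight, which is the edge case the "local midnight" rule in 10.1.4(b) turns on.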
10.1.7 Data Protection & Retention
(a) Accreditation PII processed per Art. 15; minimal fields; encryption at rest/in transit.
(b) Retention: standard 180 days post-event for green/amber; 365 days for red/black; shorter if law/venue requires; longer if Legal Hold (Art. 13.4).
(c) Disclosure to host venues/authorities is purpose-limited, logged in CSR.
10.1.8 Inter-Nexus & Host Coordination
(a) ECT reciprocity: where joint events occur, passes may be cross-recognized after joint vetting and mirrored register entries (Art. 11).
(b) Host liaison: CB PSO harmonizes with Geneva venue procedures and local policing plans; GRF standards prevail where stricter and lawful.
10.2 Facility & Data-Room Controls (Least Privilege; Logging)
10.2.1 Zoning, Segregation & Clean-Room Design
(a) Physical zoning aligns to data classification (Art. 13.2): Red/Black areas isolated with staffed points, mantraps where available.
(b) Clean-rooms for sensitive analytics: no personal devices, issued managed laptops, no removable media; video-free unless explicitly authorized.
10.2.2 Physical Access & Search
(a) Access control: turnstiles/badge readers, security staffing, visitor escorts, random bag checks (proportionate, posted notice).
(b) Prohibited items: weapons, explosives, drones (unless licensed operations), intoxicants; signage and enforcement protocol published.
(c) CCTV: visible signage; retention 30–90 days (venue policy); lawful redactions for requests.
10.2.3 Data-Rooms & VDRs (NXSGRIx/Nexus)
(a) Least-privilege RBAC/ABAC; just-in-time grants; quarterly access recertifications.
(b) Watermarking & session recording for exports; no personal email or consumer cloud; DLP & EDR enforced.
(c) Contracts/NDAs: required for Restricted/Secret classifications; file CRE references in Publication Packs (Bylaw 6).
10.2.4 Networks, Devices & BYOD
(a) Network tiers: Public/Guest, Member, Operations, Clean-room; strict segmentation and rate limits during events; WPA3-Enterprise where available.
(b) Devices: managed builds (MDM), disk encryption, screen locks, patching SLAs; hardware keys for admin roles.
(c) BYOD: permitted on Public/Member networks only; no access to Red/Black resources.
(d) Printing: restricted; release stations with badge PIN; logs retained (Annex W).
10.2.5 Monitoring, Logging & Retention
(a) Immutable logs for door readers, network auth, admin actions, VDR sessions; time-synchronized; retained per Annex W (≥ 12 months; longer for Black).
(b) Alerting: anomaly detection for tailgates, failed logins, mass downloads; SOC playbooks integrated with incident response (Bylaw 9).
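The three alert conditions named in 10.2.5(b) (tailgates, failed logins, mass downloads) as detection rules run over a constructed log sample. This is an added example, not GRF's SOC code; the line format, the thresholds, and the use of an anti-passback condition (a badge entering a zone again with no exit recorded) as the proxy for a tailgate are all assumptions.

```python
"""Detection rules over constructed door/auth/VDR log lines (Bylaw 10.2.5(b)).
Added example, not GRF's SOC code. Line format 'ISO-time|source|event|subject|detail'
and thresholds are assumptions; a second 'enter' with no 'exit' in between stands in for a tailgate."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
DOWNLOAD_LIMIT, DOWNLOAD_WINDOW = 15, timedelta(minutes=15)

def burst_subjects(events, limit, window):
    # events: time-ordered (ts, subject); flag subjects with >= limit events inside a sliding window
    recent, flagged = defaultdict(deque), set()
    for ts, subject in events:
        q = recent[subject]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            flagged.add(subject)
    return flagged

def detect(lines):
    alerts, inside, auth_fail, downloads = [], {}, [], []   # inside: pass -> zone it is currently in
    for line in lines:
        ts, source, event, subject, detail = line.split("|", 4)
        ts = datetime.fromisoformat(ts)
        if (source, event) == ("door", "enter"):
            if subject in inside:                           # still inside per the log: passback/tailgate suspect
                alerts.append(("tailgate-suspect", subject))
            inside[subject] = detail
        elif (source, event) == ("door", "exit"):
            inside.pop(subject, None)
        elif (source, event) == ("auth", "fail"):
            auth_fail.append((ts, subject))
        elif (source, event) == ("vdr", "download"):
            downloads.append((ts, subject))
    alerts += [("failed-login-burst", s) for s in sorted(burst_subjects(auth_fail, FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW))]
    alerts += [("mass-download", s) for s in sorted(burst_subjects(downloads, DOWNLOAD_LIMIT, DOWNLOAD_WINDOW))]
    return alerts

# Constructed sample log (no real persons or systems), time-ordered per subject
SAMPLE_LOG = [
    "2025-06-12T09:00:00|door|enter|P-0001|Red",
    "2025-06-12T09:05:00|door|enter|P-0002|Amber",
    "2025-06-12T09:20:00|door|enter|P-0001|Red",       # P-0001 never exited: flagged
    "2025-06-12T09:30:00|door|exit|P-0002|Amber",
    "2025-06-12T09:31:00|door|enter|P-0002|Amber",     # legitimate re-entry after an exit
] + [f"2025-06-12T10:{m:02d}:00|auth|fail|ops-admin|bad-password" for m in range(0, 12, 2)]  # 6 fails in 10 min
SAMPLE_LOG += [f"2025-06-12T11:{m:02d}:00|vdr|download|P-0003|doc-{m}.pdf" for m in range(30)]  # 30 files in 29 min
```

`detect(SAMPLE_LOG)` yields one alert per rule here; in the real pipeline each alert would open the SOC playbook referenced in 10.2.5(b) rather than being returned to the caller.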
10.3 Event Safety, Safeguarding & Incident Logs
10.3.1 Pre-Event Risk Assessment & Planning
(a) Risk Assessment (all events): crowd profile, dignitary protection, protest likelihood, severe weather, health hazards, critical-infrastructure dependencies.
(b) Plans: Emergency Response Plan (ERP), Evacuation Routes, Shelter-in-Place, Medical Plan, Fire Safety, Severe Weather, Communicable Disease protocols.
(c) Command structure: Incident Command System (ICS-analog) with roles (Incident Commander, Safety, Liaison, Comms, Operations, Intel).
(d) Insurance: event liability and vendor cover checked by EM/Finance; certificates filed to CSR.
10.3.2 On-Site Operations & Protocol
(a) Briefings: daily safety brief; radio discipline; lost-child/vulnerable-person protocol; safeguarding contacts posted.
(b) Protocol: order of precedence for delegations, flag/insignia rules, seating and motorcade staging; no implication of state recognition (Independence, Art. 3).
(c) Accessibility: step-free access, reserved seating, captioning/interpretation (FR/DE as feasible), sensory-friendly areas.
10.3.3 Medical, Fire & Crowd Management
(a) Medical: on-site medic/first-aid for events >250 pax; AEDs sign-posted; ambulance rendezvous point; incident reporting to CSR.
(b) Fire: coordinate with venue wardens; maintain clear egress; test alarms/PA.
(c) Crowd: capacity limits, queuing plans, choke-point monitoring; protective-intelligence scans for agitators (lawful means only).
10.3.4 Safeguarding & Code of Conduct
(a) Anti-harassment policy enforced; hotline and QR reporting; chaperone/escort options.
(b) Consequences: warning, removal of badge, ejection, escalation to authorities, and GA suspension under Bylaw 5 where applicable.
(c) Media rules: clear on/off-the-record zones; photography consent signage; minors’ faces blurred unless guardian consent.
10.3.5 Cyber for Events
(a) Ephemeral Wi-Fi SSIDs; per-session keys; captive portal privacy notice.
(b) Stage/AV isolated from attendee networks; signed firmware; vetted media on show machines; no USB from unknown hosts.
10.3.6 Incident Intake, Logging & Notification
(a) Severity: P0 (life/safety), P1 (major operational), P2 (minor).
(b) Intake: radio, hotline, QR form; time, location, persons, narrative, evidence captured; Case ID opened in CSR within 2 hours for P0/P1.
(c) Notifications: venue security and authorities as needed; CB notified for P0/P1; where personal data is involved, the 72-hour standard in Bylaw 9 applies.
(d) Comms: a single Official Spokesperson; rumor control; media holding statements pre-cleared.
10.3.7 After-Action & Transparency
(a) RCA & After-Action Report within 10 Business Days for P0/P1; lessons and Cure Plan filed to CSR; Gazette summary (lawful redactions).
(b) Exercises: annual tabletop and venue walk-throughs; corrective actions tracked in CSR Action Logs.
10.4 RAP Interface (Continuity/Emergency)
(a) During a Rapid Activation Protocol (RAP; Art. 19), CB may authorize compressed accreditation, expanded RAP-Clearances, and temporary zone merges for humanitarian operations, with post-event ratification and a consolidated RAP Transparency Report.
(b) Curfews/restrictions imposed by Swiss authorities are observed; CB logs derogations from standard timelines with reasons.
10.5 Training, Certifications & Quick-Reference
10.5.1 Training & Drills
Annual training for staff/contractors: ICS basics, crowd safety, safeguarding, ABAC & conflicts (Bylaw 8), privacy (Art. 15), radio/comms, device/network hygiene. Venue-specific inductions at first call.
10.5.2 Quick-Reference Tables
Accreditation Timelines (minimums)
- Standard passes: 5 Business Days before Day-1
- Red/Black access: 10 Business Days (with CB vetting)
- Media passes: 3 Business Days (background check complete)
- Lost badge turnaround: ≤ 2 hours post-report
Log Retention (minimums)
- Door/access logs: 12 months (Black: 24 months)
- VDR/session logs: 12 months (Black: 36 months)
- CCTV (venue): 30–90 days (as venue policy/law)
- Incident case files: ≥ 10 years for P0/P1; 3 years for P2
10.6 Enforcement & Remedies
(a) Non-compliance (unauthorized access, badge sharing, logging bypass, data-room violations) is misconduct: immediate badge revocation, ejection, and discipline under Art. 16/Art. 8.5; vendor sanctions per Bylaw 7.
(b) Acts executed without required CB Clearance or contrary to conditions are voidable (Art. 7.11); repeat breaches escalate to the Board.
(c) Material outcomes are recorded in CSR and summarized in the Council Gazette with lawful redactions.
Design result: A Swiss-grade, trust-minimized security and accreditation regime—identity-verified passes, least-privilege zoning, granular logging, and ICS-based event safety—anchored by CB Clearances, CSR records, and Gazette summaries so GRF convenings and data-room operations are safe, lawful, independent, and auditable at global scale.