Doctivity Health Policy Packet

TABLE OF CONTENTS

Access Control Policy
Asset Management Policy
Business Continuity and Disaster Recovery Plan
Code of Conduct
Cryptography Policy
Data Management Policy
Human Resource Security Policy
Incident Response Plan
Information Security Policy (AUP)
Information Security Roles and Responsibilities
Operations Security Policy
Physical Security Policy
Risk Management Policy
Secure Development Policy
Third-Party Management Policy

Access Control Policy

Purpose

To limit access to company information and information processing systems, networks, apps, and facilities to authorized parties in accordance with business objectives.

Scope

All company information systems that process, store, or transmit confidential company data as defined in the company Data Management Policy. This policy applies to all employees of the company and to all external parties with access to company networks and system resources.

Policy

Access to the company's computing resources and information is restricted to employees who have a legitimate business need for this access.

Access rights shall be granted or revoked in accordance with this Access Control Policy.

Access granted and revoked shall be documented.

Business Requirements of Access Control

Access Control Policy

The company shall determine the type and level of access granted to individual users based on the principle of least privilege. This principle states that users are only granted the level of access absolutely required to perform their job functions, and is dictated by the company's business and security requirements. Permissions and access rights not expressly granted shall be, by default, prohibited. The company's primary method of assigning and maintaining consistent access controls and access rights shall be through the implementation of Role-Based Access Control (RBAC). Wherever feasible, rights and restrictions shall be allocated to groups. Individual user accounts may be granted additional permissions as needed with approval from the system owner or authorized party. All privileged access to company production infrastructure shall use Multi-Factor Authentication (MFA) when available.

Access to Networks and Network Services

The following security standards shall govern access to company networks and network services:

Technical access to company networks must be formally documented including the standard role or approver, grantor, and date

Only authorized company employees and contractors, with a business need, shall be granted access to the company production networks and resources

Company guests may be granted access to company guest networks after registering with office staff without a documented request

Remote connections to company production systems and networks must be encrypted

User Access Management

The company requires that all personnel have a unique user identifier for company system access and that user credentials and passwords are not shared between multiple personnel. Users with multiple levels of access (e.g. administrators) should be given separate accounts for normal system use and administrative functions wherever feasible. Root, service, and administrator accounts may use a password management system to share passwords for business continuity purposes only. Administrators shall only use shared administrative accounts as needed. If a password is compromised or suspected of compromise, the incident should be escalated to the Security Delegate immediately and the password must be changed.

User Registration and Deregistration

Only authorized administrators shall be permitted to create new company user IDs, and may only do so upon receipt of a documented request from authorized parties. User provisioning requests must include approval from data owners or company management authorized to grant system access. Before account creation, administrators should verify that the account does not violate any company security or system access control policies such as segregation of duties, fraud prevention measures, or access rights restrictions. Company user IDs shall be promptly disabled or removed when users leave the organization or contract work ends, in accordance with SLAs. User IDs shall not be re-used.

User Access Provisioning

New employees and/or contractors are not to be granted access to any company production systems until after they have completed all HR onboarding tasks, which may include but are not limited to the signed employment agreement, intellectual property agreement, security awareness training, and acknowledgment of the company's information security policy

Access should be restricted to only what is necessary to perform job duties

No access may be granted earlier than the official employee start date unless personnel have completed above referenced on-boarding tasks.

Access requests and rights modifications shall be documented in an access request ticket or email. No permissions shall be granted without approval from the system owner, the data owner, or management

Records of all permission and privilege changes shall be maintained for no less than one year

Management of Privileged Access

The company shall ensure that the allocation and use of privileged access rights are restricted and managed judiciously. The objective is to ensure that only authorized users, software components, and services are granted privileged access rights. The company will ensure that access and privileges conform to the following standards:

Identify and Validate Users: Identify users who require privileged access to each system and process.

Assign Privileged Access: Grant access rights based on individual needs and qualifications, ensuring strict compliance with the access control policy.

Maintain Authorization Protocols: Maintain records of all privileged access allocations.

Enforce Strong Authentication: Require MFA for all privileged access when available.

Prevent Generic Admin ID Usage: Prevent the usage of generic administrative user IDs.

Adopt Time-Bound Access Protocols (when feasible): Grant privileged access only for the necessary duration required to accomplish specific tasks and revoke it once the task is completed.

Ensure Logging and Auditing: Log all privileged logins and activity.

Uphold Distinct and Separate Identities (when feasible): Preserve distinct identities for privileged access rights and ensure such identities are neither shared among multiple users nor used for routine, non-administrative tasks.

User Access Reviews

Administrators shall perform access rights reviews of user, administrator, and service accounts on a quarterly basis to verify that user access is limited to systems that are required for their job function. Access reviews shall be documented. Access reviews may include group membership as well as evaluations of any specific or exception-based permission. Access rights shall also be reviewed as part of any job role change, including promotion, demotion, or transfer within the company.

Removal & Adjustment of Access Rights

The access rights of all users shall be promptly removed upon termination of their employment or contract, or when rights are no longer needed due to a change in job function or role. The maximum allowable time period for access termination is 24 business hours.

Access Provisioning, Deprovisioning, and Change Procedure

The Access Management Procedure for company systems can be found in Appendix A to this policy.

Segregation of Duties

When feasible, conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of company assets. When provisioning access, care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization when feasible. The possibility of collusion should be considered when determining access levels for individuals and groups.

User Responsibility for the Management of Secret Authentication Information

Control and management of individual user passwords is the responsibility of all company personnel and third-party users. Users shall protect secret authentication information in accordance with the Information Security Policy.

Password Policy

Where feasible, passwords for company confidential systems shall be configured in accordance with the following:

Eight (8) or more characters, including at least one upper case letter and one number

Systems shall be configured to remember and prohibit reuse of passwords for the last 8 passwords used

Passwords shall be set to lock out after 6 failed attempts.

Initial passwords must be set to a unique value and changed after first login

For manual password resets, a user's identity must be verified prior to changing passwords

Do not use secret questions (place of birth, etc.) as a sole password reset requirement

Require email or chat tool verification of a password change request

Require the current password in addition to the new password during password change

Store passwords in a hashed and salted format

Enforce appropriate account lockout and brute-force protection on account access

System and Application Access

Information Access Restriction

Applications must restrict access to program functions and information to authorized users and support personnel in accordance with the defined access control policy. The level and type of restrictions applied by each application should be based on the individual application requirements, as identified by the data owner. The application-specific access control policy must also conform to company policies regarding access controls and data management. Prior to implementation, evaluation criteria are to be applied to application software to determine the necessary access controls and data policies. Assessment criteria include, but are not limited to:

Sensitivity and classification of data.

Risk to the organization of unauthorized access or disclosure of data

The ability to, and granularity of, control(s) on user access rights to the application and data stored within the application

Restrictions on data outputs, including filtering sensitive information, controlling output, and restricting information access to authorized personnel

Controls over access rights between the evaluated application and other applications and systems

Programmatic restrictions on user access to application functions and privileged instructions

Logging and auditing functionality for system functions and information access

Data retention and aging features

All unnecessary default accounts must be removed or disabled before making a system available on the network. Specifically, vendor default passwords and credentials must be changed on all company systems, devices, and infrastructure prior to deployment. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, and Simple Network Management Protocol (SNMP) community strings where feasible.

Secure Log-on Procedures

Secure log-on controls shall be designed and selected in accordance with the sensitivity of data and the risk of unauthorized access based on the totality of the security and access control architecture.

Password Management System

Systems for managing passwords should be interactive and assist company personnel in maintaining password standards by enforcing password strength criteria, including minimum length and password complexity where feasible. All storage and transmission of passwords is to be protected using appropriate cryptographic protections.

Use of Privileged Utility Programs

Use of utility programs, system files, or other software that might be capable of overriding system and application controls or altering system configurations must be restricted to the minimum personnel required. Systems are to maintain logs of all use of system utilities or alteration of system configurations. Extraneous system utilities or other privileged programs are to be removed or disabled as part of the system build and configuration process. Security Delegate approval is required prior to the installation or use of any ad hoc or third-party system utilities.

Access to Program Source Code

Access to program source code and associated items, including designs, specifications, verification plans, and validation plans, shall be strictly controlled in order to prevent the introduction of unauthorized functionality into software, avoid unintentional changes, and protect company intellectual property. All access to source code shall be based on business needs and must be logged for review and audit.

Exceptions

Requests for an exception to this Policy must be submitted to the Security Delegate for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

APPENDIX A

Access Management Procedure

At the completion of the onboarding process, HR will create a series of tasks to grant access for new onboarded personnel to various systems. IT or the Security Delegate will provision access for all company-wide systems as well as appropriate systems based on role and group. Additional access, beyond standard pre-approved access, will be documented and approved by HR or the Security Delegate.

Document History

Version  Date  Description      Written by  Approved by
1.0.0    2025  Initial Version  Ryan Rich   Haili Coombe

Asset Management Policy

Purpose

To identify company assets and define appropriate protections and responsibilities.

To ensure that information receives an appropriate level of protection in accordance with its importance to the company.

To prevent unauthorized disclosure, modification, removal, or destruction of company information stored on media.

Scope

This policy applies to all company-owned or managed information systems.

Policy

Inventory of Assets

Assets associated with company information and information processing facilities that store, process, or transmit classified information shall be identified and an inventory of these assets shall be created and maintained.

Ownership of Assets

Assets maintained in the inventory shall be owned by a specific individual or group at the company.

Acceptable Use of Assets

Rules for the acceptable use of company information, assets, and information processing facilities shall be identified and documented in the Information Security Policy.

Loss or Theft of Assets

All company personnel must immediately report the loss of any company information systems or devices, including portable or laptop computers, smartphones, authentication tokens (keyfobs, one-time-password generators, or personally owned smartphones or devices with a company software authentication token installed), or other devices that can store and process or help grant access to company data.

Return of Assets

All employees and third-party users of company-issued or owned equipment shall return all of the company assets within their possession upon termination of their employment, contract, or agreement.

Handling of Assets

Employees and users who are issued or handle company equipment are expected to use reasonable judgment and exercise due care in protecting and maintaining the equipment. Employees are responsible for ensuring that company equipment is secured and properly attended to whenever it is transported or stored outside of company facilities. All mobile devices shall be handled in accordance with the Information Security Policy. Besides employee-issued devices, no company computer equipment or devices may be moved or taken off-site without appropriate authorization from management. For remote work, the use of company devices in remote locations is implicitly approved, as outlined in the Information Security Policy.

Asset Disposal & Re-Use

Company devices and media that store or process confidential company data shall be securely disposed of when no longer needed. Data must be erased prior to disposal or re-use, using an approved technology, in order to ensure that data is not recoverable. A Certificate of Destruction (COD) must be obtained for devices destroyed by a third-party service. Please refer to NIST Special Publication 800-88 Revision 1, "Guidelines for Media Sanitization", in order to select which methods are appropriate.

Customer Asset Return

Any physical assets owned by customers shall be promptly returned to the customer following service termination in accordance with the terms of the contract or service agreement.

Exceptions

Requests for an exception to this policy must be submitted to your manager for approval.

Violations & Enforcement

Any known violations of this policy should be reported to your manager. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Document History

Version  Date  Description      Written by  Approved by
1.0.0    2025  Initial Version  Ryan Rich   Haili Coombe

Business Continuity and Disaster Recovery (BC/DR) Plan

Purpose

To prepare the company in the event of service outages caused by factors beyond company control (e.g., natural disasters, man-made events).

To restore services to the widest extent possible in a minimum time frame.

Scope

All Company information systems that are business-critical. This policy applies to all employees of the company and all relevant external parties, including but not limited to company contractors.

Policy

In the event of a major disruption to production services and a disaster affecting the availability and/or security of the company office or hosting facilities for more than 24 hours, senior managers and executive staff shall determine mitigation actions based on this plan. A disaster recovery test, including a test of backup restoration processes, shall be performed on an annual basis. In the case of an information security event or incident, refer to the Incident Response Plan.

Communications and Escalation

All staff shall be notified upon activation of this plan. Based on what is available, communications shall take place over any available regular channels including Slack and email.

Roles and Responsibilities

Security Delegate: The Security Delegate shall lead BC/DR efforts to mitigate losses and recover the corporate network and information systems.

Department Leads: Each department lead shall be responsible for communications with their departmental staff and any actions needed to maintain the continuity of their business functions. Departmental heads shall communicate regularly with executive staff and the IT Manager.

Customer Support: Customer support, in conjunction with the CEO, will be responsible for any external and client communications regarding any disaster or business continuity actions that are relevant to customers and third parties.

Continuity of Critical Services

Procedures for maintaining the continuity of critical services in a disaster can be found in Appendix A. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) can be found in Appendix B. The strategy for maintaining continuity of services is as follows:

Customer (Production) Service Delivery: Rely on hosting provider availability commitments and SLAs

IT and Product: Not dependent on HQ

Email: Utilize Gmail and its distributed nature, relying on Google's standard-level agreements

Finance, Legal, and HR: All systems are vendor-hosted SaaS applications

Sales and Marketing: All systems are vendor-hosted SaaS applications

Plan Activation

This BC/DR plan shall be automatically activated in the event of the loss or unavailability of the Company office, or a natural disaster (e.g., severe weather, regional power outage, earthquake) affecting the larger primary cloud hosting facility.

Appendix A

Business Continuity Procedures and Scenarios

Disaster Recovery Procedures

Disaster recovery procedures are broken up into stages.

1.) Notification and Activation Phase

In this phase, it is determined that this plan should be activated and the initial steps below are taken to notify internal and external stakeholders.

Notification Sequence

The initial step is to notify the Security Delegate.

The Security Delegate notifies the hosting provider.

The Security Delegate contacts all department leads who in turn contact all staff to notify them of the activation of the plan.

Damage Assessment

The Security Delegate, with help from engineering, assesses the situation and determines an appropriate plan to recover systems.

2.) Recovery Phase

This phase of the plan outlines the steps to recover the company's systems to acceptable levels. The goal is to get company systems and applications back to a full, operational production state.

Contact impacted customers and 3rd parties.

Start relocating data and services to new hosting providers and/or facilities.

Test system availability.

Test security controls.

Check software and OS versions to ensure they are up to date.

Once the infrastructure has been set up at the new site, migrate data.

Update any required DNS records to make new infrastructure available.

3.) Re-Establishment Phase

In this phase, company systems are moved back to the original hosting provider. If this is deemed impossible given the nature of the disaster, the alternative site is to be converted to a primary site on an ongoing basis.

Original Hosting Site Re-establishment

Start relocating data and services to the original hosting provider and/or facilities.

Test system availability.

Test security controls.

Check software and OS versions to ensure they are up to date.

Once the infrastructure has been set up at the new site, migrate data.

Update any required DNS records to make new infrastructure available.

Plan Deactivation

If the Company environment is moved back to the original site from the alternative site, all hardware used at the alternate site should be handled and disposed of according to Company policy. At this point, the Security Delegate can terminate this plan as operations have returned to normal.

Business Continuity Scenarios

Disaster Event or Offline at HQ

CRM, Telephony, Video Conferencing/Screen Share & Corp Email unaffected

SUPPORT offline

HQ Staff offline (variable impact)

Remote Staff unaffected US

Procedure:

Activate Remote Staff (US)

Notify Customer Base of impaired functions & potential delays

Commandeer Field Resources for Critical Response (Security Engineering Teams)

SaaS Tools Down

CRM, Telephony, Video Conferencing/Screen Share, or Corp Email Affected

SUPPORT partially affected (no new cases, manual triage required)

HQ Staff unaffected

Remote Staff unaffected US

Procedures:

Telephony Down: Notify the customer base to use the support portal or email. Support staff use mobile phones and/or land lines as needed.

Email Down: Support Staff manually manage case-related communications. Support Staff use alternate email accounts as needed.

CRM Down: Notify customer base that CRM is down. Activate 'Spreadsheet' case tracking. Leverage 'Production' database for entitlements, case history, and configuration data.

Video Conferencing/ScreenShare Down: Support Staff utilize an alternate service as needed.

Collaboration Down: Support Staff utilize an alternate service as needed.

Appendix B

RTOs/RPOs (RTO = Recovery Time Objective, RPO = Recovery Point Objective)

Rank  Asset                                                         Affected Assets         Business Impact                     Users  Owners       RTO     RPO
1     Hosting facility                                              Site                    Product down                        All    Engineering  5 days  10 days
2     Corporate Office                                              Site                    None, workers can shift to remote.  All    CEO          1 day   30 days
3     Collaboration Tool (e.g., SharePoint, Google Workspace, etc.)  Productivity and comms  Comms                               All    Engineering  1 day   5 days

Document History

Version  Date        Description      Written by  Approved by
1.0.0    2025-04-14  Initial Version  Ryan Rich   Haili Coombe

Code of Conduct

Purpose

The primary goal of the Code of Conduct policy is to foster inclusive, collaborative, and safe working conditions for all staff. As such, the organization is committed to providing a friendly, safe, and welcoming environment for all staff, regardless of gender, sexual orientation, ability, ethnicity, socioeconomic status, or religion (or lack thereof). This code of conduct outlines our expectations for all staff, as well as the consequences for unacceptable behavior.

Scope

The Code of Conduct applies to all staff. This includes full-time, part-time, and contractor staff employed at every seniority level. The Code of Conduct is to be upheld during all professional functions and events, including but not limited to business hours at the company office, during company-related extracurricular activities and events, while attending conferences and other professional events on behalf of the company, and while working remotely and communicating on company resources with other staff. We expect all staff to abide by this Code of Conduct in all business matters online and in-person as well as in all one-on-one communications with customers and staff pertaining to company business. This Code of Conduct also applies to unacceptable behavior occurring outside the scope of business activities when such behavior has the potential to adversely affect the safety and well-being of company staff and clients.

Culture and Citizenship

A supplemental goal of this Code of Conduct is to increase open citizenship by encouraging participants to recognize the relationships between our actions and their effects within the shared company culture.

Be welcoming. We strive to be a company that welcomes and supports people of all backgrounds and identities. This includes, but is not limited to, members of any race, ethnicity, culture, national origin, color, immigration status, social and economic class, educational level, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.

Be considerate. Your work will be used by other people, and you in turn will depend on the work of others. Any decision you take will affect users and colleagues, and you should take those consequences into account when making decisions.

Be respectful. Not all of us will agree all the time, but disagreement is no excuse for poor behavior and poor manners. We might all experience some frustration now and then, but we cannot allow that frustration to turn into a personal attack. It's important to remember that a company where people feel uncomfortable or threatened is neither productive nor pleasant. Company staff should always be respectful when dealing with other personnel as well as with people outside of the organization.

Acceptable and Expected Behavior

The following behaviors are expected and requested of all staff:

Participate in an authentic and active way. In doing so, you contribute to the health and longevity of the company.

Exercise consideration and respect in your speech and actions at all times.

Attempt collaboration before conflict.

Refrain from demeaning, discriminatory, or harassing behavior and speech.

Be mindful of your surroundings and of your fellow participants. Alert company leadership if you notice a dangerous situation, someone in distress, or violations of this Code of Conduct, even if they seem inconsequential.

Remember that company events may be shared with members of the public as well as customers; please be respectful to all patrons of these locations at all times.

Unacceptable Behavior

The following behaviors are considered harassment and are unacceptable within our community:

Violence, threats of violence, or violent language directed against another person.

Sexist, racist, homophobic, transphobic, ableist, or otherwise discriminatory jokes and language.

Posting or displaying sexually explicit or violent material.

Posting or threatening to post other people's personally identifying information ("doxing").

Personal insults, particularly those related to gender, sexual orientation, race, religion, or disability.

Inappropriate photography or recording.

Inappropriate physical contact. You should have someone's consent before touching them in any manner.

Unwelcome sexual attention. This includes sexualized comments or jokes; inappropriate touching, groping, and unwelcome sexual advances.

Deliberate intimidation, stalking, or following (online or in person).

Advocating for, or encouraging, any of the above behavior.

Repeated harassment of others. In general, if someone asks you to stop, then stop.

Other conduct which could reasonably be considered inappropriate in a professional setting.

Weapons Policy

No weapons will be allowed at company events, office locations, or in other spaces covered by the scope of this Code of Conduct. Weapons include but are not limited to guns, explosives (including fireworks), and large knives such as those used for hunting or display, as well as any other item used for the purpose of causing injury or harm to others. Anyone seen in possession of one of these items will be asked to leave immediately and will be subject to punitive action up to and including termination and involvement of law enforcement authorities. Company staff are further expected to comply with all state and local laws on this matter.

Consequences of Unacceptable Behavior

Unacceptable behavior from any staff member, including those with decision-making authority, will not be tolerated. Anyone asked to stop unacceptable behavior is expected to comply immediately. If a staff member engages in unacceptable behavior, company leadership may take any action deemed appropriate, up to and including suspension or termination.

Reporting Violations

If you are subject to or witness unacceptable behavior, or have any other concerns, please notify an appropriate member of leadership as soon as possible. It is a violation of this policy to retaliate against any person making a complaint of Unacceptable Behavior or against any person participating in the investigation of (including testifying as a witness to) any such allegation. Any retaliation or intimidation may be subject to punitive action up to and including termination.

Disciplinary Action

Employees who violate this policy may face disciplinary consequences in proportion to their violation. Company management will determine how serious an employee's offense is and take the appropriate action.

Responsibility

It is the Security Delegate's responsibility to ensure this policy is followed.

Document History

Version  Date  Description      Written by  Approved by
1.0.0    2025  Initial Version  Ryan Rich   Haili Coombe

Cryptography Policy

Purpose

To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.

To establish requirements for the use and protection of cryptographic keys and cryptographic methods throughout the entire encryption lifecycle.

Scope
All information systems developed and/or controlled by the company which store or transmit confidential data.

Policy
The company shall evaluate the risks inherent in processing and storing confidential data and shall implement cryptographic controls to mitigate those risks where deemed appropriate. Where encryption is in use, strong cryptography with associated key management processes and procedures shall be implemented and documented. When feasible, encryption shall be performed in accordance with industry standards, including NIST SP 800. Customer or confidential company data must utilize strong ciphers and configurations in accordance with vendor recommendations and industry best practices, including NIST guidance, when stored or transferred over a public network.

Key Management
Access to keys and secrets shall be controlled in accordance with the Access Control Policy. The following table includes the recommended usage for cryptographic keys to be used when appropriate and feasible:

Domain | Key Type | Algorithm | Key Length | Max Expiration
Web Certificate | RSA or ECC with SHA2+ signature | RSA or ECC with SHA2+ signature | 2048 bit or greater (RSA), 256 bit or greater (ECC) | Up to 1 year
Web Cipher | TLS Asymmetric Encryption | Ciphers of B or greater grade on SSL Labs Rating | Varies | N/A
Confidential Data at Rest | Symmetric Encryption | AES | 256 bit | 1 Year
Passwords | One-way Hash | Bcrypt, PBKDF2, scrypt, or Argon2 | 256 bit + 10K stretch; include unique cryptographic salt + pepper | N/A
Endpoint Storage (SSD/HDD) | Symmetric Encryption | AES | 128 or 256 bit | N/A
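As an added illustration of the Passwords row (example code written for this packet, not the company's own implementation), the following Python uses PBKDF2-HMAC-SHA256, one of the listed algorithms, with a 256-bit output, a per-credential random salt, a pepper applied via HMAC and kept outside the credential store, and a rejection of any stretch count below the 10K floor; the iteration target, record format and pepper value are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Policy floor from the Passwords row: 256-bit output with at least a 10K stretch.
MIN_ITERATIONS = 10_000
DERIVED_KEY_BYTES = 32
SALT_BYTES = 16
# Assumption: a current target well above the policy floor; tune to your hardware.
TARGET_ITERATIONS = 600_000
SCHEME = "pbkdf2-sha256"

# Assumption: the pepper is a site-wide secret held outside the credential store
# (environment variable or secrets manager). This value is constructed for the example.
CONSTRUCTED_PEPPER = b"constructed-example-pepper-not-for-production"


def _peppered(password: str, pepper: bytes) -> bytes:
    # Bind the pepper via HMAC so the stretch is applied to a keyed digest of the
    # password; a stolen hash table cannot be attacked offline without the pepper.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = CONSTRUCTED_PEPPER,
                  iterations: int = TARGET_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash (base64 fields)."""
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"{iterations} iterations is below the policy floor of {MIN_ITERATIONS}")
    salt = os.urandom(SALT_BYTES)  # unique per credential, stored with the hash
    dk = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt,
                             iterations, dklen=DERIVED_KEY_BYTES)
    fields = [SCHEME, str(iterations), base64.b64encode(salt).decode("ascii"),
              base64.b64encode(dk).decode("ascii")]
    return "$".join(fields)


def _parse(stored: str):
    # Returns (iterations, salt, digest), or None for a malformed or foreign record
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except (ValueError, TypeError):  # binascii.Error from bad base64 is a ValueError
        return None


def verify_password(password: str, stored: str, pepper: bytes = CONSTRUCTED_PEPPER) -> bool:
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt,
                                    iterations, dklen=len(expected))
    # Constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target: int = TARGET_ITERATIONS) -> bool:
    """True when a record's stretch count is below the current target (or it is unparseable)."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < target
```

Because each record carries its own iteration count, needs_rehash lets the stretch be raised over time by re-hashing at the next successful login.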

Exceptions
Requests for an exception to this policy must be submitted to the Security Delegate for approval. The organization does not issue or authorize the use of removable media. However, if a legitimate use case arises, a documented exception is required prior to moving, copying, or storing customer or company confidential data on any media or removable device; all portable devices and removable media containing sensitive data must be encrypted using approved standards and mechanisms.

Violations & Enforcement
Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Document History
Version | Date | Description | Written by | Approved by
1.0.0 | 2025-04-14 | Initial Version | Ryan Rich | Haili Coombe

Data Management Policy

Purpose

To ensure that information is classified, protected, retained, and securely disposed of in accordance with its importance to the organization.

To define data classification and standards.

Scope
All company data, information, and information systems.

Policy
The classification of data and information systems is done in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements. Information systems and applications shall be classified according to the highest classification of data that they store or process.

Data Classification
To help employees and stakeholders easily understand requirements associated with different kinds of information, the company has created three classes of data.

Confidential
Highly sensitive data, or Confidential data, requires the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner or a company executive. Examples include:

Customer Data

Personally identifiable information (PII)

Company financial and banking data

Salary, compensation personnel, and payroll information

Strategic plans

Incident reports

Risk assessment reports

Technical vulnerability reports

Authentication credentials

Secrets and private keys

Source code

Litigation data

Restricted
Company proprietary information requires thorough protection; access is restricted to employees with a "need-to-know" based on business requirements. This data can only be distributed outside the company with approval. This is the default for all company information unless stated otherwise. Examples include:

Internal policies

Legal documents

Meeting minutes and internal presentations

Contracts

Internal reports

Slack messages

Email

Public
Documents intended for public consumption can be freely distributed outside the company. Examples include:

Marketing materials

Product descriptions

Release notes

External facing policies

Labeling
Paper: Confidential data should be labeled "confidential" whenever paper copies are produced for distribution.

Data Handling

Confidential Data Handling
Confidential data is subject to the following protection and handling requirements:

Access for non-preapproved roles requires documented approval from the Security Delegate

Access is granted on an as-needed basis.

Access is restricted to specific employees, roles, and/or departments

Confidential systems shall not allow unauthenticated or anonymous access

Confidential Customer Data shall be handled like Company confidential data.

Confidential data shall be encrypted at rest and in transit over public networks in accordance with the Cryptography Policy

Mobile device hard drives containing confidential data, including laptops, shall be encrypted

Mobile devices storing or accessing confidential data shall be protected by a log-on password (or equivalent, such as biometric) or passcode and shall be configured to lock the screen after fifteen (15) minutes of non-use

Backups of Confidential data shall be encrypted

Confidential data shall not be stored on removable media including USB drives, CDs, or DVDs

Paper records shall be labeled "confidential" and securely stored and disposed of in a secure, approved manner in accordance with data handling and destruction policies and procedures

Hardcopy paper records of Confidential data shall only be created based on a business need and shall be avoided whenever possible

Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed

Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement or as mandated by law or regulation, and the explicit written permission of management or the data owner

Restricted Data Handling Restricted data is subject to the following protection and handling requirements:

Access is restricted to users with a need-to-know based on business requirements

Restricted systems shall not allow unauthenticated or anonymous access

Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner

Paper records shall be securely stored and disposed of in a secure, approved manner in accordance with data handling and destruction policies and procedures

Restricted data shall not be stored on removable media including USB drives, CDs, or DVDs

Public Data Handling
No special protection or handling controls are required for public data. Public data may be freely distributed.

Data Retention
The company shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with security leadership and/or legal counsel, may determine retention periods for their data. Personally identifiable information (PII) shall be deleted or de-identified when it no longer has a business use. Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.

Data & Device Disposal
Data classified as restricted or confidential shall be securely deleted when no longer needed. The organization shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third parties who meet company requirements for secure data disposal shall be used for the storage and processing of restricted or confidential data. Where feasible, all restricted and confidential data will be securely deleted from company devices prior to, or at the time of, disposal. Confidential and Restricted hardcopy materials shall be shredded or otherwise disposed of using a secure method. Personally identifiable information (PII) shall be collected, used and retained only for as long as the company has a legitimate business purpose. PII shall be securely deleted and disposed of following contract termination in accordance with company policy, contractual commitments and all relevant laws and regulations. PII shall also be deleted in response to a verified request from a consumer or data subject, where the company does not have a legitimate business interest or other legal obligation to retain the data.

Annual Data Review
Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.

Legal Requirements
Under certain circumstances, the organization may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with the company's legal counsel to evaluate continuing requirements and scope.

Policy Compliance
The company will measure and verify compliance with this policy through various methods, including but not limited to business tool reports and both internal and external audits.

Exceptions
Requests for an exception to this policy must be submitted to the Security Delegate for approval.

Violations & Enforcement
Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

APPENDIX A Internal Retention and Disposal Procedure
Engineering personnel are responsible for setting and enforcing the data retention and disposal procedures for company-managed accounts and devices.

Customer Accounts: Customer accounts and data shall be deleted within ninety (90) days of contract termination and the data no longer being needed for business purposes, through manual data deletion processes.

Devices: Employee devices will be collected promptly upon an employee's termination.

Remote employees will be sent a shipping label and the return of their device shall be monitored.

Collected devices will be cleared to be re-provisioned or removed from inventory.

The company will securely erase the device when reprovisioning. Device images may be retained at the discretion of management for business purposes. The company may employ a third party to manage the above.

Destroying Devices or Electronic Media
In cases where a device is damaged in a way that it cannot be accessed in order to erase the drive, the company may optionally decide to use an e-waste service that includes data destruction with a certificate. Certificates of destruction will be kept on record for one year. Physical destruction can be optional if it is verified that the device is encrypted with Full Disk Encryption, which would negate the risk of data recovery.

APPENDIX B Data Retention Matrix
System or Application | Data Description | Retention Period

Company SaaS Products | Customer Data | Up to 90 days after contract termination
Company Support | Customer instance and metadata, debugging data | Indefinite
Company Customer Support Tickets | Support Tickets and Cases | Indefinite
Company Customer Support Phone Conversations | Support Phone Conversations | Indefinite
Company Security Event Data | Security and system event and log data, network data flow logs | On-Premise: Indefinite; Cloud/Host Instance: 1 year
Company Vulnerability Scan Data | Vulnerability scan results and detection data | 6 months; host (asset) data is retained until removed and purged from the vulnerability management tool
Company Customer Sales | Opportunity and Sales Data | Indefinite
Company QA and Testing Data | QA, testing scenarios, and results data | Indefinite
Security Policies | Security Policies | 1 year after archive
Temporary Files | IaaS /tmp ephemeral storage | Deleted automatically when the process finishes

Document History
Version | Date | Description | Written by | Approved by
1.0.0 | 2025-04-14 | Initial Version | Ryan Rich | Haili Coombe

Human Resource Security Policy

Purpose

To ensure that company personnel meet security requirements, understand their responsibilities, and are suitable for their roles.

To minimize human risk.

Scope
This policy applies to all employees, consultants, contractors, and other third-party entities with access to company production networks and system resources.

Policy

Screening
Background verification checks on company personnel shall be carried out in accordance with relevant laws and regulations, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. Background screening shall include criminal history checks unless prohibited by local statute. All employees with technical privileged or administrative access to company production systems or networks are subject to a background check or requirement to provide evidence of an acceptable background, based on their level of access and the perceived risk.

Competence & Performance Assessment
The skills and competence of employees and contractors shall be assessed by human resources staff, the hiring manager, or his or her designees as part of the hiring process. Required skills and competencies shall be listed in job descriptions and requisitions, and/or aligned with the responsibilities outlined in the Information Security Roles and Responsibilities Policy. Competency evaluations may include reference checks, education and certification verifications, technical testing, and interviews. All company employees will undergo periodic performance reviews which will include an assessment of job performance, competence in the role, adherence to company policies and code of conduct, and achievement of role-specific objectives.

Terms & Conditions of Employment
Company policies and information security roles and responsibilities shall be communicated to employees and third parties at the time of hire or engagement, and employees and contractors are required to formally acknowledge their understanding and acceptance of their security responsibilities. Employees with access to company or customer information shall sign appropriate non-disclosure, confidentiality, and code-of-conduct agreements. Contractual agreements shall state responsibilities for information security as needed. Employees and relevant third parties shall follow all Company information security policies.

Management Responsibilities
Management shall be responsible for ensuring that information security policies and procedures are reviewed annually, distributed, and available. Additionally, they will ensure all employees and contractors abide by those policies and procedures for the duration of their employment or engagement. Annual policy review shall include a review of any linked or referenced procedures, standards, or guidelines. Management shall ensure that information security responsibilities are communicated to individuals, through written job descriptions, policies, or some other documented method that is accurately updated and maintained. Compliance with information security policies and procedures and fulfillment of information security responsibilities shall be evaluated as part of the performance review process wherever applicable. Management shall consider excessive pressures and opportunities for fraud when establishing incentives and segregating roles, responsibilities, and authorities.

Information Security Awareness, Education & Training
All Company employees and contractors with administrative or privileged technical access to Company production systems and networks shall complete security awareness training at the time of hire and annually thereafter. Management shall monitor training completion and shall take appropriate steps to ensure compliance with this policy. Employees and contractors shall be aware of relevant information security and data privacy policies and procedures. The company shall ensure that personnel receive security and data privacy training appropriate to their role and data handling responsibilities. In order to maintain a robust level of security awareness, the company will provide security-related updates and communications to company personnel on an ongoing basis through multiple communication channels as needed. Information security leaders and managers shall ensure appropriate professional development occurs to provide an understanding of current threats and trends in the security landscape. Security leaders and key stakeholders shall attend training, obtain and maintain relevant certifications, and maintain memberships in industry groups as appropriate.

Termination Process
Employee and contractor termination and offboarding processes shall ensure that physical and logical access is promptly revoked in accordance with company SLAs and policies and that all company-issued equipment is returned. Any security or confidentiality agreements that remain valid after termination shall be communicated to the employee or contractor at the time of termination.

Disciplinary Process
Employees and contractors who violate Company information security policies shall be subject to a progressive disciplinary process, up to and including termination of employment or contract.

Exceptions
Requests for an exception to this policy must be submitted to the Security Delegate for approval.

Violations & Enforcement
Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company policies up to and including termination of employment.

Document History
Version | Date | Description | Written by | Approved by
1.0.0 | 2025 | Initial Version | Ryan Rich | Haili Coombe

Incident Response Plan

Purpose

To establish the plan for managing information security incidents and events.

To offer guidance for employees or incident responders who believe they have discovered, or are responding to, a security incident.

Scope
This policy covers all information security or data privacy events or incidents impacting non-public Company data.

Incident and Event Definitions
A security event is an observable occurrence relevant to the confidentiality, availability, integrity, or privacy of company-controlled data, systems, or networks. A security incident is a security event that results in loss or damage to the confidentiality, availability, integrity, or privacy of company-controlled data, systems, or networks.

Incident Reporting & Documentation

Reporting
If a Company employee or contractor becomes aware of an information security event or incident, possible incident, imminent incident, unauthorized access, policy violation, security weakness, or suspicious activity, then they shall immediately report the information using one of the following communication channels:

Email or message your supervisor about the event or incident

Send a Slack message to the Security Delegate

Reporters should act as good witnesses and behave as if they are reporting a crime. Reports should include specific details about what has been observed or discovered.

Severity and Escalation
The Security Delegate shall monitor security incident notifications and assign a severity based on the following categories.

P2/P3 Low and Medium Severity
This level of severity pertains to incidents that are unconfirmed or exhibit unusual behavior, necessitating further investigation. There is no definitive evidence suggesting a significant risk to systems. Immediate emergency response is not required. Examples include encrypted laptops that are lost or stolen, suspicious emails, system outages, and unusual activities observed on a laptop.
Escalation: Must be tracked and assigned to the appropriate department for response.

P1 High Severity
High severity issues are those where there's a strong likelihood of an attack or exploitation, even though direct evidence of an adversary's presence or active exploitation hasn't been confirmed. These include scenarios like a lost or stolen laptop without encryption, vulnerabilities that are highly exploitable, threats indicating potential or ongoing unauthorized access to our systems (such as backdoors or malware), and unauthorized access to sensitive business data (like passwords, details of vulnerabilities, or payment information).
Escalation: This must be documented, and the appropriate manager (see P0 below) must also be notified via Slack with a reference to more information.

P0 Critical Severity
Critical issues are those involving active exploitation by a malicious actor, or threats that pose a risk of physical harm to any individual. To be classified under this severity category, there must be clear evidence of ongoing exploitation.
Escalation: Immediate notification to senior management.

Incidents will be closed within the following SLAs, when feasible:

Determined Severity | Remediation Time
Low (P3) | 90 Days
Medium (P2) | 90 Days
High (P1) | 14 Days
Critical (P0) | 7 Days

Documentation
All reported security events, incidents, and response activities shall be documented and adequately protected in Google Drive or the ticketing system. A root cause analysis may be performed on all verified S1 security incidents. A root cause analysis report shall be documented and referenced in the incident documentation. The root cause analysis shall be reviewed by the Security Delegate, who shall determine if a post-mortem meeting will be called.

Incident Response Process
For critical issues, the response team will follow an iterative response process designed to investigate, contain exploitation, eradicate the threat, recover systems and services, remediate vulnerabilities, and document a post-mortem report including the lessons learned from the incident.

Summary

Event reported

Triage and analysis Investigation

Containment & neutralization (short-term/triage)

Recovery & vulnerability remediation

Hardening & Detection improvements (lessons learned, long-term response)

Detailed

Security Delegate will manage the incident response effort

If necessary, a dedicated Slack channel will be created for the incident

A recurring, daily Incident Response Meeting will occur at regular intervals until the incident is resolved

Legal, staff, and 3rd parties (partners and customers) will be informed as required

Incident Response Meeting Agenda

Update documentation and timelines

Document new Indicators of Compromise (IOCs)

Perform investigative Q&A

Apply emergency mitigations

External Reporting / Breach Reporting (if necessary)

Plan long-term mitigations

Document or update Root Cause Analysis (RCA)

Additional items as needed

Special Considerations

Internal Issues
When the suspected malicious actor is an internal employee, contractor, vendor, or partner, the situation demands discreet management. In such cases, the incident manager must directly contact the Security Delegate and refrain from discussing the matter with other employees. These are considered critical issues that require immediate and careful follow-up.

Compromised Communications
If there are IT communication risks, an out-of-band solution will be chosen and communicated to incident responders via mobile phone messaging.

Root Account Compromise
If a cloud provider root account compromise is known or expected, refer to the playbook in Appendix C.

Additional Requirements

Suspected and reported events and incidents shall be documented

Suspected incidents shall be assessed and classified as either an event or an incident

Incident response shall be performed according to this plan and any associated procedures.

All incidents shall be formally documented, and a documented root cause analysis shall be performed on S1 incidents

Incident responders shall collect, store, and preserve incident-related evidence in accordance with industry guidance and best practices

Suspected and confirmed unauthorized access events shall be reviewed by the Incident Response Team to determine if a data breach has occurred. Breach determinations shall only be made by the CEO and Security Delegate.

The company shall promptly and properly notify customers, partners, users, affected parties, and regulatory agencies of relevant incidents or breaches in accordance with Company policies, contractual commitments, and regulatory requirements, as determined by the CEO and Security Delegate.

External Communications and Breach Reporting
Legal and executive staff shall confer with technical teams and the Security Delegate in the event of unauthorized access to company or customer systems, networks, and/or data. Legal staff along with the CEO shall determine if breach reporting or external communications are required. Breaches shall be reported to customers, consumers, data subjects, and regulators without undue delay and in accordance with all contractual commitments and applicable legislation. No personnel may disclose information regarding incidents or potential breaches to any third party or unauthorized person without the approval of legal and/or executive management.

Mitigation and Remediation
Legal and the Security Delegate shall determine any immediate or long-term mitigations or remedial actions that need to be taken as a result of an incident or breach. In the event that mitigations or remedial actions are needed, executive staff shall direct personnel with respect to planning, communicating, and executing those activities.

Cooperation with Customers, Data Controllers and Authorities
As needed and determined by legal and the Security Delegate, the company shall cooperate with customers, Data Controllers, and regulators to fulfill all of its obligations in the event of an incident or data breach.

Roles & Responsibilities
Every employee and user of any Company information resources has responsibilities toward the protection of the information assets. The table below establishes the specific responsibilities of the incident responder roles.

Response Team Members
Role | Responsibility

Security Delegate | The primary and ultimate decision maker during the response period. Ultimately responsible for resolving the incident and formally closing incident response actions. See Appendix A for contact information. These responsibilities include:

Ensuring the right people from all functions are actively involved as appropriate

Communicating status updates to the appropriate person or teams at regular intervals

Resolving incidents in the immediate term

Determining necessary follow-up actions

Assigning follow-up activities to the appropriate people

Promptly reporting incident details which may trigger breach reporting, in writing, to the CEO

Incident Response Team (IRT) | The individuals who have been engaged and are actively working on the incident. All members of the IRT will remain engaged in incident response until the incident is formally resolved, or they are formally dismissed by the Incident Manager.

Engineers (Support and Development) | Qualified engineers will be placed into the on-call rotation and may act as the Security Delegate (if primary resources are not available) or a member of the IRT when engaged to respond to an incident. Engineers are responsible for understanding the technologies and components of the information systems, the security controls in place including logging, monitoring, and alerting tools, appropriate communications channels, incident response protocols, escalation procedures, and documentation requirements. When Engineers are engaged in incident response, they become members of the IRT.

Users | Company employees and contractors, referred to as 'users', are responsible for adhering to company policies. They must report any issues, suspected problems, vulnerabilities, unusual activities, and security incidents or events.

Customers | Customers are encouraged to report problems with their use of Company services.

Legal Counsel | Responsible, in conjunction with the CEO and Security Delegate, for determining if an incident presents legal or regulatory exposure as well as whether an incident shall be considered a reportable breach. Counsel shall review and approve in writing all external breach notices before they are sent to any external party.

Executive Management | Responsible, in conjunction with the CEO and Legal Counsel, for determining if an incident shall be considered a reportable breach. An appropriate company officer shall review and approve in writing all external breach notices before they are sent to any external party. The company shall seek stakeholder consensus when determining whether a breach has occurred. The Company CEO shall make a final breach determination in the event that consensus cannot be reached.

Management Commitment
Company management has approved this policy and commits to providing the resources, tools, and training needed to reasonably respond to identified security events and incidents with the potential to adversely affect the company or its customers.

Exceptions
Requests for an exception to this Policy must be submitted to and authorized by the Security Delegate for approval. Exceptions shall be documented.

Violations & Enforcement
Any known violations of this policy should be reported to the Security Delegate. Violations of this policy may result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Appendix A Contact Information
Contacts for company personnel as well as the Security Delegate can be found in Slack.

Appendix B Incident Collection Form

Incident Detector's Information

Name

Title

Phone

Email

Incident Information

Incident Overview

Date and Time Detected

Location Incident Detected From

Additional Information

Type of Incident:
_ Denial of Service
_ Unauthorized Use
_ Hoax
_ Probe
_ Malicious Code
_ Unauthorized Access
_ Other:

Incident Location

Site

Site Point of Contact

Phone

Email

Additional Information

How was the Incident Detected?

Location(s) of affected systems

Date and time incident handlers arrived at site

Describe affected information system(s) (one form per system is recommended)

Hardware Manufacturer

Serial Number

Corporate Property Number (if applicable)

Is the affected system connected to a network? _ Yes _ No

Describe the physical security of the location of affected information systems (locks, security alarms, building access, etc.)

Isolate affected systems

Approval to remove from the network? _ Yes _ No
If Yes, provide the name of the Approver. Name:
If No, provide the Reason. Reason:

Date and Time Removed

Backup of Affected System(s)

Last System backup successful? _ Yes _ No

Name of persons who did backup

Date and time last backups started

Date and time last backups completed

Backup Storage Location

Incident Eradication

Name of persons performing forensics

Was the vulnerability (root cause) identified _ Yes _ No

Please describe the Vulnerability

How was eradication validated

Appendix C Cloud Provider Root Account Compromise Playbook

Incident Response Runbook: Root Usage

Objective
The objective of this runbook is to provide specific guidance on how to manage Root cloud account usage. This runbook is not a substitute for an in-depth Incident Response strategy. This runbook focuses on the IR lifecycle:

Establish control.

Determine impact.

Recover as needed.

Investigate the root cause. Improve.

The Indicators of Compromise (IOC) and remediation steps (stop the bleeding) are listed below.

Indicators of Compromise

Activity that is abnormal for the account:

Creation of new users.

Monitoring/logging turned off.

Notifications paused.

Automated actions paused.

Launching of new or unexpected resources.

Changes to the contacts on the account.

Steps to Remediate - Establish Control

Cloud provider documentation for a possibly compromised account should call out the specific tasks listed below.

Contact cloud provider support as soon as possible.

Change and rotate the root password and add an MFA device associated with root.

Rotate passwords and access/secret keys; use the CLI commands relevant to the remediation steps.

Review actions taken by the root user. Open the runbooks for those actions.

Close the incident. Review the incident and understand what happened. Fix the underlying issues, implement improvements, and update the runbook as needed.

Further Action Items - Determine Impact

Review created items and mutating calls. There may be items that have been created to allow access in the future. Some things to look at:

Cross-account roles.

Users.

Storage.

Virtual servers.

Other cloud services in production accounts
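The indicators listed earlier and the determine-impact step above (review created items and mutating calls) can both be driven from the provider's audit log. The script below is an added example for this packet; it is not the cloud provider's tooling and not part of the original runbook. It assumes the AWS CloudTrail JSON event shape (userIdentity.type, eventName, eventSource, readOnly, sourceIPAddress); the IOC-to-API-call mapping and the sample events are assumptions constructed for the example and should be tuned to the account in question.

```python
"""Triage cloud audit-log events for the root-usage IOCs in this playbook.

Added example for this packet, not the cloud provider's tooling. It assumes the
AWS CloudTrail JSON event shape (userIdentity.type, eventName, eventSource,
readOnly, sourceIPAddress); other providers need a different field mapping.
All events below are constructed for illustration.
"""
import json
from collections import Counter

# Playbook IOC -> API call names that would produce it. The mapping is this
# example's assumption; extend it with the calls that matter in your account.
IOC_EVENT_NAMES = {
    "root sign-in": {"ConsoleLogin"},
    "creation of new users or credentials": {
        "CreateUser", "CreateAccessKey", "CreateLoginProfile"},
    "monitoring/logging turned off": {
        "StopLogging", "DeleteTrail", "PutEventSelectors"},
    "notifications paused": {"DisableAlarmActions", "DeleteAlarms"},
    "automated actions paused": {"DisableRule", "DeleteRule"},
    "launch of new or unexpected resources": {"RunInstances", "CreateFunction"},
    "changes to account contacts": {"PutAlternateContact", "PutContactInformation"},
}
EVENT_TO_IOC = {name: ioc for ioc, names in IOC_EVENT_NAMES.items() for name in names}

# Constructed sample (deliberately out of time order): three root actions from
# one unfamiliar address, one benign read-only root call, and one user creation
# by an ordinary IAM user that must not be attributed to root.
ROOT = {"type": "Root", "accountId": "111122223333"}
SAMPLE_EVENTS = [
    {"eventTime": "2025-04-14T02:13:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False, "sourceIPAddress": "203.0.113.7",
     "userIdentity": ROOT, "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2025-04-14T02:11:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "readOnly": False, "sourceIPAddress": "203.0.113.7",
     "userIdentity": ROOT, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-04-14T02:14:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "readOnly": False, "sourceIPAddress": "203.0.113.7",
     "userIdentity": ROOT, "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2025-04-14T02:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": True, "sourceIPAddress": "203.0.113.7",
     "userIdentity": ROOT},
    {"eventTime": "2025-04-14T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False, "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
]


def load_records(text):
    """Parse a CloudTrail log file ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def is_root(event):
    return event.get("userIdentity", {}).get("type") == "Root"


def classify_root_event(event):
    """Return the playbook IOC an event matches, or None (non-root or not an IOC)."""
    if not is_root(event):
        return None
    return EVENT_TO_IOC.get(event.get("eventName"))


def find_root_iocs(events):
    """Establish-control input: every root event matching an IOC, in time order."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ioc = classify_root_event(ev)
        if ioc:
            findings.append({
                "eventTime": ev["eventTime"],
                "eventName": ev["eventName"],
                "ioc": ioc,
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "requestParameters": ev.get("requestParameters", {}),
            })
    return findings


def mutating_root_calls(events):
    """Determine-impact input: every non-read-only root call, so each is reviewed.

    Events without a readOnly flag are treated as mutating (conservative)."""
    return [(e["eventSource"], e["eventName"])
            for e in events if is_root(e) and not e.get("readOnly", False)]


def root_activity_by_ip(events):
    """Count root events per source address; an unfamiliar address is itself a lead."""
    return Counter(e.get("sourceIPAddress", "unknown") for e in events if is_root(e))


if __name__ == "__main__":
    print(json.dumps(find_root_iocs(SAMPLE_EVENTS), indent=2))
    print(mutating_root_calls(SAMPLE_EVENTS))
    print(dict(root_activity_by_ip(SAMPLE_EVENTS)))
```

Run it against an exported trail file with `load_records(open(path).read())` in place of SAMPLE_EVENTS. The read-only call and the non-root user creation are intentionally excluded from the IOC findings, and the mutating-call list is kept separate because the playbook wants every root change reviewed, not only the ones that match a known indicator.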

Document History Version Date Description Written by Approved by

1.0.0 2025 04 14 Initial Version Ryan Rich Haili Coombe

Information Security Policy

Overview

This Information Security Policy aims to safeguard the company's employees, partners, and the company itself from harmful actions, whether intentional or unintentional, by any individual. All company-owned or managed systems, including but not limited to computers, software, operating systems, storage devices, and network accounts used for email, chat, web browsing, and file transfers, are company property. These systems should be used to support the company's interests, as well as those of our clients, customers, and partners in regular business activities. Effective security is a collaborative effort that requires the active participation and support of every company employee or contractor who interacts with company information and/or information systems. It is the responsibility of every team member to read, understand, and adhere to this policy, conducting their activities in a manner that is compliant with these guidelines.

Purpose

The purpose of this policy is to communicate our information security policies and outline the acceptable use and protection of the company's information and assets. These rules are in place to protect customers, employees, and the company. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, financial and reputational risk, and legal and compliance issues. The company "Information Security Policy" consists of this policy and all company policies referenced and/or linked within this document.

Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct company business or interact with internal networks and business systems, whether owned or leased by the company, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at the company and its subsidiaries are responsible for exercising good judgment regarding the appropriate use of information, electronic devices, and network resources in accordance with company policies and standards, and local laws and regulations. This policy applies to employees, contractors, consultants, and other workers at the company, including all personnel affiliated with third parties. This policy applies to all company-controlled company and customer data as well as all equipment, systems, networks, and software owned or leased by the company.

Security Incident Reporting

All users are required to report known or suspected security events or incidents, including policy violations and observed security weaknesses. Incidents shall be reported immediately or as soon as possible by sending a message to the Security Delegate via email or other messaging communication means. In your message, please describe the incident or observation along with any relevant details.

Whistleblower Anonymous Fraud Reporting

Our Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that we can address and correct inappropriate conduct and actions. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of laws or regulations that govern our operations. It is contrary to our values for anyone to retaliate against any employee or other person who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, suspected fraud, or suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment.

Mobile Device Policy

All end-user devices (e.g., mobile phones, tablets, laptops, desktops) must comply with this policy. Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware, and when adding external users to tools such as chat applications (e.g., Slack, Teams) and other SaaS apps. System-level and user-level passwords must comply with the Access Control Policy. Providing access to another individual, either deliberately or through failure to secure a device, is prohibited. All end-user, personal (BYOD), or company-owned devices used to access company information systems (e.g., email, chat applications such as Slack or Teams, Google services) or data must adhere to the following rules and requirements:

Devices must be locked with a password (or equivalent control such as biometric) protected screensaver or screen lock after 15 minutes of non-use.

Devices must be locked whenever left unattended

Users must report any suspected misuse or theft of a mobile device immediately to the Security Delegate

Confidential information must not be stored on mobile devices or USB drives (this does not apply to business contact information, e.g., names, phone numbers, and email addresses); "stored" in this context does not mean accessed via mobile apps.

Any mobile device used to access company resources (such as file shares and email) must not be shared with any other person

Upon termination, users agree to return all company-owned devices and delete all company information and accounts from any personal devices

Clear Screen Clear Desk Policy

Users shall not leave confidential materials unsecured on their desk or workspace and will ensure that screens are locked when not in use, especially in any public areas.

Remote Working and Access Policy

Remote working refers to any situation where organizational personnel operate from locations outside the company offices. This includes teleworking, telecommuting, flexible workplace, virtual work environments, and remote maintenance. Laptops and other computer resources that are used to access the company network must conform to the security requirements outlined in the company's Information Security Policies and adhere to the following standards:

Company rules shall be followed while working remotely including clear desk protocols, printing, disposal of assets, and information security event reporting to prevent mishandling or accidental exposure of sensitive information.

To prevent a compromised mobile device from connecting to the company network, antivirus policy requires the use and enforcement of client-side antivirus software on all computers.

On computers, antivirus software must be configured to detect and prevent or quarantine malicious software, perform periodic system scans, and have automatic updates enabled

Use of a VPN is recommended when transmitting confidential information over public Wi-Fi to prevent potential eavesdropping or man-in-the-middle attacks.

When working from a home network, ensure that the default Wi-Fi router settings are changed, such as the network name, password, and administrator access.

Users must not connect to any outside network without a secure, up-to-date software firewall configured on the mobile computer.

On company-owned or issued computers, users are prohibited from changing or disabling any organizational security controls, such as personal firewalls or antivirus software, on systems used to access company resources

Use of remote access software and/or services (e.g., a VPN client) is allowable as long as it is provided by the company and configured for multifactor authentication (MFA)

Unauthorized remote access technologies may not be used or installed on any company system

If you access company systems or data from a public computer (e.g., from a business center, hotel, etc.), log out of the session and don't save anything. Don't check "remember me", collect all printed materials, and do not download files to a non-company controlled system

Acceptable Use Policy

Company proprietary and customer information stored on electronic and computing devices, whether owned or leased by the company, the employee, or a third party, remains the sole property of the company for the purposes of this policy. Employees and contractors must ensure through legal or technical means that proprietary information is protected in accordance with the Data Management Policy. The use of the company's cloud-based document storage service (such as Google Drive) for business file storage is required for users of laptops or company-issued devices. Storing important documents on the file share is how you "back up" your laptop. You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of company proprietary information or equipment. You may access, use, or share company proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties. Employees are responsible for exercising good judgment regarding the reasonableness of personal use of company-provided devices. For security and network maintenance purposes, authorized individuals within the company may monitor equipment, systems, and network traffic at any time. The company reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Unacceptable Use

Employees are generally forbidden from engaging in certain activities, except when these activities are a part of their legitimate job duties and they have received explicit approval from Management. It is important to note that using company-owned resources or representing the company in any way to engage in activities that are illegal at the local, state, federal, or international level is strictly prohibited. The following list is not all-inclusive but aims to outline the types of activities that are considered unacceptable use. The following activities are strictly prohibited:

Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the company

Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the company or the end user does not have an active license

Accessing company data, a server, or an account for any purpose other than conducting company business, even if you have authorized access

Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. The appropriate management shall be consulted prior to the export of any material that is in question

Introduction of malicious programs into the company network or systems (e.g., viruses, worms, Trojan horses, email bombs, etc.)

Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home

Using a company computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws

Making fraudulent offers of products, items, or services originating from any company account

Making statements about warranty, expressly or implied, unless it is a part of normal job duties

Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient, or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes

Port scanning or security scanning is expressly prohibited unless prior notification to the company engineering team is made

Executing any form of company network monitoring that will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty and/or is approved prior to doing it

Circumventing user authentication or security of any company host, network, or account

Introducing honeypots, honeynets, or similar technology on the company network

Interfering with or denying service to any user other than the employee's host (for example, a denial of service attack)

Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's session, via any means

Providing information about, or lists of, company employees, contractors, partners, or customers to parties outside the company without authorization

Using removable media to export or store company or customer data

Email and Communication Activities

When using company resources to access and use the Internet, users must realize they represent the company and act accordingly. The following activities are strictly prohibited:

Sending unsolicited email or chat messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam)

Any form of harassment via email, chat applications (e.g., Slack, Teams), telephone, or text, whether through language, frequency, or size of messages

Unauthorized use, or forging, of email header information

Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies

Creating or forwarding "chain letters", "Ponzi", or other "pyramid" schemes of any type

Use of unsolicited email originating from within company networks or other service providers on behalf of, or to advertise, any service hosted by the company or connected via the company's network

Additional Policies and Procedures Incorporated by Reference

Personnel are responsible for reading and complying with all policies relevant to their roles and responsibilities.

Policy Purpose

Access Control Policy To limit access to information and information processing systems, networks, and facilities to authorized parties in accordance with business objectives.

Asset Management Policy To identify organizational assets and define appropriate protection responsibilities.

Business Continuity & Disaster Recovery Plan To prepare the company in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame.

Cryptography Policy To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.

Data Management Policy To ensure that information is classified and protected in accordance with its importance to the organization.

Human Resources Policy To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.

Incident Response Plan Policy and procedures for suspected or confirmed information security incidents.

Operations Security Policy To ensure the correct and secure operation of information processing systems and facilities.

Physical Security Policy To prevent unauthorized physical access or damage to the organization's information and information processing facilities.

Risk Management Policy To define the process for assessing and managing the company's information security risks in order to achieve the company's business and information security objectives.

Secure Development Policy To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.

Third-Party Management Policy To ensure the protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

Policy Compliance

The company will measure and verify compliance with this policy through various methods, including but not limited to ongoing monitoring, and both internal and external audits. Policies will be reviewed on a regular basis, at a minimum annually.

Exceptions

Requests for an exception to this policy must be submitted to the Security Delegate for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Document History Version Date Description Written by Approved by

1.0.0 2025 04 14 Initial Version Ryan Rich Haili Coombe

Information Security Roles and Responsibilities Policy

Statement of Policy

The company is committed to conducting business in compliance with all applicable laws, regulations, and company policies. The company has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

Objective

This policy and associated guidance establish the roles and responsibilities within the Company, which is critical for effective communication of information security policies and standards. Roles are required within the organization to provide clearly defined responsibilities and an understanding of how the protection of information is to be accomplished. Their purpose is to clarify, coordinate activity, and actions necessary to disseminate security policy, standards, and implementation.

Applicability

This policy is applicable to all Company infrastructure, network segments, systems, and employees and contractors who provide security and IT functions.

Audience

The audience for this policy includes all Company employees and contractors who are involved with the Information Security Program. Awareness of this policy applies to all other agents of the company with access to Company information and infrastructure. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. The titles will be referred to collectively hereafter as "Company community".

Roles and Responsibilities

Roles Responsibilities

Senior Management Approves Capital Expenditures for ISP and ISMS. Oversees the execution of information security and privacy risk management. Aligns Information Security and Privacy Policy with the company's strategic objectives. Responsible for reviewing vendor service contracts and ensuring staff qualifications.

Engineering Leadership Develops and maintains development and cloud hosting security controls.

Security Officer

Responsible for compliance with the company's contractual commitments

Responsible for maintaining compliance with relevant data privacy and information security laws and regulations (e.g., GDPR, CCPA)

Responsible for adherence to company-adopted information security and data privacy standards and frameworks, including SOC 2, ISO 27001, and Microsoft Supplier Data Protection Requirements (DPR)

Responsible for oversight of the third-party risk management process

Ensuring appropriate testing and background checks are completed on staff

Ensuring that employees and relevant contractors are presented with company policies

Ensuring that employees receive appropriate security training

Security Delegate

Oversight of the implementation of information security controls for infrastructure and IT processes

Responsible for the design, development, implementation, operation, maintenance, and monitoring of IT security controls

Ensures IT puts into practice the Information Security Framework

Responsible for conducting IT risk assessments, documenting identified threats, and maintaining the risk register

Communicates information security risks to executive leadership

Reports information security risks annually to company leadership and gains approvals to bring risks to acceptable levels

Coordinates the development and maintenance of information security policies and standards

Works with applicable executive leadership to establish an information security framework and awareness program

Serves as liaison to the Board of Directors, Law Enforcement, Internal Audit, and General Counsel

Oversight of Identity Management and Access Control processes

Responsible for the design and monitoring of development and commercial cloud hosting security controls

Responsible for oversight of policy development related to systems and software under their control

Responsible for implementing risk management in the development process aligned with company goals

Oversight of information security in the software development process

Application Owners Maintains confidentiality, integrity, and availability of their information systems. Approves technical access and change requests.

Staff Adheres to company policies and standards of conduct.

Reports incidents and anomalies.

Helps identify and minimize risks.

Policy Compliance

The Security Officer will measure compliance with this policy through various methods, including, but not limited to, reports, internal/external audits, and feedback to the policy owner. Exceptions to the policy must be approved by the Security Officer in advance. Non-compliance will be addressed with management and Human Resources and can result in disciplinary action in accordance with company procedures up to and including termination of employment.

Document History Version Date Description Written by Approved by

1.0.0 2025 04 14 Initial Version Ryan Rich Haili Coombe

Operations Security Policy Purpose

To ensure the correct and secure operation of information processing systems and facilities.

Scope

All Company information systems that are business critical and/or process, store, or transmit company data. This Policy applies to all personnel, including employees and contractors, of the Company and other third-party entities with access to Company networks and system resources.

Operations Security

Documented Operating Procedures

Both technical and administrative operating procedures shall be documented as needed and made available to all users who need them.

Change Management

Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems shall be tested, reviewed, and approved prior to production deployment. All significant changes to in-scope systems and networks will be documented.

1. Change Documentation and Review:

All significant changes to systems, networks, and processing facilities must be documented (the use of automated documentation creation tools is permissible). This includes new regions used for cloud-based deployments.

The documentation must encompass the change's purpose, specification, potential impact considering dependencies, and deployment plan.

Significant changes should be tested and reviewed in environments segregated from both production and development (e.g., staging environments).

2. Approval and Authorization:

Changes with substantial impact on information security and operational functionalities must obtain review before deployment (the use of automated review tools is permissible).

Emergency changes may be expedited but must undergo a retrospective review and authorization.

3. Change Management Procedures:

Planning and Impact Assessment: Evaluate potential impacts of the changes considering system dependencies.

Authorization: Secure necessary approvals before initiating changes

Communication: Inform relevant internal and external stakeholders about the planned changes, schedules, and expected impact in advance.

Testing and Quality Control: Ensure changes are tested thoroughly and meet quality standards before implementation.

Implementation and Deployment: Execute changes in alignment with the planned deployment schedule

Documentation Maintenance: Ensure that the ticketing system or the code repository platform stores a record of changes, commits, and deployments. In lieu of code repository or ticketing system documentation, text documents may also be used.

4. Continuity and Consistency:

Ensure that the business continuity plans, response, and recovery procedures are updated to remain appropriate and consistent with the changes made.

Ensure operating documentation and user procedures are modified to remain relevant.

5. Security and Integrity:

Ensure that changes preserve and do not compromise the confidentiality, integrity, and availability (CIA) of company systems and data.

Capacity Management

The use of processing resources and system storage shall be monitored and adjusted to ensure that system availability and performance meet company-documented standards and contractual requirements. Human resource skills, availability, and capacity shall be reviewed and considered as a component of capacity planning and as part of the annual risk assessment process. Scaling resources, including cloud resources, for additional processing or storage capacity, without changes to the system, can be done outside of the standard change management and code deployment process.

Data Leakage Prevention

To minimize the risk of leakage of sensitive information, the company shall:

Identify and classify information in accordance with the Data Management Policy

Provide awareness training to users including the appropriate use and handling of sensitive information

Separation of Production and Development Environments

Development and staging environments, when used, shall be segregated from production environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data must not be used in development or test environments without the express approval of company management. Refer to the Data Management Policy for a description of Confidential data. If production customer data is approved for use in the course of development or testing, it shall be scrubbed of any such sensitive information whenever feasible.

Systems and Network Configuration, Hardening, and Review

Systems and networks shall be provisioned and maintained in accordance with the configuration and hardening standards described in Appendix A to this policy. Firewalls and/or appropriate network access controls and configurations shall be used to control network traffic to and from the production environment in accordance with this policy. Production network access configuration rules shall be reviewed at least annually. Tickets shall be created to obtain approvals for any needed changes; if ticketing systems are not feasible, text documents may be used.

Protection from Malware

In order to protect the company's infrastructure against the introduction of malicious software, detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. Anti-malware protections shall be utilized on all company-issued devices except for those running operating systems not normally prone to malicious software (e.g., macOS). Additionally, threat detection and response software shall be utilized for company email when feasible. The anti-malware protections utilized shall be capable of detecting common forms of malicious threats and performing the appropriate mitigation activity (such as removing, blocking, or quarantining).
Where feasible, the company will scan all files upon their introduction to systems, and continually scan files upon access, modification, or download, except on systems running operating systems not normally prone to malicious software. Anti-malware definition and engine updates should be configured to be downloaded and installed automatically whenever new updates are available. Known or suspected malware incidents must be reported as a security incident. It is a violation of company policy to disable or alter the configuration of anti-malware protections without the authorization of the Security Delegate.

Information Backup

The need for backups of company systems, databases, information, and data shall be considered and appropriate backup processes shall be designed, planned, and implemented. Backup procedures must include procedures for maintaining and recovering customer data in accordance with documented SLAs and other contractual obligations. Security measures to protect backups shall be designed and applied in accordance with the confidentiality or sensitivity of the data. Backup copies of company information, software, and system images shall be taken regularly to protect against loss of data. Backups must be stored separately from the production data location. This requirement can be achieved using backup capabilities of cloud infrastructure providers. The company does not regularly back up user devices like laptops. Users are expected to store critical files and information in company-sanctioned file storage repositories. Backups are configured to run on an ongoing basis on in-scope systems. The backup schedules are maintained within the backup application software. A backup restore test should be performed at least annually to validate the backup data and backup process.

Logging & Monitoring

Production company infrastructure shall be configured to produce detailed logs appropriate to the function served by the system or device.
Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept, and reviewed through manual or automated processes as needed. Appropriate alerts shall be configured for events that represent a significant threat to the confidentiality, availability, or integrity of production systems or Confidential data. Where feasible, logging should meet the following criteria for production applications and supporting infrastructure:

Log user log-in and log-out

Log CRUD (create, read, update, delete) operations on application and system users and objects

Log security settings changes (including disabling or modifying of logging)

Log application owner or administrator access to customer data (i.e. Access Transparency)

Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.

Logs must be stored for at least 30 days

Protection of Log Information

Logging systems and log information shall be protected against tampering and unauthorized access.

Administrator & Operator Logs

System administrator and system operator activities shall be logged and reviewed and/or alerted on in accordance with the system classification and criticality.

Data Restore Logs

If the company needs to restore production data containing PII from backups, either to provide services or for testing purposes, the restore shall be logged or tracked in auditable tickets.

Clock Synchronization

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to network time servers using reputable time sources.

Control of Operational Software

The installation of software on production systems shall follow the change management requirements defined in this policy. In some cases, in particular for cloud services, software installed or updated by the cloud service provider does not follow the company's change management requirements.

Technical Vulnerability Management

Information about technical vulnerabilities of company information systems being used shall be obtained in a timely fashion, the company's exposure to such vulnerabilities shall be evaluated, and appropriate measures taken to address the associated risk. A variety of methods shall be used to obtain information about technical vulnerabilities.

Vulnerability scans shall be performed on public-facing systems in the production environment at least quarterly. The company shall evaluate the severity of vulnerabilities identified from any source, and if a vulnerability is determined to be a risk-relevant critical or high-risk vulnerability, a service ticket will be created. Tickets are assigned to the system, application, or platform owners for further investigation and/or remediation. In place of tickets, text documents may be used. Assessed vulnerabilities shall be patched or remediated in the following timeframes:

Determined Severity   Remediation Time
Critical              30 Days
High                  60 Days
Medium                120 Days
Low                   As needed
Informational         As needed

Service tickets or other forms of vulnerability remediation tracking for any vulnerability that cannot be remediated within the standard timeline must show a risk acceptance plan or planned remediation timeline.

Restrictions on Software Installation

Rules governing the installation of software by users shall be established and implemented in accordance with the Company Information Security Policy.

Systems Security Assessment & Requirements

Risks shall be considered prior to the acquisition of, or significant changes to, company systems, technologies, or facilities. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.

Exceptions

Requests for an exception to this policy must be submitted to the Security Delegate for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

APPENDIX A Configuration and Hardening Standards

Servers and Virtual Machines (for production systems)

This is the standard for system-level server and virtual server (VM) configuration hardening. Some customization to these settings may be required to configure the system for its specific target environment, such as setting the proper names, groups, authentication settings, and other personalization options. In addition to the requirements to secure systems to the baseline outlined above, all physical and virtual systems must adhere to the following technical requirements:

All vendor default passwords (including default passwords on operating systems, software providing security services, application and system accounts, Simple Network Management Protocol (SNMP) community strings, etc.) must be changed before a system is installed on the network.

Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, SNMP, etc.) must be removed or disabled before a system is installed on the network.

Only necessary services, protocols, daemons, etc., may be enabled, and only as required for the function of the system. All unnecessary functionality (such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers) must be disabled.

All security patches identified as critical and high must be applied to systems within SLAs established in this policy.

Network Standards (for production systems)

Management of network rules and settings may only be performed by authorized members of the development team, and all changes must comply with the Change Management procedures defined in the Operations Security Policy.

Management of production network systems is accomplished through the use of AWS network tooling.

Defined rules and configurations must be enforced to control traffic from untrusted networks (e.g. publicly available services) to internal production networks.

Network control systems must be configured to use default Network Address Translation to prevent the disclosure of internal IP addresses to the Internet.

Mobile devices connecting to production networks must meet the requirements of the Mobile Device Policy found in the Information Security Policy.

All network control systems must be configured with default antispoofing rules to block or deny inbound internal addresses originating from the Internet.

External configurations must limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

Use of insecure services and protocols without justification and documentation of additional security features implemented to mitigate risk is prohibited.

Remote access sessions must be configured to enforce timeout after a specified period of 8 hours.

Remote-access technologies for vendors and business partners used to access production systems must be enabled only when needed for business purposes and immediately deactivated after use.

Document History

Version   Date   Description       Written by   Approved by
1.0.0     2025   Initial Version   Ryan Rich    Haili Coombe

Physical Security Policy Purpose

To prevent unauthorized physical access or damage to the organization's information and information processing facilities, if and when such facilities are acquired by the company.

To ensure appropriate shared responsibility for cloud infrastructure.

Scope

This policy applies to all employees and external parties with physical access to any future company-owned, leased, or rented facilities, including co-working spaces. The company is currently remote-first and does not rent, lease, or own any physical locations at this time. The remainder of this physical security policy is a contingency and shall govern how employees work from physical locations owned by the company only when and if the company were to buy, lease, or rent a location in the future.

Policy

Physical Security Perimeter

If the company acquires physical offices or information processing facilities, they shall meet all local building codes for construction materials for walls, windows, doors, and access control mechanisms. Some interior zones may be identified as secure areas where physical access is further restricted to a subset of company personnel, such as private offices, wiring closets, print and server rooms, and server racks.

Physical Entry Controls

If the company acquires secure areas, they shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Where possible, company access control systems shall be tied to a centralized system that provides granular access control for individual personnel. Access events shall be appropriately logged and reviewed as needed according to risk. Cameras and intrusion detection systems shall be used at facilities that store or process production or sensitive internal company data.

Securing Offices, Rooms & Facilities

If the company acquires physical offices, rooms, or facilities, physical security shall be designed and applied to protect from theft, misuse, environmental threats, unauthorized access, and other threats to the confidentiality, integrity, and availability of classified data and systems.
Protecting Against External & Environmental Threats

If the company acquires physical facilities, protection against natural disasters, malicious attacks, or accidents shall be designed and applied. Secure areas shall be monitored through the use of appropriate controls, such as intrusion detection systems, alarms, and/or video surveillance systems, where feasible. Visitor and third-party access to secure areas shall be restricted to reduce the risk of information loss and theft. If the company acquires production processing facilities, they shall be equipped with appropriate environmental and business continuity controls including fire-suppression systems, climate control and monitoring systems, and emergency backup power systems. Physical information system hardware and supporting infrastructure shall be regularly serviced and maintained in accordance with the manufacturer's recommendations.

Working in Secure Areas / Visitor Management

If the company acquires secure areas, visitors, delivery personnel, outside support technicians, and other external agents shall not be permitted access without escort and/or appropriate oversight. Third parties in secure areas shall sign in and out on a visitor log and shall be escorted or monitored by company personnel. Company personnel observing unescorted visitors should approach the visitor, confirm their status, and ensure they return to approved areas, or report the observation to the responsible authority as needed. External party access to secure areas shall be confirmed with appropriate company personnel prior to being granted access. Company personnel providing access to external parties into secure areas are responsible for ensuring that the third-party personnel adhere to all security requirements, and are accountable for all actions taken by outsiders they provide with access.
Visitors may be allowed to work unescorted provided that the company sponsoring party can ensure that they will not have unauthorized access to company information systems, networks, or data.

Delivery & Loading Areas

If the company acquires secure areas with access points such as delivery and loading areas, these points shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Supplier, Vendor, and Third-Party Security

Suppliers, vendors, and third parties shall comply with company physical security and environmental controls requirements when feasible. The company shall assess the adequacy of third-party physical security controls as part of the vendor management process, in accordance with the Third-Party Management Policy.

Exceptions

Requests for an exception to this policy must be submitted to the Security Delegate for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Document History

Version   Date         Description       Written by   Approved by
1.0.0     2025-04-14   Initial Version   Ryan Rich    Haili Coombe

Risk Management Policy

Purpose:

This policy is designed to outline proactive measures for managing information security risks and seizing opportunities to enhance our security posture. It establishes a comprehensive plan aimed at achieving our objectives related to information security and privacy, ensuring a resilient and secure operational environment.

Scope:

All company IT systems that process, store, or transmit confidential, private, or business-critical data.

Risks that could affect the medium to long-term goals of the business should be considered as well as risks that will be encountered in the day-to-day delivery of services.

The company's risk management systems and processes will be targeted to achieve maximum benefit without increasing the bureaucratic burden and ultimately affecting core service delivery to the organization.

The company will therefore consider the materiality of risk in developing systems and processes to manage risk.

This Policy applies to all employees and to all relevant external parties, including but not limited to consultants and contractors, business partners, vendors, suppliers, outsourced service providers, and other third-party entities with access to company networks and system resources.

Risk Management Statement

The organization acknowledges that insufficient IT risk management poses substantial threats, including the potential compromise of business or customer network systems, services, and information, exposure to cyber-attacks, and the emergence of contractual or legal complications. To counteract these risks, the company commits to embedding risk management as a core component of its governance and operational framework, both at strategic and operational levels. The objective of our risk management policy is to safeguard the organization's ability to achieve its business plan aims and objectives, thereby ensuring the continuity and security of our operations and the protection of all stakeholders.

Risk Management Strategy

The company has developed processes to identify those risks that will hinder the achievement of its strategic and operational objectives. The company will therefore ensure that it has in place the means to identify, analyze, control, and monitor the strategic and operational risks it faces using this risk management policy based on best practices. The company will ensure the risk management strategy and policy are reviewed regularly and that internal audit functions are responsible for ensuring:

The risk management policy is applied to all applicable areas of the business

The risk management policy and its operational application are regularly reviewed

Non-compliance is reported to appropriate company officers and authorities

Practical Application of Risk Management

The company has adopted a standard format for use in the identification of risks, their classification, and evaluation. The format is based on the following NIST and ISO standards and frameworks:

ISO 27005

NIST 800-30

NIST 800-37

Risks are assessed and ranked according to their impact and their likelihood of occurrence. A formal Risk Assessment will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities performed in accordance with the Operations Security Policy.

Risk Categories

The company will consider and assess risks across the organization. Risk categories that should be considered for evaluation include:

Reputational

Contractual

Regulatory/Compliance

Economic/Financial

Fraud

Privacy

Environmental & Sustainability

Impact on People

Use of Cloud Services

Operational Capacity

Each risk will be assessed as to its likelihood and impact. Both impact and likelihood are assessed on a scale of 1-5. The impact can range from 1 ("Very low impact") to 5 ("Very high impact") and likelihood can range from 1 ("Very unlikely") to 5 ("Very likely").

Risk Criteria

The criteria for determining risk are the combined likelihood and impact of an event adversely affecting the confidentiality, availability, integrity, or privacy of organizational and customer information, personally identifiable information (PII), or business information systems. For all risk inputs such as risk assessments, vulnerability scans, penetration tests, bug bounty programs, etc., Company management shall reserve the right to modify risk rankings based on its assessment of the nature and criticality of the system processing, as well as the nature, criticality, and exploitability (or other relevant factors and considerations) of the identified vulnerability.

Risk Response, Treatment, and Tracking

Risks will be recorded and maintained in a risk register, where they will be prioritized and mapped using the approach contained in this policy. The following responses to risk should be employed:

Mitigate: the company may take actions or employ strategies to reduce the risk.

Accept: the company may decide to accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.

Transfer: the company may decide to pass the risk on to another party. For example, contractual terms may be agreed to ensure that the risk is not borne by the company or insurance may be appropriate for protection against financial loss.

Avoid: the risk may be such that the company could decide to cease the activity or to change it in such a way as to end the risk.

Where the company chooses a risk response other than "Accept" or "Avoid" it shall develop a Risk Treatment Plan.

Risk Management Procedures

The procedure for managing risk will meet the following criteria:

The company will maintain a Risk Register and Treatment Plan.

Risks are ranked by likelihood and severity/impact as critical, high, medium, low, and negligible.

Overall risk shall be determined through a combination of likelihood and impact.

Risks may be evaluated to estimate potential monetary loss where possible.

The company will respond to risks in a prioritized fashion based on risk level and available resources. Remediation priority will consider the risk likelihood and impact, cost, work effort, and availability of resources. Multiple remediations may be undertaken simultaneously.

Regular reports will be made to senior management to ensure risks are being mitigated appropriately and in accordance with business priorities and objectives.

Information Security in Project Management

The company shall consider information security risk as a part of all projects that are technical in nature or that can pose a risk to the company, regardless of size, duration, or domain. From the initial planning through the completion of a project, appropriate assessment and mitigation of information security risks is essential, involving:

initial information security risk assessments,

early identification and addressing of information security requirements, and

ongoing assessment and management of risks, especially concerning internal and external project communications.

Roles and Responsibilities

The following table outlines the specific risk management activities and responsibilities associated with each role.

Role                     Responsibility
CEO                      Responsible for the acceptance and/or treatment of any risks to the organization.
Engineering Leadership   Can approve the avoidance, remediation, transference, or acceptance of any risk cited in the Risk Register. This person shall be responsible for communicating risks to top management and adopting risk treatments in accordance with executive direction.
Security Analyst         Shall be responsible for the identification and treatment plan development of all Information Security related risks.

Other Resources

ISO 27001 / 27701 Coverage: ISO 27001 6.1; 6.2

APPENDIX A Risk Assessment Process

The following is a high-level overview of the process used to assess and manage information security-related risks. The process discussed below is based on NIST 800-30 and provides guidance on how to:

Prepare and conduct an effective risk assessment.

Communicate and share the assessment results and risk-related information as defined above based on roles.

Manage and maintain risks on an ongoing basis; revisiting at least annually.

The risk assessment process consists of the following steps:

Prepare for the assessment

Conduct the assessment

Communicate the assessment

Maintain the assessment

Step 1: Prepare for the Assessment

In this step, the objective is to establish the context for the risk assessment. This can be accomplished by performing the following:

Identify the purpose of the assessment

Determine the information that the assessment is intended to produce and the decisions the assessment is intended to support.

Identify the scope of the assessment

Determine the organizational function or process that is applicable, the associated time frame, and any applicable architectural or technological considerations.

Identify any assumptions or constraints associated with the assessment

Determine assumptions in key areas relevant to the risk assessment, including:

Organizational priorities

Business objectives

Resource availability

Skills and expertise of the risk assessment team

Identify sources of information

Architectural/technological diagrams and system configurations

Legal and regulatory requirements

Threat Sources

Threat Events

Vulnerabilities and influencing conditions

Potential Impacts

Existing Controls

Step 2: Conduct the Assessment

In this step, the objective is to produce a list of information security-related risks that can be prioritized by risk level and used to inform risk response decisions. This can be accomplished by performing the following:

Identify Threat Sources

Determine and characterize threat sources relevant to and of concern to the business, including but not limited to:

Human (Intentional or Unintentional / Internal or External)

Environmental

Natural

System or Equipment

Consider the following when identifying threat sources:

Capability

Motive / Intent

Intentionally targeted people, processes, and/or technologies

Unintentionally targeted people, processes, and/or technologies

Identify Threat Events

Determine what threat events could be produced by the identified threat sources that have the potential to impact the business.

Consider the relevance of the events and the sources that could initiate the events.

Identify Vulnerabilities

Determine the vulnerabilities associated with people, processes, and technologies that the identified threat sources and threat events could exploit.

Consider any influencing conditions that could affect and aid in successful exploitation.

Determine Likelihood

Determine the likelihood that the identified threat sources would initiate the identified threat events and could successfully exploit any identified vulnerabilities.

Consider the following when determining the likelihood:

Characteristics of the threat sources that could initiate the events: Capability, Motive/Intent, Opportunity

The vulnerabilities and/or influencing conditions identified

The company's exposure based on any safeguards/countermeasures planned or implemented to prevent or mitigate such events

Determine Impact

Determine the impact on business objectives, operations, assets, individuals, customers, and/or other organizations by considering the following:

Business / Operational Impacts

Financial Damage

Reputation Damage

Legal or Regulatory Issues

When determining impact, also take into consideration any safeguards/countermeasures planned or implemented by the business that would mitigate or lessen the impact.

Determine Risk

Determine the overall information security-related risks to the business by combining the following:

The likelihood of the event occurring.

The impact that would result from the event.

The risk to the business is proportional to the likelihood and impact of an event.

Higher Risk Event: Is more likely to occur and the resulting impact will be greater.

Lower Risk Event: Is less likely to occur and the resulting impact will be minimal, if any.

Step 3: Communicate and Share the Risk Assessment Results

In this step, the objective is to ensure that decision-makers across the organization and executive leadership have the appropriate risk-related information needed to inform and guide risk decisions.

Communicate the Results

Communicate the risk assessment results to company decision-makers and executive leadership, as described in the roles section above, to help drive risk-based decisions and obtain the necessary support for the risk response.

Share the risk assessment and risk-related information with the appropriate personnel to help support the risk response and mitigation efforts.

Step 4: Maintain the Assessment

In this step, the objective is to keep current the specific knowledge related to the risks that the business incurs. The results of the assessments inform and drive risk-based decisions and guide ongoing risk response efforts.

Monitor Risk Factors

Conduct ongoing monitoring of the risk factors that contribute to changes in risk to the business objectives, operations, assets, individuals, customers, and/or other organizations.

Maintain and Update the Assessment

Update existing risk assessments using the results from ongoing monitoring of risk factors and by conducting additional assessments, at minimum annually.

APPENDIX B Risk Assessment Matrix and Description Key

RISK = LIKELIHOOD x IMPACT

IMPACT \ LIKELIHOOD     Very unlikely: 1   Unlikely: 2   Somewhat likely: 3   Likely: 4   Very likely: 5
Very high impact: 5     5                  10            15                   20          25
High impact: 4          4                  8             12                   16          20
Medium impact: 3        3                  6             9                    12          15
Low impact: 2           2                  4             6                    8           10
Very low impact: 1      1                  2             3                    4           5

RISK LEVEL      RISK DESCRIPTION
Low (1)         A threat event could be expected to have a limited adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.
Medium (5)      A threat event could be expected to have a serious adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.
High (15-25)    A threat event could be expected to have a severe adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.

LIKELIHOOD LEVEL   NUMERICAL RATING   LIKELIHOOD DESCRIPTION
Very unlikely      1                  A threat event is so unlikely that it can be assumed that its occurrence may not be experienced. A threat source is not motivated or has no capability, or controls are in place to prevent or significantly impede the vulnerability from being exploited.
Unlikely           2                  A threat event is unlikely, but there is a slight possibility that its occurrence may be experienced. A threat source lacks sufficient motivation or capability, or controls are in place to prevent or impede the vulnerability from being exploited.
Somewhat likely    3                  A threat event is likely, and it can be assumed that its occurrence may be experienced. A threat source is motivated or possesses the capability, but controls are in place that may significantly reduce or impede the successful exploitation of the vulnerability.
Likely             4                  A threat event is likely, and it can be assumed that its occurrence will be experienced. A threat source is highly motivated or possesses sufficient capability and resources, but some controls are in place that may reduce or impede the successful exploitation of the vulnerability.
Very likely        5                  A threat event is highly likely, and it can be assumed that its occurrence will be experienced. A threat source is highly motivated or possesses sufficient capability or resources, but no controls are in place, or the controls that are in place are ineffective and do not prevent or impede the successful exploitation of the vulnerability.

IMPACT LEVEL       NUMERICAL RATING   IMPACT DESCRIPTION
Very low impact    1                  A threat event could be expected to have almost no adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.
Low impact         2                  A threat event could be expected to have a limited adverse effect, meaning: degradation of mission capability yet primary functions can still be performed; minor damage; minor financial loss; or range of effects is limited to some cyber resources but no critical resources.
Medium impact      3                  A threat event could be expected to have a serious adverse effect, meaning: significant degradation of mission capability yet primary functions can still be performed at a reduced capacity; minor damage; minor financial loss; or range of effects is significant to some cyber resources and some critical resources.
High impact        4                  A threat event could be expected to have a severe or catastrophic adverse effect, meaning: severe degradation or loss of mission capability and one or more primary functions cannot be performed; major damage; major financial loss; or range of effects is extensive to most cyber resources and most critical resources.
Very high impact   5                  A threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, assets, individuals, other organizations, or the Nation. Range of effects is sweeping, involving almost all cyber resources.

Document History

Version   Date   Description       Written by   Approved by
1.0.0     2025   Initial Version   Ryan Rich    Haili Coombe

Secure Development Policy Purpose

To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.

To develop standards for how software developers operate at the company.

Scope

All Company applications and information systems that are business critical and/or process, store, or transmit Confidential data. This policy applies to all internal and external engineers and developers of Company software and infrastructure.

Policy

This policy describes the rules for the acquisition and development of software and systems that shall be applied to developments within the company.

System Change Control Procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. Change control procedures and requirements are described in the Company Operations Security Policy. Significant code changes must be reviewed and approved before being merged into any production branch. This can include the use of automated review tools. Change control procedures shall ensure that the development, testing, and deployment of changes shall not be performed by a single individual without approval and oversight.

Software Version Control

All Company software is version-controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee's role. All code is written, tested, and saved in a local repository before being synced to the origin repository.

Technical Review of Applications after Operating Platform Changes

When operating platforms or cloud services are changed, business-critical applications shall be reviewed and tested to ensure that there is no adverse impact on organizational operations or security.

Restrictions on Changes to Software Packages

Modifications to third-party business application packages shall be discouraged and limited to necessary changes, and all changes shall be strictly controlled.

Secure System Engineering Principles

Principles for engineering secure systems shall be established, documented, maintained, and applied to any information system implementation efforts.
At a minimum, the following secure-by-design and privacy-by-design principles shall be applied wherever and whenever feasible:

Secure-by-design principles:

Minimize attack surface area

Establish secure defaults

The principle of least privilege

The principle of defense-in-depth

Fail securely

Don't trust services

Separation of duties

Avoid security by obscurity

Keep security simple

Fix security issues correctly

Privacy-by-design principles:

Proactive not Reactive; Preventative not Remedial

Privacy as the Default Setting

Privacy Embedded into Design

Full Functionality - Positive-Sum, not Zero-Sum

End-to-End Security - Full Lifecycle Protection

Visibility and Transparency - Keep it Open

Respect for User Privacy - Keep it User-Centric

Software developers are expected to adhere to the company's coding standards throughout the development cycle, including standards for quality, commenting, and security.

Secure Development Environment

The company shall establish and appropriately protect environments for system development and integration efforts that cover the entire system development life cycle. When feasible and appropriate, the following environments shall be logically or physically segregated:

Production

Development (inclusive of test, staging, etc.)

Outsourced Development

The company shall supervise and monitor the activity of outsourced system development. Outsourced development shall adhere to Company standards and policies.

System Security Testing

Testing of security functionality shall be performed at defined periods during the development life cycle.

Acquisition of Third-Party Systems and Software

The acquisition of third-party systems and software shall be done in accordance with the requirements of the company's Third-Party Management Policy.

Exceptions

Requests for an exception to this Policy must be submitted to the Security Delegate.

Violations & Enforcement

Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Document History

Version   Date   Description       Written by   Approved by
1.0.0     2025   Initial Version   Ryan Rich    Haili Coombe

Third-Party Management Policy

Purpose

To ensure the protection of the company's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

To outline a baseline of security controls that the Company expects partners and other third-party companies to meet when interacting with Company Confidential data.

Scope

All data and information systems owned, leased, or used by the company that are business critical and/or process, store, or transmit Confidential data. This policy applies to all employees of the company and to all external parties, including but not limited to Company consultants, contractors, business partners, vendors, suppliers, partners, outsourced service providers, and other third-party entities with access to Company data, systems, networks, or system resources.

Policy

Information security requirements between the company and third parties shall be agreed upon and documented.

For all service providers who may access Company Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities.

Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by Company as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR, or other frameworks, compliance standards, or regulations.

Information Security in Third-Party Relationships

Addressing Security in Agreements

Relevant information security requirements shall be established and agreed upon with each supplier that may access, process, store, transmit, or impact the security of company Confidential data and systems, or provide physical or virtual IT infrastructure components for the company.

For all service providers who may have access to Company production systems, or who may impact the security of the Company production environment, written agreements shall be maintained that include the service provider's acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that Company has established in accordance with Company's information security program or any relevant framework.

Technology Supply Chain

The company will consider and assess risks associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.

Third-Party Service Delivery Management

Monitoring & Review of Third-Party Services

The company shall regularly monitor, review, and audit supplier service delivery. Supplier security and service delivery performance shall be reviewed at least annually.

Management of Changes to Third-Party Services

Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures, or controls, shall be managed, taking into account the criticality of the business information, systems, and processes involved. The company shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.

Third-Party Risk Management

The company will ensure that potential risks posed by sharing Confidential data or providing access to company systems are identified, documented, and addressed according to this policy. Risk management plays an integral part in the governance and management of the organization at a strategic and operational level.

The company shall not share or transmit Confidential data to a third party without first performing a third-party risk assessment and fully executing a written contract, statement of work, or service agreement that describes expected service levels and any specific information security requirements.

Information Security for Use of Cloud Services

This section outlines the fundamental parameters for managing and mitigating risks related to cloud service usage.

Responsibilities and Risk Management:

Roles and responsibilities related to the use and management of cloud services can be found in the Roles and Responsibilities Policy.

Information security risks associated with cloud services use shall be managed in accordance with this policy and the Risk Management Policy.

Security Requirements and Control:

The company shall be responsible for all customer controls as defined in cloud service providers' responsibility matrices.

Service Selection and Usage Scope:

Reviews of cloud service agreements for inherently high-risk providers shall be performed annually to ensure they align with company requirements.

Incident Management:

Information security incidents related to cloud services are managed in accordance with the Incident Response Plan.

Service Review and Exit Strategy:

Risks related to exit and vendor lock-in should be evaluated prior to the acquisition as part of the vendor security assessment.

Provider and Customer Agreement:

Agreements with cloud service providers will specify protections for the company's data and service availability, even though they might be predefined and non-negotiable.

Where possible, the company will seek advance notification from providers concerning substantive changes in service delivery, including changes in technical infrastructure, data storage location, or usage of sub-contractors.

Ongoing Management and Assurance:

Information regarding how to obtain and utilize information security capabilities provided by the cloud service provider should be assessed as part of the vendor review at the time of acquisition.

Third-Party Security Standards

All third parties must maintain reasonable organizational and technical controls as assessed by the company. Assessment of third parties that receive, process, or store Confidential data or access the company's resources shall consider the following controls as applicable based on the service provided and the sensitivity of data stored, processed, or exchanged. In place of the following controls, the company may opt to review and accept third-party assessments such as audit reports, SOC 2 reports, and ISO certifications as a means of mitigating the information security risk associated with the third party having access to company confidential information.

Information Security Policy

Third parties maintain information security policies supported by their executive management, which are regularly reviewed.

Risk Assessment & Treatment

Third parties maintain programs that assess, evaluate, and manage information and technology risks.

Operations Security

Third parties implement commercially reasonable practices and procedures designed, as appropriate, to maintain operations security. Protections may include:

Technical testing

Protection against malicious software

Network protection and management

Technical vulnerability management

Logging and monitoring

Incident response

Business continuity planning

Access Control

Third parties maintain a technical access control program.

Secure System Development

Third parties maintain a secure development program consistent with industry software and systems development best practices including risk assessment, formal change management, code standards, code review, and testing.

Physical & Environmental Security

If third parties are storing or processing confidential data, their physical and environmental security controls should meet the requirements of the company's Physical Security Policy.

Human Resources

Third parties maintain human resource policies and processes which include criminal background checks for any employees or contractors who access Company confidential information unless prohibited by local statute.

Compliance & Legal

Company shall consider all applicable regulations and laws when evaluating suppliers and third parties who will access, store, process, or transmit Company confidential data. Third-party assessments should consider the following criteria:

Protection of customer data, organizational records, and records retention and disposition

Privacy of Personally Identifiable Information (PII)

Exceptions

Requests for an exception to this Policy must be submitted to the Security Delegate.

Violations & Enforcement

Any known violations of this policy should be reported to the Security Delegate. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Document History

Version | Date | Description | Written by | Approved by
1.0.0 | 2025 | Initial Version | Ryan Rich | Haili Coombe
