Information Security Policy
1. Information Security Program:
We have a formally documented Information Security Program that covers governance, asset management, access control, threat detection, and business continuity. The program is approved by executive management and reviewed annually.
2. Network Protection:
Our IT infrastructure is segmented using VLANs and protected by enterprise-grade firewalls and intrusion detection/prevention systems (IDS/IPS). Network traffic is monitored 24/7 using SIEM tools to detect anomalies and unauthorized access attempts.
3. Antivirus Protection:
All company-managed devices are secured with centrally managed antivirus software. Devices are configured to receive automatic updates and threat signatures to ensure the latest protection.
4. Operational Security Measures:
Operational procedures include screen locking, enforced password complexity (minimum 12 characters, alphanumeric + special characters), time-based MFA for all admin accounts, a clear-desk policy, session timeouts, and role-based access reviews.
5. Access Control Policy:
Access is provisioned based on the principle of least privilege (PoLP). All access requests are logged and require approval. Regular audits are conducted to ensure only authorized personnel have access to sensitive data.
6. Data Classification and Encryption:
Data is classified as Public, Internal, Confidential, or Restricted. Confidential and Restricted data are encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encrypted backups are maintained in geographically diverse locations.
7. Incident Response Policy:
Our Incident Response Policy outlines a structured approach for identifying, responding to, mitigating, and recovering from security incidents. The policy defines roles, communication protocols, and escalation procedures. Regular tabletop exercises are conducted to ensure preparedness.
8. Vulnerability and Patch Management:
We use automated tools to scan our systems for vulnerabilities weekly. Critical patches are applied within 48 hours, while others follow a scheduled patch cycle. Vulnerabilities are tracked through remediation tickets.
9. Security Certifications:
We follow the ISO/IEC 27001, ISO/IEC 27701, and SOC 2 control frameworks. Our security practices are continuously evaluated to ensure alignment with industry standards, and we plan to obtain official certification within the next audit cycle.