Cybersecurity Policy
This Cybersecurity Policy establishes the foundational principles, controls, and responsibilities for protecting information assets, systems, and operations. It applies to all personnel, contractors, vendors, and systems that interact with organizational data and infrastructure. The policy is guided by principles of confidentiality, integrity, and availability.
1. Data Classification and Handling
Information assets are classified according to their sensitivity, criticality, and legal requirements. Appropriate handling and protection measures are applied based on classification level.
- Public Information: Data intended for public release. No access restrictions apply, but integrity controls are required to prevent unauthorized modification.
- Internal Information: Operational data used within the organization. Access is granted on a business-need basis.
- Confidential Information: Sensitive data including personal information, business strategies, credentials, and proprietary data. Strict access controls, encryption, and audit logging are required.
- Restricted / Highly Sensitive: Data subject to regulatory compliance or high-risk exposure. Enhanced safeguards, segregation, and privileged access controls apply.
Data owners are responsible for classification, retention, and secure disposal. All personnel must handle information in accordance with its classification and report any mishandling incidents promptly.
2. Access Control and Privileged Access Management
Access to systems, applications, and data is granted based on the principle of least privilege and role-based access controls (RBAC). Access rights are reviewed at defined intervals, and whenever a role changes, to confirm they are still required.
- Authentication: Strong authentication methods, including multi-factor authentication (MFA), are required for all administrative access, remote connections, and sensitive systems.
- Privileged Accounts: Elevated access is strictly controlled, monitored, and subject to additional oversight. Privileged accounts are kept separate from day-to-day user accounts, are used only for authorized administrative tasks, have their activity logged, and are reviewed regularly.
- User Lifecycle Management: Access is provisioned based on job function and promptly revoked upon role changes or termination.
- Credential Security: Passwords, API keys, and secrets are kept in an approved secret store and are never hardcoded in source code, configuration files, or build artifacts, nor shared in plaintext. Credentials are rotated on a defined schedule and immediately upon suspected compromise.
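One way to enforce the "never hardcoded" requirement above is a scanner that runs in CI or as a pre-commit hook and rejects commits containing credential-like literals. The following is an added example, not part of the policy or of any tool it references; the detection rules, the placeholder filter, the constructed sample file, and the helper names (scan_text, load_secret) are all assumptions chosen for illustration. The load_secret function shows the compliant pattern the policy calls for: the value is read from the runtime environment (populated by a secret manager or the CI runner) rather than from source.

```python
"""Pre-commit style scanner for hardcoded credentials.

Added example for the Credential Security requirement; not part of the
policy. The rules, sample file and helper names are assumptions.
"""
import os
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    rule: str
    excerpt: str


# Detection rules: a name and a compiled regex. Each is an assumed pattern
# chosen for illustration, not an exhaustive list.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic-assignment",
     re.compile(r"""(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*["']([^"']{8,})["']""")),
]

# Values that look like placeholders rather than real secrets; skipping them
# keeps the scanner usable in CI without flooding it with false positives.
PLACEHOLDER = re.compile(r"^(<.*>|\$\{.*\}|\{\{.*\}\}|\*+|x+|changeme|example)$", re.I)


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) pair that looks like a hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if name == "generic-assignment" and PLACEHOLDER.match(m.group(2).strip()):
                continue
            # Redact the value in the excerpt so the finding itself does not
            # leak the secret into CI logs.
            excerpt = line.strip()
            if name == "generic-assignment":
                excerpt = excerpt.replace(m.group(2), "[REDACTED]")
            findings.append(Finding(lineno, name, excerpt))
    return findings


def load_secret(name: str) -> str:
    """The compliant alternative: read the secret from the environment
    (populated by a secret manager or the CI runner), never from source."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


# Constructed sample source file used to exercise the scanner.
SAMPLE = """\
import os
DB_HOST = "db.internal"
DB_PASSWORD = "s3cr3t-pr0d-pa55"        # hardcoded: violates the policy
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"        # hardcoded access key id
API_TOKEN = "${API_TOKEN}"              # placeholder, filled at deploy time
api_key = os.environ["API_KEY"]         # compliant: value comes from the runtime
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.excerpt}")
```

Run against the sample, the scanner reports lines 3 and 4 and stays quiet on the placeholder and on the environment lookup. In a real pipeline the excerpt is what reaches the build log, which is why the matched value is redacted before the finding is emitted.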
3. Encryption of Data at Rest and in Transit
Cryptographic controls protect data throughout its lifecycle to prevent unauthorized disclosure or alteration.
- Data in Transit: All network communications, including internal and external transmissions, are secured using strong encryption protocols (such as current versions of TLS with certificate validation enabled). Remote access and administrative connections require encrypted channels.
- Data at Rest: Sensitive and confidential data stored on servers, databases, endpoints, and backup media is encrypted using industry-standard algorithms. Encryption keys are stored separately from the data they protect and are managed with defined rotation and access policies.
- Endpoint Protection: Mobile devices, laptops, and removable media containing sensitive data are encrypted to protect against physical loss or theft.
Encryption implementations follow recognized standards and are reviewed periodically to address evolving threats.
4. Vulnerability Management and Patch Management
A proactive approach to identifying, assessing, and remediating security vulnerabilities ensures systems remain resilient against threats.
- Vulnerability Assessment: Regular automated and manual vulnerability scans are conducted across infrastructure, applications, and networks. Findings are prioritized by severity, exploitability, and the exposure of the affected asset.
- Patch Management: Security patches and critical updates are applied within timelines defined by severity. A structured process ensures testing, deployment, and verification of patches across all systems.
- Penetration Testing: Periodic security assessments, including penetration testing, are performed to validate security controls and identify exploitable weaknesses.
- Continuous Improvement: Lessons learned from vulnerabilities and assessments drive enhancements to security posture.
Exceptions to patching or remediation require formal risk acceptance and compensating controls.
5. Incident Response and Disaster Recovery
Preparedness for security incidents and operational disruptions ensures timely response, containment, and restoration of services.
- Incident Response Plan: A documented plan defines roles, responsibilities, and procedures for detecting, analyzing, containing, and recovering from security incidents.
- Incident Classification: Incidents are categorized by severity, with corresponding escalation paths and response timelines.
- Notification and Reporting: Relevant stakeholders, including affected parties and regulatory authorities, are notified in accordance with legal and contractual obligations.
- Disaster Recovery and Business Continuity: Recovery strategies ensure critical systems and data can be restored within defined recovery time and recovery point objectives (RTO and RPO). Regular testing validates effectiveness.
- Post-Incident Review: After-action reviews identify root causes and drive improvements to prevent recurrence.
6. Physical Security
Physical safeguards protect facilities, equipment, and assets from unauthorized access, damage, or interference. These controls apply to office locations, data centers, and any physical infrastructure supporting operations.
- Facility Access: Access to sensitive areas is restricted via secure entry mechanisms, with visitor logs and supervised access for non-employees.
- Workstation and Device Security: End-user devices are secured with screen locks, endpoint protection, and physical controls to prevent unauthorized use.
- Data Center and Infrastructure: Where physical infrastructure is used, environmental controls, monitoring, and access logs are maintained. Cloud service providers are evaluated for equivalent physical security controls.
- Asset Disposal: Equipment containing sensitive data is securely wiped or destroyed before disposal or repurposing.
Remote work environments adhere to comparable security standards, including secure connectivity and device management.
7. Vendor Risk Management
Third-party vendors, partners, and service providers are assessed to ensure they meet security and compliance requirements commensurate with the risk they introduce.
- Risk Assessment: Vendors with access to sensitive data, critical systems, or infrastructure undergo due diligence reviews prior to engagement.
- Contractual Requirements: Agreements include security obligations, incident notification provisions, and rights to audit or review security practices.
- Ongoing Monitoring: Vendor security posture is periodically reassessed to identify changes in risk profile. Critical vendors are subject to continuous oversight.
- Supply Chain Considerations: Subcontractors and downstream dependencies are evaluated as part of the vendor management program.
The organization maintains an inventory of key vendors and applies tiered oversight based on risk classification.
8. Security Awareness and Training
All personnel receive security awareness training upon onboarding and periodically thereafter. Training covers topics such as phishing recognition, social engineering, data protection, and incident reporting. Role-specific training is provided for personnel with elevated access or specialized responsibilities.
Regular communications and simulated exercises reinforce a culture of security mindfulness.
9. Policy Compliance and Enforcement
Adherence to this Cybersecurity Policy is mandatory. Violations may result in disciplinary action, up to and including termination of employment or contractual relationships. Suspected violations or security concerns must be reported through designated channels.
This policy is reviewed and approved by leadership to ensure alignment with organizational objectives and evolving threats.