5. Safeguards

implements a comprehensive set of safeguards to protect its information environment:

• Asset Management: Maintain an up-to-date inventory of all assets (hardware, software, data).

• Access Control: Enforce MFA, role-based access, and periodic access reviews (aligned with A.5.16–A.5.18).

• Data Protection: Encrypt data at rest and in transit using approved cryptographic standards.

• Monitoring and Logging: Continuously monitor systems and maintain audit logs to detect and respond to threats (A.8.15–A.8.16).

• Security Awareness Training: Require annual training for all employees on security best practices and policy adherence.

• Incident Response: Maintain an incident management framework to log, investigate, and remediate security incidents (A.5.25–A.5.27).

• Third-Party Management: Vet vendors for security risks and include contractual security clauses in all agreements.

6. Roles and Responsibilities

• Chief Information Security Officer (CISO): Accountable for overseeing the ISMS and ensuring ongoing policy alignment with risk, compliance, and business objectives.

• Information Security Team: Implements technical controls, monitors compliance, manages incidents, and provides guidance.

• IT Department: Supports configuration, patching, and secure system deployment in line with security requirements.

• Managers: Ensure team-level compliance, approve access requests, and support awareness efforts.

• All Users: Must understand and comply with the Information Security Policy and report suspected security incidents immediately.

7. Compliance and Exceptions

will monitor compliance through regular internal audits, automated systems checks, and third-party assessments. Findings will be reported to executive leadership and remediation tracked.

Any exception to this policy must be formally documented, risk-assessed, and approved by the CISO. Exceptions must be reviewed at least annually or upon significant organizational change.

8. Enforcement

Non-compliance with this policy may result in disciplinary actions in accordance with ’s HR policies. These actions may include:

• Retraining and counseling

• Revocation of access privileges

• Formal disciplinary proceedings up to and including termination

• For third parties: contract termination and/or legal action

Incidents involving regulatory violations or data breaches may be reported to relevant authorities as required by law.

9. Related Policies/Documents

• POL-SEC-002: Access Control Policy

• POL-SEC-003: Acceptable Use Policy

• POL-SEC-004: Password Policy

• POL-SEC-005: Encryption Policy

• ISO 27001:2022 A.5.1–A.5.4

• SOC 2 Trust Services Criteria: CC1.1, CC1.2, CC6.1

10. Review and Maintenance

This policy shall be reviewed annually or following significant changes in the organization’s structure, regulatory environment, or threat landscape. The CISO is responsible for initiating the review cycle. All updates must follow ’s change control process and be communicated to all affected stakeholders.