Information Security Policy¶

Document ID: BD-ISMS-POLICY-001 Version: 1.0 Effective Date: 2026-03-17 Classification: Internal Use Only

1. Purpose & Objectives¶

This policy establishes BeDefended's information security framework and defines mandatory security requirements for all personnel, systems, and processes.

Objectives¶

Protect confidentiality, integrity, and availability of client and organizational data
Ensure compliance with GDPR, HIPAA, NIST 800-53, ISO 27001, SOC 2, and FedRAMP requirements
Establish security baselines for technical, operational, and management controls
Ensure business continuity and disaster recovery readiness
Create a security-first culture across the organization

2. Scope & Applicability¶

Applies to: - All BeDefended employees, contractors, and authorized partners - All information systems, databases, and networks (see docs/isms/scope.md) - All processing of client data and organizational information

3. Core Security Principles¶

3.1 Confidentiality¶

Objective: Ensure information is accessible only to authorized persons
Implementation: Encryption (AES-256-GCM at rest, TLS 1.3 in transit), RBAC, access logging
Responsibility: All staff

3.2 Integrity¶

Objective: Maintain accuracy and completeness of information
Implementation: Version control, HMAC request signing (desktop app), audit logging, backup verification
Responsibility: System administrators, developers

3.3 Availability¶

Objective: Ensure services are available when needed
Implementation: 99.9% uptime SLA, RTO 4 hours, RPO 1 hour, automated backup & restore
Responsibility: Infrastructure + Ops team

4. Mandatory Controls by Domain¶

4.1 Access Control (ISO 27001 A.9)¶

Authentication: Multi-factor authentication (TOTP) required for all internal staff
Authorization: Role-based access control (RBAC) with least privilege principle
Session Management: JWT token expiration (1 hour), token blacklist on logout
Account Lockout: Progressive backoff (5 attempts → 30s, 10 → 5min, 20 → 30min)
Password Policy: Min 12 chars, complexity (uppercase + digit + symbol), 90-day expiration

4.2 Cryptography (ISO 27001 A.10)¶

Encryption in Transit: TLS 1.3 (minimum), cert pinning on desktop app
Encryption at Rest: AES-256-GCM for sensitive data (passwords, API keys, audit logs)
Key Management: Keys stored in OS credential store (Keychain/DPAPI/libsecret), never in source code
Hash Algorithms: SHA-256 for data integrity, Argon2id for password hashing

4.3 Physical & Environmental Security (ISO 27001 A.11)¶

Data Centers: AWS managed facilities with SOC 2 Type II compliance
Office Access: Badge access with visitor logs
Equipment Disposal: Secure wiping of drives (NIST 800-88 standards)
Clean Desk Policy: No sensitive documents left unattended

4.4 Operations & Communications (ISO 27001 A.12)¶

Change Management: Formal change control (approval → testing → deployment)
Patch Management:
Critical: 30 days
High: 60 days
Medium/Low: 90 days
Backup & Recovery: Daily incremental + weekly full backups, tested quarterly
Incident Response: 72-hour breach notification (GDPR), RTO 4 hours, RCA required

4.5 Compliance Monitoring (ISO 27001 A.16)¶

Audit Logging: All API calls, auth events, data access, privilege changes logged with IP/user-agent
Security Scanning: Dependency audit (pip-audit, npm audit, Trivy) on every push
Penetration Testing: Annual internal + external pentest by third party
Vulnerability Management: CVE tracking, patch prioritization, remediation SLA

4.6 Human Resources Security (ISO 27001 A.8)¶

Onboarding: Security awareness training, NDA, background checks
Training: Annual security training, role-specific training (developers, admins)
Offboarding: Credential revocation, access removal, exit interview
Code Review: Peer review before merge, SAST scanning on all PRs

Right of Access: GET /api/v1/privacy/export provides JSON export of all personal data
Right to Erasure: DELETE /api/v1/privacy/erase soft-deletes account + anonymizes audit logs
Right to Rectification: Users can update their profile via dashboard
Data Portability: Export endpoint provides portable JSON format

5.2 Data Retention¶

Audit Logs: 2 years (GDPR, HIPAA, NIST 800-53 requirement)
Engagement Data: 1 year after completion
Inactive Accounts: 90 days of inactivity triggers notification; 6 months triggers deletion
Script: dashboard/scripts/data-retention-purge.py with --dry-run default

Internal Notification: Breach discovered → notify CISO immediately
Authority Notification: 72 hours to EU DPA (if 10+ records impacted)
Individual Notification: 72 hours to affected individuals (if high risk)
Documentation: Root cause analysis, remediation steps, measures taken

Requirement: DPA signed before processing client personal data
Template: docs/legal/dpa-template.md (fillable for each engagement)
Sub-processors: Stripe, SendGrid, GitHub listed with their data processing practices

6. Supply Chain Security (OWASP A03:2025)¶

6.1 Dependency Management¶

Automated Updates: Dependabot configured for pip, npm, Docker, GitHub Actions
Vulnerability Scanning: Trivy + CodeQL on every push + nightly schedule
Review Process: Security team reviews all dependency updates before merge

6.2 Build & Deployment¶

Code Review: All code merged via PR with 1+ approval
CI/CD Security: GitHub Actions hardened, secrets managed via repository secrets
Image Scanning: Docker images scanned for CVEs before push to registry
Binary Integrity: Desktop app checksum verification via checksums.txt (SHA-256)

7. Vendor Management (OWASP A10:2025)¶

7.1 Vendor Assessment¶

Pre-Contract: Security questionnaire (data handling, controls, certifications)
Ongoing: Annual re-assessment, breach notification SLA
Key Vendors: Stripe (PCI-DSS), SendGrid (SOC 2), GitHub (security controls)

7.2 Incident Response with Vendors¶

If vendor experiences breach impacting BeDefended: immediate escalation to CISO
Client notification within 72 hours if personal data compromised

8. Security Roles & Responsibilities¶

Role	Responsibility
CISO	Policy approval, risk assessment, incident escalation
System Admin	Access control, patch deployment, backup testing
Developer	Secure coding, pre-commit checks, code review participation
Pentester	Non-destructive testing, finding verification, evidence cleanup
Compliance Officer	GDPR/HIPAA/NIST alignment, audit coordination, breach response
All Staff	Security awareness, incident reporting, credential protection

9. Security Incidents & Reporting¶

9.1 Incident Categories¶

P1 (Critical): Data breach, service outage >1 hour, ransomware
P2 (High): Unauthorized access attempt, failed auth controls
P3 (Medium): Configuration drift, unpatched vulnerability
P4 (Low): Policy violation, phishing email

9.2 Reporting Procedure¶

Detect: Any staff member observes potential incident
Report: Notify CISO / Compliance Officer immediately (do not delay)
Contain: Isolate affected system (if possible) to prevent spread
Investigate: Forensic analysis, timeline reconstruction
Notify: External parties per policy (GDPR 72h, HIPAA 60d)
Remediate: Root cause fix, compensating controls
Review: Post-incident review, lessons learned, process improvements

10. Policy Compliance & Audit¶

10.1 Monitoring¶

Monthly: Review audit logs for policy violations (failed auth, privileged escalation)
Quarterly: Full compliance audit against ISO 27001 controls
Annually: Third-party audit + penetration test

10.2 Violations & Disciplinary Action¶

First Violation: Verbal warning + retraining
Second Violation: Written warning
Third Violation: Suspension or termination (depending on severity)
Critical Violations (data theft, sabotage): Immediate termination + legal action

11. Policy Maintenance¶

Review Schedule¶

Annual Review: 2026-Q1 (every January)
Triggered Review: On significant security incident, regulatory change, or control failure

Approval¶

Role	Date
CISO / Security Lead	2026-03-17
Compliance Officer	2026-03-17
CEO	2026-03-17

Document Control - Owner: CISO - Last Updated: 2026-03-17 - Next Review: 2027-01-15 - Status: Approved