Information Security Policy

Purpose

SectorFlow AI is committed to safeguarding sensitive and confidential data to prevent loss or compromise, thus avoiding negative impacts on our customers, compliance penalties, and reputational damage. While total elimination of data theft is challenging, this policy aims to increase awareness and prevent accidental loss by outlining requirements for SectorFlow AI's Data Privacy Policy.

Scope

In Scope: This policy applies to all customer, personal, or company data classified as Highly Confidential, Confidential, or Internal per SectorFlow AI’s Data Privacy Labeling Standards. It encompasses all systems handling such data, including devices used for email, web access, or other work-related tasks, and applies to every user interacting with SectorFlow AI systems.

Out of Scope: Publicly classified information per the Data Privacy Labeling Standards is exempt. Data may be excluded by leadership based on cost or complexity of protection.

Policy

1. General Access and User Identification

   • Each user is identified by a unique user ID for accountability.
   • Shared identities are limited to suitable scenarios, like training or service accounts.
   • Users must acknowledge understanding this policy through a signed statement.

2. Access Control Authorization

   • Access is provided through unique accounts and complex passwords.
   • Password policy requirements are detailed in the Password Policy.
   • Role-based access control (RBAC) is utilized as per the Role-Based Access Control Policy.

3. Network Access and Segregation

   • Network access aligns with business access control procedures.
   • Network segregation is implemented as per network security recommendations.
   • Firewall policies support the access control policy.

4. User Responsibilities

   • Users must secure their workstations and keep sensitive information confidential.
   • Passwords are to be kept confidential and not shared.

5. Application and Information Access

   • Access to systems and data is granted based on business need and role approval.
   • Sensitive systems are isolated to restrict access to authorized personnel.

6. Access to Confidential Information

   • Access to data labeled as Highly Confidential, Confidential, or Internal is limited to authorized persons.
   • The Security team implements access restrictions.

7. Technical Guidelines

   • Include auditing, role-based access, server rights, firewall permissions, encryption standards, and comprehensive access control across all platforms and devices.

8. Reporting Requirements

   • Incident reports are produced daily and weekly by the Security team.
   • High-priority incidents are escalated to the Chief Information Security Officer (CISO).

9. Ownership and Responsibilities

   • Data owners are responsible for the information they manage.
   • Security team members provide administrative security support.
   • All users with access to information resources are covered by this policy.

10. Policy Compliance

    • Violations lead to disciplinary actions, including warnings, suspensions, etc.

Audits and System Configuration

Systems at SectorFlow AI will be audited annually to ensure integrity and compliance with security policies.

Multi-Factor Authentication (MFA) Policy

MFA is implemented across all network and system access points to strengthen authentication.

Email Policy

Email usage aligns with ethical conduct and legal compliance, with specific guidelines for handling sensitive data.

Policy Compliance and Non-Compliance

Compliance will be verified through audits and any non-compliance results in disciplinary action.

This Information Security Policy is a living document and will evolve with SectorFlow AI’s growth and the changing cyber landscape.