HeiChat

SECURITY POLICY

GENCYBERS INC

SECURITY POLICY

Document Control:

  • Document ID: SEC-POL-2025-003
  • Version: 1.4
  • Last Updated: January 14, 2025
  • Approved By: Chief Technology Officer Alex Wong
  • Review Frequency: Annual

INTRODUCTION

This Security Policy establishes the foundation for data transfers and protection at GenCybers INC. It outlines the organizational and technical controls implemented to protect our clients' and partners' sensitive data, maintain trust, and ensure regulatory compliance. SCOPE This policy applies to all GenCybers INC employees, contractors, consultants, temporary staff, and other workers including all personnel affiliated with third parties utilizing GenCybers INC systems and data. It covers all information assets owned, leased, or controlled by GenCybers INC, including cloud-based services hosted in AWS US East (N. Virginia) region.

1. INFORMATION SECURITY POLICIES

1.1 Information Security Framework

GenCybers INC has established a comprehensive information security framework as the baseline for daily operations to ensure data safety. This framework consists of:

  • Core security policies and procedures
  • Technical implementation standards
  • Security controls documentation
  • Risk assessment methodology
  • Compliance requirements

1.2 Policy Management

1.2.1 All security policies shall be:

  • Documented and communicated to all relevant personnel
  • Reviewed at planned intervals, at minimum annually
  • Updated when significant changes occur to the business or technology environment
  • Formally approved by the CTO, who is responsible for data security and protection of sensitive information 1.2.2 Version control shall be maintained for all security policies with documentation of:
  • Revision history
  • Approval signatures
  • Distribution lists
  • Review schedules 1.2.3 A centralized repository for all security policies shall be maintained with:
  • Role-based access controls
  • Change tracking capabilities
  • Notification system for policy updates

1.3 Roles and Responsibilities

1.3.1 The CTO is ultimately responsible for:

  • Approving security policies
  • Ensuring adequate resources for security implementation
  • Reviewing security metrics and incidents
  • Making risk acceptance decisions
  • Overseeing the company's overall security posture 1.3.2 Department Managers are responsible for:
  • Implementing security controls within their departments
  • Ensuring staff compliance with security policies
  • Reporting security incidents
  • Participating in security risk assessments 1.3.3 All Staff are responsible for:
  • Adhering to all security policies
  • Reporting security incidents or vulnerabilities
  • Participating in security training
  • Safeguarding company assets and information

2. NETWORK SECURITY

2.1 Network Segregation

2.1.1 GenCybers INC's network environment shall be segregated into the following zones:

  • Internet-facing zone (DMZ)
  • Internal production network
  • Development and testing network
  • Management network
  • Database network
  • User network 2.1.2 Network traffic between zones shall be controlled by:
  • Next-generation firewalls with application awareness
  • Access control lists (ACLs)
  • Intrusion prevention systems
  • Traffic filtering based on business requirements 2.1.3 Virtual Private Networks (VPNs) shall be implemented with:
  • Strong encryption (AES-256 or higher)
  • Certificate-based authentication
  • Split tunneling disabled
  • Automatic disconnection after 30 minutes of inactivity

2.2 Network Monitoring and Defense

2.2.1 Network Intrusion Detection/Prevention Systems (NIDS/NIPS) shall be implemented to:

  • Monitor for suspicious activities
  • Detect potential security violations
  • Block known attack patterns
  • Generate alerts for security team review 2.2.2 Host-based Intrusion Prevention Systems (HIPS) shall be deployed on all critical servers with:
  • Real-time monitoring
  • Behavior-based detection
  • File integrity monitoring
  • Privilege escalation detection 2.2.3 All network traffic shall be logged with:
  • Source and destination IP addresses
  • Protocol and port information
  • Timestamp information
  • User identification when possible
  • Retention for a minimum of 180 days 2.2.4 Network baselines shall be established and monitored for deviations that may indicate security incidents.

3. ENDPOINT PROTECTION

3.1 Antivirus and Anti-malware Protection

3.1.1 All endpoints (workstations, laptops, servers) shall have anti-virus/anti-malware software with:

  • Real-time scanning
  • Scheduled full-system scans at least weekly
  • Automatic updates of virus definitions
  • Centralized management and reporting
  • Ransomware protection capabilities 3.1.2 Anti-virus signature databases shall be updated at minimum daily, with critical updates applied immediately. 3.1.3 Anti-malware scan results shall be:
  • Logged centrally
  • Reviewed daily
  • Retained for at least 90 days
  • Used to generate trend reports 3.1.4 Specialized protection shall be implemented for:
  • Email attachments
  • Web downloads
  • Removable media
  • Network shares

3.2 Endpoint Security Configurations

3.2.1 All endpoints shall be hardened according to CIS benchmarks, including:

  • Removal of unnecessary applications and services
  • Disabling of unnecessary ports and protocols
  • Implementation of host-based firewalls
  • Application whitelisting for critical systems 3.2.2 Local administrator rights shall be restricted using:
  • Just-in-time administrative access
  • Privileged access management solutions
  • Time-limited elevation of privileges
  • Detailed logging of administrative actions 3.2.3 Regular security scans shall be conducted:
  • Weekly for vulnerability detection
  • Monthly for configuration compliance
  • Quarterly for comprehensive security assessment
  • After significant system changes

3.3 Endpoint Monitoring and Management

3.3.1 A centralized endpoint management system shall monitor:

  • Security agent status
  • Patch compliance levels
  • Configuration drift
  • Unauthorized software
  • Resource utilization anomalies 3.3.2 All detected security issues shall follow a documented remediation process with:
  • Severity classification
  • Response timelines based on severity
  • Escalation procedures
  • Verification of remediation effectiveness

4. SECURITY BASELINES

4.1 Password and Authentication Requirements

4.1.1 Passwords shall meet the following minimum requirements:

  • Minimum length of 12 characters
  • Complexity including uppercase, lowercase, numbers, and special characters
  • Maximum age of 90 days for sensitive systems
  • History of 12 previous passwords remembered (preventing reuse)
  • Lockout after 5 failed attempts, with a 30-minute lockout period 4.1.2 Multi-Factor Authentication (MFA) shall be required for:
  • All administrator accounts
  • Remote access to the network
  • Access to critical systems
  • Access to systems containing sensitive data
  • Cloud service administration 4.1.3 Authentication mechanisms shall be regularly reviewed and updated based on:
  • Industry best practices
  • Emerging threats
  • Compliance requirements
  • Security incident analysis

4.2 Workstation Security

4.2.1 All workstations shall be configured to:

  • Automatically lock after 15 minutes of inactivity
  • Display a legal notice at login stating that the system is for authorized use only
  • Disable autorun/autoplay features for removable media
  • Enforce device encryption
  • Apply group policies for security settings 4.2.2 Remote workstations shall have additional controls including:
  • VPN requirement for network connectivity
  • Asset tracking and remote wipe capability
  • Stricter authentication requirements
  • Restricted access to sensitive data

4.3 Security Awareness and Training

4.3.1 All employees shall receive security awareness training:

  • Upon hiring (within 30 days)
  • Annually thereafter
  • After significant security incidents
  • When new threats emerge 4.3.2 Security awareness training shall include:
  • Password security best practices
  • Phishing and social engineering awareness
  • Data handling procedures
  • Incident reporting procedures
  • Safe internet and email usage
  • Mobile device security
  • Physical security requirements
  • Compliance obligations 4.3.3 Effectiveness of training shall be measured through:
  • Pre and post-training assessments
  • Simulated phishing exercises
  • Security incident metrics
  • Compliance audit results

5. DATA PROTECTION

5.1 Data Classification

5.1.1 All company data shall be classified according to the following scheme:

  • Critical: Data that would cause severe harm if compromised
  • Confidential: Sensitive business or personal data with restricted access
  • Internal: Business data not intended for public disclosure
  • Public: Information approved for public distribution 5.1.2 Each classification level shall have defined:
  • Handling requirements
  • Storage requirements
  • Transmission requirements
  • Disposal procedures
  • Access restrictions 5.1.3 All data shall be labeled according to its classification when technically feasible.

5.2 Data Encryption

5.2.1 All personal and sensitive data at rest shall be encrypted using:

  • AES-256 or higher for symmetric encryption
  • RSA-2048 or higher for asymmetric encryption
  • Proper key management procedures 5.2.2 All data in transit shall be encrypted using:
  • TLS v1.2 or above for all web applications
  • Secure file transfer protocols (SFTP, FTPS)
  • VPN tunnels for remote connections
  • End-to-end encryption for sensitive communications 5.2.3 Encryption key management shall include:
  • Secure key generation procedures
  • Key rotation at least annually
  • Separation of duties for key custodians
  • Secure key backup and recovery procedures
  • Documented key destruction process

5.3 Data Retention and Disposal

5.3.1 Data retention periods shall be defined based on:

  • Legal and regulatory requirements
  • Business operational needs
  • Contractual obligations
  • Risk assessment outcomes 5.3.2 Data disposal shall follow secure procedures including:
  • Secure deletion using industry-standard wiping tools
  • Physical destruction of storage media when appropriate
  • Documented chain of custody for media containing sensitive information
  • Verification of successful data destruction 5.3.3 Third-party disposal services shall be:
  • Contractually bound to follow our security requirements
  • Certified for secure data destruction
  • Required to provide certificates of destruction

6. ACCESS CONTROL

6.1 Access Control Policy

6.1.1 Access to information systems shall be granted based on:

  • "Need-to-know" principle - users have access only to the information required to perform their job functions
  • "Least-privilege" principle - users are granted minimum necessary privileges to perform their job functions 6.1.2 The Access Control Policy shall be published and communicated to all employees, and shall include:
  • Access request and approval processes
  • Role-based access control framework
  • Segregation of duties requirements
  • Privileged access management
  • Third-party access controls 6.1.3 Access rights for all users shall be:
  • Documented in an access management system
  • Approved by appropriate data owners
  • Provisioned through a formal process
  • Regularly reviewed and revalidated

6.2 Access Management

6.2.1 User account management shall include:

  • Formal user registration and de-registration procedures
  • Unique user identification for accountability
  • Privileged account inventories
  • Regular privilege reviews
  • Automated disabling of inactive accounts after 90 days 6.2.2 Role-based access control shall be implemented with:
  • Clearly defined roles aligned with job functions
  • Documented access rights for each role
  • Approval workflows for role assignments
  • Regular role definition reviews 6.2.3 Segregation of duties shall be enforced to:
  • Prevent conflicts of interest
  • Reduce opportunities for unauthorized modifications
  • Detect unauthorized activities
  • Prevent administrator self-provisioning of elevated privileges

6.3 Access Monitoring and Review

6.3.1 System access logs shall capture:

  • User identification
  • Date and time of access
  • System/data accessed
  • Type of access (read, write, modify, delete)
  • Success or failure of access attempts 6.3.2 Access logs shall be:
  • Protected from unauthorized modification or deletion
  • Stored for a minimum of one year
  • Regularly reviewed for suspicious activities
  • Incorporated into security monitoring systems 6.3.3 User privileges shall be formally reviewed:
  • At least annually for all systems
  • Quarterly for critical systems
  • When users change roles
  • After significant system changes
  • After security incidents

7. VULNERABILITY MANAGEMENT

7.1 Vulnerability Assessment

7.1.1 Vulnerability scanning shall be conducted:

  • Monthly for external-facing systems
  • Quarterly for internal systems
  • After significant infrastructure changes
  • When new vulnerabilities are published that may affect our systems 7.1.2 Vulnerability scanning tools shall:
  • Be maintained with current vulnerability definitions
  • Cover all network segments and critical assets
  • Be configured to minimize operational impact
  • Generate detailed reports for remediation teams 7.1.3 Vulnerability assessment reports shall be:
  • Reviewed by security personnel within 24 hours of generation
  • Prioritized based on risk levels
  • Documented in a vulnerability tracking system
  • Retained for at least two years

7.2 Penetration Testing

7.2.1 Penetration testing shall be conducted:

  • Annually for all production environments
  • After significant architectural changes
  • Before new applications are deployed to production
  • Using a combination of automated and manual techniques 7.2.2 Penetration testing scope shall include:
  • Network infrastructure
  • Web applications
  • Mobile applications
  • Cloud configurations
  • API endpoints
  • Social engineering (with appropriate approvals) 7.2.3 Penetration testing shall be performed by:
  • Qualified third-party security professionals
  • Internal security teams with appropriate skills
  • Personnel independent from those responsible for the systems being tested

7.3 Vulnerability Remediation

7.3.1 Vulnerabilities shall be remediated according to the following timeframes:

  • Critical: 24 hours
  • High: 7 days
  • Medium: 30 days
  • Low: 90 days 7.3.2 Exceptions to remediation timeframes shall:
  • Be documented with business justification
  • Include compensating controls
  • Be approved by the CTO
  • Have a defined expiration date 7.3.3 Vulnerability remediation shall be verified through:
  • Follow-up scanning
  • Manual testing
  • Change management documentation review
  • Security control validation

8. INCIDENT MANAGEMENT

8.1 Incident Response Policy

8.1.1 An Incident Response Policy shall be published and communicated to all employees, containing:

  • Incident classification criteria
  • Roles and responsibilities
  • Escalation procedures
  • Communication protocols
  • Evidence collection guidelines
  • Reporting requirements 8.1.2 The incident response team shall include representatives from:
  • Information Security
  • IT Operations
  • Legal Department
  • Human Resources
  • Corporate Communications
  • Relevant business units 8.1.3 Incident response procedures shall address:
  • Identification and triage
  • Containment strategies
  • Eradication methods
  • Recovery procedures
  • Post-incident activities

8.2 Incident Response Testing

8.2.1 Incident response drills shall be conducted:

  • At least annually
  • For various incident scenarios
  • With participation from all relevant stakeholders
  • With minimal advance notice when appropriate 8.2.2 Tabletop exercises shall test:
  • Team coordination
  • Decision-making processes
  • Communication effectiveness
  • Technical response capabilities
  • Recovery time objectives 8.2.3 Results from incident response tests shall be:
  • Documented in after-action reports
  • Used to identify improvement opportunities
  • Incorporated into updated procedures
  • Shared with senior management

8.3 Incident Documentation and Analysis

8.3.1 All security incidents shall be documented with:

  • Initial detection details
  • Scope and impact assessment
  • Chronology of response actions
  • Evidence preservation methods
  • Resolution and recovery steps
  • Root cause analysis 8.3.2 Post-incident reviews shall:
  • Be conducted within two weeks of incident closure
  • Identify lessons learned
  • Document required control improvements
  • Assign action items with deadlines
  • Include stakeholder sign-off 8.3.3 Incident metrics shall be maintained to:
  • Track incident trends
  • Measure response effectiveness
  • Identify recurring issues
  • Support resource allocation decisions
  • Demonstrate continuous improvement

COMPLIANCE AND ENFORCEMENT

This policy shall be enforced by the GenCybers INC CTO and security team. Violations may result in disciplinary action, up to and including termination of employment or business relationship. All employees are required to acknowledge receipt and understanding of this policy upon hire and annually thereafter. POLICY REVIEW This Security Policy shall be reviewed annually and updated as necessary to reflect changes in technology, business practices, regulatory requirements, or the threat landscape.

APPROVED BY:Alex Wong

Chief Technology Officer GenCybers INC DATE: January 14, 2025