Version 1.0, Effective February 15, 2026

    Information Security Policy & Procedures

    This policy establishes the framework for identifying, mitigating, and monitoring information security risks across all operations, systems, and client engagements.

    Section 1

    Purpose & Scope

    This Information Security Policy ("Policy") defines the security controls, procedures, and responsibilities that govern the protection of information assets managed by Brent Norris ("the Organization"). It applies to all systems, networks, applications, data, personnel, contractors, and third-party service providers that access, process, store, or transmit organizational or client data.

    The objectives of this policy are to:

    • Protect the confidentiality, integrity, and availability of information assets
    • Establish a risk-based approach to information security management
    • Define clear roles, responsibilities, and accountability structures
    • Ensure compliance with applicable legal, regulatory, and contractual obligations
    • Provide a framework for continuous improvement of security controls

    This policy applies to all information in any form: electronic, physical, or verbal, regardless of the medium or technology used.

    Section 2

    Governance & Roles

    The Information Security Officer (ISO) is responsible for the development, implementation, maintenance, and enforcement of this policy. Security governance includes the following accountability structure:

    Information Security Officer

    Oversees policy development, risk assessments, incident coordination, vendor security reviews, and annual policy revisions. Serves as the primary point of contact for all security-related matters.

    System Administrators

    Implement technical controls, manage access permissions, monitor infrastructure, apply patches and updates, and maintain system documentation.

    All Personnel & Contractors

    Comply with this policy, complete security awareness training, report suspected incidents immediately, and protect credentials and access tokens.

    Policy violations may result in disciplinary action, contract termination, or legal proceedings commensurate with the severity of the violation.

    Section 3

    Risk Management

    The Organization maintains a formal risk management program designed to identify, assess, mitigate, and monitor information security risks on a continuous basis. The risk management lifecycle includes:

    PhaseActivitiesFrequency
    IdentificationAsset inventory, threat modeling, vulnerability scanningContinuous
    AssessmentLikelihood/impact analysis, risk scoring (1-25 matrix)Quarterly
    MitigationControl implementation, risk acceptance/transfer decisionsAs identified
    MonitoringKRI tracking, control effectiveness testing, residual risk reviewMonthly
    ReportingRisk register updates, trend analysis, management reviewQuarterly

    Risk ratings are classified as Critical, High, Medium, or Low. Critical and High risks require documented mitigation plans within 30 and 90 days respectively. Risk acceptance requires documented justification and ISO approval.

    Section 4

    Access Control

    Access to information systems, applications, and data is governed by the principle of least privilege and need-to-know. The following controls are enforced:

    4.1 Authentication

    • Multi-factor authentication (MFA) required for all administrative access, remote access, and client-facing systems
    • Password policy: minimum 16 characters, complexity requirements, 90-day rotation for privileged accounts
    • Credential storage using cryptographic hashing (bcrypt/scrypt) with per-credential salts
    • Session tokens with configurable expiration and automatic invalidation on privilege changes

    4.2 Authorization

    • Role-based access control (RBAC) with defined roles: admin, user, read-only
    • Row-level security (RLS) policies enforced at the database layer for all client data
    • API access governed by scoped tokens with minimum necessary permissions
    • Quarterly access reviews with documented revocation of unnecessary privileges

    4.3 Account Lifecycle

    • Formal onboarding process with documented access provisioning
    • Immediate access revocation upon termination or role change
    • Dormant accounts disabled after 90 days of inactivity
    Section 5

    Data Protection

    5.1 Data Classification

    LevelDescriptionExamples
    RestrictedHighly sensitive, regulatory-protectedPHI, credentials, encryption keys
    ConfidentialBusiness-sensitive, client-specificClient data, financials, contracts
    InternalInternal operations, not for publicSOPs, internal reports, analytics
    PublicApproved for public accessWebsite content, marketing materials

    5.2 Encryption Standards

    • Data in transit: TLS 1.2+ enforced on all connections; HSTS headers with minimum 1-year max-age
    • Data at rest: AES-256-GCM encryption for stored credentials and sensitive configuration
    • Database-level encryption with transparent data encryption (TDE)
    • Key management through isolated vault services with automated rotation schedules

    5.3 Data Retention & Disposal

    • Retention schedules defined per data classification level and regulatory requirement
    • Automated purging of transient data (session logs, temporary files) after defined periods
    • Secure deletion using cryptographic erasure for decommissioned storage media
    • Audit trail maintained for all data disposal actions
    Section 6

    Network & Infrastructure Security

    • Network segmentation isolating client environments, management interfaces, and public-facing services
    • Web Application Firewall (WAF) with OWASP Top 10 ruleset on all public endpoints
    • DDoS mitigation through CDN-level protection with automatic scaling
    • CORS allowlisting restricting cross-origin access to approved domains only
    • Rate limiting on all API endpoints and form submissions to prevent abuse
    • SSL/TLS certificate monitoring with automated alerts at 30, 14, and 7 days before expiry
    • Infrastructure-as-code with version-controlled configurations and change approval workflows
    • Automated vulnerability scanning of dependencies with daily update checks
    Section 7

    Endpoint Security

    • Full-disk encryption required on all devices that access organizational or client data
    • Endpoint detection and response (EDR) software on all workstations
    • Automatic OS and application patching within 14 days of critical security updates
    • Screen lock enforced after 5 minutes of inactivity
    • USB storage devices disabled by policy; data transfer only through approved channels
    • Remote wipe capability for all mobile devices with organizational data access
    Section 8

    Incident Response

    The Organization maintains a documented Incident Response Plan (IRP) that defines procedures for detection, containment, eradication, recovery, and post-incident review. The IRP follows NIST SP 800-61 Rev. 2 guidelines.

    8.1 Incident Severity Classification

    SeverityCriteriaResponse Time
    P1 - CriticalActive data breach, system compromise, ransomwareImmediate (≤1 hour)
    P2 - HighUnauthorized access attempt, credential exposure≤4 hours
    P3 - MediumPolicy violation, suspicious activity, failed controls≤24 hours
    P4 - LowMinor anomalies, informational events≤72 hours

    8.2 Response Procedures

    • Detection: Automated monitoring, log analysis, anomaly detection, and user reporting
    • Containment: Immediate isolation of affected systems; credential rotation; forensic evidence preservation
    • Eradication: Root cause analysis, malware removal, vulnerability patching
    • Recovery: System restoration from verified backups; enhanced monitoring during recovery period
    • Post-Incident: Lessons learned documentation; control improvements; stakeholder communication

    8.3 Breach Notification

    In the event of a confirmed data breach involving personal or protected health information, affected parties will be notified within 72 hours in accordance with applicable regulations (HIPAA, state breach notification laws). Notification will include the nature of the breach, types of data affected, remediation steps taken, and contact information for further inquiries.

    Section 9

    Vendor & Third-Party Management

    All third-party service providers that access, process, or store organizational or client data are subject to security assessment prior to engagement and on an ongoing basis.

    • Vendor security questionnaire and risk assessment prior to onboarding
    • Contractual security requirements including data handling, encryption, and breach notification clauses
    • Business Associate Agreements (BAA) executed with all vendors handling PHI
    • Annual vendor security reviews with documented risk ratings
    • Right-to-audit clauses included in all critical vendor agreements
    • Vendor access limited to minimum necessary scope with dedicated service accounts
    • Exit procedures ensuring complete data return/deletion upon contract termination

    Key Vendor Categories

    Infrastructure hosting, DNS and domain services, email delivery, payment processing, monitoring and uptime services, SSL certificate authorities, and analytics platforms. Each category has defined minimum security requirements and review schedules.

    Section 10

    Business Continuity & Disaster Recovery

    • Automated daily backups with geographic redundancy across multiple regions
    • Point-in-time recovery capability with maximum 24-hour recovery point objective (RPO)
    • Recovery time objective (RTO) of 4 hours for critical systems
    • Quarterly backup restoration testing with documented results
    • Failover procedures documented and tested semi-annually
    • Client data segregation ensuring single-client incidents do not affect other clients
    • Communication plan for notifying clients of service disruptions within 1 hour of confirmed impact
    Section 11

    Monitoring, Logging & Audit

    The Organization maintains comprehensive monitoring and logging to detect security events, support incident investigation, and demonstrate compliance.

    • Security audit logging for all authentication events, administrative actions, and data access operations
    • Privacy-preserving IP address hashing (SHA-256) in audit logs to support investigation without storing PII
    • Log retention of 90 days for operational logs, 1 year for security audit logs
    • Real-time uptime monitoring with automated alerting for all client-facing services
    • Automated health checks covering SSL validity, performance metrics, SEO integrity, and broken link detection
    • Weekly health digest reports with actionable findings for managed hosting clients
    • Log integrity protections preventing tampering or unauthorized deletion

    Operationalized Monitoring Controls

    The following automated systems are actively deployed: 5-factor weighted health scoring (uptime, SSL, performance, link health, SEO), UptimeRobot integration for real-time availability monitoring, PageSpeed Insights integration for Core Web Vitals tracking, automated SSL certificate expiry alerting, and comprehensive security audit logging with tamper-evident storage.

    Section 12

    Acceptable Use

    All authorized users of organizational systems must adhere to the following acceptable use requirements:

    • Systems shall be used only for authorized business purposes
    • Sharing of credentials, access tokens, or API keys is strictly prohibited
    • Personal devices used for business must meet minimum endpoint security requirements
    • Installation of unauthorized software on organizational systems is prohibited
    • All suspected security incidents must be reported immediately to the ISO
    • Client data shall not be stored on personal devices or unauthorized cloud services
    Section 13

    Email & Communications Security

    • Email delivery through authenticated transactional email services with SPF, DKIM, and DMARC enforcement
    • Email suppression management to honor bounces, complaints, and unsubscribe requests
    • Delivery tracking and logging of all system-generated emails for audit purposes
    • No transmission of restricted or confidential data via unencrypted email
    • Anti-phishing awareness integrated into security training for all personnel
    Section 14

    Regulatory Compliance

    The Organization maintains compliance with the following regulatory frameworks as applicable to client engagements and operational requirements:

    • HIPAA: Security Rule, Privacy Rule, and Breach Notification Rule compliance for clients handling protected health information (PHI)
    • State Data Breach Laws: Compliance with breach notification requirements in all applicable jurisdictions
    • PCI DSS: Payment card data security through certified third-party payment processors; no direct card data handling
    • CCPA/CPRA: Consumer privacy rights protections for California residents as applicable
    • CAN-SPAM: Compliance with email marketing regulations including opt-out mechanisms and accurate sender identification

    Compliance obligations are reviewed annually and updated when new regulations or client requirements are identified. Client-specific compliance requirements are documented in individual service agreements.

    Section 15

    Policy Management

    • This policy is reviewed and updated at minimum annually, or upon significant operational changes
    • All revisions are version-controlled with documented change history
    • Policy awareness is required for all personnel with access to organizational systems
    • Exception requests must be documented, risk-assessed, time-limited, and approved by the ISO

    Document Control

    Version:1.0
    Effective Date:February 15, 2026
    Next Review:February 15, 2027
    Owner:Information Security Officer

    Questions About This Policy

    For questions regarding this Information Security Policy or to report a security concern, contact the Information Security Officer.

    This policy is a public document provided for transparency. It does not create contractual obligations beyond those specified in individual service agreements.