Information Security Policy & Procedures
This policy establishes the framework for identifying, mitigating, and monitoring information security risks across all operations, systems, and client engagements.
Purpose & Scope
This Information Security Policy ("Policy") defines the security controls, procedures, and responsibilities that govern the protection of information assets managed by Brent Norris ("the Organization"). It applies to all systems, networks, applications, data, personnel, contractors, and third-party service providers that access, process, store, or transmit organizational or client data.
The objectives of this policy are to:
- Protect the confidentiality, integrity, and availability of information assets
- Establish a risk-based approach to information security management
- Define clear roles, responsibilities, and accountability structures
- Ensure compliance with applicable legal, regulatory, and contractual obligations
- Provide a framework for continuous improvement of security controls
This policy applies to all information in any form: electronic, physical, or verbal, regardless of the medium or technology used.
Governance & Roles
The Information Security Officer (ISO) is responsible for the development, implementation, maintenance, and enforcement of this policy. Security governance includes the following accountability structure:
Information Security Officer
Oversees policy development, risk assessments, incident coordination, vendor security reviews, and annual policy revisions. Serves as the primary point of contact for all security-related matters.
System Administrators
Implement technical controls, manage access permissions, monitor infrastructure, apply patches and updates, and maintain system documentation.
All Personnel & Contractors
Comply with this policy, complete security awareness training, report suspected incidents immediately, and protect credentials and access tokens.
Policy violations may result in disciplinary action, contract termination, or legal proceedings commensurate with the severity of the violation.
Risk Management
The Organization maintains a formal risk management program designed to identify, assess, mitigate, and monitor information security risks on a continuous basis. The risk management lifecycle includes:
| Phase | Activities | Frequency |
|---|---|---|
| Identification | Asset inventory, threat modeling, vulnerability scanning | Continuous |
| Assessment | Likelihood/impact analysis, risk scoring (1-25 matrix) | Quarterly |
| Mitigation | Control implementation, risk acceptance/transfer decisions | As identified |
| Monitoring | KRI tracking, control effectiveness testing, residual risk review | Monthly |
| Reporting | Risk register updates, trend analysis, management review | Quarterly |
Risk ratings are classified as Critical, High, Medium, or Low. Critical and High risks require documented mitigation plans within 30 and 90 days respectively. Risk acceptance requires documented justification and ISO approval.
Access Control
Access to information systems, applications, and data is governed by the principle of least privilege and need-to-know. The following controls are enforced:
4.1 Authentication
- Multi-factor authentication (MFA) required for all administrative access, remote access, and client-facing systems
- Password policy: minimum 16 characters, complexity requirements, 90-day rotation for privileged accounts
- Credential storage using cryptographic hashing (bcrypt/scrypt) with per-credential salts
- Session tokens with configurable expiration and automatic invalidation on privilege changes
4.2 Authorization
- Role-based access control (RBAC) with defined roles: admin, user, read-only
- Row-level security (RLS) policies enforced at the database layer for all client data
- API access governed by scoped tokens with minimum necessary permissions
- Quarterly access reviews with documented revocation of unnecessary privileges
4.3 Account Lifecycle
- Formal onboarding process with documented access provisioning
- Immediate access revocation upon termination or role change
- Dormant accounts disabled after 90 days of inactivity
Data Protection
5.1 Data Classification
| Level | Description | Examples |
|---|---|---|
| Restricted | Highly sensitive, regulatory-protected | PHI, credentials, encryption keys |
| Confidential | Business-sensitive, client-specific | Client data, financials, contracts |
| Internal | Internal operations, not for public | SOPs, internal reports, analytics |
| Public | Approved for public access | Website content, marketing materials |
5.2 Encryption Standards
- Data in transit: TLS 1.2+ enforced on all connections; HSTS headers with minimum 1-year max-age
- Data at rest: AES-256-GCM encryption for stored credentials and sensitive configuration
- Database-level encryption with transparent data encryption (TDE)
- Key management through isolated vault services with automated rotation schedules
5.3 Data Retention & Disposal
- Retention schedules defined per data classification level and regulatory requirement
- Automated purging of transient data (session logs, temporary files) after defined periods
- Secure deletion using cryptographic erasure for decommissioned storage media
- Audit trail maintained for all data disposal actions
Network & Infrastructure Security
- Network segmentation isolating client environments, management interfaces, and public-facing services
- Web Application Firewall (WAF) with OWASP Top 10 ruleset on all public endpoints
- DDoS mitigation through CDN-level protection with automatic scaling
- CORS allowlisting restricting cross-origin access to approved domains only
- Rate limiting on all API endpoints and form submissions to prevent abuse
- SSL/TLS certificate monitoring with automated alerts at 30, 14, and 7 days before expiry
- Infrastructure-as-code with version-controlled configurations and change approval workflows
- Automated vulnerability scanning of dependencies with daily update checks
Endpoint Security
- Full-disk encryption required on all devices that access organizational or client data
- Endpoint detection and response (EDR) software on all workstations
- Automatic OS and application patching within 14 days of critical security updates
- Screen lock enforced after 5 minutes of inactivity
- USB storage devices disabled by policy; data transfer only through approved channels
- Remote wipe capability for all mobile devices with organizational data access
Incident Response
The Organization maintains a documented Incident Response Plan (IRP) that defines procedures for detection, containment, eradication, recovery, and post-incident review. The IRP follows NIST SP 800-61 Rev. 2 guidelines.
8.1 Incident Severity Classification
| Severity | Criteria | Response Time |
|---|---|---|
| P1 - Critical | Active data breach, system compromise, ransomware | Immediate (≤1 hour) |
| P2 - High | Unauthorized access attempt, credential exposure | ≤4 hours |
| P3 - Medium | Policy violation, suspicious activity, failed controls | ≤24 hours |
| P4 - Low | Minor anomalies, informational events | ≤72 hours |
8.2 Response Procedures
- Detection: Automated monitoring, log analysis, anomaly detection, and user reporting
- Containment: Immediate isolation of affected systems; credential rotation; forensic evidence preservation
- Eradication: Root cause analysis, malware removal, vulnerability patching
- Recovery: System restoration from verified backups; enhanced monitoring during recovery period
- Post-Incident: Lessons learned documentation; control improvements; stakeholder communication
8.3 Breach Notification
In the event of a confirmed data breach involving personal or protected health information, affected parties will be notified within 72 hours in accordance with applicable regulations (HIPAA, state breach notification laws). Notification will include the nature of the breach, types of data affected, remediation steps taken, and contact information for further inquiries.
Vendor & Third-Party Management
All third-party service providers that access, process, or store organizational or client data are subject to security assessment prior to engagement and on an ongoing basis.
- Vendor security questionnaire and risk assessment prior to onboarding
- Contractual security requirements including data handling, encryption, and breach notification clauses
- Business Associate Agreements (BAA) executed with all vendors handling PHI
- Annual vendor security reviews with documented risk ratings
- Right-to-audit clauses included in all critical vendor agreements
- Vendor access limited to minimum necessary scope with dedicated service accounts
- Exit procedures ensuring complete data return/deletion upon contract termination
Key Vendor Categories
Infrastructure hosting, DNS and domain services, email delivery, payment processing, monitoring and uptime services, SSL certificate authorities, and analytics platforms. Each category has defined minimum security requirements and review schedules.
Business Continuity & Disaster Recovery
- Automated daily backups with geographic redundancy across multiple regions
- Point-in-time recovery capability with maximum 24-hour recovery point objective (RPO)
- Recovery time objective (RTO) of 4 hours for critical systems
- Quarterly backup restoration testing with documented results
- Failover procedures documented and tested semi-annually
- Client data segregation ensuring single-client incidents do not affect other clients
- Communication plan for notifying clients of service disruptions within 1 hour of confirmed impact
Monitoring, Logging & Audit
The Organization maintains comprehensive monitoring and logging to detect security events, support incident investigation, and demonstrate compliance.
- Security audit logging for all authentication events, administrative actions, and data access operations
- Privacy-preserving IP address hashing (SHA-256) in audit logs to support investigation without storing PII
- Log retention of 90 days for operational logs, 1 year for security audit logs
- Real-time uptime monitoring with automated alerting for all client-facing services
- Automated health checks covering SSL validity, performance metrics, SEO integrity, and broken link detection
- Weekly health digest reports with actionable findings for managed hosting clients
- Log integrity protections preventing tampering or unauthorized deletion
Operationalized Monitoring Controls
The following automated systems are actively deployed: 5-factor weighted health scoring (uptime, SSL, performance, link health, SEO), UptimeRobot integration for real-time availability monitoring, PageSpeed Insights integration for Core Web Vitals tracking, automated SSL certificate expiry alerting, and comprehensive security audit logging with tamper-evident storage.
Acceptable Use
All authorized users of organizational systems must adhere to the following acceptable use requirements:
- Systems shall be used only for authorized business purposes
- Sharing of credentials, access tokens, or API keys is strictly prohibited
- Personal devices used for business must meet minimum endpoint security requirements
- Installation of unauthorized software on organizational systems is prohibited
- All suspected security incidents must be reported immediately to the ISO
- Client data shall not be stored on personal devices or unauthorized cloud services
Email & Communications Security
- Email delivery through authenticated transactional email services with SPF, DKIM, and DMARC enforcement
- Email suppression management to honor bounces, complaints, and unsubscribe requests
- Delivery tracking and logging of all system-generated emails for audit purposes
- No transmission of restricted or confidential data via unencrypted email
- Anti-phishing awareness integrated into security training for all personnel
Regulatory Compliance
The Organization maintains compliance with the following regulatory frameworks as applicable to client engagements and operational requirements:
- HIPAA: Security Rule, Privacy Rule, and Breach Notification Rule compliance for clients handling protected health information (PHI)
- State Data Breach Laws: Compliance with breach notification requirements in all applicable jurisdictions
- PCI DSS: Payment card data security through certified third-party payment processors; no direct card data handling
- CCPA/CPRA: Consumer privacy rights protections for California residents as applicable
- CAN-SPAM: Compliance with email marketing regulations including opt-out mechanisms and accurate sender identification
Compliance obligations are reviewed annually and updated when new regulations or client requirements are identified. Client-specific compliance requirements are documented in individual service agreements.
Policy Management
- This policy is reviewed and updated at minimum annually, or upon significant operational changes
- All revisions are version-controlled with documented change history
- Policy awareness is required for all personnel with access to organizational systems
- Exception requests must be documented, risk-assessed, time-limited, and approved by the ISO
Document Control
Questions About This Policy
For questions regarding this Information Security Policy or to report a security concern, contact the Information Security Officer.
This policy is a public document provided for transparency. It does not create contractual obligations beyond those specified in individual service agreements.