Purpose

The purpose of this policy is to establish an Information Security Program which protects the confidentiality, integrity, and availability of Zuar, Inc.'s data and assets.

The program defines and implements safeguards that help Zuar, Inc. prevent unauthorized access, disclosure, loss, or inappropriate use of data. It aims to ensure that data is protected, both during transmission and at rest, from internal, external, accidental, and deliberate threats.

Scope

The policy applies to all employees of Zuar, Inc., and all systems and data owned by it.

Ownership

Whitney Myers is responsible for implementing and maintaining this policy.

Policy Statement

The Information Security Program institutes technical, physical, and administrative safeguards to protect data and assets from unauthorized access, disclosure, or inappropriate use. The program establishes requirements and standards, and organizes them into Policy documents. Policies encompass, but are not limited to, the areas listed below.

Backup

Zuar, Inc.'s backup procedures are documented in its Backup Policy. The purpose of this policy is to institute the necessary controls to mitigate the accidental loss of Zuar, Inc. data. These controls assume that events such as accidental data corruption, deletion, or destruction will occur, and mitigate the impact of such events by maintaining reliable backup copies from which data can be readily restored.

Encryption

Encryption practices are documented in Zuar, Inc.'s Encryption Policy. The purpose of this policy is to establish practices for protecting Zuar, Inc. data in the event of unauthorized access through the use of encryption. The policy describes the different components that can be configured to utilize encryption, the algorithm that must be used for each, and how encryption keys should be managed.

Change Management

Zuar, Inc.'s change management process is documented in its Change Management Policy. The purpose of this policy is to provide guidance on the process of managing change across Zuar, Inc.'s critical systems and products in order to ensure that sufficient checks and balances are in place to mitigate the risks inherent in continuous product development.

Vulnerability Management

Zuar, Inc.'s Vulnerability Management program is documented in the Vulnerability Management Policy. The purpose of this policy is to establish vulnerability management controls and provide guidelines for their implementation. Vulnerability management encompasses source code, operating systems, runtimes, and devices, and vulnerability scans are performed externally via penetration testing and web application scans.

Access Control

Zuar, Inc.'s access control practices are documented in its Access Control Policy. The purpose of this policy is to establish the principles and guidelines for controlling access to systems owned by Zuar, Inc.

Authentication and Password

Zuar, Inc.'s approach to authentication and password management is documented in Zuar, Inc.'s Authentication and Password Policy. This policy describes Zuar, Inc.'s requirements with regards to account authentication, including how passwords should be generated, used, and protected.

Security Incident Response

Zuar, Inc.'s procedures for handling security incidents are documented in its Security Incident Management Policy. The purpose of this policy is to establish requirements and plans for reporting and responding to security incidents impacting Zuar, Inc.'s corporate or customer systems.

Business Continuity

Zuar, Inc.'s business continuity plan is documented in the Business Continuity Policy. The purpose of this policy is to establish requirements and plans to recover Zuar, Inc. operations following a disruption due to causes such as natural disaster, loss of access to premises, pandemic, or malicious activity from external or internal sources.

Risk Management

Zuar, Inc. maintains a risk management program to identify, prioritize, and mitigate risk to acceptable levels. The program consists of regularly performed risk assessments, which identify and prioritize security and compliance gaps, and recommend additional security controls needed to mitigate the risk carried by the gaps.

Policy Management

The company develops and maintains formal policies that govern information security within the company. The policies are formally reviewed and approved at least once a year, and are communicated to all employees.

Policy Creation

Zuar, Inc.'s management team is responsible for creating policies and supporting any relevant requirements and activities through sufficient staffing and budget allocation. The management team is also responsible for ensuring that Zuar, Inc.'s staff is trained to understand and remain familiar with all relevant policies, and for keeping policies available for review both internally and externally by customers and partners.

Policy Reviews

Whitney Myers is responsible for ensuring all Zuar, Inc. information security policies are reviewed at least annually by Zuar, Inc. management, and re-approved or updated as necessary.

Existing policies may be updated and new policies may be created for reasons including:

  • Complying with applicable laws and regulations
  • Complying with new requirements for certification and governance by the company or its customers
  • Addressing new threats
  • Technological or business requirements

Security Awareness Training

Security awareness training is provided to new employees, and to all employees on a recurring basis, to promote strong security practices for the whole company.

All workforce members are required to complete Security Awareness Training shortly after they join the company. On a periodic basis, typically annually, the company will provide additional training. In addition, workforce members may be asked to complete further training as dictated by operational or environmental changes.

Changes that might lead to adjustment of the training program include:

  • A security incident retrospective determining that additional training is required
  • Adoption of new technology by the company
  • Material changes in organizational policies

Whitney Myers is responsible for creating the training program, and for selecting and updating training material over time. The program may be delivered internally, by qualified personnel, or by a third-party vendor.

Security Council

Management and the Board of Directors consider requirements relevant to security, availability, processing integrity, and confidentiality. These considerations are documented in the company's Information Security Policy, which specifically delegates the overall responsibility of security to the Security Council.

The Security Council consists of the CEO, President, CFO, and VP, Engineering. As such, this Council is responsible for creating, approving, and enforcing security policies and procedures, leading the monitoring, vulnerability management, and incident detection and response initiatives, and tracking and reducing risk across the organization.

The Security Council and their supporting team are responsible for setting the direction of and taking the authoritative role in Zuar, Inc.'s Information Security Program and related activities, including:

  • Coordinating internal and external assessments
  • Designing and implementing security controls
  • Leading security incident response activities
  • Monitoring systems and networks to detect vulnerabilities and misconfigurations, and to promptly resolve them
  • Regular testing of all security controls
  • Security Awareness Training
  • Security Officer
  • Policy Management