Information Security Policy
1. Purpose
This policy establishes administrative, technical, and physical safeguards to protect personal information and other confidential data handled by [Company Name] (“Company”) in connection with marketing and lead-generation services in the United States.
2. Scope
This policy applies to all employees, contractors, and third parties who access Company systems or data, including endpoints, servers, cloud environments, applications, data pipelines, and SaaS tools used to collect, store, or transmit personal information (“PI”).
3. Definitions
- Personal Information (PI): Information that identifies or can reasonably be linked to a person or household (e.g., name, email, phone, address, IP).
- Sensitive PI (SPI): Higher-risk data requiring stronger protection (e.g., government IDs, precise geolocation, financial account numbers). Company does not intentionally collect SPI; if received, treat as Restricted and purge per §14.
- Breach: Unauthorized acquisition of unencrypted PI that compromises its security or confidentiality. Encrypted PI is treated as unencrypted if the key or credential needed to decrypt it was, or is reasonably believed to have been, acquired as well.
- Data Owner: Business lead responsible for accuracy, use, and classification of a dataset.
4. Roles & Responsibilities
- Executive Management: Provide resources; approve policy.
- Security Lead / CISO: Maintain policy, risk program, incident response, vendor security, training, and audits.
- IT/Engineering: Implement controls, monitor systems, manage changes, backups, and recovery.
- All Personnel: Follow this policy, complete training, report incidents promptly.
5. Legal & Regulatory Alignment
Company commits to maintaining reasonable security appropriate to the nature of PI and risk, consistent with:
- US consumer protection principles (e.g., FTC Act §5 on unfair/deceptive practices).
- State privacy and breach-notification requirements in the states where we operate or where consumers reside.
- California CCPA/CPRA expectations for reasonable security and consumer rights.
- Contractual and partner obligations.
6. Risk Management
- Maintain a risk register mapping threats, likelihood, impact, and treatment.
- Perform an annual risk assessment and after material changes (new systems/vendors).
- Track remediation owners, dates, and residual risk acceptance by management.
7. Data Classification
Classify and label data in systems/repositories:
- Public: Intended for public release.
- Internal: Routine business info, low risk.
- Confidential (PI): Names, emails, phone, address, IP, lead metadata.
- Restricted (SPI/Secrets): Auth secrets, access tokens, encryption keys, any unexpected SPI.
Default to Confidential if unsure.
8. Access Control & Identity
- Least Privilege and Need-to-Know for all PI.
- MFA required for all privileged and remote access; SSO where feasible.
- Passwords: Minimum 12 characters; screen new passwords against known-breached lists; lockout or rate limiting on repeated failures; rotate shared and service-account credentials on a schedule and whenever someone with access to them leaves.
- Provisioning/De-provisioning: Complete within 24 hours of role change/termination.
- Quarterly access reviews for systems containing PI.
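The de-provisioning window, the MFA rule for privileged accounts and the service-account rotation requirement above are the checks a quarterly access review runs. The script below is an added example of that reconciliation (not the Company's own tooling): it joins an IAM account export to the HR roster and lists every violation. The roster, account records, field names and the 90-day rotation limit are constructed assumptions for this illustration.

```python
"""Added example (not the Company's tooling): reconcile an IAM account export
against the HR roster to check the 24-hour de-provisioning window, the
MFA-for-privileged rule and service-account rotation from section 8.
All records, field names and the 90-day rotation limit are constructed
assumptions for this illustration."""
from datetime import datetime, timedelta, timezone

DEPROVISION_SLA = timedelta(hours=24)   # from section 8
ROTATION_MAX = timedelta(days=90)       # assumption; the policy only says "rotation"


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T09:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed HR roster: user id -> employment status and termination time.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_at": None},
    "bob":   {"status": "terminated", "terminated_at": "2024-05-01T09:00:00Z"},
    "carol": {"status": "terminated", "terminated_at": "2024-05-03T15:00:00Z"},
}

# Constructed IAM export: one record per account in a system holding PI.
IAM_ACCOUNTS = [
    {"user": "alice",   "type": "human",   "enabled": True, "privileged": True,  "mfa": True},
    {"user": "bob",     "type": "human",   "enabled": True, "privileged": False, "mfa": True},
    {"user": "carol",   "type": "human",   "enabled": True, "privileged": True,  "mfa": True},
    {"user": "dave",    "type": "human",   "enabled": True, "privileged": True,  "mfa": False},
    {"user": "etl-svc", "type": "service", "enabled": True, "privileged": True,
     "last_rotated": "2023-11-01T00:00:00Z"},
]


def review_accounts(roster, accounts, now):
    """Return sorted (user, finding, detail) tuples for every account that violates section 8."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # already de-provisioned; nothing to review
        if acct["type"] == "human":
            hr = roster.get(user)
            if hr is None:
                findings.append((user, "orphaned", "no HR record for enabled account"))
            elif hr["status"] == "terminated":
                age = now - parse_ts(hr["terminated_at"])
                if age > DEPROVISION_SLA:
                    findings.append((user, "deprovision_overdue",
                                     f"still enabled {age.days}d {age.seconds // 3600}h after termination"))
            if acct["privileged"] and not acct.get("mfa", False):
                findings.append((user, "mfa_missing", "privileged account without MFA"))
        else:
            # Service accounts cannot enrol in MFA; section 8 requires credential rotation instead.
            age = now - parse_ts(acct["last_rotated"])
            if age > ROTATION_MAX:
                findings.append((user, "rotation_overdue", f"credential is {age.days}d old"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_accounts(HR_ROSTER, IAM_ACCOUNTS, parse_ts("2024-05-04T10:00:00Z")):
        print(*finding, sep="\t")
```

An account whose owner was terminated less than 24 hours ago is deliberately not reported, so the output is the list of items that are already out of policy rather than everything in flight; feed it to the review owner and keep the run output as the evidence the access-review procedure in Appendix G calls for.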
9. Encryption & Key Management
- In Transit: TLS 1.2+ for all traffic carrying PI, including internal service-to-service calls and vendor transfers; SSLv3, TLS 1.0 and TLS 1.1 disabled.
- At Rest: AES-256 (cloud-native encryption or managed KMS); keys held separately from the data they protect, with key access logged and rotation enabled.
- Separate prod vs. non-prod; never use live PI in dev without masking.
- Store secrets in a secret manager; no secrets in code, tickets, or chat.
10. Network & Infrastructure Security
- Segment networks; restrict inbound access with least-privilege security groups.
- Harden servers/containers; disable unused services/ports.
- Endpoint protection (EDR/AV), host firewalls, automatic OS/app patching.
- Centralized logging with ≥ 90-day retention and integrity protections.
- Backups: Daily for systems storing PI; test restores quarterly; maintain offline/immutable copies where feasible.
11. Application Security & SDLC
- Security requirements in user stories; mandatory code reviews.
- Dependency scanning & SAST on commits/builds; DAST / pen tests at least annually and after major changes.
- Input validation, output encoding, CSRF protection, parameterized queries, authz checks, secure session management.
- Privacy by design: collect minimum PI; limit retention; support opt-out and deletion workflows.
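The parameterized-query and authorization-check requirements above are easiest to see side by side. The following is an added example (not the Company's code) of a lead lookup written the vulnerable way and the hardened way against an in-memory SQLite table; the table, columns, rows and partner names are constructed for this illustration.

```python
"""Added example (not the Company's code): a lead lookup built by string
splicing beside its parameterized form, per section 11. The leads table,
its rows and the partner names are constructed for this illustration."""
import sqlite3


def make_db():
    """Create an in-memory leads table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO leads (email, phone, owner) VALUES (?, ?, ?)",
        [
            ("a@example.com", "555-0101", "partner-1"),
            ("b@example.com", "555-0102", "partner-1"),
            ("c@example.com", "555-0103", "partner-2"),
        ],
    )
    return conn


def lookup_vulnerable(conn, owner, email):
    """VULNERABLE: caller-supplied text is spliced into the SQL statement.

    A crafted email such as  ' OR '1'='1  rewrites the WHERE clause and
    returns every lead, bypassing the owner (authz) predicate as well."""
    sql = (
        f"SELECT email FROM leads WHERE owner = '{owner}' "
        f"AND email = '{email}' ORDER BY email"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, owner, email):
    """Hardened: placeholders bind input as data, never as SQL text.

    `owner` is the authz predicate and must come from the authenticated
    session, not from the request body, so one partner cannot read another's leads."""
    sql = "SELECT email FROM leads WHERE owner = ? AND email = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (owner, email))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, "partner-1", payload))
    print("hardened:  ", lookup_hardened(db, "partner-1", payload))
```

The same pattern applies to every driver and ORM in use: the query text is fixed at development time and only the bound values vary, which is what SAST rules for injection look for and what code review should reject when absent.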
12. Vendor & Partner Management
- Inventory all vendors handling PI (subprocessors, ad/analytics, CRM, call centers).
- Contracts must include data-protection and breach-notification clauses; require reasonable security.
- Perform security due diligence pre-onboarding and review annually (e.g., SOC 2/ISO 27001 or questionnaire).
- Enforce secure transfer (TLS) and minimize fields shared.
13. Monitoring, Logging & Alerting
- Monitor authentication, admin actions, data exports, anomaly traffic, and error spikes.
- Synchronize clocks (NTP) so events can be correlated across systems; protect logs from alteration; retain per §10.
- Alert on brute force, suspicious downloads, unusual partner API calls.
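The brute-force and suspicious-download alerts above are simple enough to express as detection logic. Below is an added example (not the Company's own detection content) that runs two such rules over constructed log lines: a sliding window of failed logins per source address, a success from a source that has just crossed that threshold, and an export larger than a row limit. The log format, the 5-failures-in-5-minutes threshold and the 10,000-row export limit are assumptions for this illustration.

```python
"""Added example (not the Company's detection content): brute-force and
large-export alerts from section 13 run over constructed log lines. The log
format, the 5-failures-in-5-minutes window and the 10,000-row export limit
are assumptions for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>auth|export) (?P<kv>.*)$")
FAIL_THRESHOLD = 5                 # assumption
FAIL_WINDOW = timedelta(minutes=5)  # assumption
EXPORT_ROW_LIMIT = 10_000           # assumption

# Constructed sample log: one source spraying five accounts, then succeeding.
SAMPLE_LOG = """\
2024-05-04T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2024-05-04T10:00:03Z auth user=alice src=203.0.113.5 result=FAIL
2024-05-04T10:00:05Z auth user=bob src=203.0.113.5 result=FAIL
2024-05-04T10:00:08Z auth user=carol src=203.0.113.5 result=FAIL
2024-05-04T10:00:09Z auth user=dave src=203.0.113.5 result=FAIL
2024-05-04T10:00:12Z auth user=dave src=203.0.113.5 result=OK
2024-05-04T10:01:00Z auth user=erin src=198.51.100.7 result=FAIL
2024-05-04T10:30:00Z auth user=erin src=198.51.100.7 result=OK
2024-05-04T10:45:00Z export user=dave rows=25000 dataset=leads
2024-05-04T10:46:00Z export user=alice rows=200 dataset=leads
"""


def parse(line):
    """Return (timestamp, event, fields) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return ts, m["event"], fields


def detect(lines):
    """Return (rule, subject, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted_sources = set()         # one brute_force alert per source per run
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        if event == "auth":
            src, q = f["src"], failures[f["src"]]
            while q and ts - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if f["result"] == "FAIL":
                q.append(ts)
                if len(q) >= FAIL_THRESHOLD and src not in alerted_sources:
                    alerted_sources.add(src)
                    alerts.append(("brute_force", src,
                                   f"{len(q)} failures within {FAIL_WINDOW.seconds // 60} min"))
            elif f["result"] == "OK" and len(q) >= FAIL_THRESHOLD:
                # A success right after a burst is the case worth paging on.
                alerts.append(("success_after_burst", src,
                               f"user={f['user']} logged in after {len(q)} failures"))
        elif event == "export":
            rows = int(f["rows"])
            if rows > EXPORT_ROW_LIMIT:
                alerts.append(("large_export", f["user"], f"{rows} rows from {f['dataset']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert, sep="\t")
```

The single failure from 198.51.100.7 followed by a success half an hour later produces nothing, which is the point of the sliding window: a forgotten password should not page anyone, while a spray across several accounts from one address followed by a login should. The same structure carries over to a SIEM rule, with the window and thresholds tuned on the Company's own baseline.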
14. Data Minimization, Retention & Disposal
- Collect only fields required to match consumers to providers. Avoid SPI.
- Default retention for leads/PI: [e.g., 24 months] unless law/contract requires otherwise.
- Define retention by system and data type in a Retention Schedule.
- Secure disposal: cryptographic wipe, secure delete, or provider-verified destruction.
- On opt-out/deletion requests, suppress or erase per Privacy Policy timelines; instruct vendors to do the same.
15. Physical & Remote Security
- Restrict access to office/server/storage areas; visitor sign-in and escort.
- Device encryption (full-disk); automatic screen lock ≤ 10 minutes.
- BYOD: Allowed only with device encryption, passcode, and MDM or equivalent controls.
- Prohibit storing PI locally unless approved with compensating controls.
16. Records Management
- Maintain records of processing: categories of PI, purposes, sources, recipients, retention.
- Preserve incident records, access reviews, risk assessments, vendor reviews, and training logs for at least [X years].
17. Security Awareness & Training
- Mandatory training at hire and annually (phishing, data handling, passwords, incident reporting, privacy rights).
- Targeted training for engineers (secure coding) and operations (least privilege, log handling).
18. Incident Response & Breach Notification
- Maintain an IR Plan with roles, severity levels, runbooks, contact lists.
- Report immediately to Security: security@[yourdomain].com.
- IR phases: Identification → Containment → Eradication → Recovery → Lessons Learned.
- Preserve evidence and logs; document timeline and decisions.
Breach Notification
If a breach of unencrypted PI is confirmed, notify affected individuals and, when required, regulators/AGs/consumer reporting agencies without unreasonable delay, consistent with applicable state breach-notification laws and any contractual requirements. Notices will describe the incident, types of data, actions taken, steps individuals can take, and our contact information. If a vendor is involved, require immediate notification and coordination.
19. Business Continuity & Disaster Recovery
- Identify RTO/RPO for critical systems; document recovery procedures.
- Test DR at least annually (tabletop + technical restore).
- Keep critical runbooks, contacts, and credentials available offline/securely.
20. Privacy Controls
- Honor opt-out, Do Not Sell/Share, and Global Privacy Control (GPC) signals where applicable.
- Support data-subject access, deletion, and correction requests; verify identity; propagate to vendors.
- Ensure marketing communications include unsubscribe links and suppression handling.
21. Audits & Continuous Improvement
- Conduct annual internal audits of key controls; remediate findings.
- Track security metrics (patch SLAs, phishing failure rate, MFA coverage, incident MTTR).
- Review this policy at least annually or upon material changes.
22. Policy Exceptions
Exceptions must be risk-assessed, time-bound, documented, and approved by the Security Lead and Executive Sponsor.
23. Enforcement
Violations may result in disciplinary action up to and including termination and could expose individuals and the Company to legal or contractual liability.
Appendices
- A. Systems & Data Inventory
- B. Data Flow Diagrams (collection → storage → vendors → deletion)
- C. Retention Schedule
- D. Incident Response Plan (detailed)
- E. Vendor List & Due Diligence Evidence
- F. Secure Coding & Deployment Standards
- G. Access Review Procedure