
Information Security Policy

Purpose

To protect Qwestly's information, systems, and data while supporting our talent marketplace platform and maintaining trust with candidates and customers.

Scope

This policy applies to all Qwestly team members (currently 3 employees) and covers:

  • All company data and systems
  • Cloud services (AWS, Google Workspace, etc.)
  • Personal and company devices used for work
  • Remote work activities
  • Third-party vendor relationships

Security Responsibilities

Everyone Must:

  • Follow security policies and report security concerns immediately
  • Use strong, unique passwords and enable multi-factor authentication
  • Keep software updated and devices secure
  • Protect confidential information (candidate data, customer information, company secrets)
  • Complete annual security training

CTO (Dominick):

  • Overall security program leadership
  • Technical security decisions and incident response
  • Security tool implementation and monitoring

CEO (Adam):

  • Business security decisions and customer communications
  • Security budget and resource allocation
  • Regulatory compliance oversight

Access Management

Account Security:

  • Multi-factor authentication (MFA) required for all business accounts
  • Unique passwords for every account (use 1Password password manager)
  • Google Workspace SSO for all business applications when possible
  • Immediate access removal when team members leave

Access Principles:

  • Least privilege: Only grant access needed for job functions
  • Regular reviews: Quarterly review of who has access to what
  • Business justification: Document why access is needed
  • Time limits: Temporary access expires automatically

Device Security

Company Devices:

  • Full disk encryption required on all laptops
  • Automatic screen lock after no more than 5 minutes of inactivity
  • Security updates installed within 7 days of release
  • Antivirus software installed and updated
  • Remote wipe capability enabled

Personal Devices (BYOD):

Allowed for:

  • Google Workspace (email, calendar, drive)
  • Video calls and messaging
  • Web-based business applications

Required security:

  • Screen lock with PIN/password/biometric
  • Operating system updates installed
  • Report lost/stolen devices immediately

Not allowed:

  • Direct access to production systems or databases
  • Storing customer/candidate data locally
  • Installing company software

Cloud and System Security

AWS Infrastructure:

  • MFA required for all console access, including the root account
  • Least privilege IAM policies (no wildcard actions granted on all resources)
  • CloudTrail logging enabled in all regions
  • Regular security group reviews (no services other than public web endpoints open to the internet)
  • All data encrypted at rest
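As an added illustration of the IAM and security group controls listed above (example code written for this page, not Qwestly's own tooling), the following Python audits IAM policy documents and security group ingress rules offline. It flags Allow statements that grant a full or service-wide wildcard action on all resources, checks for the standard "deny everything unless MFA is present" statement that enforces MFA, and lists rules reachable from 0.0.0.0/0 or ::/0 on anything other than an allowed port. The policy documents, bucket name and security group rules are constructed samples in the shape returned by the AWS APIs; in practice the input would come from `aws iam get-policy-version` and `aws ec2 describe-security-groups`.

```python
"""Offline audit of AWS IAM policies and security group rules.

Added example for the Qwestly security policy page; the sample inputs below
are constructed for the example and are not real account data.
"""


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return (Sid, action, resource) for Allow statements that grant a
    full ("*") or service-wide ("svc:*") action on Resource "*"."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource"))
        sid = st.get("Sid", f"statement-{i}")
        for action in _as_list(st.get("Action")):
            if (action == "*" or action.endswith(":*")) and "*" in resources:
                findings.append((sid, action, "*"))
    return findings


def enforces_mfa(policy):
    """True if the policy carries a broad Deny conditioned on the MFA flag
    being false. The documented pattern is Effect Deny, NotAction listing
    only the self-service MFA actions, Resource "*", and
    Condition BoolIfExists aws:MultiFactorAuthPresent false."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        for operator in ("BoolIfExists", "Bool"):
            flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
            if flag is not None and str(flag).lower() == "false":
                broad = "*" in _as_list(st.get("Action")) or st.get("NotAction") is not None
                if broad:
                    return True
    return False


def world_reachable_ports(ip_permissions, allowed=(443,)):
    """Return (protocol, from_port, to_port, cidr) for ingress rules open to
    the whole internet on anything except the allowed single ports."""
    out = []
    for perm in ip_permissions:
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in ("0.0.0.0/0", "::/0"):
                continue
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1":  # all protocols and ports
                out.append((proto, None, None, cidr))
            elif lo is not None and (lo != hi or lo not in allowed):
                out.append((proto, lo, hi, cidr))
    return out


def audit(policies, sg_rules):
    """Run all three checks and return a report dict."""
    report = {"wildcard_grants": {}, "mfa_enforced": False, "world_open": []}
    for name, pol in policies.items():
        hits = find_wildcard_grants(pol)
        if hits:
            report["wildcard_grants"][name] = hits
        if enforces_mfa(pol):
            report["mfa_enforced"] = True
    report["world_open"] = world_reachable_ports(sg_rules)
    return report


# Constructed sample policies (names and bucket are illustrative only).
SAMPLE_POLICIES = {
    "admin-everything": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "scoped-s3-read": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadCandidateDocs", "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-candidate-docs",
                         "arn:aws:s3:::example-candidate-docs/*"],
        }],
    },
    "mfa-required": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
            "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                          "iam:GetUser", "iam:ListMFADevices",
                          "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                          "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    },
}

# Constructed sample ingress rules in describe-security-groups IpPermissions shape.
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_POLICIES, SAMPLE_SG_RULES).items():
        print(f"{key}: {value}")
```

Run against the samples, the report shows the `admin-everything` policy as a wildcard grant, confirms that `mfa-required` enforces MFA, and lists SSH from 0.0.0.0/0 and the all-protocols IPv6 rule as world-reachable while leaving the 443 rule and the private-range database rule alone. The MFA check only recognises the documented deny-unless-MFA shape; it does not prove MFA is enabled on every user, which still needs `aws iam get-credential-report` or the console's credential report.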

Business Applications:

  • SSO through Google Workspace when possible
  • MFA for all applications with sensitive data
  • Regular review of app permissions
  • Data Processing Agreements with vendors

Development:

  • All code changes require pull request review
  • Automated security scanning in CI/CD pipeline
  • Separate staging and production environments
  • Never use real customer data in development

Data Protection

Data Classification:

  • Candidate personal data: Highest protection, access logged
  • Customer confidential data: High protection, need-to-know basis
  • Company confidential: Standard protection, employee access only
  • Public information: Minimal restrictions

Data Handling:

  • Encrypt sensitive data in transit and at rest
  • No personal storage of customer/candidate data
  • Secure deletion when data no longer needed
  • Regular backups with encryption and testing

AI/ML Data:

  • Secure training data storage and access
  • Anonymization of personal data where possible
  • Monitor AI systems for bias and performance
  • Document AI decision-making processes

Remote Work Security

Home Office:

  • Dedicated workspace when possible
  • Lock devices when stepping away
  • Secure WiFi (WPA3 encryption, strong password)
  • Privacy during video calls
  • Secure disposal of printed confidential materials

Travel and Public Spaces:

  • Use VPN for public WiFi
  • Don't leave devices unattended
  • Use hotel safes for equipment
  • Assess security of temporary workspaces
  • No confidential work in earshot of others

Communication Security

Email:

  • Use company email for business communications
  • Don't forward company emails to personal accounts
  • Encrypt emails with sensitive information
  • Be cautious of phishing attempts

Video Calls and Messaging:

  • Use approved platforms (Zoom, Google Meet, Slack)
  • Verify meeting participants
  • Professional conduct in all communications
  • Secure sensitive discussions in private channels

Incident Response

Report Immediately:

  • Suspected security breaches or data exposure
  • Lost, stolen, or compromised devices
  • Phishing attempts or suspicious emails
  • Unusual system behavior or unauthorized access
  • Any security concerns or policy violations

Contact Information:

Response Process:

  1. Immediate (0-1 hour): Contain the incident, assess impact
  2. Short-term (1-24 hours): Investigate, document, notify stakeholders
  3. Recovery (24+ hours): Fix issues, improve security, document lessons learned

Acceptable Use

Approved Activities:

  • Business communications and collaboration
  • Professional development and learning
  • Reasonable personal use during non-business hours
  • Security testing with prior approval

Prohibited Activities:

  • Personal commercial activities or side businesses
  • Cryptocurrency mining on company resources
  • Accessing inappropriate or illegal content
  • Circumventing security controls
  • Installing unauthorized software

Vendor Management

New Vendors:

  • Security questionnaire required
  • Review vendor security certifications
  • Data Processing Agreements for vendors handling personal data
  • Document data sharing purposes and access levels

Ongoing Management:

  • Annual security reviews for critical vendors
  • Monitor vendor security incidents
  • Regular access reviews
  • Contract updates for security requirements

Training and Awareness

Required Training:

  • Security awareness training during onboarding
  • Annual security training refresh
  • Monthly team security discussions
  • Incident response procedures

Ongoing Awareness:

  • Regular security tips and updates
  • Threat intelligence sharing
  • Recognition for good security practices
  • Integration of security into daily work

Compliance

SOC 2 Requirements:

  • Document all security controls
  • Regular access reviews
  • Maintain audit logs
  • Annual security assessments
  • Customer security reports

Privacy Laws (GDPR/CCPA):

  • Lawful basis for data processing
  • Data subject rights procedures
  • Privacy impact assessments
  • Cross-border transfer safeguards
  • Breach notification procedures

Policy Violations

Investigation:

  • All violations investigated promptly
  • Documentation of findings and actions
  • Root cause analysis and improvements

Consequences:

  • Minor violations: Additional training, counseling
  • Serious violations: Disciplinary action, access suspension
  • Willful violations: Termination, possible legal action

Emergency Procedures

Emergency Access:

  • CTO can authorize emergency system access
  • Document all emergency actions within 24 hours
  • Post-emergency security review required

Business Continuity:

  • Backup systems and data recovery procedures
  • Alternative communication methods
  • Customer notification procedures
  • Vendor emergency contact information

Policy Management

Review and Updates:

  • Annual policy review and updates
  • Immediate updates for security incidents or regulatory changes
  • Team feedback integration
  • Communication of policy changes

Exceptions:

  • Written business justification required
  • Risk assessment and compensating controls
  • CTO approval for technical exceptions
  • CEO approval for business process exceptions

Document History

Version  Date     Description  Written by     Approved by
1.0.0    6/13/25               Dominick Pham  Adam Boender