Information Security Policy

SectorFlow AI prioritizes the protection of sensitive and confidential data, aiming to prevent accidental losses and unauthorized access. This policy applies to all data classified as Highly Confidential, Confidential, or Internal and covers every system and user within the organization.

SectorFlow AI is committed to safeguarding sensitive and confidential data to prevent loss or compromise, thus avoiding negative impacts on our customers, compliance penalties, and reputational damage. While total elimination of data theft is challenging, this policy aims to increase awareness and prevent accidental loss by outlining requirements for SectorFlow AI's Data Privacy Policy.

In Scope: This policy applies to all customer, personal, or company data classified as Highly Confidential, Confidential, or Internal per SectorFlow AI's Data Privacy Labeling Standards. It encompasses all systems handling such data, including devices used for email, web access, or other work-related tasks, and applies to every user interacting with SectorFlow AI systems.

Out of Scope: Publicly classified information per the Data Privacy Labeling Standards is exempt. Data may be excluded by leadership based on cost or complexity of protection.

1. User Identification and Authentication

• Each user is identified by a unique user ID for accountability.
• Shared identities are limited to suitable scenarios, like training or service accounts.
• Users must acknowledge understanding this policy through a signed statement.

2. Access Control

• Access is provided through unique accounts and complex passwords.
• Password policy requirements are detailed in the Password Policy.
• Role-based access control (RBAC) is utilized as per the Role-Based Access Control Policy.

3. Network Access Control

• Network access aligns with business access control procedures.
• Network segregation is implemented as per network security recommendations.
• Firewall policies support the access control policy.

4. User Responsibilities

• Users must secure their workstations and keep sensitive information confidential.
• Passwords are to be kept confidential and not shared.

5. System and Application Access Control

• Access to systems and data is granted based on business need and role approval.
• Sensitive systems are isolated to restrict access to authorized personnel.

6. Information Access Restriction

• Access to data labeled as Highly Confidential, Confidential, or Internal is limited to authorized persons.
• The Security team implements access restrictions.

7. Technical Controls

• Include auditing, role-based access, server rights, firewall permissions, encryption standards, and comprehensive access control across all platforms and devices.

8. Security Monitoring

• Incident reports are produced daily and weekly by the Security team.
• High-priority incidents are escalated to the Chief Information Security Officer (CISO).

9. Roles and Responsibilities

• Data owners are responsible for the information they manage.
• Security team members provide administrative security support.
• All users with access to information resources are covered by this policy.

10. Enforcement

• Violations lead to disciplinary actions, including warnings, suspensions, etc.

Compliance and Auditing

Systems at SectorFlow AI will be audited annually to ensure integrity and compliance with security policies.

Multi-Factor Authentication (MFA)

MFA is implemented across all network and system access points to strengthen authentication.

Email Security

Email usage aligns with ethical conduct and legal compliance, with specific guidelines for handling sensitive data.

Compliance Verification

Compliance will be verified through audits and any non-compliance results in disciplinary action.

Policy Evolution

This Information Security Policy is a living document and will evolve with SectorFlow AI's growth and the changing cyber landscape.

Last Updated: May 2024