Security Policy
Purpose of the Information Security Policy
The policy safeguards the confidentiality, integrity, and availability of Devox Software Inc.’s information assets so the Company can operate reliably, meet legal and contractual obligations, and maintain stakeholder trust. It establishes high-level requirements that guide every function and serves as the foundation for supporting standards, procedures, and technical controls.
Implementation of Information Security
Security is integrated across all business processes and the secure-development lifecycle (SDLC). Controls are selected using a risk-based approach aligned with ISO/IEC 27001 and NIST SP 800-53. Layered technical, administrative, and cultural measures create defense-in-depth.
Risk Assessment
Risks are identified, analyzed, and documented at least annually, or whenever major changes occur. Each new system undergoes a formal risk assessment before go-live; residual risks are accepted only by the system owner and logged in the central risk register.
Data Classification and Processing
Information is classified as Public, Internal, Confidential, or Restricted. Handling rules cover storage, transmission, access, and disposal. Encryption in transit and at rest is mandatory for Confidential and Restricted data.
Processing of Personal Data
We process personal data according to the EU GDPR (for EEA data subjects), U.S. state privacy laws (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA), and other applicable regulations. Privacy-by-design reviews and Data-Protection Impact Assessments are embedded in the SDLC.
Information Security Requirements
Key minimum controls include multi-factor authentication, least-privilege access, CI/CD security testing, network segmentation, zero-trust principles, vulnerability scanning, patch management, secure backups, and disaster-recovery capability. Third-party providers must sign security addenda and pass due-diligence reviews.
Information Security Training
All staff complete security-awareness training at onboarding and annually. Role-based modules cover secure coding, incident handling, and privacy. Phishing simulations and threat briefings reinforce secure behavior.
Control and Monitoring
Critical systems send tamper-evident logs to a 24 × 7 SIEM monitored by the Security Operations Center (SOC). Automated alerts trigger investigation; metrics are reported to executive leadership.
Processing of Information Security Incidents
Our Incident Response Plan follows the NIST SP 800-61 incident-handling lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity (lessons learned). The Computer Security Incident Response Team (CSIRT) coordinates actions and communications.
Information Security Breaches
Any suspected or confirmed breach must be reported immediately via the designated channel. Breaches involving personal data are notified to regulators and, where required, to affected individuals within statutory timeframes (e.g., to the supervisory authority within 72 hours of becoming aware of the breach under GDPR Article 33, and to affected individuals without undue delay under Article 34).
Responsibilities and Organization
| Role | Key Responsibilities |
| --- | --- |
| Board of Directors | Approves the Security Policy and receives risk reports. |
| Chief Executive Officer | Provides resources and oversight. |
| Information Security Steering Committee | Reviews risks, endorses major initiatives, and tracks remediation. |
| Department Heads / Product Owners | Implement controls in their domains and sign off on residual risks. |
| Employees & Contractors | Follow policy, complete training, and report incidents. |
Information Security Steering Model
The Steering Committee meets quarterly to align security objectives with enterprise risk management. Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) track progress; independent audits and management reviews drive continual improvement.