msse-ai-engineering / synthetic_policies / information_security_policy.md
Seth McKnight
Add new policies and guidelines for various operational areas (#9)
2d593b8

SEC-POL-011: Information Security Policy

Effective Date: 2025-01-20
Revision: 1.1
Owner: IT Department

1. Purpose and Scope

This policy establishes the framework for protecting the confidentiality, integrity, and availability of Innovate Inc.'s information assets. This policy applies to all employees, contractors, and third parties who have access to company data or systems.

2. Data Classification

All data must be classified and handled according to its sensitivity level:

  • Level 1: Public: Information intended for public dissemination (e.g., marketing materials). No impact if disclosed.
  • Level 2: Internal: Information for internal use only that does not contain sensitive data (e.g., this policy, internal announcements). Minor impact if disclosed.
  • Level 3: Confidential: Sensitive business data requiring strict access control (e.g., financial data, source code, strategic plans). Significant impact if disclosed.
  • Level 4: Restricted: Highly sensitive data protected by law or regulation (e.g., Personally Identifiable Information (PII), health information). Severe impact if disclosed.

3. Access Control

  • Principle of Least Privilege: Access to systems and data is granted on a "need-to-know" basis, limited to the minimum necessary to perform a job function.
  • Password and Credential Management:
    • Complexity: Passwords must be a minimum of 14 characters and include uppercase letters, lowercase letters, numbers, and symbols.
    • Rotation: Passwords must be changed every 90 days.
    • History: Do not reuse any of the last 5 passwords.
    • Sharing: Never share your password with anyone, including IT staff.
  • Multi-Factor Authentication (MFA): MFA is required for all external-facing systems and remote access to the corporate network.

4. Acceptable Use of IT Resources

  • Company Equipment: Use of company-provided equipment (laptops, phones, etc.) is primarily for business purposes. Incidental personal use is permitted but should not interfere with work or consume significant resources.
  • Prohibited Activities:
    • Installing unauthorized software.
    • Accessing or distributing illegal or malicious content.
    • Using company resources for commercial activities not related to Innovate Inc.
    • Circumventing security controls.
  • Removable Media: Use of unencrypted removable media (e.g., USB drives) is prohibited.

5. Security Incident Response

  • Definition: A security incident is any event that compromises the confidentiality, integrity, or availability of our information assets.
  • Reporting: Any suspected security incident must be reported immediately to the IT helpdesk (x4357) or by emailing [email protected].
  • Cooperation: All employees must cooperate fully with any subsequent investigation.
  • For detailed procedures, see the Emergency Response Plan (EHS-PLAN-001).

6. Physical Security

  • Clean Desk Policy: Sensitive information should be stored securely and not left unattended on desks.
  • Visitor Access: All visitors must be signed in and escorted by an employee.
  • Device Security: Laptops and other mobile devices must be locked when unattended.

7. Related Policies

  • Remote Work Policy (HR-POL-003)
  • Privacy Policy (SEC-POL-012)
  • Emergency Response Plan (EHS-PLAN-001)

8. Revision History

  • v1.1 (2025-10-12): Expanded the data classification and password rules; added the physical security section.
  • v1.0 (2025-01-20): Initial version.