Information Security Policy and Procedures
This policy serves as a formal guide to the security practices expected at Eververse, aligning with best practices and ensuring the ongoing protection of our systems and data.
1. Introduction
Eververse is committed to maintaining the confidentiality, integrity, and availability of its information systems, sensitive data, and customer information. This Information Security Policy and Procedures document outlines the rules and procedures to be followed by all employees, contractors, and third parties to ensure compliance with industry standards, regulatory requirements, and best practices for information security.
The policy applies to all individuals who interact with Eververse’s systems and data, including employees, contractors, partners, and any external entities accessing Eververse resources.
2. Scope
This policy covers all aspects of information security, including (but not limited to) acceptable use, data classification, access control, asset management, data retention, incident response, cryptographic key management, and mobile device management. The policy applies to all systems, including cloud infrastructure, internal servers, development environments, and any hardware or software used to deliver the Eververse platform.
3. Information Security Policy
3.1 Acceptable Use
- All employees and third parties must use Eververse systems, including internal networks, cloud services, and software, only for authorized purposes.
- Users are prohibited from accessing, sharing, or distributing any sensitive information unless explicitly authorized to do so.
- Users should not install unauthorized software or hardware on any device connected to Eververse’s infrastructure.
- Internet usage must comply with Eververse’s acceptable use policy, which prohibits accessing malicious, illegal, or inappropriate websites.
3.2 Asset Management
- Eververse maintains an inventory of all physical and digital assets, including servers, endpoints, and cloud instances.
- All critical assets must have a designated owner responsible for their maintenance, security, and tracking.
- Regular audits of asset inventories will be conducted to ensure accuracy and accountability.
- Personal devices must meet Eververse security standards before being connected to the company network.
3.3 Data Classification
- Data is classified into the following categories: Public, Internal, Confidential, and Restricted.
- Confidential and Restricted data must be encrypted both at rest and in transit using industry-standard encryption methods.
- Public and Internal data may be shared within Eververse or its clients, provided it is protected with appropriate security measures.
3.4 Human Resource Security
- All relevant employees must undergo background checks and security awareness training as part of onboarding.
- Relevant employees must sign non-disclosure agreements (NDAs) and agree to the acceptable use and information security policies before accessing any sensitive systems.
- Terminated relevant employees must have all access revoked immediately, and all company-issued equipment must be returned.
3.5 Communications and Operations Management
- Network communications, including access to cloud platforms and internal services, must be encrypted using HTTPS, VPNs, or other secure communication protocols.
- Regular monitoring of network traffic and system logs must be performed to detect and mitigate any security anomalies.
- Critical patches and updates must be applied in a timely manner to all systems, following an established patch management schedule.
3.6 Change Management
- All changes to production environments must be approved by authorized personnel and follow a formal change control process.
- Change requests must include a detailed description, impact assessment, rollback procedures, and necessary approvals.
- Emergency changes must be documented and reviewed post-implementation.
3.7 Security Configuration and Hardening Standards
- All Eververse systems must adhere to secure configuration standards and follow industry best practices for hardening.
- Cloud services must be configured with least-privilege access, and security groups should be reviewed regularly.
- Default configurations must be changed, including default usernames, passwords, and open ports.
3.8 Access Control
- Access to systems and data must be granted based on the principle of least privilege and strictly on a need-to-know basis.
- Role-based access control (RBAC) will be used for all critical systems, and administrative access must be carefully restricted.
- Multi-factor authentication (MFA) must be enabled for all accounts that access sensitive or critical systems.
3.9 User Management and Provisioning
- User accounts must be provisioned following strict verification and approval processes, ensuring appropriate access levels.
- User access must be reviewed periodically, and inactive or terminated accounts must be disabled.
- All access privileges must be removed when no longer required.
3.10 Password Management
- Strong passwords must be used for all systems, adhering to the minimum length and complexity requirements.
- Passwords must be changed regularly, and password reuse across systems is prohibited.
- MFA should be enforced for all sensitive accounts.
3.11 Information Systems Acquisition
- All acquisitions of information systems, services, and tools must undergo a security review to ensure compliance with Eververse’s security policies.
- Third-party vendors must adhere to Eververse’s security requirements, and proper due diligence must be conducted.
3.12 Data Retention
- Data must be retained for a period aligned with legal, regulatory, and business requirements.
- After the retention period, data must be archived or securely deleted.
- Backup data must be securely encrypted, and access to backups must be strictly controlled.
3.13 Decommissioning and Destruction
- When decommissioning systems or devices, all data must be securely erased before the hardware is disposed of or repurposed.
- Secure destruction of sensitive information must follow established procedures, such as wiping drives or using certified shredding services.
3.14 Development and Maintenance
- All software development must follow secure coding practices, ensuring that vulnerabilities are identified and mitigated during development.
- Source code repositories must be protected using RBAC, and automated security testing must be implemented in CI/CD pipelines.
- Regular vulnerability scans and penetration testing must be conducted to identify and address weaknesses.
3.15 Incident Response
- Eververse has an Incident Response Plan (IRP) in place to detect, contain, mitigate, and recover from security incidents.
- All employees must be trained in identifying and reporting incidents immediately.
- Incidents must be logged, analyzed, and remediated according to the severity, with communication to stakeholders as necessary.
3.16 Threat Intelligence and Vulnerability Management
- Eververse must monitor the threat landscape continuously and receive alerts from threat intelligence services.
- Vulnerability management must include regular scans and remediation of identified weaknesses based on criticality.
3.17 Cryptographic Key Management
- Cryptographic keys must be managed in a secure, centralized system.
- Keys must be rotated periodically, and only authorized personnel should have access to key material.
3.18 Antivirus and Antimalware
- Antivirus and antimalware software must be installed and kept up to date on all applicable systems.
- Regular scans must be performed, and suspicious activity must be reported and addressed immediately.
3.19 Mobile Device Management
- Employees using mobile devices to access Eververse systems must use only approved and secure devices.
- Devices must have encryption, remote wipe capabilities, and passcode enforcement enabled.
3.20 Data Loss Prevention
- Data Loss Prevention (DLP) tools must be implemented to monitor and prevent unauthorized transfers of sensitive information.
- Alerts and logging must be configured to notify security teams of potential data breaches.
4. Enforcement and Compliance
Any violation of this policy may result in disciplinary action, up to and including termination, and may result in legal penalties. Compliance with this policy will be regularly audited, and non-compliance will be addressed promptly.
By adhering to this Information Security Policy, Eververse ensures that its systems and sensitive data remain protected, allowing the organization to deliver its services securely and with trust.
5. Responsibilities
5.1 Chief Information Security Officer (CISO)
- The CISO is responsible for the overall development, implementation, and enforcement of the Information Security Policy.
- The CISO must ensure that all employees, contractors, and third parties comply with the policy and receive proper training.
- The CISO is responsible for monitoring the effectiveness of the policy and updating it as necessary to adapt to new threats or organizational changes.
5.2 Information Technology (IT) and Security Teams
- IT and security teams are responsible for the configuration, monitoring, and management of all systems, networks, and cloud environments in alignment with the security policies.
- These teams are responsible for patch management, vulnerability scanning, and ensuring system hardening standards are applied.
- IT and security teams must collaborate to ensure incident response and business continuity plans are tested and effective.
5.3 Employees and Contractors
- All employees and contractors must adhere to the Information Security Policy and attend mandatory security awareness training.
- Individuals are responsible for reporting any security incidents, vulnerabilities, or suspicious activity to the designated security personnel.
- All users must protect their login credentials, avoid sharing passwords, and follow established access control policies.
5.4 Third-Party Vendors
- Vendors and partners accessing Eververse systems or data must comply with this policy and sign agreements ensuring their adherence to Eververse’s security standards.
- Vendors must allow Eververse to conduct audits of their security practices, if deemed necessary.
- Any third-party services utilized by Eververse must undergo a security review before onboarding, if deemed necessary.
6. Policy Review and Update
This Information Security Policy must be reviewed at least annually or whenever significant changes to the organization, technology, or regulatory requirements occur. Any updates must be approved by the CISO and communicated to all relevant personnel.
7. Audits and Compliance Monitoring
- Regular internal and external audits must be conducted to ensure compliance with this policy, as well as regulatory requirements such as GDPR, HIPAA, or any relevant industry standards.
- Audits will assess access control, data retention, encryption methods, and other critical areas of security.
- Results of audits must be reviewed by the CISO and reported to senior management, along with recommendations for corrective action, if necessary.
8. Incident Management and Reporting Procedures
8.1 Incident Reporting
- All employees must immediately report any suspected or confirmed security incidents to the incident response team.
- Incidents may include data breaches, malware infections, unauthorized access, or any other event that compromises security.
8.2 Incident Response Plan (IRP)
- The IRP outlines the procedures for handling incidents, including detection, containment, eradication, recovery, and lessons learned.
- The incident response team is responsible for coordinating the response, communicating with stakeholders, and escalating issues as needed.
- Post-incident reviews must be conducted to determine root causes and improve future responses.
9. Disaster Recovery and Business Continuity
9.1 Disaster Recovery Plan (DRP)
- Eververse must maintain a comprehensive DRP to ensure that business operations can resume quickly in the event of a disaster.
- Backup systems must be tested regularly to ensure data integrity and availability in the event of system failure.
9.2 Business Continuity Plan (BCP)
- The BCP ensures that critical services and functions can continue during and after a disruption.
- Periodic testing and simulations must be conducted to assess readiness and to refine procedures as needed.
10. Security Awareness and Training
10.1 Training Requirements
- All relevant employees, contractors, and third parties with access to Eververse systems must complete security awareness training at least annually.
- Specialized training must be provided for those in roles that handle sensitive information or critical infrastructure (e.g., developers, administrators) if deemed necessary.
10.2 Phishing and Social Engineering Prevention
- Regular phishing simulations and training exercises may be conducted to raise awareness of common attack vectors.
- Employees must be trained to recognize and report suspicious emails, links, or messages.
11. Data Protection and Privacy
11.1 Data Privacy
- Eververse is committed to protecting the privacy of its customers and users, and complies with applicable data privacy regulations, such as GDPR and CCPA.
- All personally identifiable information (PII) must be processed lawfully and transparently, with customer consent obtained where required.
11.2 Data Subject Rights
- Individuals have the right to access, modify, or delete their data. Eververse will respond to such requests in accordance with legal requirements.
- Procedures must be in place to ensure that data subject requests are handled securely and efficiently.
12. Compliance with Legal and Regulatory Requirements
- Eververse will endeavor to comply with all relevant legal and regulatory requirements, including but not limited to:
  - General Data Protection Regulation (GDPR)
  - California Consumer Privacy Act (CCPA)
  - Health Insurance Portability and Accountability Act (HIPAA), if applicable
  - Federal Risk and Authorization Management Program (FedRAMP), if applicable
- Any changes to the regulatory landscape must be monitored, and compliance efforts must be adjusted as necessary to meet new requirements.
13. Penalties for Policy Violations
- Violations of the Information Security Policy can result in disciplinary actions, including warnings, suspension, or termination of employment, depending on the severity of the violation.
- Legal actions may be taken against individuals or entities found to have breached security policies, resulting in potential fines or lawsuits.
14. Conclusion
Eververse’s Information Security Policy and Procedures aim to protect the organization’s critical assets, including its AI-powered platform, customer data, and intellectual property. Through adherence to this policy, Eververse strives to maintain a robust security posture, ensuring the trust of its customers and compliance with all applicable laws and regulations.
15. Approval and Acknowledgement
All employees, contractors, and third parties accessing Eververse systems must review and acknowledge their understanding of this Information Security Policy. This ensures that everyone is aware of their role in safeguarding the organization’s assets and complying with legal obligations.
16. Contact Information
For any questions or clarifications regarding this Information Security Policy, please contact us.