Information Security Policy

Establishing Guidelines for Information Protection

1 – Purpose

The purpose of this Information Security Policy is to establish guidelines and procedures to protect the information assets of Emerald Smoke. This policy outlines the responsibilities of employees and defines the security measures necessary to maintain the confidentiality, integrity, and availability of our data and systems. Compliance with this policy is mandatory for all employees and contractors.

2 – Scope

a. Departments

This policy applies to all departments within Emerald Smoke, including Administration and Sales & Marketing. All employees, contractors, and third-party vendors who have access to our systems and data must adhere to this policy.

b. Types of Data

This policy covers the following types of data handled by Emerald Smoke:

– Customers’ first and last names
– Email addresses
– Phone numbers
– Addresses
– Zip codes

c. Key Information Assets

The key information assets of Emerald Smoke include:

– Login data
– Payroll processing applications
– Cloud storage
– Data files

3 – Information Security Objectives

The information security objectives of Emerald Smoke are as follows:

– Ensure the confidentiality, integrity, and availability of our information assets.
– Protect customer data from unauthorized access, disclosure, alteration, or destruction.
– Safeguard our systems and networks from security threats and vulnerabilities.
– Comply with legal, regulatory, and contractual requirements related to information security.
– Continuously improve our information security posture through regular assessments and updates.

4 – Data Classification

Emerald Smoke classifies data based on its sensitivity and criticality. The following classification levels are defined:

– Confidential: Data that, if disclosed, could cause harm to the company or its customers. This includes customer personal information.
– Internal Use Only: Data that is intended for internal use and should not be disclosed to external parties without proper authorization.
– Public: Data that can be freely shared with the public without any restrictions.

Employees are responsible for properly handling and protecting data based on its classification level. Data classification guidelines and procedures will be provided separately.

5 – Roles and Responsibilities

a. Information Security Officer (ISO)

Julio Sánchez is designated as the Information Security Officer (ISO) and is responsible for overseeing the implementation and enforcement of this policy. The ISO will ensure that appropriate security controls are in place, conduct regular risk assessments, and provide guidance to employees on information security matters.

b. Employees

All employees are responsible for:

– Complying with this policy and related procedures.
– Protecting the confidentiality, integrity, and availability of information assets.
– Reporting any security incidents or vulnerabilities to the ISO.
– Participating in information security training and awareness programs.

6 – Access Control

Access to Emerald Smoke’s systems and data is granted based on the principle of least privilege. The following access control measures are implemented:

– Employees access our systems via company-issued devices only.
– Two-factor authentication is required for all systems.
– VPNs are used when accessing from outside the office.

Access rights are reviewed periodically to ensure that employees have the appropriate level of access required to perform their job responsibilities.

7 – Security Measures

Emerald Smoke implements the following security measures:

– Physical Security: Our office is secured with card-based access control. Security cameras are installed at all entrances and exits. Visitors are required to sign in and are escorted at all times.
– Change Management: All system changes are tracked through a Change Management System. Changes must be approved by the CISO before implementation. All changes are tested in a separate environment before deployment.
– Transmission Security: We encrypt all data in transit using SSL/TLS protocols. Our email system uses secure email gateways for outbound and inbound traffic.
– Incident Management: We follow a predefined Incident Response Plan for any security incidents. All incidents are logged, investigated, and lessons learned are incorporated into our security procedures.
– Business Continuity: We have a Business Continuity Plan that includes regular data backups, a disaster recovery site, and predefined roles and responsibilities for the management team.

8 – Training and Awareness

Emerald Smoke provides regular information security training and awareness programs to all employees. The training covers topics such as data protection, password security, phishing awareness, and incident reporting. Employees are required to complete the training and demonstrate their understanding of the policies and procedures.

9 – Policy Compliance

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract. Employees are required to report any suspected violations of this policy to the ISO or their immediate supervisor.

10 – Review and Updates

This policy will be reviewed annually or as needed to ensure its continued suitability, adequacy, and effectiveness. Updates to the policy will be communicated to all employees, and their compliance is required.

11 – Definitions

– ISO: Information Security Officer
– THC: Tetrahydrocannabinol
– SSL/TLS: Secure Sockets Layer/Transport Layer Security
– VPN: Virtual Private Network

This Information Security Policy is effective as of the date of approval and supersedes any previous policies or guidelines related to information security at Emerald Smoke.