Information Security Policy Manual

Organization: Mercury Technology Solution

Effective Date: January 18, 2024

Version: 1.0

Authority: Executive Management / CISO

1. Core Framework: Master Information Security Policy (MISP)

This section acts as the "Constitution" of security at Mercury Technology Solution. It establishes the mandate for the entire security program.

1.1 Purpose and Scope

The purpose of this policy is to protect the information assets of Mercury Technology Solution and its clients from all threats, whether internal or external, deliberate or accidental. This policy applies to all employees, contractors, consultants, and third parties who access the company’s systems.

1.2 Objectives

  • Reputation Management: Mitigate risks that could damage the professional standing of Mercury Technology Solution.
  • Legal Compliance: Ensure adherence to relevant laws (e.g., GDPR, CCPA) and contractual obligations to clients.
  • Operational Resilience: Minimize business damage by preventing and reducing the impact of security incidents.

1.3 Key Principles (The CIA Triad)

All security controls at Mercury Technology Solution are designed to uphold three pillars:

  1. Confidentiality: Information is accessible only to those authorized to have access.
  2. Integrity: Safeguarding the accuracy and completeness of information and processing methods.
  3. Availability: Ensuring that authorized users have access to information and associated assets when required.

2. Technical & Operational Policies

This section defines specific behavioral and technical rules required to secure the Mercury Technology Solution infrastructure and client deliverables.

2.1 Acceptable Use Policy (AUP)

  • Assets: Company-issued laptops, email accounts, and internet access are for business use. Occasional personal use is permitted provided it does not interfere with productivity or security.
  • Prohibitions: Users must not download unauthorized software ("Shadow IT"), engage in illegal activities, or bypass security controls.
  • Monitoring: Mercury Technology Solution reserves the right to audit network traffic and device usage to ensure compliance.

2.2 Access Control

  • Principle of Least Privilege (PoLP): Employees are granted the minimum level of access necessary to perform their job functions. Access rights are reviewed quarterly.
  • Authentication: Strong passwords are required. Multi-Factor Authentication (MFA) is mandatory for all remote access, email, and critical infrastructure (e.g., GCP, GitHub).
  • Offboarding: Access for terminated employees must be revoked immediately (within 24 hours).

2.3 Data Classification

  • Public: Marketing materials, job postings (Low risk).
  • Internal: Employee handbooks, org charts (Low/Medium risk).
  • Confidential: Client lists, pricing, non-public code (High risk).
  • Restricted: PII, credentials, encryption keys, highly sensitive client IP (Critical risk).

2.4 Secure Software Development Life Cycle (SDLC)

  • Code Review: No code is deployed to production without a peer review.
  • Automated Scanning: Static Application Security Testing (SAST) must run on every commit.
  • Separation of Environments: Development, Staging, and Production environments must remain distinct.

2.5 Remote Access & BYOD

  • VPN Requirement: Access to internal resources from public networks (e.g., coffee shops) requires a corporate VPN.
  • BYOD Security: Personal devices used for work must have full-disk encryption enabled, remote wipe capability installed, and current OS patches and antivirus software.

2.6 Vulnerability Management

  • Patching: Critical security patches must be applied to all systems within 72 hours of release.
  • Scanning: Automated vulnerability scans occur weekly; penetration testing is conducted annually.

3. Client & Vendor Management

Because Mercury Technology Solution often acts as a data processor or sub-processor, strict control of third-party interactions is vital.

3.1 Vendor Access Policy

  • Vetting: All third-party tools (e.g., SaaS and cloud providers such as Slack, AWS, and Jira) must undergo a security review before onboarding.
  • Access Limitations: Vendors are granted access only for the specific time frame and scope required for their service.
  • Review: Vendor access logs and permissions are reviewed semi-annually.

3.2 Non-Disclosure Agreements (NDA)

  • Mandatory Signing: All employees and contractors must sign a comprehensive NDA prior to starting work.
  • Client Protection: The NDA specifically enforces the legal duty to protect client secrets and intellectual property, distinct from Mercury Technology Solution's own data.

4. Compliance & Incident Response

4.1 Incident Response Plan (IRP)

In the event of a security breach (e.g., stolen laptop, leaked database, ransomware):

  1. Identification: Report the incident immediately to the Security Officer at [email protected].
  2. Containment: Isolate affected systems to prevent spread.
  3. Eradication & Recovery: Remove the threat and restore from clean backups.
  4. Notification: The Legal/Security team will determine if and when to notify affected clients and regulatory bodies, strictly adhering to contractual notification windows (e.g., 72 hours).

4.2 Regulatory Alignment

This policy is designed to align with major industry frameworks. Mercury Technology Solution commits to:

  • GDPR/CCPA: Respecting user privacy and "Right to be Forgotten" requests.
  • SOC2 Type II: Maintaining operational controls relevant to Security, Availability, and Confidentiality.
  • ISO 27001: Adopting a continuous improvement cycle for Information Security Management.