Information Security Policy
Version: 11.2-Rev3 | Effective Date: February 1, 2019
- Document Created: January 12, 2019
- Last Reviewed: February 3, 2025
- Next Review Date: February 2026
- Approved By: Chief Technology Officer
- Policy Owner: Security Officer
11.1 Purpose
This Information Security Policy establishes Blue Whale Apps’ framework for protecting the confidentiality, integrity, and availability of its information assets against security threats and against unauthorized access, disclosure, modification, or destruction.
11.2 Scope
This policy applies to all information and systems owned or managed by Blue Whale Apps, to all personnel (employees and contractors), to all locations, and to every phase of the information lifecycle, from creation through storage, use, transfer, and disposal.
11.3 Information Security Objectives
Blue Whale Apps is committed to:
- Protecting information assets
- Maintaining customer trust
- Complying with laws and regulations
- Implementing defense-in-depth controls
- Detecting and responding to incidents effectively
- Continuously improving security posture
- Fostering security awareness culture
11.4 Security Governance
- Chief Technology Officer: Executive responsibility for security program, strategic direction, resource allocation, risk acceptance, board reporting.
- Security Officer: Day-to-day management, policy development, compliance oversight, incident coordination, team leadership.
- IT Security Team: Implementation, monitoring, vulnerability management, architecture, operations.
- Business Unit Leaders: Security within their areas, data classification, access management, compliance.
Blue Whale Apps maintains a comprehensive security program including risk management, policies and procedures, awareness training, access control, network and infrastructure security, application security, data protection, incident response, business continuity, third-party management, compliance, and metrics.
11.5 Risk Management
A comprehensive risk assessment is performed at least annually to identify, analyze, and evaluate security risks. Each identified risk is treated through mitigation, avoidance, transfer, or acceptance; acceptance of a high or critical risk requires executive approval.
11.6 Personnel Security
- Background Checks: Comprehensive background checks are completed for all employees and contractors before they are granted system access.
- Security Awareness Training: Mandatory annual training covering policies, data protection, passwords, phishing, incident reporting, physical security, acceptable use, mobile security, and remote work practices.
- Role-Specific Training: Specialized training for security team (certifications), developers (secure coding, OWASP), administrators (hardening, patching), and executives (governance, risk).
- BYOD Policy: Personal devices that access corporate systems must be enrolled in the corporate MDM, comply with the Acceptable Use Policy, and keep corporate data separated from personal data. The MDM enforces device encryption, strong authentication and password requirements, remote wipe, automatic wipe after repeated failed unlock attempts, and continuous compliance monitoring; non-compliant devices lose access to corporate systems.
11.7 Operations Security
Blue Whale Apps maintains malware protection on all systems, regular backups per the Backup Policy, comprehensive logging with SIEM monitoring, a vulnerability management program with quarterly vulnerability scanning and annual penetration testing, and timely patch management.
11.8 Network Security
Blue Whale Apps operates a defense-in-depth network architecture: network segmentation between trust zones, a DMZ for internet-facing systems, firewalls with default-deny policies (only explicitly permitted traffic is allowed), IDS/IPS, secure remote access through VPN with MFA, and wireless security using WPA3/WPA2 with 802.1X authentication.
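The following nftables ruleset is an added illustration of the default-deny and DMZ segmentation described above; it is not Blue Whale Apps’ production configuration. The interface names (eth0 for internet, dmz0 for the DMZ, lan0 for the internal network), the addresses, and the port choices are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Example ruleset (not from the policy): default-deny on input and forward,
# with only the explicitly required flows between the internet, DMZ and LAN.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny
        ct state established,related accept
        iif lo accept
        ct state invalid drop
        # Management SSH only from the assumed admin network
        ip saddr 10.10.0.0/24 tcp dport 22 accept
        # Log what falls through to the drop policy so the SIEM sees it
        counter log prefix "fw-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # default deny
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ: only the web tier, only HTTP/HTTPS (assumed host)
        iifname "eth0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        # DMZ -> LAN: only the web tier to the assumed database host and port;
        # a compromised DMZ host gets no other path inward
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.10 ip daddr 10.10.5.20 tcp dport 5432 accept
        # LAN -> Internet egress
        iifname "lan0" oifname "eth0" accept
        # Internet -> LAN and any other DMZ -> LAN traffic reach the drop policy
        counter log prefix "fw-forward-drop: "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The point to check when reviewing such a ruleset is the DMZ-to-internal chain: every accepted flow should name a source, a destination, and a port, so that compromise of an internet-facing host does not give the attacker general reachability into the internal network. The trailing log rules feed the dropped-traffic counters into the SIEM monitoring described in section 11.7.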
11.9 Compliance
The security program is designed to support compliance with ISO/IEC 27001:2022, SOC 2 Type II, the NIST Cybersecurity Framework, GDPR and CCPA, PCI DSS, and FedRAMP.