
Information Security Policy

Version: 1.0
Effective Date: January 30, 2025
Last Updated: January 16, 2026
Status: Approved

1.0 OVERVIEW

This policy defines the high-level objectives and implementation instructions for the organization’s information security program. It includes the organization’s information security objectives and requirements; such objectives and requirements are to be referenced when setting detailed information security policy for other areas of the organization.

This policy also defines management roles and responsibilities for the organization’s Information Security Management System (ISMS).

NEO requires information security policies to protect information assets from security threats. Security threats originate from a wide variety of sources, including computer-assisted fraud, industrial espionage, sabotage, vandalism and natural disasters. Malware, unauthorized intrusion and denial-of-service attacks are examples of threats encountered while operating over the Internet. This document describes the scope and boundaries for establishing, implementing, maintaining and continually improving information security at NEO.

In addition, this policy outlines requirements for the handling of customer/client data received and processed by NEO teams. Note that such data may be sensitive, confidential, personally identifiable or financial in nature. The NEO IT environment which hosts systems and data is cloud based, provided via third-party software, applications, and sub-processors, and is segregated and protected from unauthorized access both physically and electronically.

2.0 PURPOSE & BACKGROUND

The purpose of this policy is to provide a security framework that will ensure the protection of NEO information from unauthorized access, loss or damage. NEO information may be verbal, digital, electronic, and/or hardcopy, individually-controlled or shared, stand-alone or networked. Standards and day-to-day procedures related to this Information Security Policy (ISP) are developed and published separately.

a. This information security policy defines the purpose, principles, objectives and basic rules for information security management.

b. This document also defines procedures to implement high-level information security protections within the organization, including definitions, procedures, responsibilities and performance measures (metrics and reporting mechanisms).

c. This policy applies to all users of information systems within the NEO organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization.

3.0 ELIGIBILITY

The ISP applies to all NEO employees. This policy also applies to all other individuals and entities granted use of NEO information, including, but not limited to, contractors, temporary employees, and volunteers.

4.0 POLICY

NEO appropriately secures its information from unauthorized access, loss or damage.
Protecting company data and the systems that collect, process, and maintain this information is of critical importance. Consequently, the security of systems must include controls and safeguards to offset possible threats, as well as controls to ensure accountability, availability, integrity, and confidentiality of the data:

  1. Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is restricted to only authorized users and services.
  2. Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
  3. Availability – Availability addresses ensuring timely and reliable access to and use of information.

Classification Levels
All NEO information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information. When combining information, the classification level of the resulting information must be re-evaluated independently of the source information’s classification to manage risks. See the Data Classification Policy for more details.

Security Measures
Security measures must be taken to guard against unauthorized access to, alteration, disclosure or destruction of data and systems. This also includes against accidental loss or destruction.
The intention of this policy document is to serve as the foundation for all information security initiatives and directives at NEO. The subsequent security policies, standards, guidelines, and procedures are necessary to support the executive management team and users in day-to-day handling of company data. The list of subsequent policies, standards, guidelines, and procedures will be maintained in section 7.0 of this policy.

Governance
All Information Security Policies will reflect industry best practices in regard to maintaining the confidentiality, integrity and availability of NEO assets and data. These policies will be derived from multiple sources like NIST, SANS, ISO and CSA. At times, there will be security best-practices, recommendations and mandates from the NEO Information Security team which do not have an immediate policy specific to the issue. When this occurs, the guidance from the Information Security team will be followed until such time that the executive management team reviews the issue for further guidance.

The security controls documented in all Information Security policies shall be applied in a consistent manner commensurate with the data classification level of the information assets being protected. The degree to which mitigating or remediating controls are established may vary according to the Information Security team’s assessment of the identified risk to NEO and its customers.
The Information Security team is charged with the first-level annual review of all security policies to ensure appropriateness. On an annual basis, all policies shall be submitted to the NEO executive management team for second-level review and approval.

Managing Information Security
The organization’s objectives for information security are in line with the organization’s business objectives, strategy, and plans.

  • Objectives for individual security controls or groups of controls are proposed by the company management team, including but not limited to CTO, CPO, Head of Product Operations, and others as appointed by the CEO; these security controls are approved by the CEO in accordance with the Risk Assessment Policy.
  • All objectives must be reviewed at least annually.
  • The company will measure the fulfillment of all objectives. The measurement will be performed at least once per year. The results must be analyzed, evaluated, and reported to the management team.

Threat Intelligence (ISO 27001:2022 A.5.7)
NEO implements a comprehensive threat intelligence program to proactively identify, assess, and respond to evolving security threats:

  • Internal Threat Detection: Kandji MDM/EDR platform provides real-time threat detection and intelligence on endpoint devices, monitoring for suspicious activities, malware, and potential security breaches across all managed devices.
  • External Threat Intelligence: Regular subscription to reputable threat intelligence feeds and security advisories to stay informed about emerging threats, attack vectors, and vulnerability disclosures relevant to our technology stack.
  • Penetration Testing Intelligence: Annual external penetration testing provides actionable threat intelligence by simulating real-world attack scenarios, identifying potential attack paths, and validating security control effectiveness.
  • Threat Landscape Analysis: Monthly review and analysis of threat intelligence data to identify trends, emerging risks, and potential impacts on NEO security posture and business operations.
  • Intelligence Sharing: Participation in industry threat intelligence sharing initiatives and coordination with AWS security advisories to enhance overall threat awareness.
  • Actionable Response: Integration of threat intelligence with vulnerability management processes to prioritize security patches and implement targeted security controls based on current threat landscape.
  • Threat Intelligence Coordination: Security Engineer (Łukasz Zuber) responsible for threat intelligence collection, analysis, and dissemination to relevant stakeholders for informed security decision-making.

Information Security Requirements
This policy and the entire information security program must be compliant with legal and regulatory requirements as well as with contractual obligations relevant to the organization.

  • All employees, contractors, and other individuals subject to the organization’s information security policy must read and acknowledge all information security policies.
  • The process of selecting information security controls and safeguards for the organization is defined.
  • The organization prescribes guidelines for remote workers as part of the Remote Access Policy.
  • To counter the risk of unauthorized access, the organization maintains a Data Center Security Policy.
  • Security requirements for the software development life cycle, including system development, acquisition and maintenance are defined in the Software Development Lifecycle Policy.
  • Security incidents are defined in the Security Incident Response Policy.
  • Disaster recovery and Business continuity management policy is defined in the Disaster Recovery Policy & Business Continuity Policy.
  • Requirements for information system availability and redundancy are defined in the System Availability Policy.

Access
Secure authentication protocols are used to validate user identity before access is granted to customer/client data, information, and files. In addition, all systems require a unique username and a password that complies with the Password Policy. Systems must be configured to lock after no more than 30 minutes of inactivity. The only exception is email.

Data Security – Employee Requirements

  • You need to complete NEO’s security awareness training and agree to uphold the Acceptable Use Policy.
  • Do not reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by NEO. For example, using external e-mail systems not hosted by NEO to distribute data is not allowed.
  • Keep a clean desk. To maintain information security, ensure that printed in-scope data is never left unattended at your workstation.
  • You need to use a secure password on all NEO systems. These credentials must be unique and must not be used on other external systems or services.
  • Terminated employees will be required to return all records, in any format, containing personal information. This requirement should be part of the employee onboarding process with employees signing documentation to confirm they will do this.
  • If you have been assigned the ability to work remotely you must take extra precaution to ensure that data is appropriately handled. Seek guidance from IT if you are unsure as to your responsibilities.
  • Data that must be moved within NEO is to be transferred only via business-provided secure transfer mechanisms (e.g. encrypted USB keys, file shares, email, etc.). NEO will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in-scope data. If you have a question about the use of a transfer mechanism, or it does not meet your business purpose, raise this with IT.
  • Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from IT.

Anti-Virus
All computers and devices with access to the network must have an antivirus client installed, with real-time protection. The antivirus utility must be set to automatically update virus definitions.

Guidelines
  1. All servers, workstations, desktops, laptops, and tablets must have approved, centrally managed antivirus software installed. This also includes traveling devices that regularly connect to the network or that can be managed via secure channels (e.g. VPN) through the Internet.
  2. Visitors’ computers and all computers that connect to the network are required to stay “healthy”, i.e. with a valid, updated personal antivirus utility installed.
  3. Regular monitoring will occur as it is necessary to ensure that antivirus updates are successful. Unsuccessful updates are investigated until resolved.
  4. Always run and use the NEO standard software.
  5. NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then “double delete” them by emptying your Trash.
  6. Never download files from unknown or suspicious sources.

Data Breach Notification

  • If a data breach has occurred or is suspected, supervisors must immediately report the event to the NEO security team at security@neohr.io
  • The NEO Cybersecurity Insurance provider (e.g. Beazley, CyberFirst by Travelers, etc.) must be notified of the breach.
  • Evaluation regarding whether there has been a data breach of Personal Information requiring notification to affected individuals will be determined by the NEO Legal Department.
  • The NEO Legal Department will assist in drafting any needed notification letters based on the nature of the breach.
  • The NEO Legal Department will determine if the Police and/or Government Authorities need to be notified.

  Breach Type                          IT Investigate   Legal Notified
  General Company Data/Information     Yes              Yes
  Employee PII                         Yes              Yes
  Customer PII                         Yes              Yes
  Vendor PII                           Yes              Yes
  Financial Records                    Yes              Yes
  Accounting Files                     Yes              Yes
  Password / Encryption Keys           Yes              Yes
  Payroll Records and Files            Yes              Yes

Cyber Liability Insurance

Cyber Liability insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. The advantages of having cyber insurance include:

  • Protection from Internet-based risks.
  • Transferring some of the financial risk of a security breach to the insurer.
  • Assistance with a forensic investigation of the breach.
  • Legal advice to determine notification and regulatory obligations.
  • Covering some of the notification costs of communicating the breach.
  • Offering credit monitoring to customers as a result of a verified breach.

At a minimum, the Cyber Liability insurance policy purchased should be one written for the technology industry, and coverage should include all or part of the following: Technology errors and omissions, Network & information security, Communications & Media, and Breach Notification.

Regulatory Reporting Requirements

Regulatory reporting requirements are determined by the type of incident, the data impacted by the incident, and the country/state where the breached data resides. See the guidelines below.

Guidelines
  1. In some cases, notice is required only if, after a good faith and prompt investigation, a covered entity determines that as a result of a breach of security, sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to the individuals to whom the information relates. In other cases the requirement is set by MSA or contractual terms (notification within 72 hours, in most cases). The NEO Legal Department will make this determination.
  2. If the NEO Legal Department determines that notice is not required, NEO must document the determination in writing and maintain records concerning the determination for no less than five years.
  3. Security Awareness Training should communicate the reminder to lock rooms and file cabinets where paper records are stored.
  4. Use unique passwords (non-dictionary words and/or number combinations).
  5. Refer calls or other requests for personal information to designated individuals within the department, IT, Legal or Human Resources Departments.
  6. Require all third-party vendors/contractors having access to Covered Information to exercise reasonable care in the handling of Personal Information and to implement commercially reasonable policies, procedures and systems to protect the confidentiality, security, and integrity of personal information and to detect the occurrence of a data breach.

Third-Party Vendors and Sub-Processors

  Vendor                      Data Center Location   Purpose
  Amazon Web Services, Inc.   USA, EU                Primary cloud infrastructure provider for NEO, where all SaaS applications are hosted. Almost all data stored, processed and transmitted through NEO products and services resides in Amazon Web Services data centers.
  Pandadoc                    EU                     Documents / Electronic Signing
  Postmark                    USA, EU                Email Management
  Airwallex                   Australia              Global Payment Processing
  Corpay Inc                  USA, Australia         Global Payment Processing
  Sentry                      USA, EU                Error logging
  Bitwarden                   USA, CA                Secrets manager

5.0 ROLES & RESPONSIBILITIES

Review & Approval
Szymon Fraszczak (VP of Engineering) is responsible for reviewing and approving all security policies. Once an approved policy has been published, the IT and Information Security teams are expected to support and enforce the policy within NEO.

Create & Publish
It is the responsibility of the Information Security team to create and publish all security policies in accordance with this policy. All changes are to be approved by the executive management team before implementation and publication. The Information Security team is charged with the first-level annual review of all security policies to ensure appropriateness. All security standards, guidelines, and procedures will be provided and maintained by Information Security.

Cloud Security for Information Security (ISO 27001:2022 A.5.23)
NEO’s cloud-first approach requires specialized security considerations:

  • AWS Shared Responsibility Model: Clear understanding and implementation of security responsibilities between AWS (infrastructure security) and NEO (data and application security).
  • Cloud Configuration Management: Secure configuration of AWS services, regular compliance monitoring, and automated security assessments using AWS security tools.
  • Data Protection in Cloud: Implementation of encryption at rest and in transit, proper access controls, and data classification for all cloud-stored information.
  • Cloud Access Management: Strong identity and access management (IAM) controls, multi-factor authentication, and principle of least privilege for all cloud resources.
  • Cloud Monitoring and Logging: Comprehensive logging and monitoring of cloud activities using AWS CloudTrail, CloudWatch, and integration with security information and event management (SIEM) tools.
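The least-privilege and MFA requirements in the Cloud Access Management bullet above are the kind of thing a reviewer can check mechanically before an IAM policy is attached to a role or user. The script below is an added example and is not NEO tooling: it parses an IAM policy document, flags Allow statements that use wildcard actions or resources (or NotAction), and requires the aws:MultiFactorAuthPresent condition. The two sample policies (including the bucket name example-customer-data) are constructed for illustration.

```python
"""Review an IAM policy document for least-privilege and MFA violations.

Added example, not NEO's own tooling. The two policies below are
constructed samples; the bucket name is hypothetical.
"""
import json

# Constructed sample: the over-broad policy a reviewer should reject.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: scoped to two actions on one bucket and gated on MFA.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-customer-data/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(stmt):
    """True if the statement only applies when MFA was used to authenticate."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(value).lower() == "true":
            return True
    return False


def review_policy(policy_json, require_mfa=True):
    """Return a list of human-readable findings; an empty list means the policy passes."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access; skip them
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            # "*" grants everything; "s3:*" grants every action in a service
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
        if require_mfa and not _has_mfa_condition(stmt):
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        result = review_policy(policy)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

A check like this belongs in the pipeline that deploys IAM policies, so an over-broad statement is rejected before it reaches an account; it complements, rather than replaces, the AWS-side tooling (IAM Access Analyzer, Config rules) referenced under Cloud Configuration Management. Note that aws:MultiFactorAuthPresent is absent, not false, for requests signed with long-term access keys, which is why BoolIfExists is accepted alongside Bool.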

6.0 COMPLIANCE

In order for security measures to be effective, periodic reviews (Internal Audits) shall be performed to ensure compliance with the established guidelines, policies, and procedures. The Internal Audits will be initiated by the Information Security team and supported by the executive management team with cooperation from all employees, consultants, contractors or anyone doing work on behalf of NEO. Information Security will publish a report to the executive management team including any deficiencies found during the audit. The report will include a plan of corrective actions to address the discrepancies and deficiencies discovered by the security review and audit. The frequency of these internal audits depends on the security domain and will be identified in the supporting subject matter policies.

8.0 ENFORCEMENT

This policy is intended to protect the security and integrity of NEO’s data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms, or as a result of a newly identified security vulnerability. Any employee, contractor, consultant, external party or any person doing work on behalf of NEO found to have violated any policy, standard or procedure may be subject to disciplinary action, up to and including termination of employment or contract. Violators of local, state, Federal, and/or international law may be reported to the appropriate law enforcement agency for civil and/or criminal prosecution.

9.0 ACTIVITY CALENDAR OF ISMS

All ISMS activities will be under review at least once a year. They are part of the security calendar in Google Workspace. Specifically:

  • Review and update of the Security Policy will be done once a year in May
  • Review and update of the Risk Log and Remediations will be done at least once a year with all department heads, with a follow-up with management once a year
  • Management review of security will be done every 6 months
  • Internal Audit will be done once a year in May
  • External pentesting will be done once a year in May
  • Threat intelligence review and update quarterly
  • Cloud security assessment annually

7.0 CLOUD SECURITY

All critical and sensitive data is stored and processed in AWS cloud infrastructure, which meets or exceeds ISO 27001:2022 requirements. Cloud security controls are regularly reviewed and updated to ensure compliance and data protection.
