Cybrexus Technology
Information Security Policy
Document Version: 1.0
Effective Date: July 1, 2026
1. Purpose
The purpose of this Information Security Policy is to protect the confidentiality, integrity, and availability of Cybrexus Technology’s information assets, customer data, intellectual property, software systems, and technology infrastructure.
This policy establishes security requirements that all employees, interns, contractors, consultants, freelancers, vendors, and third-party service providers must follow to reduce cybersecurity risks and maintain customer trust.
2. Scope
This policy applies to:
· All employees
· Interns and trainees
· Directors and management
· Consultants
· Contractors
· Freelancers
· Third-party personnel
· Vendors with access to company information
· All company-owned and authorized personal devices used for company work
The policy covers:
· Information assets
· Customer information
· Company data
· Software applications
· Source code
· Cloud infrastructure
· Internal systems
· Physical documents
· Electronic communications
3. Security Objectives
Cybrexus Technology is committed to:
· Protecting confidential information
· Preventing unauthorized access
· Maintaining system availability
· Ensuring data integrity
· Meeting legal and contractual obligations
· Continuously improving cybersecurity practices
· Reducing security risks through proactive controls
4. Information Classification
Information shall be classified into the following categories:
Public
Information approved for public release.
Examples:
· Marketing materials
· Public website content
· Job advertisements
Internal
Information intended only for internal business use.
Examples:
· Internal procedures
· Project schedules
· Team documentation
Confidential
Sensitive business information requiring controlled access.
Examples:
· Client data
· Financial records
· Employee information
· Contracts
· Pricing
· Internal reports
Restricted
Highly sensitive information with limited authorized access.
Examples:
· Source code
· Encryption keys
· Password vaults
· Production credentials
· Security configurations
· Strategic business plans
5. Access Control
Access shall be granted based on the principle of least privilege.
Users shall:
· Access only information necessary for their job responsibilities.
· Never use another person’s account.
· Never share passwords.
· Request access through approved authorization.
· Immediately report unauthorized access.
Management shall review user access periodically.
6. Password Policy
All users must:
· Use passwords with at least 12 characters.
· Include uppercase letters, lowercase letters, numbers, and special characters.
· Use unique passwords for company systems.
· Change passwords immediately if compromise is suspected.
· Enable multi-factor authentication (MFA) wherever supported.
Passwords shall never be:
· Shared
· Written in visible locations
· Stored in unsecured documents
· Sent through unencrypted communication channels
Approved password managers should be used where feasible.
7. Multi-Factor Authentication
Multi-factor authentication should be enabled for:
· Email accounts
· Cloud services
· VPN access
· Administrative accounts
· Source code repositories
· Financial applications
· Remote access services
8. Device Security
Company and authorized personal devices used for work shall:
· Be protected by strong passwords or biometric authentication.
· Use supported operating systems with current security updates.
· Run approved antivirus or endpoint protection software where applicable.
· Automatically lock after a period of inactivity.
· Encrypt storage when technically feasible.
· Be reported immediately if lost or stolen.
Unauthorized devices shall not access sensitive company resources without approval.
9. Software Installation
Only authorized software may be installed on company systems.
Personnel shall not:
· Install pirated software
· Disable security software
· Install unauthorized browser extensions
· Download software from untrusted sources
Software licensing requirements shall always be respected.
10. Email Security
Employees shall:
· Verify unknown senders.
· Avoid opening suspicious attachments.
· Report phishing attempts immediately.
· Never share passwords by email.
· Use company email for official business communication.
Sensitive information should only be shared through approved and secure methods.
11. Internet Usage
Internet access is provided for legitimate business purposes.
Users shall not:
· Visit malicious websites
· Download illegal content
· Bypass security controls
· Engage in unauthorized hacking activities
· Use company internet for unlawful purposes
Limited personal use may be permitted provided it does not interfere with work or violate company policies.
12. Remote Work Security
Personnel working remotely must:
· Use secure internet connections.
· Avoid using unsecured public Wi-Fi without approved protection.
· Lock devices when unattended.
· Prevent unauthorized viewing of confidential information.
· Store company information only in approved locations.
· Follow all company security policies while working remotely.
13. Data Protection
Company and client data shall be protected throughout its lifecycle.
Personnel shall:
· Collect only necessary information.
· Use data only for authorized purposes.
· Avoid unnecessary duplication of data.
· Dispose of information securely when no longer required.
· Protect sensitive information during storage and transmission.
14. Backup and Recovery
Critical business information shall be backed up according to company procedures.
Backups should:
· Be tested periodically.
· Be protected against unauthorized access.
· Support business continuity and disaster recovery requirements.
15. Encryption
Sensitive information should be encrypted:
· During transmission using secure protocols (such as HTTPS, TLS, or SSH).
· At rest where appropriate.
· On portable storage devices containing confidential information.
Encryption keys shall be protected and managed securely.
16. Source Code Security
Developers shall:
· Store source code in approved repositories.
· Use version control systems.
· Protect repository credentials.
· Review code before production deployment where feasible.
· Avoid embedding passwords, API keys, or secrets directly in source code.
· Follow secure coding practices.
17. Cloud Security
Cloud resources shall:
· Be configured using security best practices.
· Restrict access based on business need.
· Enable logging where practical.
· Use encryption where supported.
· Be regularly reviewed for unnecessary exposure.
18. Physical Security
Personnel shall:
· Secure laptops and mobile devices.
· Protect confidential documents.
· Restrict visitor access to sensitive areas.
· Avoid leaving confidential materials unattended.
· Properly dispose of sensitive documents using approved methods.
19. Incident Reporting
Any suspected security incident shall be reported immediately.
Examples include:
· Phishing emails
· Malware infections
· Lost or stolen devices
· Unauthorized access
· Data leakage
· Password compromise
· Ransomware
· System intrusion
Employees shall cooperate with investigations and preserve relevant evidence where possible.
20. Security Awareness
Cybrexus Technology encourages ongoing security awareness.
Personnel should:
· Stay informed about cybersecurity threats.
· Participate in security training.
· Follow secure working practices.
· Report suspicious activity promptly.
21. Third-Party Security
Third-party service providers handling company or customer information should:
· Protect confidential information.
· Implement appropriate security measures.
· Comply with contractual security requirements.
· Report security incidents affecting company data without undue delay.
22. Compliance
Personnel must comply with:
· Company policies
· Applicable laws and regulations
· Customer contractual obligations
· Confidentiality agreements
· Intellectual property requirements
· Data protection obligations
23. Policy Violations
Violations of this policy may result in:
· Security awareness counseling
· Written warning
· Temporary suspension of system access
· Disciplinary action
· Termination of employment or engagement
· Legal action where appropriate
24. Policy Review
This Information Security Policy shall be reviewed at least annually or whenever there are significant changes to:
· Business operations
· Technology infrastructure
· Legal or regulatory requirements
· Security risks
25. Contact
Questions regarding this policy or the reporting of security incidents should be directed to the Information Security Team or designated management representative at Cybrexus Technology.