Alpha Company Security Policy Guide

Umayma Essa

1. Introduction
This document outlines the information security policies and procedures that all employees, contractors, and systems of Alpha Company must adhere to in order to ensure the confidentiality, integrity and availability of company information assets. Violations of these policies put the company at risk for financial, legal and reputational damages. The intended audience for this guide includes all personnel who have access to Alpha Company systems and data.
2. Password Policy
- All user-level and system-level passwords must be a minimum of 14 characters in length.
- Passwords must contain a mix of uppercase and lowercase letters, numbers, and special characters.
- Simple or common words, names, patterns like keyboard rows, and contextual information like usernames and dates must be avoided.
- Multi-factor authentication using a time-based one-time password (TOTP) app or security key is required for all remote access and administrative logins.
- All user-level passwords must be rotated at least every 90 days.
- Accounts will be locked out for 30 minutes after 10 failed login attempts to prevent brute-force attacks. This applies to all login systems, including network, cloud apps, email, VPN, etc.
- Passwords must be hashed using bcrypt or PBKDF2 with a unique salt per password and, for PBKDF2, an iteration count of at least 10,000.
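As an added example that is not part of the Alpha Company guide, the following Python (assumed names `check_password`, `hash_password`, `verify_password` and `LockoutTracker`) implements the Section 2 parameters: the 14-character and character-class rules, the ban on usernames, common words and keyboard rows, a PBKDF2-HMAC hash with a unique salt and 10,000 iterations, and the 10-failure / 30-minute lockout. The banned-word list is a constructed stand-in.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Parameters taken from Section 2 of the guide.
MIN_LENGTH, PBKDF2_ITERATIONS = 14, 10_000
LOCKOUT_THRESHOLD, LOCKOUT_SECONDS = 10, 30 * 60
# Constructed stand-in for a banned-word list; a real deployment uses a breach corpus.
COMMON_WORDS = ("password", "welcome", "letmein", "alpha")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def check_password(pw: str, username: str) -> list:
    """Return policy violations for a candidate password; an empty list means compliant."""
    low, problems = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not all(re.search(c, pw) for c in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("missing character class")
    if username and username.lower() in low:
        problems.append("contains username")
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains common word")
    if any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        problems.append("contains keyboard pattern")
    return problems

def hash_password(pw: str, salt: bytes = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt and the policy's minimum iteration count."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

class LockoutTracker:
    """Lock an account for LOCKOUT_SECONDS after LOCKOUT_THRESHOLD consecutive failures."""
    def __init__(self):
        self.failures, self.locked_until = defaultdict(int), {}

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record(self, user: str, success: bool, now: float) -> None:
        # A success resets the counter; the 10th consecutive failure starts the lockout.
        self.failures[user] = 0 if success else self.failures[user] + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
```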
3. Access Controls
- A role-based access control model will be used to restrict access to authorized users only.
- Access must be granted on a least-privilege basis, giving only the minimum access required for the specific role.
- Access to critical data and systems must be reviewed and re-approved by business owners every 6 months to ensure it remains appropriate.
- Third party and contractor access will be time-bound and revoked immediately after engagement completion.
- Access for terminated employees will be revoked within 24 hours of termination across all systems and premises.
- Segregation of duties will be implemented such that the same person cannot initiate and authorize a transaction.
- All access control changes must be logged and audited weekly.
4. Employee Security Training
- All employees must complete the annual Information Security Awareness training course and pass the quiz to maintain access permissions.
- Training will cover strong authentication practices, social engineering, phishing, physical security controls, data handling, and ethical use of information systems.
- Employees in high-risk roles like IT, Systems Administrators, Finance, and Executives must take additional job-specific security training annually.
- Monthly security tips will be emailed to all employees to reinforce good security practices.
5. Encryption
- Full disk encryption using AES-256 is required for all laptops and mobile devices.
- Confidential data must be encrypted via PGP or S/MIME when transmitted over email.
- Databases containing personal data or other confidential information must be encrypted at rest using AES-256.
- Encryption keys must be protected from unauthorized access and rotated quarterly.
- VPN connections to the corporate network must use TLS 1.2 encryption or higher.
- Public WiFi access is prohibited unless connecting through the Alpha Co. VPN or using a personal hotspot.
- All removable media like USB drives must be encrypted using hardware-based encryption.
6. Firewalls and Network Security
- Next-generation firewalls must be deployed at all network boundaries to restrict traffic based on IP address, port, protocol, and application layer context.
- Web traffic must be routed through a web application firewall and content filter to block malicious sites and activity.
- Network traffic should be denied by default and only allowed based on a strict ruleset. Any exceptions must be documented and reviewed monthly.
- The network should be segregated into multiple VLANs based on business function and system criticality.
- Micro-segmentation should be used to further isolate critical systems and data stores.
- Intrusion detection and prevention systems must be implemented to detect anomalous network activity and known bad traffic patterns.
7. VPN and Remote Access
- All VPN connections to the corporate network must require multi-factor authentication using either a one-time password token or certificate.
- Remote access may only be initiated through approved VPN gateways. Direct access to internal resources is prohibited.
- Employees must not install or utilize unauthorized VPN software or tools.
- VPN connections will be terminated after 30 minutes of inactivity.
- All VPN connection activity will be logged to a centralized monitoring system.
- Remote access accounts must be disabled immediately upon termination of employees.
8. Incident Response Plan
- A documented incident response plan will be maintained covering detection, analysis, containment, eradication and recovery steps.
- The Computer Security Incident Response Team (CSIRT) has been appointed with defined roles and responsibilities.
- Reportable security incident categories are defined based on breach notification laws and contractual requirements.
- The CSIRT will receive continuous training to detect, analyze, and respond to incidents.
- Simulated incident response exercises will be conducted annually.
- Security incidents will be categorized based on severity and escalated accordingly.
- Forensic artifacts will be preserved under a documented chain of custody to support potential legal prosecution.