Information Security Policy
Framework for protecting PrivionGRC's information assets
Document Information
- Company: PrivionGRC, Inc.
- Effective Date: October 17, 2025
- Version: 1.0
- Policy Owner: Matt Fishman, CEO
- Review Frequency: Annual
Contact Information
- Email: mfishman@priviongrc.com
- Location: San Diego, CA
1. Purpose
This Information Security Policy establishes the framework for protecting PrivionGRC's information assets, including customer data, intellectual property, and business information. This policy applies to all employees, contractors, vendors, and third parties with access to PrivionGRC systems and data.
2. Scope
This policy applies to:
- All information assets owned or managed by PrivionGRC
- All information systems, networks, and devices
- All employees, contractors, consultants, and vendors
- All customer data processed through the PrivionGRC platform
- Cloud infrastructure and services (Netlify, Supabase/AWS)
3. Policy Statement
PrivionGRC is committed to protecting the confidentiality, integrity, and availability of information assets through:
- Risk-based security controls aligned with industry standards (SOC 2, ISO 27001, NIST)
- Continuous monitoring and improvement of security posture
- Employee awareness and training on security best practices
- Compliance with applicable laws and regulations (GDPR, CCPA, etc.)
- Prompt detection and response to security incidents
4. Information Security Principles
4.1 Confidentiality
Information shall be accessible only to authorized individuals on a need-to-know basis.
4.2 Integrity
Information shall be accurate, complete, and protected from unauthorized modification.
4.3 Availability
Information and systems shall be accessible to authorized users when needed.
4.4 Accountability
All actions shall be traceable to individuals through comprehensive audit logging.
5. Roles and Responsibilities
5.1 Executive Management
- Provide strategic direction for the information security program
- Allocate resources for security initiatives
- Review security metrics and risk reports quarterly
- Approve security policies and major changes
5.2 Chief Technology Officer (CTO)
- Overall responsibility for the information security program
- Approve security architecture and controls
- Oversee incident response activities
- Report security status to executive management
5.3 Security Officer (if designated)
- Implement and maintain the information security program
- Conduct risk assessments and security reviews
- Manage security incidents and coordinate response
- Ensure compliance with security policies and standards
5.4 Development Team
- Implement secure coding practices
- Conduct code reviews with security focus
- Address security vulnerabilities promptly
- Follow change management procedures
5.5 All Employees
- Protect company and customer information
- Report security incidents immediately
- Complete required security training
- Follow all security policies and procedures
- Use strong, unique passwords and enable MFA
6. Information Security Framework
PrivionGRC's information security program is based on:
- SOC 2 Trust Services Criteria (Security, Confidentiality, Privacy)
- NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)
- ISO 27001 principles and controls
- GDPR data protection requirements
7. Security Control Categories
7.1 Access Control
- Role-based access control (RBAC) with the principle of least privilege
- Multi-factor authentication (MFA) required for all user accounts
- Regular access reviews (quarterly)
- Immediate access revocation upon termination
7.2 Data Protection
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Data classification and handling standards
- Secure data disposal procedures
7.3 Network Security
- Cloud-based infrastructure with provider security controls
- Network segmentation and isolation
- Firewall and intrusion detection/prevention
- Regular vulnerability scanning
7.4 Application Security
- Secure software development lifecycle (SSDLC)
- Input validation and output encoding
- Protection against OWASP Top 10 vulnerabilities
- Regular security testing and code reviews
7.5 Logging and Monitoring
- Comprehensive audit logging of user activities
- Security event monitoring and alerting
- Log retention for a minimum of 1 year
- Regular log review and analysis
7.6 Physical and Environmental
- Cloud infrastructure with SOC 2-certified data centers
- Environmental controls managed by infrastructure providers
- No on-premises servers or data storage
8. Risk Management
8.1 Risk Assessment
- Formal risk assessments conducted annually
- Risk assessment for significant system changes
- Third-party risk assessments for vendors
8.2 Risk Treatment
- Risk acceptance, mitigation, transfer, or avoidance
- Risk treatment plans with owners and timelines
- Residual risk approval by management
9. Vendor and Third-Party Management
All vendors and third parties must:
- Sign data processing agreements (DPAs) when handling customer data
- Provide evidence of security controls (questionnaires, SOC 2 reports)
- Notify PrivionGRC of security incidents within 24 hours
- Submit to security assessments as required
13. Compliance
PrivionGRC maintains compliance with:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- SOC 2 Trust Services Criteria (audit in progress)
- Customer contractual security requirements
14. Policy Enforcement
Violations of this policy may result in:
- Verbal or written warning
- Suspension of system access
- Termination of employment or contract
- Legal action if warranted
17. Related Policies
- Access Control Policy
- Data Classification and Handling Policy
- Incident Response Policy
- Change Management Policy
- Acceptable Use Policy
- Remote Work Policy
- Vendor Management Policy
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
For Questions Regarding This Policy
Contact Matt Fishman, CEO: mfishman@priviongrc.com
San Diego, CA