
Information Security Policy and Procedures

This document outlines the comprehensive information security framework that governs how Infos B4B protects data assets, manages risk, and maintains operational resilience.

Last updated: May 2026

1. Security Governance

Infos B4B maintains a formal information security governance structure to ensure that security is embedded across all levels of the organization:

  • Executive leadership has ultimate accountability for information security and approves all security policies and resource allocations
  • A dedicated Information Security Officer (ISO) is responsible for developing, implementing, and maintaining the information security program
  • Security policies are reviewed and updated at least annually or whenever significant changes occur in the threat landscape, technology, or business operations
  • A cross-functional security committee meets quarterly to review security posture, assess emerging threats, and prioritize improvements
  • All security policies, procedures, and standards are documented, version-controlled, and accessible to all employees through our internal management system

2. Risk Assessment and Management

We employ a structured approach to identifying, evaluating, and mitigating information security risks:

  • Comprehensive risk assessments are conducted annually and whenever significant changes occur in our systems, processes, or business environment
  • Risks are identified, analyzed, and evaluated using a standardized methodology that considers likelihood, impact, and existing controls
  • A risk register is maintained and reviewed quarterly by the security committee, with risk owners assigned for each identified risk
  • Risk treatment plans are developed for all risks above the accepted threshold, with defined timelines, resources, and accountability
  • Residual risks are formally accepted by management with documented justification and review schedules

3. Asset Management

All information assets are inventoried, classified, and protected according to their sensitivity and business value:

  • A complete inventory of information assets is maintained, including hardware, software, data repositories, and intellectual property
  • Assets are classified into categories (Public, Internal, Confidential, Restricted) with corresponding handling requirements for each level
  • Each asset has a designated owner responsible for ensuring appropriate security controls are applied and maintained
  • Asset inventories are reviewed and updated semi-annually to reflect additions, removals, and changes
  • End-of-life procedures for hardware and software include secure data destruction and proper disposal in accordance with environmental and data protection regulations

4. Access Control

Access to information systems and data is managed on a need-to-know basis following the principle of least privilege:

  • All access is granted based on business need, job function, and formal authorization from the relevant data or system owner
  • Role-based access control (RBAC) is implemented across all critical systems, with roles defined and documented
  • Multi-factor authentication (MFA) is required for all remote access, administrative accounts, and access to systems containing sensitive data
  • User access rights are reviewed quarterly and adjusted to reflect role changes, transfers, or departures
  • Privileged accounts are subject to enhanced monitoring, time-limited sessions, and regular audits
  • Password policies require a minimum length of 12 characters, enforce complexity requirements, and prohibit reuse of the previous 12 passwords
  • Access is revoked within 4 hours of an employee's departure, or of a role change after which the access is no longer required

5. Cryptography

Cryptographic controls are used to protect the confidentiality, integrity, and authenticity of information:

  • Data in transit is protected using TLS 1.2 or higher for all external communications and internal system-to-system transfers
  • Data at rest is encrypted using AES-256 or equivalent industry-standard algorithms
  • Cryptographic keys are managed through a formal key management lifecycle covering generation, distribution, storage, rotation, revocation, and destruction
  • Digital certificates are managed centrally with automated expiration monitoring and renewal processes
  • Cryptographic standards are reviewed annually to ensure alignment with current best practices and the evolving threat landscape

6. Physical and Environmental Security

Physical security measures protect our facilities, equipment, and information from unauthorized access and environmental threats:

  • Office and data center facilities are protected by multi-layered access controls including key cards, biometric readers, and security personnel
  • Visitor access is controlled through sign-in procedures, identification verification, and escort requirements in secure areas
  • Data centers feature redundant power supplies, climate control systems, fire suppression, and water damage detection
  • Video surveillance operates 24/7 in all critical areas with recordings retained for a minimum of 90 days
  • Equipment and media are securely disposed of using certified data destruction methods that comply with NIST 800-88 guidelines
  • Clean desk and clear screen policies are enforced in all work areas to prevent unauthorized access to sensitive information

7. Operations Security

Operational procedures and controls ensure the secure and reliable operation of our information processing systems:

  • Change management procedures govern all modifications to production systems, requiring documented approval, testing, and rollback plans
  • Development, testing, and production environments are segregated to prevent unauthorized changes and data leakage
  • Anti-malware solutions are deployed on all endpoints and servers with real-time scanning and automatic definition updates
  • System and application logs are collected, centralized, and monitored for security events using a security information and event management (SIEM) platform
  • Backups are performed on a defined schedule (daily incremental, weekly full) with encrypted copies stored offsite and regularly tested for recoverability
  • Vulnerability management includes regular scanning, patch management within defined SLAs based on severity, and tracking of remediation status

8. Communications Security

We protect information in networks and during transfer through the following controls:

  • Network infrastructure is segmented using firewalls and VLANs to isolate sensitive systems and limit the blast radius of potential breaches
  • Intrusion detection and prevention systems (IDS/IPS) monitor network traffic for malicious activity and anomalous behavior
  • Email security controls include spam filtering, phishing detection, and data loss prevention (DLP) scanning for outbound messages
  • Secure file transfer protocols (SFTP, FTPS, or HTTPS) are required for all data exchanges with clients and partners
  • Remote access requires VPN connections with strong authentication and is limited to authorized devices meeting security baseline requirements
  • Information transfer agreements are established with all parties with whom we regularly exchange sensitive data

9. Incident Management

A formal incident management process ensures security events are detected, reported, and resolved effectively:

  • All employees are trained to recognize and report security incidents through defined channels
  • Incidents are classified by severity with defined response times: Critical (1 hour), High (4 hours), Medium (24 hours), Low (72 hours)
  • An incident response team with defined roles and responsibilities is activated for all incidents classified as High or Critical
  • Evidence preservation and chain of custody procedures are followed for all incidents that may require forensic investigation or legal action
  • Affected parties, including clients and regulators, are notified within timeframes required by applicable laws and contractual obligations
  • Post-incident reviews are conducted for all significant incidents, with lessons learned documented and incorporated into security improvements
  • Incident response plans are tested through tabletop exercises and simulated incidents at least twice per year

10. Business Continuity and Disaster Recovery

We maintain business continuity and disaster recovery plans to ensure the availability of critical services:

  • Business impact analyses identify critical business processes and the resources required to support them
  • Recovery time objectives (RTOs) and recovery point objectives (RPOs) are defined for all critical systems and data
  • Redundant infrastructure and failover mechanisms ensure continuity of operations in the event of hardware or data center failures
  • Business continuity plans are documented, distributed to key personnel, and stored in accessible locations both on-site and off-site
  • Disaster recovery procedures are tested at least annually through full or partial restoration exercises with results documented and improvements implemented
  • Communication plans define how employees, clients, and stakeholders will be notified during a business continuity event

11. Compliance

Infos B4B is committed to compliance with all applicable legal, regulatory, and contractual security requirements:

  • Applicable legal and regulatory requirements are identified and documented, including GDPR, CCPA, CAN-SPAM, TCPA, and industry-specific regulations
  • Our security controls are aligned with SOC 2 Type II criteria and ISO 27001 best practices
  • Internal audits of the information security program are conducted semi-annually to assess compliance and effectiveness
  • Independent external assessments and penetration tests are performed annually by qualified third-party firms
  • Audit findings are tracked in a remediation plan with assigned owners, target dates, and status updates reported to the security committee
  • Contractual security requirements from clients and partners are reviewed and incorporated into our security controls as applicable

12. Contact Us

For questions about this Information Security Policy or to report a security concern:

  • Email: info@infosb4b.com
  • Phone: +1 833-209-5599
  • Address: 228 Park Ave S 60111, New York, NY 10003