Information Security Policy
Last updated: January 15, 2025
1. Purpose & Scope
This Information Security Policy establishes the framework for protecting the confidentiality, integrity, and availability of all information assets owned, controlled, or processed by AttackRadar Inc. This policy applies to all employees, contractors, third-party service providers, and any individual with access to AttackRadar systems, data, or infrastructure.
2. Security Governance
AttackRadar maintains a dedicated security governance structure led by our Chief Information Security Officer (CISO), who reports directly to the CEO. The CISO is responsible for the development, implementation, and continuous improvement of our information security program.
Our security program is reviewed annually by an independent third-party auditor to ensure compliance with industry standards and regulatory requirements.
3. Data Classification
All information assets are classified into one of four categories:
- Public: Information approved for public disclosure (marketing materials, published research).
- Internal: Information for internal use only (internal communications, procedures).
- Confidential: Sensitive business information requiring restricted access (customer data, financial records, proprietary algorithms).
- Restricted: Highly sensitive information with strict access controls (encryption keys, security credentials, vulnerability data, threat intelligence sources).
4. Access Control Policy
We implement the principle of least privilege across all systems and data. Access is granted based on job function and business need, and reviewed quarterly.
- Multi-factor authentication (MFA) is required for every user account and for access to all systems
- Role-based access control (RBAC) is enforced across the platform
- Administrative and privileged access requires additional approval and monitoring
- Access reviews are conducted quarterly and upon role changes
- Accounts are deactivated within 24 hours of employee departure
5. Encryption Standards
- In Transit: All data transmitted between clients and our servers is encrypted using TLS 1.3. HTTPS is enforced on all endpoints: plaintext requests are redirected to HTTPS, and responses carry HTTP Strict Transport Security (HSTS) headers so that browsers refuse plaintext connections on later visits.
- At Rest: All stored data is encrypted with AES-256. Database encryption keys are managed through cloud provider key management services and rotated on a regular schedule.
- Key Management: Encryption keys are stored in hardware security modules (HSMs), and key operations are restricted to authorized security personnel.
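The "HTTPS everywhere with HSTS" control above is one that can be verified from the outside. The following Python checker is an added example, not AttackRadar's own tooling: it parses a Strict-Transport-Security header per RFC 6797 (semicolon-separated directives, case-insensitive names, no repeated directives, required max-age) and evaluates captured responses against two thresholds that are assumptions here, a max-age of at least one year and includeSubDomains so every host under the domain is covered. The responses and the hostname example.test are constructed inline so the script runs offline.

```python
"""Check captured HTTP responses against an "HTTPS + HSTS everywhere" policy.

Added example, not AttackRadar's tooling. The minimum max-age and the
includeSubDomains requirement are assumed policy thresholds, and the
responses below are constructed test data rather than real captures.
"""

MIN_MAX_AGE = 365 * 24 * 3600  # assumed policy minimum: one year

CONSTRUCTED_RESPONSES = {
    "good": {
        "scheme": "https", "status": 200,
        "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    },
    "short_max_age": {
        "scheme": "https", "status": 200,
        "headers": {"strict-transport-security": "max-age=300"},
    },
    "plaintext_not_redirected": {"scheme": "http", "status": 200, "headers": {}},
    "plaintext_redirect": {
        "scheme": "http", "status": 301,
        "headers": {"Location": "https://example.test/"},
    },
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value_or_None}.

    Directive names are case-insensitive and must not repeat (RFC 6797 6.1).
    Raises ValueError on malformed input so the caller can report it.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, has_value, raw = token.partition("=")
        name = name.strip().lower()
        if not name:
            raise ValueError("empty directive name")
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = raw.strip().strip('"') if has_value else None
    return directives


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def check_response(resp):
    """Return a list of policy findings for one response; an empty list means compliant."""
    findings = []
    if resp["scheme"] == "http":
        location = _header(resp["headers"], "Location") or ""
        if resp["status"] not in (301, 308) or not location.lower().startswith("https://"):
            findings.append("plaintext request not redirected to https")
        # RFC 6797 7.2: an HSTS header on a non-TLS response must be ignored,
        # so there is nothing else to evaluate on a plaintext response.
        return findings

    raw = _header(resp["headers"], "Strict-Transport-Security")
    if raw is None:
        return ["Strict-Transport-Security header missing"]
    try:
        hsts = parse_hsts(raw)
    except ValueError as exc:
        return [f"malformed Strict-Transport-Security header: {exc}"]

    max_age = hsts.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or not an integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to discard the HSTS policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below the assumed minimum {MIN_MAX_AGE}")
    if "includesubdomains" not in hsts:
        findings.append("includeSubDomains absent; subdomains are not covered")
    return findings


if __name__ == "__main__":
    for name, resp in CONSTRUCTED_RESPONSES.items():
        print(name, "->", check_response(resp) or "compliant")
```

The plaintext branch returns early on purpose: a browser ignores HSTS on a non-TLS response, so the only thing worth checking there is the redirect, and a 302 to an https:// URL is still flagged because a temporary redirect does not commit the origin to HTTPS.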
6. Vulnerability Management
We maintain a rigorous vulnerability management program with defined patching SLAs:
- Critical (CVSS 9.0+): Patched within 24 hours
- High (CVSS 7.0-8.9): Patched within 7 days
- Medium (CVSS 4.0-6.9): Patched within 30 days
- Low (CVSS 0.1-3.9): Patched within 90 days
Automated vulnerability scanning is performed continuously. Penetration testing is conducted at least annually by qualified third-party security firms, with additional testing after significant infrastructure changes.
7. Incident Response
Our incident response plan follows a four-phase approach:
- Detect: Continuous monitoring with automated alerting for security events. Every security alert is logged and triaged within 15 minutes.
- Contain: Immediate isolation of affected systems to prevent further damage. Stakeholders are notified within 1 hour of an incident being confirmed.
- Eradicate: Root cause analysis, removal of the attacker's access and of the weakness that was exploited, and remediation of affected systems. Forensic evidence is preserved for investigation.
- Recover: System restoration from verified clean backups. Post-incident review within 5 business days with lessons learned documentation.
8. Business Continuity & Disaster Recovery
- Recovery Point Objective (RPO): Less than 1 hour — maximum acceptable data loss
- Recovery Time Objective (RTO): Less than 4 hours — maximum acceptable downtime
- Geographic redundancy across multiple cloud regions
- Automated backups performed every 30 minutes
- Disaster recovery plans tested at least twice annually
- 99.9% uptime SLA for Enterprise customers
9. Third-Party Security
All third-party service providers undergo a security risk assessment before engagement. This includes:
- Review of security certifications (SOC 2, ISO 27001)
- Assessment of data handling practices and encryption standards
- Contractual security requirements and data processing agreements
- Annual re-assessment of vendor security posture
- Contractual requirement that vendors notify us of security incidents affecting our data within 24 hours
10. Employee Security Training
All employees complete mandatory security awareness training upon hire and annually thereafter. Training covers:
- Phishing recognition and reporting
- Data classification and handling procedures
- Password hygiene and multi-factor authentication
- Incident reporting procedures
- Social engineering awareness
- Remote work security best practices
11. Physical Security
AttackRadar utilizes cloud infrastructure providers (Cloudflare, Google Cloud) that maintain SOC 2 Type II and ISO 27001 certified data centers with comprehensive physical security controls including biometric access, 24/7 surveillance, and environmental monitoring.
12. Compliance & Certifications
- SOC 2 Type II: Annual audit covering security, availability, and confidentiality trust service criteria
- ISO 27001: Certified information security management system
- GDPR: Full compliance with EU General Data Protection Regulation
- CCPA: Compliance with California Consumer Privacy Act
13. Policy Violations
Violations of this Information Security Policy may result in disciplinary action, up to and including termination of employment or contract. Suspected violations should be reported immediately to security@attackradar.us. All reports are investigated confidentially.
14. Review & Update Cycle
This policy is reviewed and updated at least annually, or more frequently as required by changes in the threat landscape, regulatory environment, or business operations. All policy changes are approved by the CISO and communicated to all relevant stakeholders.
For questions regarding this policy, contact us at security@attackradar.us.