ComplianceKit

Information Security Policy

Policy #1

Policy Number: CK-001

Version: 1.0

Effective Date: 6/12/2026

Review Cycle: Annual


1. Purpose

This Information Security Policy establishes the framework for protecting Acme Corp's information assets, systems, and data. This policy supports our SOC 2 Type I compliance objectives and ensures all personnel understand their security responsibilities.

2. Scope

This policy applies to all employees, contractors, consultants, and third-party service providers who access Acme Corp's information systems, including our AWS cloud infrastructure, GitHub repositories, and Google Workspace environment.

3. Policy Statement

Acme Corp is committed to maintaining the confidentiality, integrity, and availability of all information assets. All personnel must comply with this policy and related security standards as a condition of employment or engagement.

4. Roles & Responsibilities

Chief Technology Officer (CTO)

  • Owns overall information security program
  • Approves security policies and exception requests
  • Allocates security budget and resources
Engineering Leads

  • Enforce security controls within their teams
  • Conduct security reviews of system changes
  • Report security incidents to the CTO

All Employees

  • Complete annual security awareness training
  • Report suspicious activity or security incidents
  • Follow acceptable use guidelines for all systems

5. Core Security Controls

5.1 Access Management

All access to production systems on AWS must be provisioned through our Identity and Access Management (IAM) framework following least-privilege principles. Access reviews are conducted quarterly.

5.2 Data Protection

Customer data is encrypted at rest (AES-256) and in transit (TLS 1.2+). AWS S3 bucket policies enforce encryption and restrict public access. Database backups are encrypted and tested monthly.

5.3 Code Security

All code changes require peer review through GitHub pull requests before merging to main. Security scanning via automated tools runs on every pull request. Critical vulnerabilities block deployment.

5.4 Incident Response

Security incidents are reported within 24 hours to the CTO. Our Incident Response Policy (CK-005) governs investigation, containment, and notification procedures.

6. Compliance & Enforcement

Violations of this policy may result in disciplinary action up to and including termination. Suspected violations should be reported to security@acmecorp.com or through the anonymous reporting channel in Slack.

7. Review

This policy is reviewed annually or following significant changes to our infrastructure, business model, or regulatory environment. The CTO is responsible for initiating and approving reviews.


*This policy was generated and approved by Acme Corp leadership as part of our SOC 2 Type I readiness program.*