Information Security Policy

The organization utilizes the “Tugboat Logic Platform” to manage InfoSec policies, provide security awareness training, implement and document security controls, and track compliance with customers, third-party vendors, independent auditors and regulatory agencies.

1.0 Purpose

The purpose of this policy is to direct the design, implementation and management of an effective Information Security Program, which ensures that Accushield’s information assets are appropriately identified, recorded, and afforded suitable protection at all times. This document sets forth certain principles regarding the responsible use of information by Accushield and outlines the roles and responsibilities of personnel to protect the confidentiality, integrity, and availability of Accushield’s resources and data.

2.0 Scope

This policy covers Accushield’s information and information systems, including information and information systems used, managed, or operated by a contractor or other vendor, and applies to all Accushield employees, contractors, and other users of Accushield’s information and information systems.

3.0 Policy Statements

  • Implement and maintain the Information Security Program at Accushield.
  • Continuously improve and align information security practices to global best practices and standards.
  • Information security policies shall be reviewed regularly. Accushield employees shall acknowledge their adherence to these information security policies and practices annually.
  • Security awareness training shall be provided regularly.
  • Internal assessments or audits of Accushield’s Information Security Program shall be performed periodically, and any gaps or findings shall be remediated promptly.
  • A risk assessment process for Accushield’s information assets shall be defined and followed. Risk reduction shall be carried out through the process of continuous improvement.
  • Accushield’s information asset inventories shall be reviewed and updated when a new asset is added and/or an existing asset is upgraded.
  • Business continuity plans (BCPs) and backup plans shall be reviewed and tested at least annually.
  • Roles and responsibilities shall be clearly defined and communicated to relevant individuals.
  • Information should be classified and handled according to its criticality and sensitivity as mandated by relevant legislative, regulatory and contractual requirements.
  • Appropriate contacts shall be maintained with relevant authorities, special interest groups or other specialist security forums.
  • As needed, security incidents shall be reported outside Accushield by a designated person nominated by executive management.
  • Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
  • Prevention, detection, and recovery controls to protect against malware shall be implemented by Accushield, and these will be combined with appropriate user awareness.
  • An incident management process shall be established to correctly identify, contain, investigate, and remediate incidents that threaten the security or confidentiality of Accushield’s information assets.
  • Accushield shall develop and maintain a vendor management process for third-party vendor engagement and assessment.
  • Change and vulnerability management controls shall be established and implemented.

4.0 Roles and Responsibilities

4.1 Accushield Board of Directors

The Board of Directors shall be independent of management and provide oversight and direction for Accushield’s Information Security Program. Their responsibilities will include, but are not limited to:

  • Ascertaining that there is transparency regarding the significant risks facing Accushield.
  • Obtaining assurance that management has established responsibilities, processes and technology for an effective Information Security Program.
  • Using the output of any Information Management Program assessment to assist in risk management decisions to secure Accushield’s information assets.

4.2 Accushield Executive Management

Executive Management shall provide direction and management support to employees with information security responsibilities at Accushield. The Executive Management team shall report on the overall information security and business continuity program to Accushield’s Board.

Executive Management’s responsibilities shall include:

  • Defining and aligning the scope of the Information Security Program with Accushield’s business requirements and security best practices and standards.
  • Ensuring that information security responsibilities have been assigned and are sufficient to comply with the Information Security Program, including:
    • Overseeing the Information Security Program implementation and security improvement initiatives.
    • Preparing security awareness training material and conducting periodic information security training.
    • Planning and performing periodic Information Security Program assessments and communicating the results to Executive Management.
    • Performing analysis of security incidents and recommending, initiating or tracking corrective actions as applicable.
    • Identifying the subject matter expertise needed to improve information security defenses.
  • Reviewing any reports of the Information Security Program implementation status or assessments.
  • Reporting on the overall information security and business continuity program to Accushield’s Board.
  • Providing guidance and oversight for BCPs and Disaster Recovery Management for Accushield and approving the Disaster Recovery Action Plans documented for implementation.
  • Playing an active role during Accushield’s Risk Assessment exercises and defining risk mitigation strategies.
  • Approving Accushield’s information security policies and any changes to the policies, and ensuring that the overall information security posture is aligned to business requirements and risks.

4.3 Accushield Chief Information Security Officer (CISO)

Accushield has appointed a Chief Information Security Officer (CISO) from the executive team who is responsible for the organization’s information and data security. The CISO’s responsibilities include (but are not limited to):

  • Overall responsibility for implementing and ensuring information security in Accushield and providing leadership to the enterprise’s information security organization.
  • Approving Accushield’s information security policies, as well as changes or amendments to policies, to ensure that the overall information security posture is aligned to business requirements and risks.
  • Monitoring continuous security improvements; reviewing and recommending applicable changes in the security policies and processes.
  • Managing and improving Business Continuity Planning (BCP) and Disaster Recovery (DR) preparedness of the organization.
  • Convening with other members of executive management periodically and reporting on security risks and the organization’s security effectiveness.
  • Advising top management on the standards or best security practices to adopt at the organizational level.
  • Ensuring compliance with changing laws and applicable regulations.
  • Communicating the Information Security policies and security programs to the organization through ongoing security training and awareness.
  • Partnering with business stakeholders across the company to raise awareness of risk management concerns.

4.4 Accushield Information Technology (IT) Security

Accushield has appointed an IT Security Manager who is in charge of overseeing the organization’s security operations. The responsibilities of the IT Security Manager include (but are not limited to):

  • Managing the Security Operations team and developing policies and procedures for hiring new employees and developing new processes.
  • Monitoring compliance which includes internal, external, and regulatory compliance.
  • Ensuring internal and external cybersecurity risk management policies are understood and implemented by both vendors and employees, and, for legal and regulatory compliance, confirming that the organization complies with industry standards and regulations such as ISO, GDPR, SOX, PCI DSS, COPPA, etc.
  • Collaborating with various departments within the organization to reduce risk by ensuring that technical controls and policies are implemented across the organization.

4.4.1 Security Operations Team

The Security Operations team (as a part of the IT Security team) at Accushield is responsible for maintaining security monitoring tools and investigating suspicious activities. The Security Operations team’s responsibilities shall include (but are not limited to):

  • Maintaining all security tools and technology to secure and monitor systems effectively and updating these tools regularly.
  • Monitoring all operations and infrastructure by reviewing alerts and logs to track the organization’s digital security impact.
  • Evaluating new technologies and assisting in the implementation of controls that reduce the risk of operating them.
  • Conducting continuous reviews of policies and controls to determine what needs to be improved or remediated.
  • Liaising with the Incident Management team to ensure that the incident response program is tested throughout the organization and that employees understand their roles in the event of an incident.

4.5 Information Technology (IT) Operations

Accushield has appointed a Chief Technology Officer (CTO) who is responsible for supervising the development and delivery of technology for external customers, vendors, and other clients to improve and expand the business. The IT Operations team responsibilities shall include (but are not limited to):

  • Creating technical requirements for the organization’s strategy to ensure alignment with its business goals.
  • Discovering and implementing new technologies that provide a competitive advantage.
  • Assisting departments in making profitable use of technology.
  • Monitoring the system infrastructure to ensure its functionality and efficiency.
  • Utilizing stakeholder feedback to inform necessary technological improvements and adjustments.

4.6 Human Resources (HR)

The Human Resources team ensures that employees follow security policies designed to protect Accushield, its customers and employees. The HR team responsibilities shall include (but are not limited to):

  • Determining the skills and requirements for positions in information security.
  • Ensuring that employees and contractors are informed of their information security responsibilities and carry them out.
  • Providing information security management direction and support following business requirements and applicable laws and regulations.

5.0 Information Security Policies

This document, along with the rest of Accushield’s information security policies, defines the principles and terms of Accushield’s Information Security Program as well as the responsibilities of users and employees in carrying out and adhering to the respective program requirements.

Violations of Accushield’s information security policies may result in corrective actions and the start of a disciplinary process.

6.0 Communication

Accushield shall have dedicated communication channels to ensure incidents related to personnel security or breach of policies are reported, evaluated and addressed.

Examples of incidents include, but are not limited to:

  • Breach of security policies
  • Discrimination or harassment of employees
  • Occupational Health and Safety hazards
  • Issues with the quality of work or performance
  • Inappropriate conduct in the workplace

Please see Appendix 1 for a list of contacts to report incidents.

7.0 Resolution of Service Issues, Disruptions, Outages, and Security/Privacy Incidents

The supplier shall resolve service issues, disruptions, outages, or security/privacy incidents within the following timelines, based on the severity level of the issue:

  • Critical Issues (e.g., system outages affecting all customers): Resolution or workaround within 4 hours.
  • High-Priority Issues (e.g., significant degradation affecting multiple users): Resolution within 8 hours.
  • Medium-Priority Issues (e.g., partial service interruptions): Resolution within 24 hours.
  • Low-Priority Issues (e.g., non-urgent minor disruptions): Resolution within 5 business days.

8.0 Reimbursement Method for Service Disruptions/Outages

The supplier will make commercially reasonable efforts to maintain an uptime of 99.9%. In the event of service disruptions or outages, the supplier will:

  • Provide a detailed incident report within 5 business days of the issue’s resolution.
  • Work with customers to identify and implement measures to prevent similar disruptions in the future.
  • Offer a reasonable extension of service or additional support resources, at the supplier’s discretion, to address the impact of the disruption.

The supplier does not provide monetary compensation, including service credits or refunds, for downtime but is committed to maintaining reliable service and resolving issues promptly.

Appendix 1

| Category                            | Contact Person | Email Address               | Phone Number |
|-------------------------------------|----------------|-----------------------------|--------------|
| Health and Safety                   | Steve McGuire  | steve.mcguire@accushield.com | 800.478.5085 |
| Human Resource/Disciplinary Actions | Steve McGuire  | steve.mcguire@accushield.com | 800.478.5085 |
| Diversity and Inclusion             | Steve McGuire  | steve.mcguire@accushield.com | 800.478.5085 |
| Employee Feedback                   | Steve McGuire  | steve.mcguire@accushield.com | 800.478.5085 |
| General Emergency                   | Call 911       |                             |              |