
Security Policy

Last Updated: November 16, 2025

1. Introduction

1.1 Purpose

This policy establishes the framework for securing our cloud storage platform and ensures all personnel understand their security responsibilities.

1.2 Scope

This policy applies to all employees, contractors, systems, and data managed by MyWebdav Technologies.

2. Governance and Management

2.1 Information Security Management System (ISMS)

We maintain an ISO/IEC 27001-certified ISMS with regular risk assessments, audits, and continuous improvement.

2.2 Roles and Responsibilities

  • CISO: Oversees security program
  • Security Team: Implements controls and responds to incidents
  • Employees: Follow policies and report incidents
  • Management: Provides resources and enforces compliance

3. Access Control

3.1 Access Management

Access follows the principle of least privilege with multi-factor authentication required for administrative access.

3.2 User Authentication

Strong passwords, regular rotation, and account lockout policies are enforced.

3.3 Remote Access

Secured via VPN with full logging and monitoring.

4. Data Protection and Encryption

4.1 Data Classification

Data is classified as Public, Internal, Confidential, or Highly Sensitive, with appropriate controls for each classification.

4.2 Encryption Standards

  • TLS 1.3 for data in transit
  • AES-256 for data at rest
  • Secure key management and rotation

4.3 Data Retention and Disposal

Data is retained only as necessary and disposed of using secure deletion methods.

5. Network Security

5.1 Network Segmentation

Isolated networks with firewalls, IDS, and regular monitoring.

5.2 Secure Configuration

Hardened systems following CIS Benchmarks.

6. Physical Security

6.1 Facility Access

Controlled access to data centers with biometric authentication.

6.2 Equipment Security

Secure storage in climate-controlled environments.

7. Incident Response

7.1 Incident Response Plan

Comprehensive plan for identification, containment, eradication, recovery, and notification.

7.2 Breach Notification

Incidents are reported within 72 hours (GDPR) or 24 hours (NIS2), as applicable.

8. Secure Development

8.1 Secure Coding Practices

Code reviews, static/dynamic analysis, and vulnerability management.

8.2 Change Management

Formal approval processes for production changes.

9. Third-Party Risk Management

9.1 Vendor Assessment

Security assessments and contractual requirements for all vendors.

10. Compliance and Auditing

10.1 Regulatory Compliance

Compliance with GDPR, NIS2, and ISO/IEC 27001.

10.2 Audits and Assessments

Annual audits, quarterly penetration testing, and continuous monitoring.

10.3 Training

Mandatory annual security training for all personnel.

11. Enforcement

Compliance is mandatory. Violations may result in disciplinary action up to termination.

Contact Information

If you have any questions about this security policy, please contact us:

  • Email: legal@mywebdav.eu
  • Website: https://mywebdav.eu
  • Address: MyWebdav Technologies, European Union
© 2025 MyWebdav. All rights reserved