Information Security Policy

Purpose and Overview

Humanics Global Advisors LLC (HGA) is committed to protecting the confidentiality, integrity, and availability (CIA) of its digital platform, systems, and all sensitive data it handles. This Information Security Policy establishes the rules and controls by which HGA will safeguard information assets in alignment with industry standards and legal requirements. It sets forth how HGA ensures confidentiality (limiting access to authorized individuals and preventing data breaches)[1], maintains integrity (preventing unauthorized alteration of systems or data and ensuring accuracy)[2], and upholds availability (making sure systems and data remain accessible for business needs even in adverse events)[3]. The policy is designed to meet or exceed the standards of ISO/IEC 27001 and the NIST Cybersecurity Framework, and to ensure compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Scope and Applicability

This policy applies to all personnel who access HGA’s information systems or data, including internal HGA employees, external consultants, contractors, and third-party vendors who provide services or have access to the Humanics Global Advisors Digital Platform or related information. It covers all digital assets of HGA (servers, databases, networks, applications, and devices) as well as any sensitive or confidential data processed by HGA. All users and partners are expected to understand and abide by these policies as a condition of employment, contract, or partnership with HGA. Violations may result in disciplinary action, contract termination, or other legal remedies as appropriate.

Policy Maintenance: HGA’s executive management is responsible for approving this policy and any updates. The policy shall be reviewed at least annually, or whenever significant changes occur in our business or threat environment, to ensure continued effectiveness and compliance with evolving regulations and standards. Updates to the policy will be version-controlled and communicated to all relevant parties. All staff and associated third parties must acknowledge and adhere to the latest version of this policy.

1. Governance & Security Roles

Information Security Governance: HGA maintains an information security management system (ISMS) aligned with ISO/IEC 27001 principles. This includes a framework of policies, procedures, and controls designed to manage risk and protect HGA’s information assets. Top management demonstrates support for information security by allocating sufficient resources and by regularly reviewing security objectives and risk assessments. Cybersecurity risk management is integrated into organizational processes, following the NIST Cybersecurity Framework’s “Identify, Protect, Detect, Respond, Recover” model to ensure a comprehensive approach. A risk assessment will be conducted periodically to identify threats and vulnerabilities to HGA’s digital platform and data, and appropriate risk treatment plans will be implemented.

Roles and Responsibilities: Clear roles and responsibilities for security are defined to ensure accountability throughout the organization:

  • Executive Management: Ultimate accountability for information security rests with HGA’s leadership. Management approves the security policy, sets risk appetite, and ensures that security and privacy are prioritized in business decisions. They provide the authority and support for implementing security controls and ensure compliance with legal/regulatory obligations.
  • Chief Information Security Officer (CISO) / Security Officer: The CISO (or designated Security Officer) is responsible for developing, implementing, and enforcing information security policies and procedures. This role oversees risk assessments, security audits, incident response, and compliance efforts. The Security Officer reports to executive management on the security program’s status and any incidents or issues. They also coordinate with the Data Protection Officer on privacy matters (if a separate DPO is designated).
  • Data Protection Officer (DPO): If appointed, the DPO oversees GDPR and privacy compliance. The DPO’s role is to monitor adherence to data protection policies and procedures, advise on privacy obligations, and act as a liaison with data protection authorities as required by GDPR. (In smaller scope, the CISO or another manager may fulfill this function.) HGA acknowledges its obligation to handle personal data lawfully and has designated personnel to ensure compliance with GDPR and CCPA requirements[4].
  • IT Systems Manager / Administrators: The IT System Manager and system administrators are responsible for the secure configuration and maintenance of HGA’s digital platform and infrastructure. They implement technical security measures (firewalls, encryption, access controls) and perform regular system updates and patch management. They are charged with security oversight of the platform, implementing and monitoring security protocols to protect data and users, and addressing any potential threats or breaches that arise[5]. Administrators also review security event logs and reports to detect anomalies[6].
  • Employees and Consultants: Every HGA employee, consultant, and authorized user of HGA systems has a responsibility to follow this Information Security Policy and related guidelines. Users must safeguard the information and assets they use, comply with all access and usage rules, protect passwords and sensitive data, and promptly report any suspicious incidents. They are required to complete security training and to uphold confidentiality and data protection agreements. No employee or consultant is exempt from these requirements.
  • Third-Party Vendors and Service Providers: Vendors, contractors, or partner organizations with access to HGA’s systems or data must adhere to security and privacy requirements equivalent to those required of HGA’s internal staff. All third parties are expected to sign agreements that include confidentiality, data protection, and compliance obligations consistent with HGA’s policies[7]. Where applicable, vendors must also maintain adequate security practices and insurance coverage (e.g. liability and cyber insurance) commensurate with the risk they present[8]. HGA will conduct due diligence and security risk assessments of vendors (see Section 6) and ensure contractual rights to audit or monitor vendor security controls as needed.
  • Information Security Committee: HGA may establish an internal security committee or working group with representatives from key departments (IT, legal, HR, etc.) to periodically review security status, discuss incidents or needed improvements, and ensure cross-functional coordination on security matters. This committee, if formed, would report to the CISO and management, helping to govern the implementation of the ISMS and foster a culture of security.

Each individual covered by this policy is expected to understand their specific responsibilities and to seek guidance from the Security Officer or management if any requirements are unclear. By assigning these roles and governance structures, HGA ensures that information security is managed proactively and that accountability is maintained at all levels.

2. Access Control Policy

HGA will enforce strict access controls to ensure that only authorized individuals can access systems and data, in accordance with the principle of least privilege and zero-trust practices. Access to the HGA Digital Platform and related systems is granted based on role and business need, and must be approved, documented, and regularly reviewed.

User Account Provisioning: All user accounts (for employees, consultants, or vendors) must be requested and approved through a formal process. An authorized manager must approve new access requests, specifying the level of access required. Accounts are created by the IT Administrator or System Manager only after approval and are tied to unique user IDs (no shared accounts are permitted). Users are granted access solely based on their role or job function, ensuring they can only reach information and functions necessary for their duties[9]. Elevated or administrative privileges are restricted to the minimum number of personnel necessary and require executive approval.

Authentication – Passwords and Multi-Factor: All user access to HGA systems must be authenticated with strong controls.

  • Password Policy: Users must choose strong passwords in line with HGA’s password standards (minimum length, mix of characters, no common or known-breached words). Passwords must never be shared, and HGA passwords must not be reused on personal or external accounts. The system enforces these rules at password creation and will periodically prompt users to update their passwords; a password must also be changed immediately whenever it is suspected to have been compromised[10]. Passwords are stored only as salted, slow one-way hashes (for example bcrypt, scrypt, Argon2 or PBKDF2) and never in plain text or under reversible encryption. Default passwords on any system or application must be changed immediately upon installation.
  • Multi-Factor Authentication (MFA): HGA requires MFA for all interactive access to the Digital Platform and other sensitive systems; every user login must present a second factor in addition to the password[11]. Acceptable second factors include authenticator apps, hardware tokens, or biometric methods, as approved by IT. SMS and email one-time codes may be approved as a fallback, but they are weaker (they can be intercepted through SIM swapping or a compromised mailbox) and should not be the primary factor for administrative accounts. Users must enroll at least one second-factor device during onboarding.
  • Session Management: User sessions will time out after a period of inactivity to reduce risk of unauthorized use. Access to critical systems requires re-authentication if the session is idle beyond the defined threshold.

Access Reviews and Revocation: HGA will regularly review user access rights (at least quarterly or upon role changes) to confirm that each user’s access remains appropriate. Managers and the Security Officer will certify user access levels and adjust or remove privileges that are no longer needed. Critically, when any staff or consultant leaves HGA or a contract is terminated, their access to all systems must be revoked promptly (generally within 24 hours)[12]. Access removal in a timely manner is mandatory for security and compliance – failure to do so could result in security risks and audit findings[12]. Likewise, if a user’s role changes or they no longer require certain system privileges, their access must be adjusted immediately to reflect current needs. The IT team shall maintain procedures to rapidly deactivate accounts, including remote VPN accounts, cloud service credentials, and building access badges, as part of the employee off-boarding process.

Least Privilege and Need-to-Know: All systems and data follow a need-to-know policy. By default, new users have no access until access is explicitly granted. Each system or application should have role-based access controls such that users see only the data and functions required. Where feasible, granular permissions are used to segregate duties (for example, development, testing, and production system access are separated among different personnel to prevent conflicts of interest). Administrative access (such as server or database admin rights) is limited to system administrators and is not used for day-to-day business tasks.

Access Accountability: Users are accountable for actions taken with their credentials. All access events (login, logout, data retrieval, changes) should be logged with user ID and timestamp. Users must never use another person’s credentials or allow others to use theirs. Shared generic accounts are prohibited; in rare cases where a shared account is technically necessary, it must be approved by the CISO and tracked closely. Periodic audits of accounts and permissions will be conducted to detect any dormant or unnecessary accounts, which will be promptly disabled.
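As an added illustration of the access review and revocation requirements above (this is example code, not an HGA procedure), the script below joins a directory export with an HR termination feed and produces the findings a quarterly review or a nightly job would act on: accounts that are still enabled after the user’s last working day, accounts that were provisioned but never used, and dormant accounts, with privileged ones ranked higher. The account data, the HR feed, the 90-day dormancy threshold and the 24-hour revocation window are all constructed or assumed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never been used
    privileged: bool


# Constructed sample data standing in for an identity-provider export and an HR
# termination feed. Names and dates are invented for the example.
REVIEW_DATE = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", True, date(2024, 5, 30), False),
    Account("bob", True, date(2024, 1, 4), True),        # admin with no login for months
    Account("carol", True, date(2024, 5, 29), False),    # left the company per HR
    Account("dave", True, None, False),                  # provisioned but never used
    Account("erin", False, date(2023, 2, 1), True),      # already disabled: nothing to do
    Account("svc-backup", True, date(2024, 5, 31), True),
]
HR_TERMINATIONS = {"carol": date(2024, 5, 28)}  # user_id -> last working day


def review_accounts(accounts, hr_terminations, today, dormant_days=90,
                    revoke_within=timedelta(hours=24)):
    """Return (user_id, finding, severity) tuples for enabled accounts needing action.

    Rules, in priority order:
      * user reported as terminated by HR but account still enabled -> critical,
        reported as 'terminated_revocation_overdue' once the revocation window has passed
      * account that has never logged in -> medium (likely provisioned in error)
      * account idle longer than dormant_days -> high if privileged, else medium
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        last_day = hr_terminations.get(acct.user_id)
        if last_day is not None:
            overdue = (today - last_day) > revoke_within
            finding = "terminated_revocation_overdue" if overdue else "terminated_still_enabled"
            findings.append((acct.user_id, finding, "critical"))
            continue
        if acct.last_login is None:
            findings.append((acct.user_id, "never_used", "medium"))
        elif (today - acct.last_login).days > dormant_days:
            findings.append((acct.user_id, "dormant", "high" if acct.privileged else "medium"))
    return findings


def run_review():
    """Run the review over the constructed sample data as of REVIEW_DATE."""
    return review_accounts(ACCOUNTS, HR_TERMINATIONS, REVIEW_DATE)
```

Running the HR join daily rather than quarterly is what makes the 24-hour revocation target measurable: a "terminated_revocation_overdue" finding is exactly the audit exception the policy warns about.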

Access to Sensitive Data: Access to especially sensitive data (such as personal data, client confidential information, or financial records) may require additional controls. This can include restricting such data to a secure network zone, requiring MFA at each access, or requiring managerial authorization per access. For example, administrative access to production databases with personal data is tightly controlled and logged. Wherever practical, production sensitive data is masked or anonymized in lower environments to limit exposure.

By implementing these access control measures, HGA ensures that users have appropriate access and that the risk of unauthorized access or insider misuse is minimized. All employees and partners must cooperate with access control protocols and promptly report any known or suspected weaknesses in access management.

3. Network & Application Security Policy

HGA will protect its networks, servers, applications, and data through robust technical security controls. The objective is to prevent unauthorized access, detect threats, and maintain a secure configuration of all technology assets throughout their lifecycle, consistent with the NIST “Protect” function and the ISO/IEC 27001 Annex A controls. Key aspects of the network and application security policy include:

Network Security Controls: All HGA networks, including cloud-based networks and on-premises office networks, are secured by appropriate perimeter and internal controls.

  • Firewalls and Segmentation: Network firewalls are deployed at key points (e.g., between the public internet and HGA’s internal systems, and between different internal network segments) to block unauthorized traffic and attacks. Inbound traffic to the HGA Digital Platform passes through firewall filters and, where applicable, a web application firewall (WAF) to inspect for malicious payloads. Internal network segments are segregated based on sensitivity (for instance, the database servers are on a separate VLAN with restricted access). Firewall rules are reviewed regularly to ensure they are least-permissive necessary. Changes to firewall configurations follow change management procedures.
  • Encryption in Transit: All data transmitted over networks must be encrypted to protect confidentiality and integrity. HGA’s applications enforce transport encryption using industry-standard protocols (TLS 1.2 or 1.3 for web traffic). This includes encryption of all web communications on the Digital Platform (HTTPS is mandatory) and secure communication for any APIs or integrations. TLS is used for all sensitive data in transit, including personal information and financial data[13]. Encryption configurations are kept up to date so that deprecated protocols and algorithms are not offered (no SSL 2.0/3.0 or TLS 1.0/1.1, and no weak cipher suites such as those based on RC4, 3DES or export-grade keys).
  • Encryption at Rest: Sensitive data stored in HGA systems is encrypted at rest to mitigate the risk of data compromise if storage media or databases are accessed without authorization. HGA uses strong encryption algorithms (such as AES-256) to encrypt databases, file storage, and backups containing confidential or personal data[14]. For cloud storage (e.g., documents uploaded to the platform), data is stored in encrypted form (leveraging AWS S3 server-side encryption with access controls)[15]. Encryption keys are managed securely, with restricted access to key management systems and periodic key rotation as appropriate.
  • Secure Network Configuration: Default passwords, SNMP community strings, and other vendor default settings on network devices are changed upon installation. Unnecessary services and ports are disabled to reduce attack surface. Up-to-date network diagrams and asset inventories are maintained to understand the environment. All network devices (routers, switches, firewalls) run current firmware and updates to protect against known vulnerabilities.

Application Security and Secure SDLC: HGA integrates security into its software development lifecycle for the Digital Platform and any custom applications.

  • Secure Coding Practices: Developers must follow secure coding guidelines (such as OWASP Top 10 recommendations) to prevent common vulnerabilities (like SQL injection, XSS, CSRF, etc.). Code reviews are conducted for security implications, and critical code changes undergo peer review or approval by senior developers. HGA encourages use of static application security testing (SAST) tools to scan source code for vulnerabilities and coding errors.
  • Vulnerability Scanning and Patching: The IT security team performs regular vulnerability scanning of HGA’s websites, applications, and network devices to identify known weaknesses. At minimum, monthly automated scans are run on externally facing systems, and quarterly on internal systems, with prompt remediation of any high-risk findings. In addition, penetration testing by independent experts is conducted periodically (at least annually and after major changes) to probe for vulnerabilities in the digital platform[16]. HGA maintains a patch management program: security patches for operating systems, databases, and applications are evaluated and applied in a timely manner based on severity. Critical patches (e.g., those fixing actively exploited or high-severity vulnerabilities) are applied as soon as feasible, ideally within days. Less critical updates are scheduled in regular maintenance windows. All systems are configured to regularly update anti-malware definitions and other security signatures.
  • Secure Configuration and Hardening: Servers (whether cloud VMs or on-premises) are hardened to CIS benchmark or equivalent standards. This includes disabling unnecessary services, enforcing strong authentication, limiting administrator/root access, and logging administrative actions. Application configurations (for the HGA Digital Platform) are set to secure defaults – for example, error messages do not reveal sensitive stack traces, and debug interfaces are disabled in production. The principle of least functionality is applied (systems provide only the necessary services to fulfill their role).
  • Cloud Security: The HGA Digital Platform leverages cloud services, and HGA ensures cloud resources are securely configured. Administrative access to cloud consoles is limited and protected with MFA. Cloud storage buckets (such as the Amazon S3 buckets for document storage) are private, encrypted, and access-logged[15]. Network security groups and virtual firewalls are used to restrict access to cloud servers. HGA uses available cloud security services (e.g., AWS security monitoring) to augment its security posture. We regularly review cloud configurations for compliance with best practices and to ensure no accidental public exposure of data.
  • Endpoint Protection: All HGA-managed endpoints (laptops, workstations, mobile devices) used by staff to access the platform must have up-to-date security software. This includes anti-virus/anti-malware protection, host-based firewalls, and where possible, endpoint detection and response (EDR) agents to detect suspicious behavior. Systems are configured to receive automatic updates for operating systems and applications. Employees are not given local admin rights on corporate laptops unless necessary, to prevent unauthorized software installation.
  • Malware Defense: Email and web security gateways are employed to block malware, phishing, and other threats at the perimeter. All attachments and downloads may be scanned. Users are instructed not to bypass these controls.
  • Change Control: Changes to network infrastructure or core applications must follow a change management process that includes assessing security impact and potential risks. Significant changes are reviewed by the Security Officer or a designated change advisory board. Emergency changes must be documented and reviewed post-implementation.
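The firewall, encryption-at-rest and cloud security controls above are the kind of settings that drift and are best verified by a script rather than by inspection. The following is an added example (not HGA’s tooling) of such a review: it takes security group and S3 bucket configuration in the shape returned by the AWS APIs and reports administrative ports open to the whole internet, buckets without the public access block or default encryption, and bucket policies that grant anonymous access. The resource identifiers and the list of "administrative" ports are assumed for the example; a real job would fetch the configuration with the AWS SDK instead of embedding it.

```python
import ipaddress
import json

# Ports that must never be exposed to the whole internet. Assumed list for the
# example: SSH, RDP, and the MySQL/PostgreSQL listeners.
ADMIN_PORTS = (22, 3389, 3306, 5432)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed inputs in the shape of the JSON returned by the AWS APIs
# (ec2 describe-security-groups, s3api get-public-access-block,
# get-bucket-encryption, get-bucket-policy). All identifiers are invented.
SECURITY_GROUPS = [
    {"GroupId": "sg-0bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},           # SSH open to the world
    ]},
    {"GroupId": "sg-0good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},          # SSH from the VPN range only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # public HTTPS
    ]},
]
BUCKETS = {
    "hga-docs-bad": {  # no public access block, no default encryption, anonymous read
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hga-docs-bad/*"}]}),
    },
    "hga-docs-good": {
        "PublicAccessBlock": {flag: True for flag in PAB_FLAGS},
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::hga-docs-good/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    },
}


def _rule_covers_port(rule, port):
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic"
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def check_security_group(sg):
    """Flag rules that let any internet address reach an administrative port."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue         # only 0.0.0.0/0 and ::/0 count as "the internet" here
            for port in ADMIN_PORTS:
                if _rule_covers_port(rule, port):
                    findings.append(f"{sg['GroupId']}: {cidr} can reach port {port}")
    return findings


def _is_anonymous(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(name, cfg):
    """Flag a bucket that is not private, not encrypted by default, or anonymously readable."""
    findings = []
    pab = cfg.get("PublicAccessBlock", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"{name}: public access block setting {flag} is off")
    if not cfg.get("ServerSideEncryptionConfiguration"):
        findings.append(f"{name}: no default server-side encryption configured")
    for st in json.loads(cfg.get("Policy", "{}")).get("Statement", []):
        # An unconditional Allow to "*" is public; a Deny to "*" (as in the
        # SecureTransport rule) is a hardening statement and is not flagged.
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")) and not st.get("Condition"):
            findings.append(f"{name}: statement {st.get('Sid', '<no Sid>')} grants anonymous access")
    return findings


def run_checks():
    """Run both checks over the constructed sample configuration."""
    return {
        "security_groups": [f for sg in SECURITY_GROUPS for f in check_security_group(sg)],
        "buckets": [f for name, cfg in BUCKETS.items() for f in check_bucket(name, cfg)],
    }
```

The HTTPS rule open to 0.0.0.0/0 on sg-0good is deliberately not reported: the point of the check is least-permissive rules for administrative and database ports, not a blanket ban on internet-facing services.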

By enforcing these network and application security controls, HGA aims to prevent breaches and ensure that the digital platform operates securely. These measures align with NIST’s Protect function and ISO 27001 control requirements (such as network security, cryptography, system acquisition/development security). All technical personnel are expected to implement and maintain these controls, and all users must do their part by adhering to secure practices (e.g., not circumventing protections).

4. Device and Acceptable Use Policy

This section outlines the acceptable use of HGA’s information resources and the requirements for devices (company-issued or personal/BYOD) that access HGA systems. The goal is to ensure that all devices are used in a secure manner and that users understand their responsibilities to use HGA resources ethically and safely.

Acceptable Use of Company Systems:
All HGA provided IT resources (including laptops, mobile devices, email, internet access, and the Digital Platform itself) are to be used for legitimate business purposes in serving HGA’s mission and clients. Incidental personal use is permitted provided it does not interfere with work duties, incur significant cost, or violate any policies or laws. Users must not use HGA systems to engage in any activity that is illegal, unethical, or could harm HGA, including but not limited to:

  • Prohibited Activities: Users shall not deliberately access, create, download, or distribute any content that is defamatory, harassing, obscene, discriminatory, or infringing on intellectual property rights. Use of HGA networks or devices to harass, threaten, or impersonate others is strictly forbidden. Users must not engage in any actions that would degrade system performance or deny services to others (e.g., no introduction of malware, no mass emailing that disrupts servers, etc.). It is also forbidden to use HGA resources for personal commercial gain or political campaigning.
  • No Unauthorized Software or Devices: Installation of software on HGA computers or servers must be approved by IT. Users may not install or run unapproved programs or utilities that could compromise security (for example, hacking tools, file sharing programs, or unlicensed software)[17][18]. Likewise, only authorized and IT-provisioned devices may be connected to HGA’s internal network. The use of personal USB drives or storage media on company systems is discouraged and, if needed, such media must be scanned for malware. Any device brought into HGA offices (including IoT devices) requires IT permission before it is connected to the network.
  • Data Handling: Users must treat all company and client data as confidential unless classified otherwise. Sensitive information (including personal data about individuals, HGA’s business plans, client deliverables, etc.) should not be emailed or transferred to unauthorized recipients. Users should use HGA-provided secure storage and communication tools for sensitive data – for example, using company OneDrive/SharePoint or the secure Digital Platform storage for project files, rather than consumer cloud services. Printing of sensitive data should be minimized and never left unattended. Any hardcopy containing confidential information must be stored securely and shredded when no longer needed.
  • Internet and Email Use: Internet access from HGA systems is provided primarily for business use. Users should not browse to risky or non-business websites that might introduce malware. HGA may employ content filtering to block known malicious sites or inappropriate content. Company email must be used responsibly – no sending of company data to personal email accounts, and no clicking on suspicious email links or attachments (users are trained to recognize phishing attempts). Users should exercise caution and verify legitimacy of unexpected emails, especially those requesting sensitive info.

Bring Your Own Device (BYOD) Usage:
HGA recognizes that consultants or staff may at times use personal devices to access HGA email or systems. Any personal device used for HGA business must meet the following security requirements to protect HGA data:

  • Device Security Requirements: The device (whether a laptop, smartphone, or tablet) must have up-to-date operating system and application patches. It must be protected by a strong passcode or biometric lock. Full disk encryption should be enabled on any device that stores HGA sensitive data (e.g., laptops should use BitLocker or FileVault, mobile devices should have device encryption enabled). The device must have anti-malware protection if applicable and should not be “jailbroken” or rooted (as that undermines security). Users are expected to only install reputable applications and must avoid installing software from untrusted sources on devices used for work.
  • Company Control and Monitoring: As a condition of connecting to HGA resources, the user consents to certain management of their BYOD device. HGA reserves the right to require installation of a mobile device management (MDM) profile or similar security management tool on personal devices that access company email or files. This allows HGA to enforce security settings (such as requiring device encryption and screen lock) and to remotely wipe company data if the device is lost or compromised. HGA will not access personal data on BYOD devices beyond what is necessary for security (e.g., it can see device model and compliance status, but will not surveil personal content). Employees/consultants must promptly comply with any IT administrator requests to update device settings or apps for security.
  • Secure Access and Use: When using a personal device for HGA work, users must ensure they access company systems through secure methods (such as the approved VPN or secure web portal with MFA). Company data should not be stored locally on personal devices unless absolutely necessary; if it is, it must be encrypted and deleted as soon as possible. Users must never save HGA passwords in plaintext on personal devices or share them. If a personal device is used to download or create HGA-related files, those files should be transferred to an approved HGA repository as soon as feasible and removed from the personal device.
  • Lost or Stolen Device Reporting: Users must immediately report to IT if a device (company-issued or BYOD) that has access to HGA systems or data is lost, stolen, or suspected to be compromised. IT may perform a remote wipe of company information on the device to protect data (for BYOD, personal data would typically not be touched, but company email or files might be wiped). Prompt reporting is critical so that HGA can take steps to disable credentials or remote-wipe data before any unauthorized access occurs.

Physical Security and Use of Devices:
Users should also physically secure devices to prevent theft or shoulder-surfing of information. Portable devices like laptops must not be left unattended in public places; they should be locked in secure cabinets or kept on person when traveling. At the office, users should lock their computer screens (Windows key + L, Control-Command-Q on macOS, or equivalent) when stepping away from their desk to prevent misuse. All HGA equipment remains the property of HGA and must be returned upon request or at end of employment/contract. No one shall remove company-owned equipment from premises without authorization (except portable devices issued for remote work).

Furthermore, users should not connect to public Wi-Fi networks with HGA devices unless using a company VPN, due to the risk of eavesdropping. If printing sensitive documents, retrieve them immediately from the printer. Any violation of these acceptable use rules, or any use of devices that puts HGA data at risk, should be reported and may result in loss of BYOD access or other sanctions.

By following this Device and Acceptable Use Policy, users help maintain the integrity and security of HGA’s information. All users are required to read and acknowledge this policy, and attend security awareness training that reinforces these guidelines. HGA may monitor network and device activity for compliance (in line with applicable laws and with respect for privacy) and will investigate any suspected misuse.

5. Remote Access Policy

As HGA staff and consultants frequently operate in various locations, secure remote access to HGA’s systems is essential. This policy establishes requirements for safely connecting to HGA networks and resources from outside of HGA’s physical offices. The goal is to prevent unauthorized remote access and protect data that is transmitted over public networks.

Authorized Remote Access Methods: Remote access into HGA’s internal network or confidential systems is only permitted through company-approved secure methods. The primary method is HGA’s Virtual Private Network (VPN), which provides an encrypted tunnel for network traffic. Users must use the VPN to access any internal systems or the management interfaces of the HGA Digital Platform when outside the trusted office network. The VPN requires MFA (e.g., user credentials plus an authenticator app code). In some cases, HGA may provide a secure remote desktop or VDI (Virtual Desktop Infrastructure) solution; use of those must likewise be protected with strong authentication. Direct remote desktop access or port forwarding from the internet is not allowed; such access must go through the VPN or another approved secure gateway.

User Authentication and Access Control: All provisions of the Access Control Policy (Section 2) apply to remote connections. Users must log in with their individual credentials and MFA; shared or generic remote access accounts are prohibited. Idle remote sessions are configured to time out and disconnect after a defined period to reduce risk. Remote login attempts are logged and monitored. Repeated failed login attempts trigger a temporary account lockout and alert the security team to a possible brute-force attack; lockout thresholds and durations are chosen so that an attacker who merely knows usernames cannot trivially lock legitimate users out.

Device Requirements for Remote Access: Only trusted devices should be used for remote access. Ideally, users will use HGA-issued laptops with full security controls for remote work. If personal/BYOD devices are used to initiate VPN or other remote sessions, they must meet the security criteria outlined in Section 4 (updated OS, anti-malware, encryption, etc.). HGA may restrict VPN access to known devices or require additional authentication for new devices. The IT team maintains the right to inspect devices (or require an attestation of device security) before granting them network access. Connections from devices that do not meet security standards (e.g., outdated software or detection of malware) may be blocked.

Secure Remote Work Practices: Users connecting remotely must ensure they work in a secure environment. When accessing HGA systems from home or public spaces, users should be mindful of who might observe their screen or communications. Use privacy screens or position yourself to avoid shoulder-surfing of sensitive data. Avoid discussing confidential information on calls in public areas where you might be overheard. Public computers (e.g., at kiosks or libraries) must never be used to log into HGA accounts, as their security cannot be trusted. Public or unsecured Wi-Fi networks (like coffee shops, airports) carry risks; users must always activate the VPN before accessing HGA email or data over such networks to ensure encryption of traffic.

All remote access must also comply with HGA’s policies on data handling. For example, downloading sensitive files while remote should be minimized; where possible, work on files directly on HGA’s secured systems rather than downloading to a local machine. If local copies are necessary, they should be properly encrypted and deleted when no longer needed. Users should report any lost or stolen devices immediately as per the Device Policy, since those pose a risk to remote access channels.

Administrative Remote Access: Administrative personnel (IT admins, developers, etc.) who need remote access to servers or cloud infrastructure must use additional safeguards. This may include jump hosts/bastion servers configured with hardened security for all admin access. Admin remote logins must use key-based authentication (SSH keys or short-lived certificates) in addition to MFA; password-based SSH logins to these hosts are disabled, and private keys must be protected (stored encrypted, never shared, and never committed to source repositories). Direct administrative access via remote protocols (SSH, RDP) from the internet is disallowed; it must transit through the VPN or an approved bastion service. All such sessions must be logged in detail. Administrative actions performed remotely on critical systems should have an accompanying change ticket or approval record.

Monitoring and Controls: HGA will monitor remote access endpoints for unusual activity. This includes monitoring VPN login records for anomalous times, locations, or durations. Any remote access from foreign locations or unknown IP addresses may be flagged for verification to ensure it’s authorized. The security team may employ intrusion detection on VPN connections to spot signs of compromise. We also ensure that after termination of an employee/consultant, their VPN and remote access accounts are promptly disabled (as noted in Section 2). Periodic audits of active remote access accounts and logs will be performed to verify that all active accounts are expected and being used appropriately.

By adhering to this Remote Access Policy, HGA ensures that flexibility in work location does not come at the expense of security. Employees and consultants are expected to follow these guidelines diligently. Any questions or exceptions regarding remote access must be reviewed and approved by the Security Officer and documented (for instance, if a certain project requires a special remote connectivity setup, it must go through a risk evaluation and approval). Failure to comply with remote access requirements could result in suspension of remote privileges or other disciplinary measures.

6. Third-Party and Vendor Security Policy

HGA relies on third-party vendors, service providers, and independent consultants for various services, but it retains responsibility for protecting its data even when handled by these external parties. This policy establishes how HGA manages the security of third parties and ensures that vendors uphold security standards and legal requirements (including GDPR/CCPA) when they interact with HGA’s systems or data. The scope includes software/SaaS providers, data hosting providers, outsourced IT services, consultants on the platform, and any other third party with access to HGA information.

Vendor Security Due Diligence: Before onboarding a new vendor or service provider who will handle sensitive information or provide critical services, HGA will perform a security due diligence assessment. This involves evaluating the vendor’s information security posture – for example, by sending a Vendor Security Checklist or questionnaire (see Appendix B) and reviewing their responses. HGA will examine whether the vendor has appropriate security policies (e.g. an information security program, access controls, incident management), relevant certifications or audits (such as ISO 27001 certification or SOC 2 reports), and compliance with privacy laws (GDPR, CCPA if applicable). The vendor’s reputation and any past security breaches will also be considered. Only vendors that meet HGA’s security requirements or are willing to remediate identified gaps can be engaged.

Contractual Security Requirements: All contracts or service agreements with third parties must include appropriate security and privacy clauses to protect HGA. At minimum, vendors must sign confidentiality/non-disclosure agreements to safeguard any HGA data they receive. Vendors that process personal data on HGA’s behalf will be required to sign Data Processing Agreements (DPAs) where required by GDPR, binding them to GDPR-equivalent data protection obligations. Contracts will specify that the vendor must implement appropriate technical and organizational measures to protect HGA data, and may reference specific standards (e.g., requiring encryption, access control, sub-vendor management, breach notification, etc.). Third parties shall agree in writing to adhere to HGA’s confidentiality, compliance, and security requirements[7], including any export control rules if relevant (no vendor may expose HGA data to sanctioned countries or persons). For consultants or subcontractors that HGA engages, HGA’s standard consultant agreement terms (which include confidentiality and data protection clauses) shall apply; any subcontractor engaged by a consultant must similarly agree to those obligations[7].

HGA also includes in contracts the requirement for vendors to notify HGA promptly in the event of any security incident or data breach affecting HGA’s data. This mirrors HGA’s own obligation to report breaches and ensures timely communication (usually within 24-72 hours of discovery, per GDPR and good practice). Additionally, HGA reserves the right to audit or request evidence of the vendor’s compliance. Contracts may allow HGA to perform security audits or penetration tests on the vendor’s environment, or to review the vendor’s audit reports/certifications. Vendors are expected to cooperate with HGA’s compliance inquiries and remediate any identified security issues.

Least Privilege for Vendors: Vendor and partner access to HGA systems or data will be limited to the minimum necessary. If a vendor is given an account on HGA’s systems (for example, a support vendor needing access to a server), a dedicated account with least privilege permissions will be created, and it will be disabled when not actively in use. Vendor accounts must also use MFA when supported. If a third party requires access to production data for troubleshooting, wherever possible the data should be sanitized or a supervised session used rather than granting broad access. All vendor access should be time-bound – enabled only for the duration needed. Vendor activities on HGA systems should be logged and subject to review.

Vendor Oversight and Monitoring: HGA will maintain an inventory of its third-party service providers, especially those with access to sensitive data (often referred to as a vendor register). Each vendor in the inventory will have an assigned risk level (e.g., high, medium, low) based on the nature of access and data sensitivity. Higher-risk vendors will be reviewed more frequently. HGA may conduct annual security reviews of key vendors, which could include sending updated questionnaires or requiring up-to-date compliance attestations. For cloud or SaaS providers, HGA will monitor announcements of security issues and ensure patches or mitigations are applied (in coordination with the provider). Where feasible, contractual provisions will allow HGA to terminate the relationship if the vendor is found to have inadequate security or experiences a serious breach.

Third-Party Personnel: Vendors must ensure their employees who handle HGA engagements are trustworthy. HGA expects that vendors perform background checks on staff if they will have substantial access to sensitive data. Vendors should also provide security awareness training to their relevant staff, similar to HGA’s own training standards. In certain cases, HGA might require vendor staff to go through HGA’s security briefing before accessing our systems. All vendor personnel must be uniquely identifiable (no generic logins) when accessing HGA systems so their actions can be attributed.

Supply Chain and Subcontractors: If a vendor uses subcontractors or sub-processors to deliver services involving HGA data, the vendor is required to flow down the same security requirements to those parties. For example, if HGA’s cloud provider engages a data center operator, that operator should meet equivalent standards. Vendors must obtain HGA’s consent for any significant subcontracting that involves HGA data, and must maintain responsibility for any actions of their subcontractors. This ensures that the entire supply chain is secure.

Compliance with Privacy Laws: Third parties who process personal data from HGA (such as consultant personal information or client data on the platform) must comply with GDPR, CCPA, and other applicable privacy laws. This includes honoring data subject rights (if HGA or a data subject requests deletion or access of personal data, the vendor must support this in a timely manner) and applying the required level of protection to personal information. The contract will specify these obligations, and vendors may be asked about their mechanisms for GDPR/CCPA compliance during due diligence.

In summary, HGA will only do business with third parties that demonstrate a commitment to security commensurate with HGA’s own standards. We recognize that third-party risk is a significant component of overall information security risk, and we manage it through careful selection, strong agreements, ongoing monitoring, and the ability to enforce our requirements. Employees who manage vendor relationships must ensure these steps are followed in coordination with HGA’s Security Officer and legal counsel. If any vendor fails to meet our security expectations or experiences a material security failure, HGA will take appropriate action, which may include suspending data sharing, requiring remediation measures, or ultimately terminating the relationship to protect HGA and its clients.

7. Data Privacy and Protection Policy (GDPR & CCPA Compliance)

HGA is dedicated to protecting personal data and ensuring privacy rights are respected in all operations. In handling personal information (whether belonging to consultants, clients, employees, or end-users of the Digital Platform), HGA complies with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This policy describes how HGA safeguards personal data, manages privacy, and meets legal obligations under these frameworks.

Lawful and Fair Processing: HGA will only collect and process personal data for specific, explicit, and legitimate purposes related to its business (such as facilitating consulting engagements, managing client relationships, and administrative requirements). Personal data will be processed fairly and transparently. Individuals whose data is collected (data subjects) will be provided with clear notices about the purposes of collection, the types of data collected, and their rights. For example, HGA’s privacy notice (on its website or platform) will detail how consultant and client data is used and protected, in an easily accessible form. HGA commits to transparency in its privacy policies and user agreements, clearly outlining how user data is used and safeguarded[19]. If any secondary use of data is intended beyond the original purpose, HGA will obtain consent or ensure another lawful basis as required.

Data Minimization and Accuracy: HGA will only collect personal data that is relevant and limited to what is necessary for the stated purposes. Whenever feasible, data will be anonymized or pseudonymized to reduce privacy impact. Personal information in HGA’s records will be kept accurate and up-to-date. Data subjects (such as consultants using the platform) are encouraged to update their information, and HGA will have processes to correct or delete inaccurate data when identified.

Confidentiality and Integrity Protections: In line with the broader security controls described in this policy, HGA implements appropriate technical and organizational measures to safeguard personal data against unauthorized access or disclosure[20]. This includes access controls (only staff with a need-to-know can access personal data), encryption of personal data both in transit and at rest (for instance, storing personal details in encrypted databases)[14], and network security measures to prevent breaches. Personal data is treated as a highly confidential category of information. HGA’s employees and contractors must handle personal data in strict confidence; misuse or unauthorized sharing of personal data is grounds for disciplinary action. Moreover, personal data is considered a special subset of Confidential Information that requires indefinite protection – even after other business confidential data might expire in sensitivity, personal data remains protected[21].

Compliance with GDPR Principles: For personal data subject to GDPR, HGA adheres to its core principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability). Concretely:

  • HGA has identified valid legal bases for processing personal data (e.g., consent from consultants for using their CV data in proposals, or legitimate interests for internal administrative contacts). Where consent is relied on, it is obtained through a clear affirmative action and can be withdrawn.

  • Data Subject Rights: HGA upholds the rights of individuals under GDPR. This includes the right to access (individuals can request a copy of their personal data we hold), right to rectification (correct inaccurate data), right to erasure (“right to be forgotten”, to delete personal data upon request when applicable), right to restrict processing, right to data portability, and right to object to certain processing. HGA’s platform features are designed to facilitate some of these rights (for example, providing users easy access to review their personal profile data, and a mechanism to request account deletion)[22]. Internally, HGA has procedures for handling such requests within the required time frames (typically one month for GDPR requests). We verify the identity of requestors to protect against unauthorized access when fulfilling data requests.

  • Data Transfers: If personal data is transferred across international borders (e.g., between the EU and the U.S.), HGA will ensure adequate safeguards are in place as required by GDPR. This might include using EU Standard Contractual Clauses with service providers or verifying that transfers fall under an approved mechanism. The Consultant Contract explicitly notes consent to transfer personal data internationally as needed for business, in compliance with applicable laws[23].

  • Data Protection by Design and Default: HGA incorporates privacy considerations in the design of its systems (for example, making certain personal fields optional if not strictly needed, or masking data in reports that do not require full detail). By default, only necessary personal data is collected and stored.

Compliance with CCPA Requirements: For personal information of California residents, HGA extends similar rights and protections per the CCPA (and CPRA as amended). This includes:

  • Providing California consumers with notices about the categories of personal information collected and the purposes (often through a website privacy policy).

  • Honoring the right to know (disclosure of what personal data categories have been collected and sold or shared, if applicable, upon request), the right to delete personal information (following a process similar to GDPR erasure, subject to the CCPA’s exceptions), and the right to opt-out of sale of personal information. HGA does not sell personal data to third parties for monetary consideration; if HGA ever shares data in ways that constitute a “sale” under CCPA, it will ensure an opt-out mechanism is in place. We include a “Do Not Sell or Share My Personal Information” link on relevant user interfaces if required.

  • Ensuring that if any personal data of minors (under 16) were ever handled (unlikely in HGA’s business context), we would obtain affirmative authorization as required by CCPA.

  • Non-discrimination: HGA will not discriminate against individuals for exercising their privacy rights (no difference in service or price beyond what the law permits, for example where a difference is reasonably related to the value of the consumer’s data).

Data Retention and Disposal: HGA will retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law or legitimate business needs (such as maintaining records for contracts, compliance, or dispute resolution). We have retention schedules for different categories of data. For example, consultant profile data in the platform may be retained for the duration of the consultant’s engagement plus a reasonable period thereafter; client contract data might be kept for a number of years for legal record-keeping. When personal data is no longer required, HGA will ensure it is securely deleted or destroyed. This includes shredding physical documents and using secure erasure methods for electronic data. Backup data that is older than its retention time will be purged as well, or if immediate deletion is not possible, it will be securely protected until deletion is feasible.

Incident/Breach Notification: In the event that personal data is compromised despite our safeguards, HGA has an incident response plan (see Section 9) which includes specific procedures for handling data breaches. Both Parties (HGA and any consultants/vendors) shall promptly notify each other of any breach or security incident involving the other’s personal data[24]. If a breach meets the threshold for notification under GDPR (likely to result in risk to individuals’ rights) or CCPA (unauthorized access to certain personal data types), HGA will notify the appropriate regulatory authorities (for GDPR, typically within 72 hours of awareness) and affected individuals without undue delay, as required by law. Our notification will include the nature of the breach, the data involved, remedial actions being taken, and advice for individuals to protect themselves, if applicable.

Employee and Contractor Responsibilities: All HGA employees, consultants, and vendors must understand the sensitivity of personal data and are required to follow privacy and security policies. They are only to use personal information for legitimate HGA business purposes and must not disclose it to unauthorized parties. As per our agreements, Consultants also agree to abide by data privacy laws in handling any personal data received from HGA or clients[25]. Regular training (see Section 11) is provided on data protection to ensure awareness of obligations. Any questions on handling personal data should be directed to the Data Protection Officer or Security Officer for guidance.

Privacy Governance and Accountability: HGA’s management acknowledges its accountability under GDPR/CCPA. We document our processing activities (maintaining a Record of Processing Activities as per GDPR Article 30, listing categories of data, purposes, recipients, etc.). Data Protection Impact Assessments (DPIAs) will be conducted for any high-risk processing (such as large-scale use of special category data, though HGA generally avoids processing sensitive personal categories like health, etc.). HGA has appointed individuals responsible for privacy (a DPO or privacy lead) and ensures that privacy compliance is part of our internal audits and reviews. Where required, HGA will comply with oversight from data protection authorities and will readily demonstrate compliance measures (for instance, via our policies like this one, technical security measures, training records, and vendor agreements).

By following this Data Privacy and Protection Policy, HGA not only remains compliant with laws like GDPR and CCPA but also reinforces trust with the individuals whose data we handle. Protecting privacy is integral to HGA’s values and operations, and every member of the organization and its partners plays a role in upholding these standards.

8. Backup and Disaster Recovery Policy

HGA must ensure that its critical data and systems are resilient against disasters, data loss, or other disruptive incidents. This section of the policy describes the approach to data backup and the disaster recovery (DR) planning that together uphold the “Availability” aspect of information security. The goal is to guarantee that HGA can restore normal operations in a timely manner after an adverse event and prevent permanent loss of important information.

Data Backup Strategy: HGA performs regular backups of all critical systems and data. Key databases (such as the Digital Platform database containing consultant profiles, project data, transaction records, etc.) are backed up frequently, with a backup schedule designed to meet our Recovery Point Objectives (RPOs). At a minimum, incremental backups of databases are done daily (or more frequently for high-change systems), and full backups are done weekly. All critical data backups are encrypted and stored securely, either on encrypted backup servers, tapes, or within secure cloud storage, to prevent unauthorized access to backup content[26]. Backup files are protected with access controls so only authorized IT personnel can access or restore them. We utilize a combination of onsite and offsite backups: local backups for quick recovery and offsite/cloud backups to protect against site-wide disasters. For example, production database backups are automatically copied to an offsite cloud storage in a different region. Similarly, important documents and files in the platform’s S3 storage are configured with versioning and periodic snapshot backups.

HGA maintains backups for a defined retention period consistent with business needs and legal requirements. Older backups are rotated out and securely destroyed to manage storage and security. The integrity of backups is tested regularly – IT will perform test restorations of a sample backup at least quarterly to verify that data can be recovered and that backups are not corrupted. Backup logs and reports are monitored to ensure each scheduled backup completed successfully; any failures are addressed immediately.

Disaster Recovery Planning: HGA has a Disaster Recovery Plan (DRP) to address how to restore operations in the event of a major incident (such as a natural disaster, major hardware failure, cyber-attack causing system outage, etc.). The DRP defines our Recovery Time Objectives (RTOs) – the target maximum downtime for critical services – and outlines the processes and resources required to meet them. For the Digital Platform, HGA’s target might be, for example, to recover core platform functionality within 24-48 hours of a catastrophic outage, and to ensure no more than 24 hours of data loss (depending on backup frequency and replication).

Key elements of HGA’s Disaster Recovery include:

  • Infrastructure Redundancy: Where feasible, production systems are built with redundancy. For cloud-based components, this means using multi-AZ or multi-region deployments. For on-premises components, redundancy might include backup power (UPS, generators), duplicate network connections, and failover hardware.

  • DR Sites / Cloud Failover: HGA maintains the ability to operate from a secondary location if the primary data center or cloud region fails. This could involve spinning up our platform in an alternate cloud region using the latest backups. Critical business applications have documented procedures for re-deployment or activation in the DR environment. For example, if Region A of the cloud is down, we have infrastructure-as-code templates to deploy necessary servers in Region B and restore data from backups.

  • DR Teams and Communication: The disaster recovery plan defines roles such as the Disaster Recovery Coordinator, technical recovery team members, and communication leads. It includes an up-to-date contact list for key personnel and external support (e.g., cloud provider support contacts). During a disaster scenario, the DR Coordinator will lead the effort, and regular communications (status updates) will be provided to management and possibly clients if they are impacted.

  • Recovery Procedures: Detailed step-by-step procedures are documented for recovering each major system. This can include steps like: rebuild servers from base images or cloud templates, install necessary software, apply configurations, restore data from backup XYZ, verify integrity, and switch DNS or networking to point to the new environment. For the Digital Platform, the procedure might outline rebuilding the database from the last backup and re-pointing the application servers to it, etc. These procedures are kept up to date as systems change.

Regular Testing: The DR plan is of little use if not tested. HGA commits to regular testing of the disaster recovery plan (at least annually)[27]. Tests may include simulations or tabletop exercises as well as technical recovery drills. For instance, the IT team might do a partial failover test in which they simulate loss of the primary database and practice restoring the service in the DR environment. Results of tests are documented, and any gaps or issues identified are used to improve the plan. Over time, these tests ensure that staff are familiar with their DR roles and that recovery time objectives can realistically be met.

Business Continuity Considerations: While this policy focuses on IT disaster recovery, it aligns with broader business continuity planning. HGA ensures that critical business processes (not just IT systems) can continue or resume quickly after a disruption. This includes having manual workaround procedures if IT systems are down, and ensuring critical staff have the ability to work offsite if an office location is unavailable. For example, if a regional office is impacted by a natural disaster, staff can work from alternate locations and still securely access systems via remote access/VPN, as long as the core systems are recovered per the DR plan.

Backup Power and Environmental Controls: HGA’s server facilities and network closets have measures like UPS units to handle short power interruptions, and backup generators (or cloud provider equivalents) for sustained power outages, to protect hardware and prevent abrupt shutdowns that could cause data corruption. Environmental controls (HVAC for cooling, fire suppression) are in place to guard the equipment that runs our platform.

Restoration Prioritization: The DR plan prioritizes which systems to restore first. Typically, systems are ranked by criticality. The Digital Platform that serves clients and consultants is top priority, whereas internal systems like timesheets might be secondary. By following priorities, limited resources during a disaster are allocated effectively.

All HGA employees must be aware of what to do in a disaster scenario. While the technical teams execute the DR procedures, other staff should know basic steps like whom to contact, how to obtain information (for example, if email is down, maybe an emergency phone tree or external communication channel will be used). This is included in security awareness training as well.

In conclusion, through robust backups and a comprehensive, tested disaster recovery plan, HGA ensures continuity of operations and protection of data availability even under unforeseen events. This not only meets ISO 27001 requirements for business continuity and NIST’s Recover function, but more importantly, it preserves trust with our clients and users that HGA’s services will be reliable. Management supports and funds these activities recognizing their criticality.

9. Logging, Monitoring, and Incident Response

Early detection of security issues and a swift, effective response to incidents are cornerstones of HGA’s security program. This section describes how HGA monitors its systems for security events (logging and monitoring) and the process for responding to and managing security incidents. The aim is to promptly identify and contain threats, minimize damage, and learn from incidents to improve future defenses, in alignment with NIST’s Detect and Respond functions and ISO 27001 incident management controls.

Logging and Audit Trails: HGA systems are configured to produce logs of important security-relevant activities. This includes application logs, server/system logs, and network device logs. Specifically:

  • User Activity Logs: The HGA Digital Platform records user activities such as logins, logouts, password changes, creation or viewing of sensitive records, and administrative actions. Document access is logged and monitored for unusual activities[15], as are critical transactions (e.g., any changes to financial data or permissions).

  • System and Security Logs: Operating systems on servers log authentication events, process execution, and errors. Firewalls and VPNs log connection attempts (allowed and blocked traffic, VPN login success/fail). If Intrusion Detection/Prevention Systems (IDS/IPS) or a Security Information and Event Management (SIEM) system are used, they aggregate logs and flag anomalies.

  • Audit Log Protection: Logs are stored in a centralized logging server that is secured against tampering. Only authorized administrators may access or clear logs, and log integrity is protected (ideally, with write-once storage or cloud log services). Logs of critical systems are retained for a defined period (for example, application and security logs retained for at least 1 year online, and archived as needed) to support investigations and compliance audits.

  • Log Review: Merely collecting logs is insufficient; HGA personnel (or automated tools) must review them. The IT security team sets up automated alerts for certain events (e.g., multiple failed login attempts triggering an alert for a possible brute-force attack, or unusual after-hours logins by privileged users). Additionally, daily or weekly manual review of summary reports is done to catch subtler indicators. For example, administrators review administrative access logs and change logs for any unexpected changes.
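The tamper-evident storage called for under Audit Log Protection can be approximated in software with a keyed hash chain, shown here as an added illustration that is not code from HGA or its logging stack. The event records, the key, and the function names are constructed for the example. Each entry carries an HMAC over the previous entry’s tag and its own content, so editing, reordering or inserting an entry breaks verification; the check can also compare the last tag against a separately recorded head value, because a chain on its own cannot reveal that entries were removed from the end.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous tag" used for the first entry in a chain

# Constructed sample audit events; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:03Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-03-01T09:15:41Z", "user": "alice", "action": "view_record", "target": "client/1042"},
    {"ts": "2024-03-01T09:20:07Z", "user": "admin1", "action": "change_permission", "target": "user/bob"},
]


def _canonical(event: dict) -> bytes:
    """Stable byte encoding so the same event always produces the same tag."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev: str, event: dict) -> str:
    """HMAC-SHA256 over the previous tag and this event's canonical form."""
    return hmac.new(key, prev.encode() + _canonical(event), hashlib.sha256).hexdigest()


def append_event(chain: List[dict], event: dict, key: bytes) -> dict:
    """Append `event`, binding it to the previous entry's tag."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"event": dict(event), "prev": prev, "mac": _tag(key, prev, event)}
    chain.append(entry)
    return entry


def build_chain(events, key: bytes) -> List[dict]:
    chain: List[dict] = []
    for event in events:
        append_event(chain, event, key)
    return chain


def verify_chain(chain: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad entry).

    `expected_head` is the latest tag as recorded somewhere the log writer cannot
    alter (e.g. write-once storage); supplying it detects truncation of the tail.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or not hmac.compare_digest(
                _tag(key, prev, entry["event"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Build a chain, then show that an after-the-fact edit of one entry is caught."""
    key = b"constructed-demo-key-in-practice-held-in-a-KMS-not-by-log-admins"
    chain = build_chain(SAMPLE_EVENTS, key)
    intact, _ = verify_chain(chain, key)
    chain[1]["event"]["action"] = "logout"  # simulate an insider rewriting history
    still_intact, first_bad = verify_chain(chain, key)
    return intact, still_intact, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1): the edited entry at index 1 is detected
```

The key must be held where the administrators whose actions the log records cannot reach it (a KMS or the log service itself), and the head tag should be copied periodically to write-once storage as the policy suggests; without that external anchor the last entries can be silently dropped.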

Continuous Security Monitoring: HGA employs continuous monitoring to identify potential security breaches or policy violations in real-time. This includes use of automated tools and processes:

  • Intrusion Detection Systems (IDS): Network IDS sensors monitor inbound and internal traffic for suspicious patterns or known attack signatures. Similarly, host-based IDS/endpoint protection can alert on suspicious behavior on servers or endpoints.

  • File Integrity Monitoring: Critical system files or configurations may be monitored for unauthorized changes.

  • Threat Intelligence Integration: HGA stays informed of emerging threats. Indicators of compromise (IoCs) from threat intelligence feeds (such as malicious IP addresses or file hashes) can be loaded into security tools to flag if any appear in our environment.

  • Cloud Security Monitoring: For cloud resources, we utilize cloud-native security monitoring (e.g., AWS CloudWatch/CloudTrail for monitoring API calls, suspicious activities, and config changes in our cloud environment).

In summary, continuous monitoring of the system for security breaches or suspicious activities is in place, with automated tools and intrusion detection systems[28] to alert the security team promptly.
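As an added illustration of the automated alerts described under Log Review and the IoC matching described under Threat Intelligence Integration (this is example code, not HGA’s tooling), the script below runs four detections over constructed VPN authentication log lines: a burst of failed logins from one source within a sliding window, a successful login immediately following such a burst, a login by a privileged account outside business hours, and any source address present in an indicator list. The log format, the threshold of five failures in ten minutes, the 08:00–18:00 UTC business-hours window, the privileged-account list and the documentation-range addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (documentation-range IPs,
# made-up user names); the syslog-like format is an assumption for this example.
SAMPLE_LOGS = """\
2024-03-04T02:14:05Z vpn01 auth user=bob src=203.0.113.7 result=FAIL
2024-03-04T02:14:09Z vpn01 auth user=bob src=203.0.113.7 result=FAIL
2024-03-04T02:14:13Z vpn01 auth user=bob src=203.0.113.7 result=FAIL
2024-03-04T02:14:17Z vpn01 auth user=bob src=203.0.113.7 result=FAIL
2024-03-04T02:14:21Z vpn01 auth user=bob src=203.0.113.7 result=FAIL
2024-03-04T02:14:25Z vpn01 auth user=bob src=203.0.113.7 result=OK
2024-03-04T03:02:40Z vpn01 auth user=admin_jane src=198.51.100.9 result=OK
2024-03-04T10:30:00Z vpn01 auth user=alice src=192.0.2.44 result=OK
2024-03-04T11:05:12Z vpn01 auth user=carol src=192.0.2.45 result=FAIL
2024-03-04T14:45:00Z vpn01 auth user=admin_jane src=198.51.100.9 result=OK
"""

# Constructed threat-intelligence indicator list and privileged-account list.
IOC_IPS = {"203.0.113.7"}
PRIVILEGED_USERS = {"admin_jane"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def _prune(timestamps, now, window):
    """Drop timestamps that fall outside the sliding window ending at `now`."""
    while timestamps and now - timestamps[0] > window:
        timestamps.pop(0)


def detect(lines, fail_threshold=5, window=timedelta(minutes=10), business_hours=(8, 18)):
    """Return a list of (alert_type, subject, timestamp) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(list)  # src IP -> timestamps of recent failures
    flagged_iocs = set()                 # report each IoC source only once
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, src, user = ev["ts"], ev["src"], ev["user"]

        # 1. Source address present in the threat-intelligence feed
        if src in IOC_IPS and src not in flagged_iocs:
            flagged_iocs.add(src)
            alerts.append(("ioc_match", src, ts))

        # 2./3. Failed-login burst from one source, and a success right after one
        failures = recent_failures[src]
        _prune(failures, ts, window)
        if ev["result"] == "FAIL":
            failures.append(ts)
            if len(failures) == fail_threshold:
                alerts.append(("brute_force", src, ts))
        elif len(failures) >= fail_threshold:
            alerts.append(("success_after_brute_force", user, ts))
            failures.clear()

        # 4. Privileged account logging in outside business hours (UTC assumed)
        if ev["result"] == "OK" and user in PRIVILEGED_USERS:
            if not business_hours[0] <= ts.hour < business_hours[1]:
                alerts.append(("after_hours_privileged", user, ts))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(SAMPLE_LOGS.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} ALERT {kind}: {subject}")
```

The success-after-burst rule is the one worth acting on first: a lone burst may be a mistyped password, but a success that follows five failures from the same source suggests a guessed credential and warrants disabling the account and resetting it, which is the containment step the incident response phases below describe.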

Incident Response Plan: HGA maintains a documented Incident Response Plan (IRP) that guides the actions when a security incident is suspected or confirmed. An incident is any event that jeopardizes the confidentiality, integrity, or availability of information – for example, a malware infection, a detected intrusion, a lost laptop containing sensitive data, or an internal misuse of privileges. The IRP outlines the phases of incident handling:

1. Preparation: Proactive measures are covered by our policies, training, and tools – essentially everything up to detecting an incident. The IRP document itself, training of the response team, and tools in place are part of preparation.

2. Detection and Analysis: When alerts from monitoring systems or reports from staff indicate a potential incident, the incident response team (IRT) will verify and analyze the situation. All employees are instructed to report any suspected security incidents immediately (e.g., unusual system behavior, data that appears wrongfully accessed, phishing email received). The IRT will gather information from logs, affected systems, and witness accounts to determine the nature and scope of the incident.

3. Containment: The first priority upon confirming an incident is to contain the damage. Depending on the incident, this could mean isolating affected systems (e.g., removing a compromised server from the network, disabling a user account that was taken over), applying temporary firewall blocks (blocking an IP involved in an attack), or other quarantine actions. The goal is to stop the incident from getting worse (stop data exfiltration, malware spread, etc.).

4. Eradication: After containment, the root cause of the incident is addressed. This may involve removing malware from systems, closing vulnerabilities (installing patches if an exploit was used), disabling compromised accounts or backdoors, and in some cases, completely rebuilding a system from clean backups to ensure the threat is removed.

5. Recovery: Once systems are clean and secure, they are carefully brought back to normal operation. For example, bringing a patched server back online, restoring data from backup if it was corrupted or encrypted (e.g., in a ransomware scenario), and monitoring closely for any sign of recurring issues. When recovering, we ensure that any compromised credentials are reset and that systems are fully patched to prevent re-entry by attackers.

6. Post-Incident Analysis (Lessons Learned): After an incident is resolved, the IRT conducts a debrief and analysis to understand what happened, how it was handled, and what improvements can be made. A formal incident report is written documenting the timeline, impact, and actions taken. The team identifies any gaps in response or controls and updates the incident response plan or other policies accordingly. Regular drills and updates to the response plan are conducted to handle evolving security threats[29], ensuring continuous improvement.

The Incident Response Team is led by the CISO or a designated Incident Manager and includes IT administrators and representatives from relevant areas (e.g., HR for an insider incident, Legal if customer data is involved and notification might be required). Contact information for the team (including after-hours contact methods) is maintained and tested. We also maintain relationships with external experts (such as incident response consultants or forensic specialists) whom we can quickly engage for serious incidents that exceed our internal capacity. Law enforcement or cyber insurance breach coaches may be involved if necessary (for example, in cases of a significant data breach or criminal activity, on the advice of legal counsel).

Notification and Communication: The incident response plan includes communication guidelines. Internally, relevant leadership is notified of serious incidents immediately. For incidents involving personal data breaches or other regulatory impact, the DPO and legal counsel are engaged to manage any notifications to authorities (as noted in Section 7; e.g., GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals) or to affected individuals. Externally, any communication to clients, partners, or the public is carefully managed to ensure accuracy and compliance (normally vetted by the legal and communications functions). HGA is committed to transparency with clients in the event their data is affected, and will provide timely updates and guidance to help mitigate any harm.

Incident Logging: All incidents and near-misses are logged in an Incident Register. This log tracks the frequency and types of incidents, which is useful for trending and for identifying areas that need bolstering. It also serves as evidence of our incident management practice for compliance audits (ISO 27001 auditors will expect to see that incidents are recorded and handled systematically).

Continuous Improvement: Through the combination of monitoring and incident response, HGA aims to create a feedback loop that strengthens security. For example, if a particular phishing email was clicked by a user but caught in time, the incident response may lead to improving email filters and reinforcing training (Section 11). If a vulnerability was exploited, the fix is implemented and also preventative measures (like improved patch management or scanning) are put in place. We treat every incident, minor or major, as a learning opportunity to refine our defenses.

By implementing comprehensive logging and an incident response capability, HGA significantly reduces the potential impact of security events. This ensures that threats are not only quickly addressed but also that stakeholders (customers, management, regulators) can trust HGA to manage incidents professionally and effectively, thereby minimizing damage and downtime.

10. Compliance and Audit Policy

HGA operates in a regulated environment and is committed to complying with all applicable laws, regulations, industry standards, and contractual security requirements. This Compliance and Audit Policy outlines how HGA ensures adherence to these obligations and continuously verifies the effectiveness of its information security controls through audits and assessments. The scope covers compliance with frameworks like ISO 27001 and NIST CSF, legal requirements (GDPR, CCPA as discussed; also any sector-specific rules), and internal policy compliance.

Regulatory and Legal Compliance: HGA will identify and keep updated on all laws and regulations that apply to its operations and data. Aside from GDPR and CCPA (covered in Section 7), this may include laws such as data breach notification laws, employment privacy laws, and any specific client requirements. HGA’s legal and compliance team, in coordination with the Security Officer, monitors for changes in relevant regulations. The company will update its policies and practices as needed to remain compliant with new or amended laws. For example, if a new privacy regulation in a jurisdiction where HGA does business comes into effect, HGA will take steps to implement its requirements. Periodic reviews are conducted to ensure ongoing compliance with all relevant laws, regulations, and standards, and to update compliance measures in response to new regulations or industry standards[30]. This proactive stance helps avoid violations and demonstrates due diligence.

All employees and consultants are expected to comply with applicable laws in the course of their work (as reinforced in our Consultant Contract under general legal compliance)[31]. Any known non-compliance or legal infringements must be reported to management or the compliance officer immediately so corrective action can be taken.

ISO 27001 and NIST CSF Alignment: As stated, HGA’s Information Security Management System is modeled on ISO/IEC 27001. This involves maintaining documentation of controls (the policies in this document and related procedures), conducting risk assessments and treating risks, and performing management review of the ISMS at least annually. An internal audit of the ISMS will be carried out once a year to evaluate conformity with ISO 27001 requirements and the effectiveness of controls. Non-conformities identified are addressed with corrective actions. HGA may pursue formal ISO 27001 certification; whether or not it does, HGA will run its program as if seeking certification to ensure rigor.

HGA also uses the NIST Cybersecurity Framework as a guide, which means we evaluate our maturity against its core functions (Identify, Protect, Detect, Respond, Recover, plus the Govern function introduced in CSF 2.0) and strive for improvement. The mapping of our policies to NIST CSF categories is maintained to ensure we have no significant gaps.

Security Audits (Internal and External): HGA conducts regular internal audits and security assessments to verify that technical and administrative controls are properly implemented[16]. Internal audits may be performed by HGA’s own security team or an internal audit function, or by qualified third-party consultants to provide an independent view. The scope may include reviewing user access rights, configuration reviews of firewalls, code reviews for secure development practices, compliance with data handling procedures, etc. Each major domain of this policy can be subject to audit. Findings from internal audits are reported to management and tracked to resolution.

In addition, HGA recognizes the value of external audits/certifications. Where required by clients or standards, HGA may undergo independent audits (for example, a SOC 2 Type II audit for security, if client contracts demand such assurance). Also, if pursuing ISO 27001 certification, external auditors will verify our ISMS. HGA will address any observations or non-conformities from these audits in a timely manner and continuously improve its controls.

Client and Third-Party Audits: Some clients, especially larger organizations or those in regulated sectors, may invoke a contractual right to audit HGA’s security. HGA will cooperate with reasonable security audits or questionnaires from clients or partners, in line with contractual terms. We will provide accurate and truthful information about our controls and, if needed, allow on-site inspections or penetration tests under controlled conditions (written scope, rules of engagement, and agreed test windows) to satisfy client concerns. Our vendor management (Section 6) expects the same of our vendors, so HGA in turn fulfils these obligations to our clients.

Compliance Monitoring: Beyond formal audits, HGA employs ongoing compliance monitoring. This means checking that daily operations follow the policies: for example, verifying that new hires actually complete their security training, that backups run as scheduled (compliance with the backup policy), and that access reviews (Section 2) happen on time. The Security Officer or a Compliance Officer may use checklists or automated tools to continuously validate compliance. Deviations or exceptions are documented and corrected. If a policy exception is needed (e.g., a specific situation makes strict compliance impractical), it must be formally requested, risk-assessed, approved by management, and documented with an expiration or review date. This ensures we manage exceptions rather than let them weaken our program silently.

Audit Logging and Evidence: HGA understands that audits (internal or external) often require evidence. We maintain logs, reports, and records as evidence of compliance. Examples include: training attendance records, access review sign-offs, incident reports, change management tickets, vulnerability scan results, etc. These records are retained per our record retention schedule and are readily available for audit purposes. For instance, to prove our platform is secure, we keep results of penetration tests and our remediation steps; to prove GDPR compliance, we keep records of consent or processing activities, etc.

Management Review: At least annually, HGA’s leadership (the executive team, including the CEO/Managing Partners and CISO) will review the overall state of the information security program. This review will consider results of audits, status of risk assessments, incidents that occurred, progress on security projects, and any changes in context (new business, new regulations). Management will then decide on any necessary changes to the policy or resource allocations. This practice is required by ISO 27001 and ensures that security remains aligned with business objectives and gets top-level attention.

Penalties and Enforcement: Compliance is not optional. HGA will enforce this policy and related standards. If an employee, consultant, or vendor is found to be in violation of security requirements, HGA will take appropriate actions. For employees, this can range from additional training and a warning for minor first-time violations, up to termination of employment for serious or willful neglect. Consultants may be subject to contract termination. Vendors can face contract penalties or termination according to the terms if they fail to meet security obligations (e.g., a data breach caused by a vendor’s negligence could trigger contract breach remedies). Enforcement actions will be coordinated with Human Resources and Legal as needed, ensuring fairness and consistency with local labor laws.

Continuous Compliance Improvement: The compliance landscape evolves. HGA is committed to not only meeting current requirements but also to anticipating future ones. We consider aligning with emerging best practices and frameworks (for instance, if new privacy standards or an extension of ISO standards like ISO 27701 for privacy or ISO 22301 for business continuity become relevant, we will evaluate adopting them). Compliance is seen not just as a checkbox exercise but as integral to HGA’s mission of trust and quality service.

In summary, through diligent compliance efforts and rigorous audits, HGA provides assurance to stakeholders (whether internal management, clients, or regulators) that our information security measures are not only in place but are effective and continuously improved. We back our commitments with verification – “trust but verify” is a guiding principle in our security governance.

11. Awareness and Training Policy

Technology and policies alone cannot secure an organization unless the people using them are informed and vigilant. HGA’s Awareness and Training Policy ensures that all employees, consultants, and relevant third parties receive appropriate cybersecurity awareness education and role-specific training so that they understand their security responsibilities and can recognize and respond to risks. Creating a culture of security at HGA is a top priority, supported by regular communication and education efforts.

New Hire and Onboarding Training: Every new HGA staff member or long-term consultant is required to complete an initial information security orientation as part of their onboarding. This training covers the fundamentals of HGA’s security policies (including acceptable use, data protection, incident reporting, etc.), the importance of protecting client and personal data, and practical guidance such as how to create strong passwords and use the MFA system. New hires must sign an acknowledgement that they have read and will abide by the Information Security Policy and related confidentiality agreements. For third-party contractors or vendors who have access to HGA systems, HGA will provide either a similar onboarding briefing or require the vendor to demonstrate that their personnel have equivalent training on security awareness.

Regular Security Awareness Training: HGA conducts regular security awareness training for all users – generally on an annual basis, or more frequently if needed[32]. This can take the form of online training modules, in-person workshops, or interactive webinars. The training content is updated periodically to address the latest threats and to reinforce key policies. Topics typically include:
– Protecting sensitive information and following data privacy principles
– Best practices for device and network security (e.g., not clicking suspicious links, avoiding insecure Wi-Fi, proper use of VPN)
– Recognizing and reporting phishing emails or social engineering attempts[32]
– Safe use of passwords and authenticators, and avoiding reuse of corporate credentials on other sites
– Physical security reminders (such as building access or visitor handling, if applicable)
– Incident reporting procedures (what to do if you lose a device, suspect malware, or see something unusual)
– Any recent incidents or lessons learned within HGA or in the industry (to make it relatable and current)

The training will often include quizzes or simulated scenarios to ensure engagement. HGA maintains records of who has completed training. Completion of the annual security training is mandatory; non-compliance could result in HR action (and system access may be disabled for those grossly overdue on training).

Specialized Training by Role: In addition to general awareness for all staff, certain roles receive extra training tailored to their responsibilities:
– Developers and IT Administrators: They receive training on secure coding, secure configuration, vulnerability management, and other technical security practices. For example, developers might receive OWASP Top 10 training to prevent common application vulnerabilities, and system administrators might get training on incident response tools or cloud security configuration.
– Management and Executives: They are briefed on security governance, risk management, and leadership’s role in enforcing a security-conscious environment. Training on crisis communication in the event of a major incident may also be provided.
– Incident Response Team members: They receive periodic training or simulations of incident scenarios to practice their response skills (such as tabletop exercises for handling a breach scenario).
– Privacy/Data Protection Officer (and team): They attend specialized training or workshops on data protection laws, handling data subject requests, etc., to stay current.

Ongoing Awareness and Culture: Beyond formal training sessions, HGA fosters an ongoing security-aware culture through various initiatives:
– Security Reminders and Bulletins: The IT/Security team periodically sends out brief tips or alerts. For example, an email newsletter might carry a “Tip of the Month” such as how to spot a phishing scam, or an alert when a new critical vulnerability (like a widely publicized hack) emerges, with instructions on what employees should do. We may also put up posters or intranet postings about key security practices during certain campaigns (for instance, during October, which is Cybersecurity Awareness Month).
– Phishing Simulations: To reinforce training on phishing, HGA’s security team may conduct controlled phishing email tests. Employees receive simulated phishing emails, and those who click are redirected to an immediate educational page explaining the red flags they missed. The results help identify who might need refresher training. Over time, these exercises aim to improve our collective “human firewall”.
– Interactive Activities: Some organizations hold events like security trivia contests or workshops (sometimes called “lunch and learn” sessions). HGA can adopt such practices to keep engagement high.
– Leadership Messaging: Company leadership will periodically speak to the importance of security (e.g., a message from the CEO or CISO on why everyone’s participation is critical). This top-down emphasis helps employees understand that security is not just an IT issue but an organizational priority.

Reporting and Open Communication: A key part of awareness is ensuring employees know that they can and should report security issues without fear of blame. HGA encourages a “see something, say something” approach. If an employee accidentally clicks a bad link or loses a device, they are instructed that reporting it immediately is the best course of action (so it can be mitigated), and that HGA’s focus is on solutions, not punishment for mistakes. We provide clear channels to report incidents or ask security questions – such as an internal security hotline or a dedicated email like security@[company].org. Reports can even be made anonymously if someone is uncomfortable attaching their name (though we stress that honest mistakes reported promptly will not face disciplinary action, whereas willful negligence or unreported issues might).

Measuring Training Effectiveness: HGA will measure the effectiveness of its training and awareness efforts. This can be through tracking participation and quiz scores, monitoring metrics like click rates on phishing tests (with a goal to reduce them over time), and even including security-related questions in employee engagement surveys. If certain departments show weaker understanding, targeted campaigns can be done. The Security Officer will review these metrics as part of the ISMS monitoring and report results to management. Continuous improvement will be applied – for example, if training feedback says it was too technical, we adjust the content to be more accessible.

Contractor and Vendor Awareness: While we cannot train external vendor employees directly in all cases, we ensure via contracts that vendors are giving their people adequate training (see Section 6). When vendors come on-site or have significant access, we share our relevant policies with them. Similarly, independent consultants engaged through our platform are made aware of their obligations via the contract which includes compliance and confidentiality clauses. For example, our consultant agreement requires adherence to ethics and compliance standards[31]; we supplement that by providing any needed guidance on HGA’s specific security expectations when they work on HGA projects.

By implementing a comprehensive awareness and training program, HGA greatly reduces the likelihood of human error leading to a security incident. Knowledgeable employees are the first line of defense – they can avoid many incidents entirely and serve as an active detection network (reporting things that automated tools might miss). Cultivating this knowledge and culture is an ongoing effort that HGA is fully committed to, as evidenced by the resources allocated and the executive support given to security awareness initiatives.

Appendices

The following appendices provide sample templates and tools referenced in the policy, to be used as practical instruments in enforcing the above policies.

Appendix A: Access Request Form Template

This template is to be used by managers or authorized requestors to grant, change, or revoke a user’s access to HGA systems. Proper completion and approval of this form ensure adherence to the Access Control Policy (Section 2).

Humanics Global Advisors – System Access Request Form

  • Request Type: [ ] New Account Setup   [ ] Modify Access   [ ] Termination/Revocation
  • User Details:
    • Name (First Last): …………………
    • Job Title/Role: …………………
    • Department/Team: …………………
    • Employment Type: [ ] Employee [ ] Consultant [ ] Vendor/Third-Party
    • Work Location (Office/Remote): …………………
  • Systems/Applications for Access:
    (List each system or application the user needs access to, and specify the level of access or role for each. For example: “Humanics Digital Platform – Role: Business Developer”, “VPN – standard user access”, “Financial Database – read-only” etc.)
    • __ – Access Level/Role: __
    • __ – Access Level/Role: __
    • __ – Access Level/Role: __
  • Justification:
    (Provide a brief business justification for why this access is needed, in accordance with least privilege.)
    …………………………………………………………………………………………………
  • Manager or Sponsor Approval:
    • Name & Title of Approver: …………………
    • Signature (or electronic approval): …………………
    • Date: …………………
  • For IT Administration Use:
    • Date Received: …………………
    • Access Provisioned By: ………………… on (Date): …………………
    • MFA Setup Completed: [ ] Yes (Method: _)
    • Verification: All permissions set as per request [ ]
    • Notification to User of Credentials/Access details sent on: …………………
    • If Access Modification or Termination: Old access revoked on: …………………
    • Ticket/Reference Number: …………………
  • Manager Confirmation (for revocation): (for termination requests, manager or HR confirms that access removal was completed)
    • Manager Name: …………………
    • Confirmation Signature/Email: …………………
    • Date: …………………

Instructions:
1. The Manager of the user requesting access must complete the user details and systems required, then sign off approval. For third-party vendors, the sponsoring HGA manager fills this form.
2. Submit the form to IT Security/Administration (via the internal ticketing system or email to IT).
3. IT will provision access and fill in the completion details. IT may reject or seek clarification if the access seems excessive or outside normal scope.
4. For termination requests, attach HR’s termination notice or user exit checklist. IT will confirm all accesses are removed. Manager should verify the individual can no longer access systems.
5. This form (or its electronic equivalent) will be archived for audit purposes to show who approved each access and when it was granted/removed.

By using this form, HGA ensures a record of approvals and helps enforce the principle of least privilege. No access should be granted without this documented approval. Periodic audits will compare active accounts against these forms to ensure compliance.
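The periodic audit described above (comparing active accounts against archived forms) and the compliance monitoring in Section 10 (checking that access reviews happen) are the same reconciliation. The following Python is an added example, not part of HGA's policy or its tooling. It assumes two exports the policy implies but does not specify, an active-account list per system (such as an IAM or directory export) and the archive of approved Appendix A forms, and all records in it are constructed. It replays approvals in date order so that a later modify or revoke form supersedes an earlier one, then flags four conditions: an active account with no approval, an approved revocation that was never executed, a provisioned role that differs from the approved one, and an approval with no matching account.

```python
"""Access reconciliation: compare active accounts against approved access-request forms.

Added example; not part of the HGA policy. Assumes an active-account export and
an archive of approved Appendix A forms. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessRequest:
    """One approved Appendix A form. request_type is 'new', 'modify' or 'revoke'."""
    user: str
    system: str
    role: str
    request_type: str
    approver: str
    approved_on: date
    ticket: str


@dataclass(frozen=True)
class ActiveAccount:
    """One provisioned account as reported by the system owner or IAM export."""
    user: str
    system: str
    role: str


@dataclass(frozen=True)
class Finding:
    code: str    # NO_APPROVAL | REVOCATION_NOT_EXECUTED | ROLE_MISMATCH | APPROVED_NOT_PROVISIONED
    user: str
    system: str
    detail: str


# Constructed sample data: approved forms (hypothetical users, approvers and ticket IDs).
REQUESTS = [
    AccessRequest("alice", "Humanics Digital Platform", "Business Developer", "new", "D. Ops", date(2024, 1, 10), "T-1001"),
    AccessRequest("alice", "VPN", "standard user", "new", "D. Ops", date(2024, 1, 10), "T-1002"),
    AccessRequest("alice", "VPN", "admin", "modify", "D. Ops", date(2024, 4, 1), "T-1140"),
    AccessRequest("bob", "Financial Database", "read-only", "new", "F. Lee", date(2024, 2, 1), "T-1030"),
    AccessRequest("bob", "Financial Database", "read-only", "revoke", "HR", date(2024, 5, 15), "T-1201"),
    AccessRequest("carol", "Financial Database", "read-only", "new", "F. Lee", date(2024, 3, 3), "T-1077"),
    AccessRequest("carol", "VPN", "standard user", "new", "D. Ops", date(2024, 3, 3), "T-1078"),
]

# Constructed sample data: what the systems actually report as active.
ACCOUNTS = [
    ActiveAccount("alice", "Humanics Digital Platform", "Business Developer"),
    ActiveAccount("alice", "VPN", "admin"),                  # matches the later 'modify' form
    ActiveAccount("bob", "Financial Database", "read-only"),  # revocation approved but not executed
    ActiveAccount("carol", "Financial Database", "read-write"),  # broader than approved
    ActiveAccount("dave", "VPN", "standard user"),           # no form on file at all
]


def approved_state(requests):
    """Replay approved forms in date order; the last form wins per (user, system).

    A 'revoke' form removes the entitlement; 'new' and 'modify' set the approved role.
    """
    state = {}
    for req in sorted(requests, key=lambda r: r.approved_on):
        key = (req.user, req.system)
        if req.request_type == "revoke":
            state.pop(key, None)
        else:
            state[key] = req
    return state


def reconcile(accounts, requests):
    """Return one Finding per mismatch between provisioned access and approvals."""
    approved = approved_state(requests)
    revoked = {(r.user, r.system) for r in requests if r.request_type == "revoke"}
    findings, seen = [], set()
    for acct in accounts:
        key = (acct.user, acct.system)
        seen.add(key)
        req = approved.get(key)
        if req is None:
            if key in revoked:
                findings.append(Finding("REVOCATION_NOT_EXECUTED", acct.user, acct.system,
                                        "approved revocation on file but account is still active"))
            else:
                findings.append(Finding("NO_APPROVAL", acct.user, acct.system,
                                        "active account with no approved request form"))
        elif acct.role != req.role:
            findings.append(Finding("ROLE_MISMATCH", acct.user, acct.system,
                                    f"provisioned {acct.role!r}, approved {req.role!r} "
                                    f"by {req.approver} ({req.ticket})"))
    # Approvals with no live account: usually a provisioning gap, sometimes a stale form.
    for key, req in approved.items():
        if key not in seen:
            findings.append(Finding("APPROVED_NOT_PROVISIONED", req.user, req.system,
                                    f"approved {req.approved_on} ({req.ticket}) but no active account"))
    return findings


if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, REQUESTS):
        print(f"{f.code:25} {f.user:6} {f.system:26} {f.detail}")
```

Run against real exports, NO_APPROVAL and REVOCATION_NOT_EXECUTED findings are the ones to act on first, since they are live access that no approver has sanctioned; ROLE_MISMATCH findings go back to the approver on the cited ticket, and each finding should be recorded in the audit tracker with its resolution so the next audit can show closure.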

Appendix B: Vendor Security Checklist

When engaging a new vendor or evaluating an existing third-party, HGA may use a Vendor Security Checklist to assess the vendor’s security controls. This checklist helps determine if the vendor meets HGA’s security and privacy requirements (as outlined in Section 6) and highlights any areas of concern to address before data is shared. The checklist can be sent as a questionnaire to the vendor or used internally during a review of vendor-provided materials (like SOC reports, etc.).

Humanics Global Advisors – Vendor Security Due Diligence Checklist

Vendor Name: ____
Service Provided: ___ (e.g., Cloud hosting, Payroll processing, etc.)
HGA Sponsor/Owner: __ (internal person responsible for vendor relationship)
Date of Assessment: _____

  1. Security Policies and Governance:
     • Does the vendor have a written information security policy and program? Yes/No
     • Do they follow any industry security standards (ISO 27001, NIST, SOC 2)? List certifications or audits: __[16].
     • Is there a dedicated security team or officer at the vendor? Yes/No/Unknown
     • How often are their security policies updated? __
     • Will the vendor agree contractually to comply with HGA’s security requirements and applicable laws (confidentiality, data protection)? Yes/No[7]
  2. Access Control:
     • Will the vendor require access to HGA systems or data? If yes, describe how access is limited (least privilege, dedicated accounts, MFA usage): ________.
     • Do vendor staff accounts follow strong password controls and MFA for remote/admin access? Yes/No
     • How does the vendor revoke access for their employees who leave or change roles? __ (24-hour deactivation? etc.)
     • Are background checks performed on vendor employees who will handle sensitive HGA data? Yes/No
  3. Data Protection and Privacy:
     • What types of HGA data will the vendor store or process? (Personal data, financial data, etc.): __
     • Is data encrypted at rest and in transit in the vendor’s systems? Yes/No (Describe encryption, e.g., AES-256 at rest[14], TLS 1.2 or later in transit[13])
     • Does the vendor segregate each customer’s data? Yes/No (i.e., multi-tenant data isolation)
     • GDPR: If EU personal data is involved, has the vendor provided a GDPR commitment or DPA? Yes/No[4]. Do they support data subject requests and deletion? Yes/No
     • CCPA: If California data is involved, does the vendor acknowledge CCPA obligations (no sale of data, ability to delete upon request, etc.)? Yes/No
     • Data retention: Does the vendor delete or return HGA’s data upon contract termination? Yes/No (Explain policy: __)
  4. Network & Infrastructure Security:
     • Does the vendor have firewalls and IDS/IPS protecting their networks? Yes/No
     • Do they conduct regular vulnerability scanning and penetration tests on their systems? Yes/No[16] (Ask for a summary of recent results or an attestation.)
     • Patch management: How quickly do they apply critical patches? __ (e.g., within 1 week for critical).
     • Are servers and applications configured securely (hardened, minimal services, etc.)? Yes/No (Any relevant baseline, such as CIS Benchmarks?)
     • For cloud vendors: What cloud platform and region will data be stored in? __. Are security groups, S3 bucket policies, etc., configured to prevent unauthorized access? Yes/No/NA
  5. Operational Security Processes:
     • Monitoring: Does the vendor monitor their systems for security events and intrusions continuously? Yes/No[28]
     • Incident Response: Do they have an incident response plan? Yes/No. Will they notify HGA of any breach affecting HGA data within a contractually defined window (e.g., 24 hours, and in any case early enough for HGA to meet its own 72-hour GDPR notification deadline)? Yes/No
     • Business Continuity/Disaster Recovery: Do they have backups and a disaster recovery plan to ensure service continuity? Yes/No[33]. What is their typical recovery time if they have an outage? __
     • Audit and Compliance: Have they been subject to any security audit or assessment? Yes/No. Are there recent audit reports or certifications HGA can review (e.g., SOC 2 Type II report, ISO certificate)? Yes/No
     • Previous Incidents: Ask whether the vendor has had any significant security incidents or breaches in the past 3 years. If yes, what were they and what has been done to prevent recurrence? ________
  6. Vendor Insurance and Liability:
     • Does the vendor carry cybersecurity or errors & omissions insurance that would cover damages to clients from a breach? Yes/No[8] (Not strictly a “security control,” but important for risk management.)
     • Will the vendor agree to liability terms that include responsibility for security breaches caused by their negligence? Yes/No (This would be addressed in contract negotiations.)
  7. Additional Notes or Observations:

Assessment Summary:
– Overall Security Risk Level of Vendor: High / Medium / Low (to be determined based on above answers and the sensitivity of data).
– Conditions for Engagement (if any): __ (e.g., “Vendor must encrypt data at rest before go-live,” or “Requires annual SOC2 report,” or “Not approved until MFA is implemented for their user access”).
– Reviewed by Security Officer: ___ (Name) on _ (Date).
– Final Approval to Use Vendor for stated service: Approved / Not Approved
– Signature (Security/Compliance Officer or CIO): ____ Date: _

This checklist should be filed with the vendor’s records. If a vendor is high risk, HGA will repeat this assessment periodically (e.g., annually) to ensure the vendor’s security posture remains acceptable. All identified gaps must either be resolved by the vendor or compensating controls put in place before HGA entrusts sensitive data to the vendor.

By diligently using this Vendor Security Checklist, HGA supports its Third-Party Security Policy with concrete action, ensuring our supply chain and partner network does not become the weak link in our information security.

[1] [2] [3] How to Write an ISO 27001 Information Security Policy + Free Template [Updated for ISO 27001:2022]

https://secureframe.com/blog/iso-27001-information-security-policy

[4] [7] [8] [20] [21] [23] [24] [25] [31] HGA_Consultant_Contract_Template.docx

file://file-GA7v2hdnXhXEYmWj3q3gXG

[5] [6] [9] [10] [11] [13] [14] [15] [16] [19] [22] [26] [27] [28] [29] [30] [32] [33] HGA_Digital_Platform_Technical_Specifications.pdf

file://file-LERZnDM52Sh8kLN2RatZB5

[12] Deactivating User Access Within 24 Hours for Terminated, Retiring, and Extended Leave – Office of the Comptroller

https://www.macomptroller.org/announcement/deactivating-user-access-within-24-hours-for-terminated-retiring-and-extended-leave/

[17] [18] Acceptable Use Policy Template | FRSecure

https://frsecure.com/acceptable-use-policy-template/