Mindset AI

Information Security Policy

Last updated: July 12, 2023

Purpose

Mindset AI LTD developed this policy to establish a general approach to information security and the minimisation of information misuse, compromise or loss. This document serves to outline security processes, uphold ethical standards, meet regulatory obligations, control business risk, and maintain company reputation.

Scope

The policy applies to:

  • Information in any form on any media, as well as facilities, systems, or networks storing, processing, and transferring information
  • All employees, temporary staff, partners, contractors, vendors, suppliers, and any person accessing company networks
  • All activity using company information or equipment, whether on premises or remotely
  • Information resources from external entities like customers
  • Documents, messages, and communications created via company systems subject to third-party review for audits, litigation, and compliance

Background

This overarching policy governs an information security program comprising:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity/Disaster Recovery Plans
  • Code of Conduct
  • Data Classification, Retention, and Protection Policies
  • Encryption and Password Policies
  • Incident Response Plan
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • System Access Management Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

Information Security Objectives

Information, in all its forms (written, spoken, recorded electronically, or printed), will be protected from accidental or intentional unauthorised modification, destruction or disclosure.

Three core principles guide protection efforts:

  • Confidentiality: Data and information are protected from unauthorised access
  • Integrity: Data is intact, complete and accurate
  • Availability: IT systems are available when needed

Company objectives include protecting information from threats, enabling secure sharing, encouraging professional use, clarifying responsibilities, ensuring business continuity, and protecting against legal liability.

Roles and Responsibilities

The Security Officer oversees:

  1. Design, development, maintenance, dissemination, and enforcement of policies
  2. Ensuring the information security management system conforms to ISO/IEC 27001:2013
  3. Reporting program performance to top management

Additional roles and responsibilities appear in individual policies and company documents.

Policy Review

At a minimum annually, a security and/or compliance committee composed of senior management and key personnel must discuss, evaluate and document the company's Information Security Policy (ISP). All ISP policies require annual review, modification, and approval by authorised personnel.

Accessibility

Employees access policies through Drata, a compliance automation SaaS platform. Policies pertaining to specific positions must be reviewed and signed upon hire and annually.

Exceptions

Executive management must approve policy exceptions after proper review, with annual reexamination required.

Policy

Training

Management ensures employees, contractors, and third-party users:

  • Receive briefing on security roles before accessing covered information
  • Receive guidelines stating security expectations
  • Stay notified of security changes through annual training and acknowledgements
  • Comply with organisational security policies
  • Achieve awareness levels appropriate to their roles
  • Conform to employment terms including security policies

New hires complete security awareness training within 14 days of hire, then annually. Training includes security, privacy requirements, and proper asset use. Incident response and contingency training occur within 90 days of assuming relevant roles, upon policy changes, and annually.

The organisation documents all training completion and requires written acknowledgement of the Information Security Program and Code of Conduct upon hire and annually thereafter.

Communication about security updates, changes, and incidents occurs via email or Slack channels, with annual reminders as part of security awareness training.

Clean Desk/Work Area

Authorised users must ensure that all sensitive/confidential materials, hardcopy or electronic, are removed from their workspace and locked away when the items are not in use or when the employee leaves his/her workstation.

Specific requirements include:

  • Securing sensitive information at day's end and during extended absences
  • Locking computer workstations when unattended and shutting down completely daily
  • Removing sensitive information from desks and securing it
  • Properly storing and securing laptops and portable devices
  • Keeping file cabinets containing restricted or sensitive information closed and locked
  • Not leaving keys at unattended desks
  • Never posting passwords on sticky notes or accessible locations
  • Immediately removing printouts with restricted or sensitive information
  • Shredding restricted/sensitive documents or using locked confidential disposal bins upon disposal
  • Erasing whiteboards containing restricted or sensitive information
  • Securing and encrypting mass storage devices like external hard drives and USB drives
  • Clearing printers and fax machines immediately after printing

Internet/Intranet Access and Use

Internet access represents a privilege granted by management subject to revocation for inappropriate conduct. Prohibited activities include:

  • Sending unsolicited spam unrelated to legitimate company purposes
  • Engaging in private business activities or excessive instant messaging
  • Accessing networks, servers, or files without authorisation
  • Making unauthorised copies or destroying company data
  • Misrepresenting oneself or the company
  • Violating federal, state, local, or provincial laws
  • Engaging in unlawful or malicious activities
  • Propagating viruses, worms, Trojans, or disruptive code
  • Using abusive, profane, threatening, racist, or sexist language
  • Sending, receiving, or accessing pornographic materials
  • Causing network disruption or impairment
  • Using recreational games
  • Defeating security restrictions

Access discontinues upon employment termination, contract completion, or disciplinary action. Job transfers require discontinuing original access codes and approving new requests. User IDs inactive for 30 days face revocation. Management must reevaluate user privileges annually, with system administrators promptly revoking unnecessary privileges.

Teleworking

Requirements:

  • Secure remote access requires encryption through Virtual Private Networks (VPNs) and strong pass-phrases
  • Authorised users must protect login credentials without exception
  • Mindset AI computers connecting remotely must not simultaneously connect to other networks except personal networks under authorised user control
  • Most current antivirus software must run on all computers
  • Equipment connecting to company networks must meet remote access requirements

Remote Access Tools

All remote access tools must comply with:

  • Multi-factor authentication (tokens, smart cards requiring PINs or passwords)
  • Authentication through Active Directory or LDAP using challenge-response protocols resistant to replay attacks
  • Mutual authentication of both session endpoints
  • Support for application layer proxy rather than direct firewall connections
  • Strong, end-to-end encryption of communication channels
  • No disabling, interference with, or circumvention of antivirus, data loss prevention, or other security systems

Mobile Endpoint and Storage Devices

Protecting endpoint devices issued by Mindset AI LTD or storing company data is the responsibility of every employee.

For endpoint devices:

  • Company-issued mobile devices have pre-installed antivirus and endpoint security
  • Users run online malware scanners at least monthly
  • Approved browser add-ons require testing via browser testing tools
  • Mobile endpoint devices must meet use requirements

For storage devices:

  • Risk analysis occurs before use or network connection unless previously approved
  • Incident detection requires immediate reporting to the information security team
  • Stolen devices need immediate reporting

Intellectual Property Rights

Mindset AI LTD takes handling and safeguarding of intellectual property very seriously. Intellectual property includes software, document copyright, design rights, trademarks, patents, and source code licences.

Procedures include:

  • Acquiring software only through reputable sources ensuring copyright compliance
  • Maintaining asset inventories identifying intellectual property protection requirements
  • Preserving proof of ownership for licences, master disks, manuals, etc.
  • Ensuring only licensed products are installed
  • Ensuring compliance with terms and conditions for publicly obtained software and information

Information Security Requirements Analysis & Specifications

The company identifies security requirements using several methods, ensures that the resulting documentation is reviewed by stakeholders, and integrates the requirements in the early stages of projects.

Methods:

  • Policies and regulations
  • Threat modelling
  • Incident reviews
  • Vulnerability thresholds

Factors:

  • The level of confidence required in claimed user identities, and the resulting authentication requirements
  • Access provisioning and authorisation processes for business and privileged users
  • Informing users and operators of duties and responsibilities
  • Asset protection needs regarding availability, confidentiality, and integrity
  • Business processes like transaction logging and non-repudiation requirements
  • Other security controls like logging, monitoring, or data leakage detection systems

Employment Terms and Conditions

Employment terms include contractual obligations to safeguard information:

  • Signing confidentiality or non-disclosure agreements before accessing confidential information
  • Legal responsibilities and rights, particularly concerning intellectual property
  • Responsibilities for information classification and organisational asset management
  • Responsibilities for handling third-party information
  • Reviewing and agreeing with company security policies
  • Duration of responsibilities beyond employment termination
  • Actions for non-compliance with terms and security policies

Disciplinary Process

Mindset AI LTD's discipline policy and procedures are designed to provide a structured corrective action process to improve and prevent a recurrence of undesirable employee behaviour and performance issues. The company reserves discretion to combine or skip steps depending on circumstances and offence nature.

Step 1: Verbal Warning and Counselling

The immediate supervisor meets with the employee to address performance, conduct, or attendance issues. The supervisor discusses the problem, clearly describes expectations, and outlines improvement steps.

Step 2: Formal Written Warning

If issues persist, formal written documentation follows. The supervisor and an HR representative meet with the employee to review additional incidents and prior corrective actions. Management outlines the consequences of continued failure. A formal performance improvement plan (PIP) requiring immediate corrective action follows, with a warning that termination is possible.

Step 3: Suspension and Final Written Warning

Serious incidents may warrant temporary removal from the workplace. Immediate supervisors may suspend an employee pending investigation when safety requires it. Disciplinary suspensions require approval from the next-level manager and HR.

Step 4: Recommendation for Termination of Employment

Termination represents the final step. Generally, the company attempts progressive discipline before termination, but Mindset AI LTD reserves the right to combine and skip steps depending on the circumstances of each situation and the nature of the offence. Management may terminate without prior notice. Termination recommendations require approval from HR and from the supervisor's immediate manager, and may also require CEO approval.

Performance and Conduct Issues Not Subject to Progressive Discipline

Illegal behaviour is not subject to progressive discipline and may be reported to law enforcement. Theft, substance abuse, intoxication, fighting, and workplace violence warrant immediate termination.

Enforcement

Mindset AI LTD Management, under the explicit authority granted by the company CEO, retains the authority and responsibility to monitor and enforce compliance with this Policy. Monitoring may occur continuously or randomly when Management deems necessary, potentially investigating information resource use. The company reserves the right to review any and all communications and activities without notice.

The company takes precautions to limit monitoring to the detection of policy violations and the assessment of business process performance and quality.

Policy violations face appropriate disciplinary action including verbal and/or written warnings, suspension, termination, and/or other legal remedies consistent with published HR standards and practices.