|
<html>
|
|
<head>
|
|
<title>Security Policy</title>
|
|
<style>
|
|
body {
|
|
font-family: 'Times New Roman', serif;
|
|
line-height: 1.6;
|
|
max-width: 800px;
|
|
margin: 0 auto;
|
|
padding: 20px;
|
|
color: #333;
|
|
}
|
|
h1, h2, h3 {
|
|
color: #2c3e50;
|
|
margin-top: 30px;
|
|
}
|
|
h1 { font-size: 2em; border-bottom: 2px solid #3498db; padding-bottom: 10px; }
|
|
h2 { font-size: 1.5em; border-bottom: 1px solid #bdc3c7; padding-bottom: 5px; }
|
|
ul { margin-left: 20px; }
|
|
li { margin-bottom: 8px; }
|
|
strong { color: #2c3e50; }
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<h1>Security Policy</h1>
|
|
<p><em>Last Updated: November 13, 2025</em></p>
|
|
|
|
<h2>1. Introduction</h2>
|
|
|
|
<h3>1.1 Purpose</h3>
|
|
<p>This policy establishes the framework for securing our cloud storage platform and ensures all personnel understand their security responsibilities.</p>
|
|
|
|
<h3>1.2 Scope</h3>
|
|
<p>Applies to all employees, contractors, systems, and data managed by MyWebdav Technologies.</p>
|
|
|
|
<h2>2. Governance and Management</h2>
|
|
|
|
<h3>2.1 Information Security Management System (ISMS)</h3>
|
|
<p>We maintain an ISO/IEC 27001-certified ISMS with regular risk assessments, audits, and continuous improvement.</p>
|
|
|
|
<h3>2.2 Roles and Responsibilities</h3>
|
|
<ul>
|
|
<li><strong>CISO:</strong> Oversees security program</li>
|
|
<li><strong>Security Team:</strong> Implements controls and responds to incidents</li>
|
|
<li><strong>Employees:</strong> Follow policies and report incidents</li>
|
|
<li><strong>Management:</strong> Provides resources and enforces compliance</li>
|
|
</ul>
|
|
|
|
<h2>3. Access Control</h2>
|
|
|
|
<h3>3.1 Access Management</h3>
|
|
<p>Access follows the principle of least privilege with multi-factor authentication required for administrative access.</p>
|
|
|
|
<h3>3.2 User Authentication</h3>
|
|
<p>Strong passwords, regular rotation, and account lockout policies are enforced.</p>
|
|
|
|
<h3>3.3 Remote Access</h3>
|
|
<p>Secured via VPN with full logging and monitoring.</p>
|
|
|
|
<h2>4. Data Protection and Encryption</h2>
|
|
|
|
<h3>4.1 Data Classification</h3>
|
|
<p>Data classified as Public, Internal, Confidential, or Highly Sensitive with appropriate controls.</p>
|
|
|
|
<h3>4.2 Encryption Standards</h3>
|
|
<ul>
|
|
<li>TLS 1.3 for data in transit</li>
|
|
<li>AES-256 for data at rest</li>
|
|
<li>Secure key management and rotation</li>
|
|
</ul>
|
|
|
|
<h3>4.3 Data Retention and Disposal</h3>
|
|
<p>Data retained only as necessary with secure deletion methods.</p>
|
|
|
|
<h2>5. Network Security</h2>
|
|
|
|
<h3>5.1 Network Segmentation</h3>
|
|
<p>Isolated networks with firewalls, IDS, and regular monitoring.</p>
|
|
|
|
<h3>5.2 Secure Configuration</h3>
|
|
<p>Hardened systems following CIS Benchmarks.</p>
|
|
|
|
<h2>6. Physical Security</h2>
|
|
|
|
<h3>6.1 Facility Access</h3>
|
|
<p>Controlled access to data centers with biometric authentication.</p>
|
|
|
|
<h3>6.2 Equipment Security</h3>
|
|
<p>Secure storage in climate-controlled environments.</p>
|
|
|
|
<h2>7. Incident Response</h2>
|
|
|
|
<h3>7.1 Incident Response Plan</h3>
|
|
<p>Comprehensive plan for identification, containment, eradication, recovery, and notification.</p>
|
|
|
|
<h3>7.2 Breach Notification</h3>
|
|
<p>Incidents reported within 72 hours (GDPR) or 24 hours (NIS2) as applicable.</p>
|
|
|
|
<h2>8. Secure Development</h2>
|
|
|
|
<h3>8.1 Secure Coding Practices</h3>
|
|
<p>Code reviews, static/dynamic analysis, and vulnerability management.</p>
|
|
|
|
<h3>8.2 Change Management</h3>
|
|
<p>Formal approval processes for production changes.</p>
|
|
|
|
<h2>9. Third-Party Risk Management</h2>
|
|
|
|
<h3>9.1 Vendor Assessment</h3>
|
|
<p>Security assessments and contractual requirements for all vendors.</p>
|
|
|
|
<h2>10. Compliance and Auditing</h2>
|
|
|
|
<h3>10.1 Regulatory Compliance</h3>
|
|
<p>Compliance with GDPR, NIS2, and ISO/IEC 27001.</p>
|
|
|
|
<h3>10.2 Audits and Assessments</h3>
|
|
<p>Annual audits, quarterly penetration testing, and continuous monitoring.</p>
|
|
|
|
<h3>10.3 Training</h3>
|
|
<p>Mandatory annual security training for all personnel.</p>
|
|
|
|
<h2>11. Enforcement</h2>
|
|
<p>Compliance is mandatory. Violations may result in disciplinary action up to termination.</p>
|
|
|
|
<hr>
|
|
<h3>Contact Information</h3>
|
|
<p>If you have any questions about this security policy, please contact us:</p>
|
|
<ul>
|
|
<li><strong>Email:</strong> <a href="mailto:legal@mywebdav.eu">legal@mywebdav.eu</a></li>
|
|
<li><strong>Website:</strong> <a href="https://mywebdav.eu">https://mywebdav.eu</a></li>
|
|
<li><strong>Address:</strong> MyWebdav Technologies, European Union</li>
|
|
</ul>
|
|
<p>MyWebdav Technologies</p>
|
|
</body>
|
|
</html> |