Security Policies

Cybrexus Technology

Information Security Policy

Document Version: 1.0
Effective Date: July 1, 2026


1. Purpose

The purpose of this Information Security Policy is to protect the confidentiality, integrity, and availability of Cybrexus Technology’s information assets, customer data, intellectual property, software systems, and technology infrastructure.

This policy establishes security requirements that all employees, interns, contractors, consultants, freelancers, vendors, and third-party service providers must follow to reduce cybersecurity risks and maintain customer trust.


2. Scope

This policy applies to:

· All employees
· Interns and trainees
· Directors and management
· Consultants
· Contractors
· Freelancers
· Third-party personnel
· Vendors with access to company information
· All company-owned and authorized personal devices used for company work

The policy covers:

· Information assets
· Customer information
· Company data
· Software applications
· Source code
· Cloud infrastructure
· Internal systems
· Physical documents
· Electronic communications


3. Security Objectives

Cybrexus Technology is committed to:

· Protecting confidential information
· Preventing unauthorized access
· Maintaining system availability
· Ensuring data integrity
· Meeting legal and contractual obligations
· Continuously improving cybersecurity practices
· Reducing security risks through proactive controls


4. Information Classification

Information shall be classified into the following categories:

Public

Information approved for public release.

Examples:

· Marketing materials
· Public website content
· Job advertisements

Internal

Information intended only for internal business use.

Examples:

· Internal procedures
· Project schedules
· Team documentation

Confidential

Sensitive business information requiring controlled access.

Examples:

· Client data
· Financial records
· Employee information
· Contracts
· Pricing
· Internal reports

Restricted

Highly sensitive information with limited authorized access.

Examples:

· Source code
· Encryption keys
· Password vaults
· Production credentials
· Security configurations
· Strategic business plans


5. Access Control

Access shall be granted based on the principle of least privilege.

Users shall:

· Access only information necessary for their job responsibilities.
· Never use another person’s account.
· Never share passwords.
· Request access through approved authorization.
· Immediately report unauthorized access.

Management shall review user access periodically.


6. Password Policy

All users must:

· Use passwords with at least 12 characters.
· Include uppercase letters, lowercase letters, numbers, and special characters.
· Use unique passwords for company systems.
· Change passwords immediately if compromise is suspected.
· Enable multi-factor authentication (MFA) wherever supported.

Passwords shall never be:

· Shared
· Written in visible locations
· Stored in unsecured documents
· Sent through unencrypted communication channels

Approved password managers should be used where feasible.


7. Multi-Factor Authentication

Multi-factor authentication should be enabled for:

· Email accounts
· Cloud services
· VPN access
· Administrative accounts
· Source code repositories
· Financial applications
· Remote access services


8. Device Security

Company and authorized personal devices used for work shall:

· Be protected by strong passwords or biometric authentication.
· Use supported operating systems with current security updates.
· Run approved antivirus or endpoint protection software where applicable.
· Automatically lock after a period of inactivity.
· Encrypt storage when technically feasible.
· Be reported immediately if lost or stolen.

Unauthorized devices shall not access sensitive company resources without approval.


9. Software Installation

Only authorized software may be installed on company systems.

Personnel shall not:

· Install pirated software
· Disable security software
· Install unauthorized browser extensions
· Download software from untrusted sources

Software licensing requirements shall always be respected.


10. Email Security

Employees shall:

· Verify unknown senders.
· Avoid opening suspicious attachments.
· Report phishing attempts immediately.
· Never share passwords by email.
· Use company email for official business communication.

Sensitive information should only be shared through approved and secure methods.


11. Internet Usage

Internet access is provided for legitimate business purposes.

Users shall not:

· Visit malicious websites
· Download illegal content
· Bypass security controls
· Engage in unauthorized hacking activities
· Use company internet for unlawful purposes

Limited personal use may be permitted provided it does not interfere with work or violate company policies.


12. Remote Work Security

Personnel working remotely must:

· Use secure internet connections.
· Avoid using unsecured public Wi-Fi without approved protection.
· Lock devices when unattended.
· Prevent unauthorized viewing of confidential information.
· Store company information only in approved locations.
· Follow all company security policies while working remotely.


13. Data Protection

Company and client data shall be protected throughout its lifecycle.

Personnel shall:

· Collect only necessary information.
· Use data only for authorized purposes.
· Avoid unnecessary duplication of data.
· Dispose of information securely when no longer required.
· Protect sensitive information during storage and transmission.


14. Backup and Recovery

Critical business information shall be backed up according to company procedures.

Backups should:

· Be tested periodically.
· Be protected against unauthorized access.
· Support business continuity and disaster recovery requirements.


15. Encryption

Sensitive information should be encrypted:

· During transmission using secure protocols (such as HTTPS, TLS, or SSH).
· At rest where appropriate.
· On portable storage devices containing confidential information.

Encryption keys shall be protected and managed securely.


16. Source Code Security

Developers shall:

· Store source code in approved repositories.
· Use version control systems.
· Protect repository credentials.
· Review code before production deployment where feasible.
· Avoid embedding passwords, API keys, or secrets directly in source code.
· Follow secure coding practices.


17. Cloud Security

Cloud resources shall:

· Be configured using security best practices.
· Restrict access based on business need.
· Enable logging where practical.
· Use encryption where supported.
· Be regularly reviewed for unnecessary exposure.


18. Physical Security

Personnel shall:

· Secure laptops and mobile devices.
· Protect confidential documents.
· Restrict visitor access to sensitive areas.
· Avoid leaving confidential materials unattended.
· Properly dispose of sensitive documents using approved methods.


19. Incident Reporting

Any suspected security incident shall be reported immediately.

Examples include:

· Phishing emails
· Malware infections
· Lost or stolen devices
· Unauthorized access
· Data leakage
· Password compromise
· Ransomware
· System intrusion

Employees shall cooperate with investigations and preserve relevant evidence where possible.


20. Security Awareness

Cybrexus Technology encourages ongoing security awareness.

Personnel should:

· Stay informed about cybersecurity threats.
· Participate in security training.
· Follow secure working practices.
· Report suspicious activity promptly.


21. Third-Party Security

Third-party service providers handling company or customer information should:

· Protect confidential information.
· Implement appropriate security measures.
· Comply with contractual security requirements.
· Report security incidents affecting company data without undue delay.


22. Compliance

Personnel must comply with:

· Company policies
· Applicable laws and regulations
· Customer contractual obligations
· Confidentiality agreements
· Intellectual property requirements
· Data protection obligations


23. Policy Violations

Violations of this policy may result in:

· Security awareness counseling
· Written warning
· Temporary suspension of system access
· Disciplinary action
· Termination of employment or engagement
· Legal action where appropriate

·         Legal action where appropriate


24. Policy Review

This Information Security Policy shall be reviewed at least annually or whenever there are significant changes to:

· Business operations
· Technology infrastructure
· Legal or regulatory requirements
· Security risks


25. Contact

Questions regarding this policy or the reporting of security incidents should be directed to the Information Security Team or designated management representative at Cybrexus Technology.