Cybersecurity Policy

Good Stewards Holdings Inc. is committed to protecting your data and maintaining the highest standards of cybersecurity. This policy outlines our comprehensive approach to securing systems, networks, and user information.

Effective Date: April 15, 2026
Version: 1.1
Last Updated: April 15, 2026
Data Protection: AES-256 encryption for all sensitive data at rest and in transit. Multi-factor authentication on all accounts.

Threat Detection: Real-time antivirus, intrusion detection, and endpoint protection across all systems and workstations.

Rapid Response: 4-hour recovery time, 24/7 incident response, and continuous security auditing and compliance.

1. Purpose & Scope

This Cybersecurity Policy establishes minimum standards for protecting information assets, systems, and data of Good Stewards Holdings Inc. and our users. It applies to all employees, contractors, third-party service providers, systems, networks, and applications.

2. Data Classification and Handling

We classify data into PUBLIC, INTERNAL, CONFIDENTIAL, and RESTRICTED categories, with corresponding protection requirements. RESTRICTED and CONFIDENTIAL data is encrypted in transit and at rest, with access restricted to authorized personnel only. Data is retained only as long as required by law or business need and disposed of securely.

3. Access Control and Privileged Access Management

We implement the Principle of Least Privilege, granting users only the minimum access necessary for their role. All user accounts require multi-factor authentication (MFA). Privileged accounts are monitored, recorded, and audited. Access is reviewed quarterly and revoked immediately upon termination.

4. Encryption of Data at Rest and in Transit

All RESTRICTED and CONFIDENTIAL data is encrypted with AES-256 encryption. Data in transit uses TLS 1.2 or higher. Encryption keys are managed in a centralized Key Management Service with restricted access and annual rotation. Full-disk encryption is enabled on all corporate devices.

5. Vulnerability Management and Patch Management

We identify vulnerabilities through automated scanning, penetration testing, and code review. Vulnerabilities are assessed using CVSS scoring and remediated based on severity: Critical (24 hours), High (7 days), Medium (30 days), Low (90 days). All systems receive security patches within 14 days of release.

6. Incident Response and Disaster Recovery

Our incident response team follows established procedures for detection, containment, investigation, and recovery. We maintain a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 15 minutes. Daily backups are encrypted and stored in geographically separated locations. Disaster recovery is tested quarterly.

7. Physical Security

Data centers in secure facilities (AWS, Google Cloud) have restricted access with authentication, visitor logs, environmental controls, fire suppression, and CCTV monitoring. Office physical security includes access cards, visitor badges, clean desk policy, and emergency procedures.

8. Endpoint Protection

Production servers run ClamAV antivirus with real-time scanning, OSSEC intrusion detection, and file integrity monitoring. Corporate workstations use Endpoint Detection & Response (EDR) solutions with continuous monitoring. All devices have application whitelisting, USB restrictions, and mobile device management enrollment.

9. Vendor Risk Management

Vendors are assessed for security maturity before engagement and required to sign our Data Processing Agreement. We verify security certifications (ISO 27001, SOC 2), conduct audits every 2 years for high-risk vendors, and require immediate notification of security incidents.

10. Security Awareness & Training

All employees complete mandatory security training annually, covering password management, phishing, data handling, incident reporting, and privacy requirements. New hires train during onboarding. Monthly security tips and quarterly phishing simulations reinforce awareness.

11. Compliance & Auditing

We comply with GDPR, CCPA, state privacy laws, and financial regulations. We conduct annual security assessments, quarterly vulnerability scans, annual penetration testing, and annual SOC 2 audits. External audits verify compliance with security standards.

Our Security Commitments

24 hrs: Critical vulnerabilities patched

4 hrs: Recovery time objective (RTO)

AES-256: Military-grade data encryption

Annual: Penetration testing & audits

For the complete policy document with detailed procedures and technical specifications:

Download Full Policy (PDF)

Questions About Security?

General Questions

For questions about our security practices and this policy:

security@goodstewards.app

Report a Security Issue

For security vulnerabilities or incidents (24/7):

security-incident@goodstewards.app

© 2026 Good Stewards Holdings Inc. All rights reserved.
