Information Security Policy

Effective Date: 09/25/2025
Last Updated: 09/30/2025

1. Purpose and Scope

This Information Security Policy outlines Whitaker Networks, Inc.'s ("Whitaker") commitment to protecting the confidentiality, integrity, and availability of information assets belonging to our organization, our clients, and our partners. This policy applies to all employees, contractors, partners, and third parties who access Whitaker systems or handle client data.

2. Security Commitment

Whitaker Networks is committed to maintaining the highest standards of information security. We implement comprehensive security controls designed to:

  • Protect client data and systems from unauthorized access, disclosure, modification, or destruction

  • Ensure the availability and reliability of our managed IT services

  • Comply with applicable laws, regulations, and industry standards

  • Maintain SOC 2 Type II compliance

  • Continuously improve our security posture through ongoing monitoring and assessment

3. Information Security Framework

3.1 Security Standards

Our information security program is designed to meet or exceed:

  • SOC 2 Trust Services Criteria (Security, Availability, Confidentiality)

  • NIST Cybersecurity Framework

  • CIS Critical Security Controls

  • Industry best practices for managed service providers

3.2 Risk Management

We conduct regular risk assessments to identify, evaluate, and mitigate security risks. Our risk management process includes:

  • Annual comprehensive risk assessments

  • Quarterly threat landscape reviews

  • Continuous vulnerability scanning and management

  • Regular security control testing and validation

  • Incident response planning and tabletop exercises

4. Access Control and Authentication

4.1 User Access Management

  • Access to systems and data is granted based on the principle of least privilege

  • User access is reviewed quarterly and when roles change

  • Terminated user access is revoked within 24 hours

  • All access requests require manager approval

  • Privileged access requires additional justification and approval

4.2 Authentication Requirements

  • Multi-factor authentication (MFA) is required for all administrative access

  • MFA is required for remote access to client systems

  • Passwords must be at least 12 characters long and meet the defined complexity rules

  • Password managers are required for credential storage

  • Service accounts use strong, unique passwords and are regularly rotated

4.3 Remote Access Security

  • All remote access sessions are encrypted using industry-standard protocols

  • Remote access connections are logged and monitored

  • Client systems are accessed only through secure, approved tools

  • Remote access sessions are terminated after periods of inactivity

5. Data Protection and Privacy

5.1 Data Classification

We classify data into categories (Public, Internal, Confidential, Restricted) and apply appropriate security controls based on sensitivity.

5.2 Data Encryption

  • Data in transit is encrypted using TLS 1.2 or higher

  • Data at rest is encrypted using AES-256 or equivalent

  • Client credentials and sensitive data are encrypted in our documentation systems

  • Backup data is encrypted both in transit and at rest

5.3 Data Handling

  • Client data is accessed only for authorized service delivery purposes

  • Data is processed in accordance with client instructions and contracts

  • Personal information is handled in compliance with applicable privacy laws

  • Data retention periods are defined and enforced

  • Secure deletion procedures are used when data is no longer needed

5.4 Data Backup and Recovery

  • Client systems are backed up according to agreed-upon schedules

  • Backups are tested regularly to ensure recoverability

  • Backup data is stored securely with appropriate access controls

  • Disaster recovery plans are maintained and tested annually

6. Network and Infrastructure Security

6.1 Network Security

  • Firewalls protect network boundaries

  • Network segmentation isolates sensitive systems

  • Intrusion detection and prevention systems monitor for threats

  • Wireless networks use WPA3 or WPA2 encryption

  • Network devices are hardened and regularly patched

6.2 Endpoint Security

  • All endpoints run approved antivirus/anti-malware software

  • Endpoint detection and response (EDR) solutions are deployed

  • Workstations and servers are configured to security baselines

  • Mobile device management (MDM) is used for mobile devices

  • Full disk encryption is enabled on laptops and mobile devices

  • Screens automatically lock after 5 minutes of inactivity

  • Users must lock devices when leaving them unattended

  • Clear desk policy requires confidential materials to be secured

  • Mobile devices must be password or biometric protected

  • Confidential information must not be stored on mobile devices or USB drives (except business contact information)

  • Stolen or lost devices must be reported immediately

6.3 Vulnerability Management

  • Vulnerability scans are conducted at least monthly

  • Critical vulnerabilities are remediated within 15 days

  • High vulnerabilities are remediated within 30 days

  • Patch management ensures timely application of security updates

  • Penetration testing is conducted annually by qualified third parties

7. Security Monitoring and Incident Response

7.1 Security Monitoring

  • Security events are logged and monitored 24/7

  • Security information and event management (SIEM) tools aggregate and analyze logs

  • Automated alerts notify security personnel of suspicious activities

  • Security metrics are tracked and reported to management

7.2 Incident Response

  • An incident response plan defines procedures for detecting, responding to, and recovering from security incidents

  • Incident response team members are trained and assigned specific roles

  • Security incidents are classified by severity and handled accordingly

  • Clients are notified of security incidents affecting their data as required by contract and law

  • Post-incident reviews identify lessons learned and drive improvements

7.3 Incident Notification

In the event of a security incident affecting client data:

  • We will notify affected clients within 72 hours of discovery

  • We will provide details about the nature of the incident, affected data, and response actions

  • We will coordinate with clients on any required notifications to regulators or individuals

  • We will provide regular updates until the incident is resolved

8. Physical and Environmental Security

8.1 Office Security

  • Office facilities have restricted access controls

  • Visitors are logged and escorted

  • Workstations lock automatically when unattended

  • Clean desk policy requires securing sensitive information

8.2 Data Center Security

  • Client data is hosted in secure, SOC 2 compliant data centers

  • Data centers employ physical access controls, surveillance, and environmental controls

  • Multiple geographic locations provide redundancy

  • Power and cooling systems are monitored and maintained

9. Third-Party Security Management

9.1 Vendor Risk Management

  • Third-party service providers are assessed for security risks before engagement

  • Vendors handling sensitive data must meet our security requirements

  • Vendor security is reviewed annually

  • Contracts include security and confidentiality requirements

9.2 Approved Service Providers

We use industry-leading security and service providers, including:

  • SOC 2 compliant cloud infrastructure providers

  • Certified cybersecurity software vendors

  • Vetted backup and disaster recovery providers

  • Secure communication and collaboration tools

10. Security Awareness and Training

10.1 Employee Training

  • All employees complete security awareness training upon hire and acknowledge the Information Security Policy

  • Annual security training is mandatory for all personnel

  • Role-specific training is provided for technical staff

  • Phishing simulation exercises test and improve awareness

  • Security policies and procedures are readily accessible to all team members

  • Employees are responsible for exercising good judgment regarding appropriate use of information and systems

10.2 Employee Responsibilities

All employees and contractors must:

  • Read and understand company security policies

  • Use company systems only for authorized business purposes

  • Report security incidents immediately via [email protected]

  • Protect passwords and credentials

  • Lock screens after 5 minutes of inactivity or when leaving workstations unattended

  • Follow clear desk policies for confidential materials

  • Exercise good judgment regarding personal use of company devices

10.3 Client Training

  • Security awareness training is available for client employees

  • Mock phishing campaigns help clients assess and improve their security posture

  • Training content is updated regularly to address current threats

  • Training completion is tracked and reported

11. Change Management

  • Changes to production systems follow documented change management procedures

  • Changes are reviewed, approved, tested, and documented

  • Emergency changes follow expedited procedures with post-implementation review

  • Change logs are maintained for audit purposes

  • Clients are notified of changes that may affect their systems

12. Business Continuity and Disaster Recovery

12.1 Business Continuity

  • Business continuity plans ensure critical operations continue during disruptions

  • Key personnel have documented backup coverage

  • Alternative work arrangements enable remote operations

  • Business continuity plans are tested annually

12.2 Disaster Recovery

  • Disaster recovery plans define procedures for recovering from major incidents

  • Recovery time objectives (RTO) and recovery point objectives (RPO) are established

  • Client systems have appropriate backup and recovery capabilities

  • Disaster recovery procedures are tested regularly

13. Compliance and Audit

13.1 Compliance Program

  • Legal and regulatory requirements are identified and tracked

  • Compliance with applicable laws is monitored and enforced

  • Privacy regulations (GDPR, CCPA, etc.) are followed where applicable

  • Industry standards and frameworks guide our security practices

13.2 SOC 2 Compliance

  • Whitaker maintains SOC 2 Type II certification

  • Independent auditors assess our controls annually

  • SOC 2 reports are available to qualified clients under NDA

  • Control deficiencies are remediated promptly

13.3 Internal Audits

  • Internal security audits are conducted quarterly

  • Audit findings are tracked and remediated

  • Management reviews audit results and security metrics

  • Continuous improvement initiatives address identified gaps

14. Acceptable Use

14.1 User Responsibilities

All users of Whitaker systems must:

  • Protect credentials and not share accounts

  • Use systems only for authorized business purposes

  • Report security incidents or suspicious activities immediately

  • Comply with security policies and procedures

  • Complete required security training

14.2 Prohibited Activities

Users must not:

  • Access systems or data without authorization

  • Introduce malware or compromise system security

  • Bypass or disable security controls

  • Use systems for illegal activities

  • Disclose confidential information improperly

14.3 Consequences

Violations of security policies may result in:

  • Disciplinary action up to and including termination

  • Revocation of system access

  • Legal action for criminal violations

  • Financial liability for damages caused

15. Security Contact Information

To report security incidents or concerns, or for questions about our security practices:

Security Incident Reporting:
Email: [email protected] (monitored 24/7)
Phone: (330) 850-1025

General Information:
Support: [email protected]
Address: 41 Merz Blvd., Fairlawn, Ohio 44333

Whistleblower Reporting:
Anonymous reports of ethics violations, fraud, or policy violations can be submitted through our internal whistleblower portal. We protect whistleblowers from retaliation.

All security incidents must be reported immediately, or as soon as possible after discovery. When reporting, include a description of the incident along with relevant details.

16. Policy Review and Updates

This Information Security Policy is reviewed and updated at least annually, or more frequently as needed to address:

  • Changes in business operations or risk landscape

  • New threats or vulnerabilities

  • Regulatory or compliance requirement changes

  • Audit findings or security incidents

  • Technology or service changes

All significant policy changes are communicated to employees, clients, and other stakeholders as appropriate.

17. Acknowledgment and Agreement

By accessing Whitaker systems or handling Whitaker or client data, you acknowledge that you have read, understood, and agree to comply with this Information Security Policy.

Document Version: 1.0