Information Security Policy


SOC 2 Criteria: CC1.2, CC1.3, CC2.1, CC5.1, CC5.2, CC5.3,

Keywords: Corrective action, Security training, Clean desk


Background

CAST.AI commits to satisfy applicable requirements related to information security and data privacy.

Information security and data privacy is an important integral part of our corporate governance. We are committed to continually improve our information security management system by setting ambitious information security goals and objectives at least in these areas:
• Compliance
• Risk appetite and capacity
• Incident detection and resolution.

It is the policy of CAST AI that information, as defined hereinafter, in all its forms–written, spoken, recorded electronically, or printed–will be protected from accidental or intentional unauthorized modification, destruction, or disclosure throughout its life-cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.

The Security Officer is responsible for the design, development, maintenance, dissemination, and enforcement of the items contained in this policy. At a minimum on an annual basis, a security and/ or compliance committee composed of senior management and key personnel must discuss, evaluate and document the company’s security program, ensuring strategic goals and objectives are continually being developed. At a minimum on an annual basis, all policies must be reviewed, modified, and/ or edited to meet necessary security standards. All policies must be signed and approved by authorized personnel.

Policies and/or procedures must be accessible to employees for review at all times via the compliance automation SaaS, Drata. Policies pertaining to positions must be reviewed and signed upon hire and on an annual basis by all employees.

Requests for any exceptions to any policies included within the security program must be approved by Executive Management. Any approved exceptions will be reviewed annually.

Purpose

This Policy has been developed to meet the company’s regulatory, legal, contractual, and other obligations; to ensure that the appropriate company image is presented, and to control business risks.

Scope

This Policy applies to:
Information in any form, regardless of the media on which it is stored, as well as, any facility, system, or network used to store, process, and/or transfer information.

All CAST AI employees, temporary staff, partners, contractors, vendors, suppliers, and any other person (collectively also referred to as “Staff” or “Personnel”) or entity that accesses the company’s data or it’s infrastructure.

All activity while using or accessing the company’s information or information processing, storage, or transmission equipment, while on the company premises (owned, rented, leased, or borrowed) or remotely.

Information resources that have been entrusted to the company by any entity external to the company (i.e. Customers, Staff, and others).
Documents, messages, and other communications created on or communicated via the company systems are considered the company’s business records and, as such, are subject to review by third parties in relation to audits, litigation, process improvement, and compliance.

Training

Management shall ensure that employees, contractors and third-party users:

All new hires are required to complete information security awareness training as part of their new employee onboarding process and annually thereafter. New hire onboarding will be completed within 60 days after the date the employee or contractor is hired. Ongoing training will include security and privacy requirements as well as training in the correct use of information assets and facilities.

Additional specialized training will be required for individuals responsible for maintaining systems. Specialized topics would include spam, phishing, OWASP Top Ten list, and SANS Top 25 list. In addition, consistent with assigned roles and responsibilities, incident response and contingency training to personnel will be done:

I. within 90 days of assuming an incident response role or responsibility;
II. as required by information system or policy changes; and
III. once a year thereafter.

The organization will document that the training has been provided to all employees.

All employees are required to acknowledge in writing their understanding of the Information Security Program which includes a Code of Conduct upon hire and annually thereafter.

Clean Desk/Work Area Policy

Authorized users will ensure that all sensitive/confidential materials are removed from their workspace and locked away when the items are not in use or an employee leaves his/her workstation.

Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.

File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended. Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.

Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location. Printouts containing Restricted or Sensitive information should be immediately removed from the printer.

Upon disposal Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the lock confidential disposal bins.

Whiteboards containing Restricted and/or Sensitive information should be erased.

Treat mass storage devices such as external hard drives or USB drives as sensitive and always secure and encrypt them.

All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.

Enforcement

CAST AI Management, under the explicit authority granted by the company CEO, retains the authority and responsibility to monitor and enforce compliance with this Policy and other policies, standards, procedures, and guidelines. Monitoring activities may be conducted on an on-going basis or on a random basis whenever deemed necessary by Management and may require investigating the use of the Company’s information resources. The company reserves the right to review any and all communications and activities without notice.

CAST AI will take appropriate precautions to ensure that monitoring activities are limited to the extent necessary to determine whether the communications or activities are in violation of Company policies, standards, procedures, and guidelines or in accordance with normal business processing performance or quality activities.

Violation of the controls established in this Policy is prohibited and will be appropriately addressed. Disciplinary actions for violations may include verbal and/or written warnings, suspension, termination, and/or other legal remedies and will be consistent with our published HR standards and practices.

Employee Sanctions

CAST AI’s discipline policy and procedures are designed to provide a structured corrective action process to improve and prevent a recurrence of undesirable employee behavior and performance issues. It has been designed to be consistent with CAST AI cultural values, Human Resources (HR) best practices, and employment laws.

CAST AI reserves the right to combine or skip steps depending on the facts of each situation and the nature of the offense. The level of disciplinary intervention may also vary. Some of the factors that will be considered are whether the offense is repeated despite coaching, counseling, or training, the employee’s work record, and the impact the conduct and performance issues have on the organization.

Corrective Action Procedure

Step 1: Verbal Warning and Counseling
This initial step creates an opportunity for the immediate supervisor to schedule a meeting with an employee to bring attention to an existing performance, conduct, or attendance issue. The supervisor should discuss with the employee the nature of the problem or the violation of company policies and procedures. The supervisor is expected to clearly describe expectations and the steps the employee must take to improve performance or resolve the problem.

Step 2: Formal Written Warning
If the employee does not promptly correct any performance, conduct or attendance issues that were identified in Step 1, a written warning will become formal documentation of the performance, conduct, or attendance issues and consequences. The employee will sign a copy of the document to acknowledge receipt and understanding of the formal warning. During Step 2, the immediate supervisor and HR representative will meet with the employee to review any additional incidents or information about the performance, conduct or attendance issues as well as
any prior relevant corrective action plans. Management will outline the consequences for the employee of his or her continued failure to meet performance or conduct expectations.

A formal performance improvement plan (PIP) requiring the employee’s immediate and sustained corrective action will be issued after a Step 2 meeting. A warning outlining that the employee may be subject to additional discipline up to and including termination if immediate and sustained corrective action is not taken may also be included in the written warning.

Step 3: Suspension and Final Written Warning
There may be performance, conduct, or safety incidents so problematic and harmful that the most effective action may be the temporary removal of the employee from the workplace. When immediate action is necessary to ensure the safety of the employee or others, the immediate supervisor may suspend the employee pending the results of an investigation. Suspensions that are recommended as part of the normal progression of this progressive discipline policy and procedure are subject to approval from a next-level manager and HR.

Step 4: Recommendation for Termination of Employment
The last step in the progressive discipline procedure is a recommendation to terminate employment. Generally, CAST AI will try to exercise the progressive nature of this policy by first providing warnings, a final written warning or suspension from the workplace before proceeding to a recommendation to terminate employment. However, CAST AI reserves the right to combine and skip steps depending on the circumstances of
each situation and the nature of the offense. Furthermore, employees may be terminated without prior notice or disciplinary action.
Management’s recommendation to terminate employment must be approved by HR and the supervisor’s immediate manager.

Performance and Conduct Issues Not Subject to Progressive Discipline Behavior that is illegal is not subject to progressive discipline, and such behavior may be reported to local law enforcement authorities. Theft, substance abuse, intoxication, fighting and other acts of violence at work are grounds for immediate termination.