Access Control Policy

SCOPE

This policy applies to all information, assets, systems, and processing facilities, including logical and physical access.

PURPOSE

Defines rules for provisioning and revoking access within Cloudmadeez LLC.

TERMS AND DEFINITIONS

• ISG: Information Security Group
• LT: Leadership Team
• Logical Access: Identification, authentication, authorization protocols
• Access Control: Regulates who or what can view/use resources
• MFA: Multi-factor authentication
• Privilege: Special right or advantage
• Privileged Access: Admin/super-user access
• SSO: Single Sign-On
• Password: Secret phrase for access
• Least Privilege: Minimum access required to perform job

RESPONSIBILITIES

Ownership lies with ISG and relevant teams handling access.

POLICY

• Access granted under least privilege principle
• Group-based access preferred over user-based
• Access changes logged and reviewed periodically
• Inactive accounts reviewed after 30/90 days
• Access removed immediately on employment change
• Privileged access requires MFA and expiration management
• Third-party access requires sponsorship and defined expiration
• Provisioning via email/ticketing tools, revocation within 24 hours
• Quarterly access reviews with audit records

Backup & Restore Policy

PURPOSE

This policy aims to define the rules for taking data backups and testing the restoration.

SCOPE

The policy covers backups of all types of data and information within the Cloudmadeez LLC (herein referred to as Organization).

DEFINITION

• Backup: A copy of file, data, or information made in case the original is lost or damaged.
• Backup Server: A backup server enables the backup of data, files, applications, and/or databases on a specialized in-house or remote server.
• Incremental Backup: One in which successive copies of the data contain only the portion that has changed since the preceding backup.
• Differential Backup: A method that copies all files that have changed since the last full backup.
• Recovery Test: A process to ensure that the backup and recovery plan functions properly during a real emergency.

RESPONSIBILITIES

The primary ownership of implementing this policy is with the IT and DevOps Team and the ISG.

POLICY

• All backups shall be executed in an automated way based on frequency and timing to minimize impact.
• All backups shall be available on two different systems in two locations.
• Backup data shall be encrypted where required by legislation, regulation, or customer contracts.
• Cloud backup data must reside in a different physical region/zone than source data.
• Cloud backups must be stored on redundant media at alternate locations.

Data Backups and Frequency

Below types of data shall be backed up:

• Emails on Outlook – Real-time
• Application server (Azure)
• Database (Azure) – Full Daily, Incremental Daily (Auto)
• Files/Folders on SharePoint
• Client/User Data on Azure
• Source Code on Azure DevOps – Real-time

Backup Restoration Testing

• Database: Annually (Last 35 days only)
• Microsoft 365: Never (Service Provider responsibility)
• Source Code: Quarterly (No Limit)
• Records of restoration tests shall be maintained.
• Follow incident management in case of errors/failures.

Backup Monitoring

• Backup systems monitored at least quarterly.
• Status dashboards required for IT management oversight.

Business Continuity and Disaster Recovery Policy

PURPOSE

Details the planning and operation of business continuity and disaster recovery at Cloudmadeez LLC.

SCOPE

Applies to all employees, contractors, operations, and third parties.

TERMS AND DEFINITIONS

• ISMS, ISG, LT, CEO
• BCP: Business Continuity Plan
• DRP: Disaster Recovery Procedure
• BIA, MAO, RTO, RPO

RESPONSIBILITIES

DevOps and IT Team are responsible. Refer to escalation matrix and emergency contact tables.

POLICY PRINCIPLES

• Focus on disruption outcomes, not causes
• Plans must be scalable, adaptable, and promote local decisions
• Formal BIA guides continuity planning
• Plans exclude low-risk and cost-prohibitive events with approval
• Annual testing (tabletop, simulation, partial/full test)
• Training required for involved stakeholders

CLOUD-SPECIFIC CONSIDERATIONS

• Ensure SaaS infrastructure resiliency
• Account for outages and cross-region restoration
• Follow shared responsibility model for cloud continuity

Change Management Policy

PURPOSE

This policy aims to control the planned and unplanned changes within the environment and infrastructure of Cloudmadeez LLC (herein referred to as the Organization), including the cloud.

SCOPE

This policy applies to Cloudmadeez LLC and covers its employees and operations. It applies to all forms of change that impact production, development, testing, configuration, and administration of shared assets, services, and processes managed by the Organization. This includes IT assets, OS and software installation/configuration, networking, public computing services, storage, databases, application development/support, documentation, and access requests.

DEFINITION

• Change: Modification from current state to a different form, nature, or course.
• Standard Change: Pre-authorized, low-risk changes that follow a known procedure.
• Minor Change: Non-standard, minor changes affecting a single user/system.
• Major Change: Non-standard, major changes affecting multiple users/systems/platforms.
• Emergency Change: Urgent changes needing immediate implementation to restore or continue services.
• CR (Change Request): A formal request to implement a change.
• Change Requestor: Person initiating the change request.
• Change Reviewer: Person reviewing and forwarding the change request.
• Change Approver: Person approving/rejecting/postponing the change.
• Change Implementer: Person responsible for executing the change.

RESPONSIBILITIES

The primary responsibility for implementing this policy lies with the department heads. The Information Security Group (ISG) will implement the policy under the guidance of the Leadership Team and in coordination with department heads.

POLICY

The organization ensures adherence to change management directives, life cycles, access controls, separation of duties, test data sanitization, impact inclusion, managerial signoff, and functional testing documentation.

PROCEDURE

1. Change Initiation: A user identifies the need for a change and classifies it (Standard or Emergency).
2. Categorization: Assign category based on impact (Application, Access, Network, Others).
3. Priority Allocation: Assign priority based on impact.
4. Register Change: Register change request (e.g., JIRA ticket).
5. Emergency Change: Tag change as emergency if critical, follow expedited approval.
6. Standard Change Implementation: Sent to implementation team; approvals not required.
7. Normal Change Implementation: Requires approvals and QA before implementation.
8. Build and Test: Change is tested, records maintained.
9. QA Approval: QA validates the implementation success.
10. Change Implementation: Change is implemented in the live environment.
11. Rollback (if needed): Execute rollback if implementation fails.
12. Post-Implementation Review: Conducted by someone other than the initiator, then close CR.

Annexure A - Categorization Guideline

• Standard Change: Pre-authorized changes with low risk, frequently processed, following established procedures. May still require assessments and scheduling.
• Emergency Change: Urgent changes with high impact; scheduling may be skipped. Higher risk possible.

Annexure A2 - Change Priority Matrix

• Priority 1: High-impact changes affecting significant IT operations or multiple customers.
• Priority 2: Partial services affected for multiple customers.
• Priority 3: Single customer services affected.
• Priority 4: Partial services for a single customer, including standard changes.
• Priority 5: No impact on systems/services.

Version

v1

Created By: Adarsh, July 11, 2025

Published By: Adarsh, July 12, 2025

Encryption and Key Management Policy

Purpose

This policy defines Cloudmadeez LLC’s (herein referred to as "Organization") security control requirements for encryption and key management lifecycle.

Scope

This policy applies to all data stored at rest and/or transmitted, including writable media and databases. It applies to the entire organization, employees, contractors, and third parties.

Definition

Sensitive Information: Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.

Responsibilities

The IT Head and DevOps Head are responsible for implementing this policy.

Cryptography Policy

• All data and information storage media must be identified.
• Best practices should be implemented where technically feasible.
• Methods used in cryptography shall be documented and secured from unauthorized access.
• When selecting new cryptographic technologies, Information Technology must approve them before use.
• Technologies used must be interoperable with other technologies within the company and during external exchanges.
• Technologies must meet applicable legal requirements based on the location of the information assets.
• Encryption algorithms must be AES-compatible or partially AES-compatible, following IETF/IRTF Cipher Catalog standards.
• Algorithms, key lengths, and hash values must be reviewed at least annually.
• Data recovery logic must be implemented to ensure encrypted data is recoverable.
• Implement recovery mechanisms for forensic investigation and law enforcement access.

Encryption Requirements

• Hard disk encryption must use hardware tokens for key management.
• Sensitive information, including personal data or cryptographic keys, requires additional security measures when exchanged.
• A process must be established to decrypt data or restore encryption keys if the original key is lost.
• TLS should be used for network communication.

Application of Encryption

Data in Transit

Includes, but is not limited to:

• Data transmitted via Internet connections
• Email transmissions
• Remote access connections
• File transfers to third parties
• Administrative access to IT systems

Data in Storage

Includes, but is not limited to:

• Backup and removable media
• Mobile device drives (e.g., laptops, phones, tablets)
• Application/database fields and tables or electronic files

Transmission Encryption Methods

• TLS: Encrypts communication over the Internet.
• VPN: Uses public networks to provide secure services to remote personnel (RSA encryption methods).
• SFTP: Transfers files securely using SSH; encrypts passwords and sensitive data over public networks.
• TLS/SSH: Encrypts passwords and authentication data for privileged accounts.

Encryption Levels

• Symmetric cryptosystems must use keys of at least 128 bits.
• Asymmetric cryptosystems must use key lengths of at least 1024 bits.

Key Management

• Cryptographic measures and techniques shall be implemented to protect keys.
• Organizations must protect keys from unauthorized use, modification, and loss.
• Key lengths must align with best practices or technological feasibility.

Information Security Policy

Purpose

This document aims to provide Cloudmadeez LLC (herein referred to as the Organization) with a policy that communicates the need to protect the Confidentiality, Integrity, and Availability of information assets. It ensures that information and information systems are available to intended users, protected against unauthorized access and modification, and compliant with relevant legislative, regulatory, and contractual requirements. It aims to motivate employees to maintain responsibility, ownership, and knowledge about information security to minimize the risk of incidents and ensure continuity of service, even during major security events. The organization also aims to comply with international standards for information security, such as SOC2.

Scope

This policy applies to Cloudmadeez LLC, its employees (including contractors), and its operations.

Definition

• Information Processing System – Subsystems of the information system in which data are recorded and processed following formal procedures.
• Information – An asset of value to an organization that must be suitably protected.
• Confidentiality – Ensuring information is not made available or disclosed to unauthorized individuals, entities, or processes.
• Integrity – Safeguarding the accuracy and completeness of assets.
• Availability – Ensuring authorized entities can access and use information upon demand.
• Information Security – Preservation of the confidentiality, integrity, and availability of information in any medium (electronic, paper-based, or other storage media).

Roles and Responsibilities

The Information Security Manager is responsible for implementing, maintaining, and enforcing the policy.

Policy

• Ensure Confidentiality, Integrity, and Availability of information assets.
• Use information and processing systems securely to support strategic goals.
• Establish an Information Security Management System (ISMS) to implement, operate, monitor, and improve security controls.
• Handle information securely throughout its lifecycle—creation, storage, processing, transmission, and disposal.
• Classify information based on confidentiality, integrity, and availability requirements.
• Identify and mitigate all information-related risks promptly.
• Train employees and raise awareness about their information security responsibilities.
• Restrict access to authorized users as per business needs.
• Secure personnel, information, and systems from physical and environmental threats.
• Identify, control, and monitor risks associated with third-party vendors or suppliers.
• Manage and control changes to information systems securely.
• Report and manage all security incidents promptly.
• Define, implement, and test Business Continuity Plans.
• Comply with all applicable legal and regulatory information security requirements.
• Continuously review and improve the organization's information security posture.
• Employees must not disclose, copy, alter, or destroy information unless properly authorized.
• Take measures to protect confidential information within their professional scope.
• Apply data masking to reduce exposure of personal data and comply with requirements.
• Delete and securely store data no longer required.
• Follow approved information security policies, procedures, standards, and guidelines.
• Do not attempt to circumvent or subvert any security controls.
• Collect and analyze threat information to support informed decision-making and reduce impact.

Supporting Policies

• Human Resource Security Policy – Ensures users understand their responsibilities and are suitable for their roles.
• Information Classification Policy – Defines guidelines and baseline controls for protecting organizational data.
• Access Control Policy – Limits access to information and systems to authorized users only.
• Asset Management and Disposal Policy – Ensures proper protection and disposal of information assets.
• Encryption and Key Management Policy – Manages encryption effectively to protect confidentiality, authenticity, and integrity.
• Acceptable Use Policy – Outlines best practices for use of IT and information assets.
• Mobile and Teleworking Policy – Protects information accessed, processed, or stored on mobile devices or during telework.
• Log Management and Monitoring Policy – Records and monitors system events to generate evidence.
• Secure Development and Maintenance Policy – Integrates security throughout system development and maintenance phases.
• Incident Management Policy – Provides a consistent approach for managing incidents and weaknesses.
• Change Management Policy – Controls changes to systems and facilities affecting security.
• Risk Management Procedure – Establishes governance for identifying and addressing security risks.
• Patch and Vulnerability Management Policy – Ensures timely response to technical vulnerabilities.
• Network Management Policy – Protects information within networks and supporting systems.
• Backup and Restore Policy – Defines rules for backing up and restoring data.
• Business Continuity and Disaster Recovery Policy – Plans for maintaining operations during emergencies.
• Vendor Management Policy – Governs relationships with external service providers.

Version and Approval

• Version: v1
• Created By: Adarsh, July 11, 2025
• Approved By: CEO, July 12, 2025
• Published By: Adarsh, July 12, 2025

Password Management Policy

Purpose

This policy defines the rules and guidelines for password management at Cloudmadeez LLC (herein referred to as Organization).

Scope

This policy applies to the entire IT assets, employees, and contractors. It applies to all assets.

Definition

• ISG: Information Security Group
• CISO: Chief Information Security Officer

Responsibilities

The ISG and CISO are responsible for implementing this policy under the guidance of top management and the DevOps Team.

Policy Requirements

Passwords will be managed at the following levels:

• Employees (email, endpoints, web applications, etc.)
• System level (root accounts, service accounts, admin passwords, etc.)

All employee- and system-level passwords must conform to this policy. All passwords will be uniquely associated with a user account.

The ISG will implement procedures for creating, changing, resetting, and communicating initial passwords. Users must change temporary passwords at first login. Default vendor passwords must be changed.

Password sharing is prohibited unless approved by ISG. All systems must adhere to this policy.

Password Creation Requirements

Cloud Infrastructure

• Minimum 14 characters with 1 uppercase, 1 lowercase, 1 number, and 1 special character
• Multi-factor authentication (MFA) must be enabled
• Password and user ID must not be identical
• Must not contain personal information
• Must not be easily guessable
• Must differ from previous 3 passwords
• Passwords expire after 90 days

Email, Endpoints, and Web Applications

• Minimum 8 characters with 1 uppercase, 1 lowercase, 1 number, and 1 special character
• Same rules for uniqueness and personal data as above
• Must differ from previous 3 passwords
• Passwords expire after 90 days

Password Modification

Users may change passwords using the provided password change option in systems per policy.

Password Reset

Reset requests initiated by IT Head via email or phone. ISG or CISO resets password to default and requires change at next login. Records of resets will be maintained.

Password Protection

• Default passwords must be changed upon onboarding
• Passwords must not be reused across systems
• Details not sent via email or SMS in plain text
• Passwords must not be revealed verbally or shared
• Passwords must be encrypted in storage and transmission
• Use of password manager is required
• Admin/superuser passwords stored in personal vaults and updated on resignation or termination

Termination of Employee Relationship

All user IDs and passwords for IT employees must be changed. For others, accounts should be disabled and removed. Department head can request ID retention with password change.

User Responsibilities

• Do not use user ID as password
• Do not share passwords
• Passwords are confidential
• Do not store passwords in unencrypted files
• Report any suspected compromise immediately

Application Development Standards

• Applications must authenticate individual users, not groups
• Passwords must not be stored in clear text or reversible formats
• Role-based access management is required
• Implement OAuth and SSO where applicable

Document Information

• Version: v1
• Created By: Adarsh, July 11, 2025
• Approved By: CEO/Management, July 11, 2025
• Published By: Adarsh, June 13, 2025

Patch & Vulnerability Management Policy

PURPOSE

This policy ensures that vulnerabilities, weaknesses, or exposures in IT and engineering resources or processes are identified, assessed, and remediated to prevent attacks that may lead to security or business risks. This policy outlines the technology and procedures used by Cloudmadeez LLC (herein referred to as Organization) to detect and remediate vulnerabilities and maintain maximum levels of security.

SCOPE

This policy applies to Cloudmadeez LLC and all of their employees and contractors. It covers the following areas:

• Desktop and laptop operating environment
• Server operating environment within the organization and on the cloud
• Network devices and equipment installed within the organization and on the cloud
• Code repository in development, testing, and production environment

DEFINITIONS

• CVSS: The Common Vulnerability Scoring System - a method used to supply a qualitative measure of severity.
• ISG: Information Security Group

RESPONSIBILITIES

The IT Head and DevOps Head are responsible for identifying significant security vulnerabilities and making recommendations about patch installation timelines. The DevOps Head will monitor and track vulnerability alert statuses, including changes and updates, and ensure the CVSS score is updated accordingly.

VULNERABILITY IDENTIFICATION

Security vulnerabilities are identified by:

• Annual external vulnerability scans on public-facing IPs
• Annual external network penetration tests
• Vulnerability scanning after significant infrastructure or application changes
• Monitoring industry publications for zero-day vulnerabilities
• Daily virus scan log reviews
• Regular security log reviews
• Audit-reported issue reviews

VULNERABILITY MANAGEMENT

A vulnerability scanning and assessment provider will sign an agreement, including confidentiality provisions. Upon receiving a report:

• Verify results and validate exposure through penetration testing
• Follow Change Management Policy for all configuration and code changes
• Implement mitigating measures, log exceptions, and get approvals as needed
• Conduct re-scans to ensure effective mitigation

Remediation Timeframes

Based on CVSS v3.1 severity:

• Critical: Remote root/admin access. Remediate within 5 business days or less.
• High: Privileged access risk. Remediate within 10 business days or less.
• Medium: Standard user access risk. Remediate within 30 business days or less.
• Low: Indirect risk, potentially part of a more informed attack. Reasonable timeframe.

The Engineering Guild will generate annual vulnerability status reports to assess policy effectiveness.

PATCH MANAGEMENT

A patch management tool or tracker must be used. Patches are categorized by severity and validated to exclude false positives. All patches must be tested in a test environment before being deployed to production.

Laptops, Desktops, and Endpoint Software

• Latest patches for critical and security updates must be installed based on availability.
• Employees must prioritize patch deployment on their devices.
• The ISG will verify patch status on devices periodically.
• Operating systems and office software will be updated to the latest versions where possible.
• Random sampling will verify patch effectiveness monthly.
• Application patches will be deployed on a need basis.

VERSION & APPROVAL

• Version: v1
• Created by: Adarsh, July 11, 2025
• Approved by: CEO, July 12, 2025
• Published by: Adarsh, July 12, 2025

Physical Security Policy

Purpose

This policy defines the requirements for granting, controlling, monitoring, and removing physical access to Cloudmadeez LLC facilities.

Scope

This policy applies to all individuals with authorized access to Cloudmadeez LLC facilities.

Policy

• Physical access to restricted facilities must be documented and managed.
• Only authorized personnel whose job responsibilities require it may access information resource facilities.
• Access cards/keys must not be shared or loaned. Lost or stolen items must be reported immediately.
• Visitor access must be logged, and visitors must be escorted at all times.
• Facility access must be reviewed periodically, and access removed when no longer required.
• Physical signage should be minimal and practical, without disclosing importance.

Clear Desk & Data Security

• Sensitive data must be secured when unattended or after hours.
• Workstations must be locked when not in use.
• Confidential materials must be stored or shredded appropriately.
• Passwords must not be written or visible on desks or devices.
• USBs and portable devices must be secured.

Equipment Security

• All assets must be covered by warranties or service contracts.
• Regular inspections and tests must be conducted to ensure functionality.
• Asset movement must be tracked, and inventories updated.
• Network cabling must be protected and not routed through unsecured areas.

Document Control

Version: v1
Created By: Adarsh, July 11, 2025
Approved By: CEO/Management, July 13, 2025
Published By: Adarsh, July 13, 2025