Security
Policy

This Security Policy outlines the principles, responsibilities, and requirements adopted by Vortexron Technologies India Pvt. Ltd. ("Vortexron") to ensure the confidentiality, integrity, and availability of information assets. The policy serves as a framework for managing and mitigating security risks to Vortexron's people, systems, operations, clients, and stakeholders.

This policy applies globally to:

• All Vortexron employees, contractors, interns, third-party vendors, and business associates.
• All information assets, systems, applications, networks, and cloud environments owned, leased, or accessed by Vortexron.
• All forms of data, including structured and unstructured, digital and physical.
• All Vortexron physical offices, data centers, development environments, and client sites.

Vortexron adopts a centralized security governance model under the leadership of the Chief Information Security Officer (CISO). Key responsibilities include:

• Defining and updating security policies, standards, and guidelines.
• Conducting regular risk assessments and audits.
• Enforcing security controls across all business units.
• Reporting to executive leadership and compliance committees.

Information and assets shall be classified based on sensitivity and impact:

Each information asset must have an identified owner, responsible for classification, access control, and compliance.

• Access to systems and data shall follow the principle of least privilege and need-to-know.
• Role-based access controls (RBAC) must be implemented.
• All access shall be logged, monitored, and periodically reviewed.
• Multi-factor authentication (MFA) is mandatory for critical systems.

• Sensitive data must be encrypted in transit and at rest using approved algorithms (e.g., AES-256, TLS 1.2/1.3).
• Encryption key management shall follow industry best practices.
• Hashing, digital signatures, and secure protocols are required for integrity validation.

• Access to office premises and data centers shall be controlled using ID badges and biometric or smart card access.
• Surveillance (CCTV), intrusion detection, and secure zones shall be implemented in critical areas.
• Fire suppression, climate control, and power backup systems must be functional.

• Regular patching and vulnerability scanning shall be performed.
• Antivirus, endpoint detection and response (EDR), and firewall solutions must be enabled across all endpoints.
• Change management procedures must be followed for all infrastructure or code deployments.

• Network perimeters must be protected using firewalls and IDS/IPS.
• VPNs shall be used for remote access with encryption.
• Email and collaboration tools must be monitored for phishing and malware.

• Secure coding practices must be followed (e.g., OWASP Top 10 compliance).
• Code reviews and automated security scanning tools are mandatory.
• Systems must be tested for security flaws prior to deployment.

• All third parties with system access must sign data protection and security agreements.
• Vendors must be assessed for compliance and risk posture before onboarding.
• Access by external entities must be logged, reviewed, and time-bound.

• A Security Incident Response Plan (SIRP) is maintained and tested.
• Security incidents must be reported immediately via defined communication channels.
• Incident response teams shall investigate, contain, and remediate all reported events.
• Post-incident reviews will identify root cause and preventive actions.

• Business Impact Assessments (BIA) must be conducted regularly.
• BCDR plans must be documented, tested, and maintained.
• Backup strategies must ensure data recovery objectives (RTO/RPO) are met.

• All employees must complete annual information security training.
• Phishing simulations and targeted learning will be conducted periodically.
• Key personnel (developers, admins, managers) will receive role-specific training.

• Continuous monitoring and SIEM tools must be implemented.
• Internal and external audits will be performed periodically.
• Logs must be retained based on regulatory and business requirements.

• This policy will be reviewed annually and upon major operational or regulatory changes.
• Violations of this policy may lead to disciplinary actions, including termination, legal action, or contract termination for third parties.