Information Security Policy
Version 1.0.2
Introduction
Information security is a holistic discipline, meaning that its application, or lack thereof, affects all facets of an organization or enterprise. The goal of the Ease Solutions Information Security Program is to protect the confidentiality, integrity, and availability (CIA) of data processed, stored, or transmitted within the organization, while supporting business objectives.
Confidentiality, integrity, and availability are foundational principles of information security and can be defined as:
Confidentiality – Ensuring that information is accessible only to authorized entities, commonly enforced by the “need-to-know” principle.
Integrity – Safeguarding the accuracy and completeness of information and the systems used to process it.
Availability – Ensuring that information assets (e.g., systems, networks, data) are accessible and usable by authorized users when needed.
Ease Solutions recognizes that business information is a critical asset. The ability to manage, control, and protect this asset has a direct and significant impact on long-term success.
This document defines the governance framework for information security and serves as the foundation for all supporting security policies and procedures. It ensures that business information assets—and those entrusted to Ease Solutions by stakeholders, partners, customers, and third parties—are appropriately protected.
The Ease Solutions Information Security Program is based on the principles defined herein and its supporting documentation.
Purpose
The purpose of this policy is to outline the security principles, actions, and behaviors required to protect Ease Solutions and its stakeholders from undue information security risks.
Audience
This policy applies to all individuals, entities, and processes that access or interact with Ease Solutions information systems, data, and technology resources.
Responsibilities
Executive Management
Ensure a risk-based, organization-wide Information Security Program is implemented to protect all information resources.
Integrate security into strategic, operational, and budgeting processes.
Allocate sufficient resources (financial, technical, human) to support security objectives.
Appoint a qualified Information Security Officer (ISO) and grant them authority to manage the Information Security Program.
Require the ISO to report at least annually on the effectiveness of the Information Security Program.
Information Security Officer
Provide regular updates to Executive Management on program status and improvements.
Ensure compliance with all applicable laws, regulations, standards (e.g., ISO 27001, NIST), and contractual obligations.
Continuously assess and manage risks to organizational information resources.
Lead the development and maintenance of security policies, standards, and operational procedures.
Oversee security awareness and training programs for all personnel, including those with significant security responsibilities.
Implement a formal risk treatment and corrective action process for addressing identified vulnerabilities or policy deficiencies.
Establish procedures for ongoing monitoring and continuous improvement of the security program.
Develop and manage processes for assessing and managing third-party risks.
Report annually on the program’s effectiveness, including remediation status and risk posture.
All Employees, Contractors, and Other Third-Party Personnel
Understand and comply with the Information Security Program and associated policies.
Use information resources in accordance with approved security practices.
Promptly report any suspected security incidents or policy violations.
Seek guidance from the ISO when in doubt about security obligations.
Policy
Ease Solutions maintains and communicates an Information Security Program consisting of topic-specific policies, standards, procedures, and guidelines that:
Protect the confidentiality, integrity, and availability of organizational information resources using a combination of administrative, physical, and technical controls.
Support business operations and align with strategic goals.
Comply with all applicable legal, regulatory, and contractual requirements.
Are reviewed at least annually or upon major changes to the threat or operational environment.
Waivers
Waivers from certain policy provisions may be sought following our internal processes.
Enforcement
Personnel found in violation of this policy may face disciplinary actions, up to and including termination of employment and potential legal consequences.
Third-party entities, including vendors and contractors, may face access revocation, contract termination, or legal action for non-compliance.
Version History
Version | Modified Date | Reason/Comments |
1.0.0 | November 2021 | Document Origination |
1.0.1 | June 2022 | Minor revision |
1.0.2 | June 2025 | Minor revision |