Document Version: 1.0
Effective Date: [01/18/2024]
Approved By: Marian Tolofari, CEO
Review Cycle: Annually or upon material change

1. Purpose

Kemafy LLC’s Information Security Program (ISP) is established to protect the confidentiality, integrity, and availability of information assets—both internal and client-owned. The program ensures compliance with applicable legal, regulatory, and contractual obligations.

2. Scope

This program applies to:
• All Kemafy LLC employees, contractors, vendors, and partners
• All information systems (cloud-based, SaaS, web platforms, devices, networks)
• All data handled in IT project consulting, cybersecurity operations, and digital marketing services

3. Governance Structure

Role                        Responsibility
CEO / Managing Director     Executive oversight of the ISP
Information Security Lead   Program owner, risk assessor, and compliance monitor
Project & Technical Teams   Implement security controls and report incidents
HR & Admin                  Enforce training and access control policies

4. Policies & Controls

4.1. Information Classification
• Confidential: Client data, internal strategy, credentials
• Internal Use: Internal communications, work-in-progress documents
• Public: Marketing materials, published blog content

4.2. Access Control
• Principle of least privilege applied
• Role-based access for cloud tools (e.g., hosting, analytics, email systems)
• MFA (Multi-Factor Authentication) enabled on all admin-level access

4.3. Data Security
• All client data is encrypted in transit (TLS) and at rest (AES-256)
• Secure file transfer via SFTP or encrypted cloud drives
• Regular vulnerability scans and patch management

4.4. Incident Response Plan (IRP)
• All suspected incidents are reported to the Information Security Lead within 1 hour
• IRP includes detection, containment, eradication, recovery, and post-incident review
• Major incidents are logged and reviewed quarterly

4.5. Vendor Management
• All third-party platforms (e.g., hosting, email marketing, cloud CMS) undergo security vetting
• NDAs and Data Processing Agreements are enforced

4.6. Business Continuity & Disaster Recovery
• Daily encrypted backups of client projects and servers
• DR procedures documented for critical systems (e.g., web hosting, payment processors)

4.7. Training & Awareness
• All team members undergo annual cybersecurity training
• New hires complete a security orientation during onboarding

5. Compliance & Framework Alignment

Kemafy LLC aligns its practices with:
• NIST Cybersecurity Framework
• ISO/IEC 27001:2013 principles
• GDPR (for clients in the EU or handling EU resident data)
• HIPAA-readiness (for healthcare clients where applicable)

6. Monitoring & Continuous Improvement

• Quarterly internal audits of critical systems
• External penetration tests commissioned annually (for high-sensitivity systems)
• Continuous improvement through lessons learned from audits and incidents

7. Document Control

Version   Date           Author          Summary of Changes
1.0       [01/18/2024]   Security Lead   Initial release

600 17th Street Suite 2800 South Denver, CO 80202

+1 720 464 1617
+1 240 543 0620
+1 306 520 4524