Security Policy

1. Security Commitment

Faltrox is committed to maintaining the highest standards of information security to protect our clients, business, and data. As a cybersecurity services provider, we hold ourselves to rigorous security standards and undergo regular third-party audits.

This Security Policy outlines our approach to securing systems, data, and infrastructure in accordance with industry frameworks including SOC 2 Type II, ISO 27001:2022, NIST Cybersecurity Framework, and CIS Controls.

2. Information Security Framework

2.1 Governance

• Security Leadership: Chief Information Security Officer (CISO) reporting to executive leadership
• Risk Management: Quarterly risk assessments using NIST 800-30 methodology
• Policy Framework: Comprehensive security policies reviewed and updated annually
• Compliance: SOC 2 Type II certified, ISO 27001:2022 aligned, PCI-DSS Level 1 Service Provider
• Board Oversight: Quarterly security reporting to leadership

2.2 Security Controls

• Access Control: Role-based access control (RBAC), least privilege, multi-factor authentication (MFA)
• Encryption: AES-256 at rest, TLS 1.3 in transit, full-disk encryption on all endpoints
• Network Security: Zero-trust architecture, network segmentation, next-generation firewalls, IDS/IPS
• Endpoint Protection: Endpoint Detection & Response (EDR), automated threat hunting, application whitelisting
• Monitoring: 24/7 Security Operations Center (SOC), SIEM correlation, automated alerting, continuous vulnerability scanning

3. Data Protection & Privacy

3.1 Client Data Security

• Data Classification: All client data classified as Confidential with appropriate handling procedures
• Isolation: Client assessment data segregated per engagement with dedicated encryption keys
• Retention: Assessment data securely deleted 90 days post-delivery unless extended retention requested
• Disposal: Cryptographic erasure and DOD 5220.22-M compliant data sanitization
• Backup: Encrypted backups with 3-2-1 strategy (3 copies, 2 media types, 1 off-site), tested quarterly

4. Infrastructure Security

4.1 Cloud Security

• Providers: Tier-1 cloud providers (AWS, Azure, GCP) with SOC 2/ISO 27001 certifications
• Configuration: CIS Benchmarks applied, automated compliance scanning (AWS Config, Azure Policy)
• IAM: Cloud IAM with MFA enforcement, temporary credentials, automated access reviews
• Monitoring: CloudTrail/Activity Logs, GuardDuty/Defender threat detection, Cloud Security Posture Management (CSPM)

4.2 Application Security

• SDLC: Secure Software Development Lifecycle with security gates at each phase
• Testing: Annual third-party penetration tests, continuous SAST/DAST scanning
• Dependencies: Automated SCA (Software Composition Analysis), patching within 30 days

5. Incident Response & Business Continuity

• 24/7 Response: Incidents triaged and escalated per NIST SP 800-61 framework
• Detection: Automated threat detection, behavioral analytics, threat intelligence integration
• RTO/RPO: Recovery Time Objective (RTO) 4 hours, Recovery Point Objective (RPO) 1 hour

6. Responsible Vulnerability Disclosure

We welcome security researchers to report potential vulnerabilities responsibly:

• Scope: Faltrox-owned websites, applications, and infrastructure (*.faltroxsecurity.com)
• Reporting: Email security@faltroxsecurity.com