CONFIDENTIAL — Shared under mutual NDA. Do not distribute outside your organization.
Information Security Policy
CloudFive · Effective: June 2026 · Owner: Todd Densmore · Review: Annual
1. Purpose
This policy establishes the security controls and practices CloudFive uses to protect the confidentiality, integrity,
and availability of client data and systems. It applies to all services delivered by CloudFive and all systems,
devices, and accounts used in the delivery of those services.
2. Scope
This policy applies to all CloudFive systems, cloud environments, client data, and third-party integrations used
during an engagement. It covers all personnel delivering services on CloudFive's behalf, including contractors.
3. Information Classification
- Confidential: Client data, credentials, proprietary business logic, NDA-covered materials. Must be encrypted at rest and in transit. Access restricted to need-to-know.
- Internal: Operating procedures, tooling configuration, internal communications. Not for public disclosure.
- Public: Marketing materials, open-source repositories, published case studies (with client consent).
4. Access Control
- All cloud console access uses MFA (TOTP or hardware key). A password is never accepted as the sole authentication factor.
- IAM roles follow least privilege; there is no standing admin access. Elevated roles are assumed temporarily via AWS IAM role assumption with time-limited sessions, and every assumption is logged.
- SSH access to servers uses key-based authentication only; password authentication and root login are disabled.
- Client credentials (API keys, secrets) are stored in AWS Secrets Manager or equivalent secret store — never in source control or plaintext files.
- Access to client systems is revoked within 24 hours of engagement close.
5. Endpoint Security
- Primary development machine runs macOS with FileVault full-disk encryption enabled.
- OS and software patches are applied within 30 days of release; critical patches within 7 days.
- Screen lock activates after 5 minutes of inactivity.
- No client data is stored on local disk beyond the active engagement window. Data is purged or returned at engagement close.
6. Network Security
- All client work is performed over a secured home office network (WPA3 or equivalent). Public Wi-Fi is avoided; when it cannot be avoided, a VPN is required.
- AWS VPCs are used to segment environments. Security groups are deny-by-default: only explicitly required ports and source ranges are permitted.
- All data in transit is protected with TLS 1.2 at minimum; TLS 1.3 is preferred for new deployments.
7. Data Handling
- Client production data is not used in development or test environments without explicit written consent.
- Backups of client data are encrypted using AES-256 and stored in isolated AWS S3 buckets with versioning enabled.
- Data retention follows the terms of the engagement contract. Default: 90 days post-engagement, then permanent deletion.
8. Third-Party & Subprocessors
Third-party services used in client engagements are documented in the Subprocessor List (separate document).
CloudFive does not share client data with third parties except as required to deliver the agreed scope of work.
All third-party tools are reviewed for a current SOC 2 report or equivalent attestation prior to use with client data.
9. Vulnerability Management
See the Vulnerability Management Policy (separate document).
10. Incident Response
See the Incident Response Policy (separate document).
11. Policy Review
This policy is reviewed annually and updated within 30 days of any material change in infrastructure, tooling, or
regulatory requirements. The current version is maintained in CloudFive's Trust Center.
12. Contact
Security inquiries: todd@cloudfive.net