Information Security Policy

Security Classification: KX Public
Version: 1.0 (March 2025)

The scope of this Information Security Management System (ISMS) framework extends to all KX offerings.
The KX Security and Compliance Teams are committed to protecting KX's critical information assets by implementing and continually improving an Information Security Management System (ISMS), to help ensure that the applicable information security objectives are met and that the ISMS is able to adapt to internal and external changes.
The goal of this ISMS is to protect the information assets of KX and its customers from identified threats, whether internal or external, deliberate or accidental. By means of this ISMS we will strive to:

  • Meet and, where possible, exceed customers' and stakeholders' expectations of KX information security
  • Further enhance our brand value and recognition in the market

The objectives of Information Security are:

  • Maintain the confidentiality of information such that only authorized persons have access
  • Ensure the integrity of information
  • Ensure the availability of information such that only authorized persons can access the information, assets and systems whenever required

The organization shall align with ISO/IEC 27001:2022 as its base security standard and, as required by our customers, extend to other security standards such as ISO 27017, ISO 27018, SOC 2 Type II, PCI and HIPAA. The organization shall establish an information security governance structure to effectively and efficiently manage the ISMS. The organization shall:

  • Identify the information assets and understand their vulnerabilities and the threats (current and future) that may exploit these vulnerabilities, resulting in risk to the organization
  • Manage the identified risks to an acceptable level through the design, implementation and maintenance of risk treatment plans
  • Communicate the information security objectives, and the organization's performance in achieving them, to all interested parties
  • Develop security awareness programs and train personnel to achieve the skills and competencies required to maintain an effective Information Security Management System (ISMS)
  • Comply with local laws and regulations and with contractual obligations as relevant to information security

The KX Information Security and Compliance Team holds direct responsibility for maintaining this Information Security Policy and providing guidance on its implementation, as well as encouraging the personal commitment of all staff to conform to the policy requirements.

All personnel within the scope of the ISMS must adhere to this Information Security Policy. Failure to do so can result in disciplinary action, including termination of employment or contract, and prosecution in accordance with applicable federal, state and local laws.

The scope of this policy and our ISMS is all of KX.
This Information Security Policy is supported by specific policies covering the following aspects of security management:

  • Risk Management – A policy describing the KX commitment and approach to risk management. Risks are managed in a standard lifecycle, with status reported to senior management at regular intervals.
  • Human Resources – A policy describing the KX approach to human resources. The policy includes controls around culture, mandatory annual training (including information security), communication, the performance evaluation process and the separation process. HR supports a whistleblower forum for all employees.
  • Supplier Management – A policy describing the KX approach to supplier management, including vendor risk assessment and formal agreements detailing any SLAs required on the supplied product or service.
  • Physical and Environmental Security – A policy describing the KX approach to physical and environmental security. This covers building perimeter security as well as secure protection mechanisms for internal offices, infrastructure, data centers and server rooms.
  • Business Continuity Management – A policy describing the KX approach to business continuity, including details used to support backup, disaster recovery and continuity.
  • Internal Audit and Compliance – A policy describing the KX approach to internal audit and the management of compliance by the dedicated Security and Compliance Teams.
  • Asset Management – A policy describing the KX approach to asset management. This includes a formally managed register of all assets in KX environments, with each asset defined by a structured set of attributes. The policy also commits to the secure disposal of information, physical devices and removable media.
  • Access Controls – A policy describing the KX approach to user access management and access controls. This includes the definition of unique user IDs (creation, removal, maintenance), access privileges (allocation, approval and review) and formal password controls.
  • Cryptography – A policy describing the KX approach to cryptography, data encryption and the encryption standards applied to data at rest and data in transit.
  • Communication Controls (Network and Firewalls) – A policy describing the KX approach to security practices for its networks and firewalls. This includes details of the protection levels set and the restricted controls for these vital resources.
  • System Acquisition, Development and Maintenance – A policy describing the KX approach to the acquisition, development and maintenance of its products and environments.
  • Information Security Incident Management – A policy describing the KX approach to the management of security incidents. Security incidents are captured and managed in a structured lifecycle.
  • Security Readiness Standard, Provisioning and De-provisioning – A policy describing the KX approach to a minimum security standard for all devices when they are provisioned to, or de-provisioned from, its infrastructure.
  • Patch Management – A policy describing the KX approach to patch management across its infrastructure and products. Patches are applied within a timeframe based on the severity of the vulnerability.
  • Security Monitoring and Logging – A policy describing the KX approach to logging and monitoring across the infrastructure to actively track security alerts. Logs are collected and reviewed by the dedicated Security Operations Center (SOC) Team to identify alerts of unauthorized activity.
  • Vulnerability Scanning and Penetration Testing – A policy describing the KX approach to vulnerability scanning of the infrastructure and penetration testing of products and environments. Independent penetration testing is conducted a minimum of once per year.
  • Health Check of Environments and Devices – A policy describing the KX approach to health checks of environments and devices. This is based on the CIS Benchmark controls.

Approved by: SVP of Compliance
Date: 13 March 2025