SECURITY POLICY

The MaverickRE Information Security Program is based on a continuous risk management cycle, with a focus on implementing security and privacy controls, rapid detection and response to potential incidents, and continuous monitoring and testing of control effectiveness.

The program is overseen by executive management, with defined information security policies that are reviewed and approved annually.

Key Components and Controls

The program includes several controls to ensure the security, confidentiality, and integrity of the MaverickRE Digital Marketing Solution and its customer information.


1. Governance and Oversight

Leadership and Policies: Defined policies are reviewed and approved annually by management, and updates are communicated to employees and relevant external parties. An Information Security Policy is published, available to all employees, and reviewed and updated annually.

Information Security Committee (ISC): The ISC meets at least quarterly to discuss security-related operations, issues concerning internal controls, and delivery on key performance metrics.

Internal Controls Assessment: The organization documents its internal controls and continuously monitors their effectiveness. An assessment of control effectiveness and efficiency is reviewed by management at least annually, and identified deficiencies are remediated in a timely manner.

Risk Management: A formal risk management process is defined and implemented, overseen by top-level management. A formal risk assessment is completed at least twice per year to identify, evaluate, and mitigate risks, and management maintains select insurance for risk transfer if required.

2. Access Control and Authentication

Role-Based Access: The Company implements role-based access controls that limit access to sensitive information to only those individuals who require it based on job function, active employment, and management approval.

Authentication: Access to systems requires a unique username and password, with password complexity standards including a minimum length of 15 characters for highly sensitive applications.

Multi-Factor Authentication (MFA): MFA is enforced for user accounts with administrative access to production systems. Remote access to the network and system infrastructure is limited via MFA to appropriate individuals.

Access Reviews: Management performs a periodic user access review of all in-scope systems (application, network, source code, databases) at least quarterly.

Access Provisioning: New user access is approved and provisioned by management based on job function and business need, and terminated users' access is removed upon termination.

3. Data Protection and Encryption

Data at Rest: All data classified as potentially sensitive is encrypted at the database level while at rest. Customer data is also encrypted at rest using strong encryption algorithms.

Data in Transit: Transport Layer Security (TLS) is used to protect data sent over the internet to and from the application server. All data in transit is encrypted.

Key Management: Encryption keys used to protect data are stored and managed in accordance with the cryptography policy, and access is restricted to authorized personnel. Sensitive authentication data (like service accounts and encryption keys) is stored in a key management system.

Endpoint Security: All laptops with access to the Company's network are configured to enforce hard drive encryption. Antivirus/antimalware software is installed and kept up to date on workstations, laptops, and servers.

4. Vulnerability and Change Management

Vulnerability Scanning and Testing: Continuous vulnerability scanning of the infrastructure is performed. Ongoing quarterly vulnerability scanning and annual web application penetration testing are completed on the production platform. Issues identified are assessed, prioritized, and tracked to final remediation.

Change Control: A strict change control process is in place for production environment changes, requiring IT and Engineering review and approval. All system changes are tested, reviewed, and approved prior to implementation. Separate environments are used for development and production.

Code Review: Code review is conducted to ensure security and quality issues are addressed, and is performed by personnel independent of those who developed the code. All commits to source code libraries are logged, and a review by someone other than the initiator is required for every pull request.

Third-Party Libraries: A review of open-source third-party libraries is carried out to address security issues.

5. Incident Management and Recovery

Incident Response: Management has implemented an incident management and response policy that outlines the requirements for responding to anomalies. Security incidents are documented, reviewed, and tracked to final remediation, and a root cause analysis is conducted.

Reporting: Employees have access to an internal portal to report security incidents, and external clients can report concerns by emailing infosec-reporting@ylopo.com.

Business Continuity and Disaster Recovery (BCDR): The Company has established a BCDR plan that is reviewed, tested, and updated on an annual basis. Daily snapshots of production databases are performed.

The Information Security Policies are made available to all personnel on the corporate intranet.