Last updated: March 12, 2025
Table of Contents
- Executive Summary
- Purpose and Guiding Principles
- Scope
- Statement of Policy
- Procedures
- Roles and Responsibilities
- Compliance
- Policy Modifications
- Communication
1. Executive Summary
The Information Security Policy provides clear principles for protecting information in all forms. It is part of an overall Information Security Program (ISP) that establishes security strategies, responsibilities, compliance measures, and ongoing evaluation methods.
2. Purpose and Guiding Principles
The purpose of this policy is to safeguard Formtabulous information technology resources and protect Personally Identifiable Information (PII). It aims to ensure the confidentiality, integrity, and availability of data through the following core security principles:
- Universal Participation: Everyone who handles Formtabulous resources or data is responsible for security.
- Risk-Based Security: Controls are selected and prioritized according to risk, and risk assessments must be conducted regularly.
- Least Privilege: Access is limited to the minimum required for a person's or system's role.
- Defense-in-Depth: Multiple layers of security must be implemented so that the failure of a single control does not expose data.
- Need-to-Know: Information is shared only with those who require it to perform their duties.
3. Scope
This policy applies to all departments, employees, contractors, and third parties handling Formtabulous information technology resources and PII.
4. Statement of Policy
The Information Security Policy outlines clear security requirements and enforcement measures. It is reviewed and approved by management and applies to all employees and partners of Formtabulous.
5. Procedures
- A HIPAA Security Officer must be designated.
- Annual risk assessments are required to evaluate vulnerabilities.
- Reasonable security controls must be in place to protect data.
- Encryption must be used to protect data at rest (in storage) and in transit (during transmission).
- Business continuity and disaster recovery plans must be maintained.
6. Roles and Responsibilities
Senior Management:
- Ensure security policies are enforced.
- Appoint an Information Security Coordinator.
- Provide training and resources for security tasks.
Employees:
- Comply with security policies.
- Report security incidents.
- Use company systems for business purposes only.
7. Compliance
Violations of this policy may result in disciplinary action, including termination. Non-compliance may also result in civil or criminal liability.
8. Policy Modifications
This policy may be updated at any time based on new risks or threats. Employees and third parties will be notified of changes.
9. Communication
This policy must be distributed to all employees, contractors, and vendors. Compliance is mandatory, and all parties must review and acknowledge the policy.