Information Security Policy
Last Updated: October 16, 2025
1.0 Purpose and Policy Statement
This Information Security Policy (ISP) establishes the framework for protecting the information assets of WatchUr6, Inc., its employees, and, most importantly, its clients. As a provider of premier cybersecurity services, including Audit Readiness, outsourced Cybersecurity, and Disaster Resiliency, WatchUr6, Inc. is committed to the highest standards of information security.
Our policy is to protect the Confidentiality, Integrity, and Availability (the “CIA Triad”) of all information assets against all threats, whether internal or external, deliberate or accidental. This policy provides the authority and direction for the implementation and enforcement of information security controls across the organization. The security of our own and our clients’ data is paramount to our reputation, our legal and regulatory compliance, and the trust our clients place in us.
2.0 Scope
This policy applies to all WatchUr6, Inc. personnel, including full-time and part-time employees, contractors, consultants, temporary staff, and any third parties who have access to WatchUr6, Inc. or its clients' information assets.
This policy covers all information assets, including but not limited to:
- Data (client, corporate, employee) in any form (digital, physical).
- All computer and communication systems, networks, and applications owned or managed by WatchUr6, Inc.
- The WatchUr6, Inc. corporate website (www.watchur6.com or similar).
- All physical facilities, including the corporate office in the Sacramento, California area.
3.0 Roles and Responsibilities
- Management: Management is responsible for providing clear direction, visible support, and adequate resources to implement and maintain this policy. Management holds the ultimate responsibility for the security of WatchUr6, Inc.’s information assets.
- Information Security Officer (ISO): The ISO (or designated security lead) is responsible for developing, implementing, and maintaining the information security program, managing security incidents, conducting risk assessments, and ensuring compliance with this policy.
- All Personnel: All personnel are responsible for understanding and complying with this policy and all supporting security procedures. Every individual has a duty to protect the company and client data they handle and to report any suspected security incidents immediately.
4.0 Data Classification and Handling
All data must be classified and handled according to its sensitivity. The following classifications shall be used:
- Level 3: Client Confidential: The most sensitive data classification. This includes all non-public client data, such as system configurations, vulnerability assessments, audit findings, incident response data, network diagrams, intellectual property, and any data covered by compliance frameworks such as HIPAA (Protected Health Information – PHI) or CMMC (Controlled Unclassified Information – CUI). This data requires the highest level of protection, including encryption at rest and in transit, strict access controls, and audit logging of access.
- Level 2: WatchUr6 Confidential: Sensitive internal data that, if disclosed, could harm WatchUr6, Inc. This includes financial records, strategic plans, employee Personally Identifiable Information (PII), and proprietary internal processes. This data requires strong protection and must not be shared outside the company without proper authorization.
- Level 1: Internal: Data intended for internal use only but not considered highly sensitive. This includes internal communications, procedural documents, and general project information.
- Level 0: Public: Information explicitly approved for public distribution. This includes marketing materials, press releases, and information on the public website.
5.0 Access Control Policy
Access to information systems and data shall be granted based on the principles of Least Privilege and Need-to-Know.
- Authentication: All access to systems containing Client Confidential or WatchUr6 Confidential data must be protected with strong authentication. Passwords must meet the company's defined length and complexity requirements, and Multi-Factor Authentication (MFA) must be enabled wherever technically feasible, and in all cases for access to Client Confidential data.
- Authorization: Role-Based Access Control (RBAC) shall be used to ensure personnel only have access to the information and systems required to perform their job functions.
- Access Reviews: User access rights shall be reviewed at least quarterly and immediately upon a change in role or termination of employment/contract.
- Onboarding/Offboarding: Formal processes must be followed for granting access to new personnel and for revoking all access (accounts, credentials, tokens, VPN, and physical access) for departing personnel no later than their last day of employment or contract.
6.0 Acceptable Use of Technology
- Company-provided assets (laptops, phones, software) are for business purposes. Limited personal use is permitted provided it does not interfere with job performance or violate any other policies.
- Personnel are prohibited from installing unauthorized software on company equipment.
- Use of company assets for any illegal, unethical, or malicious activity is strictly forbidden.
- Client Confidential data must not be stored on personal devices or transferred to non-approved cloud services (e.g., personal Google Drive, Dropbox).
7.0 Network and System Security
- Network Protection: The corporate network shall be protected by firewalls. All wireless networks must be encrypted using strong, industry-standard protocols (e.g., WPA2-Enterprise or WPA3).
- Remote Access: All remote access to the corporate network or client environments must be conducted through a secure, company-approved Virtual Private Network (VPN) with MFA.
- Vulnerability and Patch Management: All systems must be kept up-to-date with security patches. Vulnerability scans shall be performed on a defined, recurring schedule against all external and internal systems, and findings tracked to remediation. Critical patches must be applied within 30 days of release.
- Encryption: All company laptops must have full-disk encryption enabled. All Client Confidential data must be encrypted at rest and in transit using industry-standard cryptographic algorithms (e.g., AES-256, TLS 1.2+).
8.0 Website Security Policy
The WatchUr6, Inc. public website is a critical business asset and must be secured accordingly.
- Secure Communications: The website must enforce HTTPS (TLS 1.2 or higher) for all connections, redirecting plain HTTP requests to HTTPS, to encrypt data in transit.
- Data Collection: Any forms on the website that collect personal or contact information must be accompanied by a clear and accessible Privacy Policy. The collected data must be handled in accordance with that policy and protected as WatchUr6 Confidential data.
- Vulnerability Management: The website and its underlying infrastructure shall be regularly scanned for vulnerabilities. The website shall be developed and maintained following secure coding best practices to mitigate common risks such as those outlined in the OWASP Top 10.
- Access Control: Administrative access to the website’s backend (Content Management System) shall be restricted to authorized personnel only and require MFA.
9.0 Incident Response and Business Continuity
As a core service offering, WatchUr6, Inc. must demonstrate excellence in its own incident response and resiliency.
- Incident Response Plan (IRP): WatchUr6, Inc. shall maintain a formal IRP that details the process for identifying, containing, eradicating, and recovering from security incidents.
- Reporting: All personnel are required to immediately report any suspected security incidents, weaknesses, or threats to the Information Security Officer.
- Business Continuity / Disaster Recovery (BCDR) Plan: A BCDR plan shall be maintained and tested at least annually to ensure that WatchUr6, Inc. can continue its critical business operations and client services in the event of a significant disruption. This includes regular backups of all critical data, with restores tested to confirm the backups are usable.
10.0 Physical and Environmental Security
- Facility Access: Access to the WatchUr6, Inc. office in the Sacramento, CA area shall be controlled. A “clean desk” policy is enforced, requiring sensitive documents and removable media to be secured when unattended.
- Asset Management: A formal inventory of all hardware and software assets shall be maintained.
- Secure Disposal: All media (digital and physical) containing sensitive information must be securely disposed of via methods such as shredding or cryptographic erasure.
11.0 Compliance
WatchUr6, Inc. is committed to complying with all applicable laws, regulations, and contractual obligations.
- Legal & Regulatory: This includes but is not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
- Client Frameworks: As we guide clients through SOC 2, HIPAA, and CMMC, our internal security practices will align with the principles and controls of these frameworks to ensure we “practice what we preach.”
- Security Awareness Training: All personnel will receive security awareness training upon hiring and at least annually thereafter.
12.0 Policy Enforcement and Review
- Enforcement: Violation of this policy may result in disciplinary action, up to and including termination of employment or contract, and may lead to legal action.
- Policy Review: This policy shall be reviewed at least annually, or upon any significant changes to the business or threat landscape, to ensure its continuing relevance and effectiveness.
13.0 Contact Information
To ask questions or comment about this Information Security Policy, please contact us at:
WatchUr6, Inc.
Phone: +1 916-647-7553
Email: [email protected]
Website: www.watchur6.com/contact
Address: 1024 Iron Point Rd, Folsom, CA 95630