Information Security Policy
Effective Date: [1st October 2024]
Approved By: Musab Abbasi (CEO)
Blockmob Labs is committed to safeguarding the confidentiality, integrity, and availability of information assets, both for the organisation and our clients. This Information Security Policy provides a framework for protecting data against unauthorised access, breaches, and other threats.
1. Objective
The purpose of this policy is to:
- Protect Blockmob Labs’ information assets from threats, whether internal or external, deliberate or accidental.
- Comply with applicable laws, regulations, and contractual obligations.
- Ensure a secure environment for the development and deployment of Web3, blockchain, and decentralized technologies.
2. Scope
This policy applies to:
- All employees, contractors, and third-party vendors.
- All information systems, devices, applications, and networks owned or managed by Blockmob Labs.
- All data, including client information, business records, and intellectual property.
3. Roles and Responsibilities
- Information Security Officer (ISO): Oversees implementation and compliance with this policy.
- Employees and Contractors: Must follow security protocols and report any incidents.
- IT Team: Responsible for enforcing technical controls and managing security systems.
- Third-Party Vendors: Must comply with security requirements outlined in contracts.
4. Key Principles
4.1 Information Classification
- Data is classified into levels (Confidential, Internal, Public) based on its sensitivity.
- Access to data is restricted based on classification and business need.
4.2 Access Control
- Role-based access control (RBAC) ensures employees have access only to the data and systems necessary for their role.
- Multi-factor authentication (MFA) is mandatory for all critical systems.
- Access reviews are conducted quarterly to verify permissions.
4.3 Data Protection
- Encryption: All sensitive data is encrypted in transit (e.g., TLS 1.2+) and at rest (e.g., AES-256).
- Data Retention: Data is retained only as long as necessary and securely deleted thereafter.
- Backups: Regular backups are performed and stored securely to ensure data recovery.
4.4 Network Security
- Firewalls, intrusion detection/prevention systems (IDS/IPS), and anti-malware solutions are implemented across all networks.
- Secure VPNs are required for remote access to company systems.
4.5 Application Security
- Secure coding practices are followed, including input validation, output encoding, and regular code reviews.
- Automated tools and penetration testing are used to identify and mitigate vulnerabilities in Web3, DApp, and blockchain projects.
5. Incident Management
- Incident Reporting: All employees must immediately report suspected or actual security incidents.
- Response Plan: A documented incident response plan outlines detection, containment, resolution, and post-incident analysis.
- Notification: Affected parties are notified promptly in the event of a breach.
6. Compliance and Audits
- Blockmob Labs complies with GDPR, CCPA, and other relevant regulations.
- Regular audits are conducted to ensure adherence to this policy and identify areas for improvement.
7. Employee Training
- All employees receive mandatory security awareness training upon onboarding and annually thereafter.
- Training includes topics such as phishing, password management, and secure development practices.
8. Third-Party Management
- Vendors must sign security agreements outlining their obligations to protect data.
- Periodic assessments of third-party security practices are conducted.
9. Policy Maintenance
This policy is reviewed annually or when significant changes occur to ensure it remains effective and aligned with industry standards.
10. Violations
Violations of this policy may result in disciplinary action, up to and including termination of employment or contracts. Legal action may also be pursued where applicable.
For Questions or Reporting Issues
Contact our Information Security Officer at [security@blockmob.io].