Information Security Policies

Approved By: Chief Executive Officer

Classification: Confidential (Internal Use Only)

Review Cycle: Annual or upon material change

Applies To: All employees, contractors, and third-party vendors

1. Introduction and Purpose

ManaKnight Digital Inc. ("ManaKnight Digital") is committed to protecting the confidentiality, integrity, and availability of all information and systems entrusted to its care. This document establishes the Standard Information Security Policies governing the organization's use, management, and protection of information assets.

These policies are designed to protect ManaKnight Digital, its clients, and its employees from information security risks, and to ensure compliance with applicable privacy and data protection legislation including (but not limited to) Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial privacy laws.

Non-compliance with these policies may result in disciplinary action, including termination of employment or contract, and may expose the organization to legal liability.

2. Information Classification

All information assets managed by ManaKnight Digital must be classified according to the following scheme:

  • Public: Information intended for public release. Examples: marketing materials, website content. Handling: no restrictions.
  • Internal: General business information not for public release. Examples: internal memos, process documents. Handling: internal access only.
  • Confidential: Sensitive business or client information. Examples: client data, contracts, financials. Handling: need-to-know; encrypted at rest.
  • Restricted: Highly sensitive information whose disclosure would cause serious harm. Examples: credentials, PII, security configurations. Handling: strict controls; encrypted; access logged.

3. Access Control Policy

3.1 Principle of Least Privilege

Access to information systems and data must be granted based on the minimum permissions necessary for an individual to perform their job function. Access rights must be reviewed quarterly and upon role changes.

3.2 User Account Management

  • All users must have unique, individually assigned accounts; shared accounts are prohibited
  • User accounts must be created through an approved provisioning process with documented authorization
  • Accounts must be disabled or removed within 24 hours of an employee's termination or departure
  • Privileged accounts (admin/root) must be used only when necessary and require additional approval
  • Access rights must be reviewed at least quarterly

3.3 Password and Authentication Requirements

  • Minimum password length: 14 characters
  • Passwords must include uppercase letters, lowercase letters, numbers, and special characters
  • Multi-factor authentication (MFA) is mandatory for all systems handling Confidential or Restricted data
  • MFA is mandatory for all remote access to company systems
  • A new password must not match any of the user's previous 12 passwords
  • Password managers are encouraged and may be provided by the company
  • Default credentials must be changed immediately upon system deployment

4. Data Protection and Privacy Policy

4.1 Data Minimization

ManaKnight Digital collects and retains only the personal and business data necessary for legitimate operational purposes. Data no longer needed must be securely destroyed.

4.2 Encryption Requirements

  • All Confidential and Restricted data must be encrypted at rest using AES-256 or equivalent
  • All data in transit must be encrypted using TLS 1.2 or higher
  • Encryption keys must be managed securely and rotated annually
  • Unencrypted transmission of sensitive data via email or unsecured channels is prohibited

4.3 Data Retention and Destruction

  • Data retention schedules must be documented and followed for all data categories
  • Client data must not be retained beyond contract termination unless legally required
  • Physical media containing sensitive data must be shredded; digital media must be securely wiped using methods compliant with NIST SP 800-88
  • Certificates of destruction must be obtained for hardware disposal

4.4 Privacy Compliance

ManaKnight Digital complies with applicable privacy legislation. Personal information collected from clients or employees is handled in accordance with our Privacy Policy and applicable law.

5. Acceptable Use Policy

5.1 Authorized Use

Company-provided technology assets (computers, mobile devices, software, network access) are provided for business purposes. Limited personal use is permitted provided it does not compromise security, productivity, or company reputation.

5.2 Prohibited Activities

The following activities are strictly prohibited on company systems and networks:

  • Accessing, downloading, or distributing illegal content
  • Installing unauthorized or unlicensed software
  • Attempting to bypass, disable, or test security controls without authorization
  • Using company assets for personal financial gain or operating a competing business
  • Sharing credentials with colleagues or third parties
  • Connecting personal devices to company infrastructure without IT approval
  • Accessing company data from unsecured public Wi-Fi without VPN

6. Endpoint and Device Security

  • All company-managed devices must have approved endpoint protection (antivirus/EDR) installed and active
  • Operating systems and software must be kept current with security patches: critical patches must be applied within 30 days of release, and non-critical patches within 90 days
  • Full-disk encryption is mandatory on all laptops and mobile devices
  • Devices must be configured to lock automatically after 5 minutes of inactivity
  • Remote wipe capability must be enabled on all mobile devices with access to company data
  • Lost or stolen devices must be reported to management immediately

7. Network Security

  • Production systems must be segregated from development and test environments
  • Firewalls must be deployed and configured to deny traffic by default; only necessary ports and protocols are permitted
  • All remote access must use an approved VPN solution with MFA
  • Wireless networks must use WPA3 or WPA2-Enterprise; guest networks must be isolated from internal networks
  • Network traffic must be monitored for anomalous activity
  • Third-party vendor network access must be time-limited and logged

8. Vulnerability Management

ManaKnight Digital is committed to proactively identifying and remediating security vulnerabilities:

  • Vulnerability scans must be conducted on all internet-facing systems at least monthly
  • Internal network vulnerability scans must be conducted at least quarterly
  • Penetration testing must be conducted annually by a qualified third party (refer to Penetration Test Report)
  • Critical vulnerabilities (CVSS 9.0+) must be remediated within 72 hours of discovery
  • High vulnerabilities (CVSS 7.0-8.9) must be remediated within 30 days
  • Medium and low vulnerabilities must be tracked and remediated within 90 days

9. Incident Response Policy

9.1 Incident Classification

Security incidents are classified by severity to ensure appropriate response:

  • P1 Critical: Active breach, ransomware, data exfiltration (immediate response required)
  • P2 High: Suspected compromise, malware detection, insider threat (response within 4 hours)
  • P3 Medium: Policy violation, suspicious activity (response within 24 hours)
  • P4 Low: Minor policy breach, phishing attempt blocked (response within 5 business days)

9.2 Incident Response Procedure

  • Identification: Detect and confirm the incident
  • Containment: Isolate affected systems to prevent spread
  • Eradication: Remove the threat and root cause
  • Recovery: Restore systems and verify integrity
  • Post-Incident Review: Document lessons learned and update controls

9.3 Breach Notification

In the event of a personal data breach, ManaKnight Digital will notify affected individuals and relevant regulatory authorities as required by applicable law. Notification timelines will comply with PIPEDA and other applicable legislation.

10. Third-Party and Vendor Security

  • All vendors with access to Confidential or Restricted data must execute a Data Processing Agreement or equivalent
  • Vendor security practices must be assessed prior to engagement and at least annually thereafter
  • Third-party access to company systems must be time-limited, logged, and revoked upon contract completion
  • Vendor incidents impacting ManaKnight Digital data must be reported to us within 24 hours of discovery

11. Security Awareness and Training

  • All employees and contractors must complete security awareness training within 30 days of joining
  • Annual security awareness refresher training is mandatory for all staff
  • Phishing simulation exercises will be conducted at least semi-annually
  • Security bulletins will be distributed as needed to inform staff of emerging threats

12. Policy Compliance and Enforcement

Compliance with this policy is mandatory. Violations will be addressed through ManaKnight Digital's disciplinary procedures, which may include termination of employment or contract. Employees who become aware of policy violations have an obligation to report them to management.

This policy will be reviewed annually and updated as required to reflect changes in the threat landscape, regulatory environment, or organizational structure.

Approved by: Ryan, Chief Executive Officer, ManaKnight Digital Inc.
Date: May 5, 2026