INFORMATION SECURITY POLICY
Redline Design - Information Security Policy

1. Introduction & Purpose

This Information Security Policy (the "Policy") is an official directive from the leadership of Redline Design. It underscores our unwavering commitment to safeguarding the information assets critical to our operations, the sensitive data entrusted to us by our clients, and our overall business reputation from a wide array of security threats. The digital marketing landscape, while offering immense opportunities, also presents significant risks, including phishing attacks, data breaches, and account takeovers, which can lead to severe financial, regulatory, and reputational damage if not proactively managed.

The purpose of this Policy is to establish a comprehensive framework of standards, procedures, and responsibilities to protect Redline Design's information assets. This protection is founded on the core principles of Confidentiality, Integrity, and Availability (the CIA Triad):

Confidentiality: Ensuring that information is accessible only to those authorized to have access.
Integrity: Safeguarding the accuracy and completeness of information and processing methods.
Availability: Ensuring that authorized users have access to information and associated assets when required.

The scope of this Policy is comprehensive, applying to all employees (full-time, part-time, temporary), contractors, consultants, third-party vendors, and any other individuals or entities who have access to Redline Design's information systems, networks, and data, regardless of location. It covers all information assets owned, leased, or managed by Redline Design, including but not limited to hardware, software, data (electronic and physical), client materials, Customer Relationship Management (CRM) systems, email lists, customer databases, Pay-Per-Click (PPC) platform accounts, and social media profiles.

Effective implementation of this Policy requires a foundational commitment from leadership to foster a security-conscious culture throughout Redline Design. This structured approach aligns with established cybersecurity frameworks, such as the Governance pillar of the NIST Cybersecurity Framework, which emphasizes establishing policies, procedures, and processes to manage and monitor organizational risk.

2. Roles and Responsibilities

The effective implementation and maintenance of this Information Security Policy require clear assignment of roles and responsibilities.

Designated Security Lead (e.g., Chief Information Security Officer (CISO), CTO, or Managing Director): Holds overall responsibility for the development, implementation, and enforcement of this Information Security Policy and related security programs. Oversees the information security risk management process, leads the Incident Response Team (IRT), ensures regular security awareness training, reports to executive management on the status of Redline Design's security posture, and approves policy exceptions.

IT Department/Personnel: Responsible for the day-to-day implementation, management, and monitoring of technical security controls. Manages system patching, backups, and secure configurations, provides technical support during security incidents, and monitors network and system logs for suspicious activity.

Department Managers: Ensure that their respective teams understand and comply with this Policy and associated procedures, promote security awareness within their departments, report security concerns, and ensure new team members are appropriately onboarded with respect to security requirements.

All Employees, Contractors, and Users ("Users"): Must understand and comply with this Information Security Policy, protect Redline Design and client information assets, use strong passwords/passphrases, adhere to multi-factor authentication requirements, report any suspected security incidents immediately, and participate in mandatory security awareness training.

Human Resources (HR) Department: Integrates security awareness into the employee onboarding process, conducts background checks for sensitive roles, manages the security aspects of employee offboarding, and assists in communicating security policies and training initiatives.

3. Asset Management & Data Classification

Effective information security begins with a thorough understanding of the assets that require protection and their level of sensitivity.

Asset Inventory: Redline Design shall maintain a comprehensive inventory of its critical information assets, including hardware, software, data, client-specific assets, and digital marketing platforms. The inventory shall be reviewed and updated at least annually.

Data Classification Levels: All Redline Design information assets must be classified according to their sensitivity:

Highly Confidential / Restricted: Information whose unauthorized disclosure could cause severe financial loss, legal liability, or significant reputational damage. Examples include client-provided Personally Identifiable Information (PII), strategic business plans, and authentication credentials for critical systems. Access is on a strict need-to-know basis with MFA, storage must be encrypted, transmission must be encrypted, and disposal must be secure (e.g., cryptographic erasure).

Confidential: Sensitive business information intended for internal use. Unauthorized disclosure could cause moderate harm. Examples include detailed client campaign strategies, internal financial reports, and employee records. Access is role-based, storage should be encrypted, transmission must be encrypted, and disposal must be secure.

Internal Use Only: Information not intended for public disclosure, where unauthorized disclosure could lead to minor impact. Examples include internal project plans and operational procedures. Access is limited to Redline Design personnel; the information is stored on company-managed systems, transmitted over secure channels, and disposed of via standard deletion.

Public: Information explicitly approved for public release. Examples include press releases and published marketing materials. No specific handling restrictions apply beyond general IT good practice.

4. Access Control

Access control ensures that Users can only access the information and resources necessary to perform their job duties.

Principle of Least Privilege (PoLP): Redline Design adopts the Principle of Least Privilege. Users shall be granted only the minimum level of access rights necessary for their job responsibilities. Access rights are reviewed regularly.

User Identification, Authentication, and Authorization:

Unique User IDs: Each User shall be assigned a unique User ID. Sharing credentials is strictly prohibited.

Strong Passwords/Passphrases: All Users must use strong, unique passwords/passphrases (minimum 12 characters, mix of character types) and are prohibited from reusing them across systems.

Multi-Factor Authentication (MFA): MFA shall be enforced for access to all critical systems, cloud services, client accounts, and any system containing Confidential or Highly Confidential/Restricted data.

Access Reviews: Access rights to systems and data shall be reviewed periodically (at least quarterly for critical systems).

Remote Access Policy: All remote access to the internal network must use an approved, encrypted Virtual Private Network (VPN). Devices used for remote access must meet endpoint security requirements. Storing sensitive data on personal devices is prohibited unless explicitly authorized and secured.

5. Data Security

Protecting data throughout its lifecycle—at rest, in transit, and during processing—is paramount.

Data Encryption:

Data at Rest: Sensitive data, particularly Confidential or Highly Confidential/Restricted, stored on servers, laptops, and removable media must be encrypted.

Data in Transit: All sensitive data transmitted over public networks must be encrypted using protocols such as TLS version 1.2 or higher.

Data Backup Policy: Critical data must be backed up regularly. Backups must be stored securely, with at least one encrypted copy maintained offsite. Restoration procedures must be tested regularly.

Clean Desk Policy: Sensitive physical documents must be secured when workstations are unattended. Users must lock their computer screens when leaving their desks. Sensitive information on whiteboards should be erased when no longer needed.
Mobile Device Security (MDM/BYOD): Company-owned devices will be managed with security settings. Personal devices used for work must comply with the BYOD policy, which includes requirements for device registration, MDM software, strong passcodes, and encryption. Loss or theft of a device used for work must be reported immediately.

6. Network Security

A layered approach to network security is essential to protect against network-based threats.

Firewall Management: Firewalls shall be implemented at the network perimeter and reviewed regularly.

Intrusion Detection/Prevention Systems (IDS/IPS): IDS/IPS solutions shall be deployed to monitor for and block malicious activity.

Secure Wi-Fi Network Configuration: All wireless networks must use strong encryption (WPA2 or WPA3). A separate, isolated guest Wi-Fi network shall be provided for visitors.

Network Vulnerability Management: Regular network vulnerability scanning and periodic penetration testing shall be conducted.

Network Segmentation: The network may be segmented to isolate critical systems or environments handling highly sensitive data.

7. System Security

The security of individual systems is critical to prevent exploitation.

System Hardening: All systems must be securely configured ("hardened") by removing unnecessary services and changing default credentials.

Malware Protection: Enterprise-grade antivirus/anti-malware software must be installed and maintained on all servers and workstations. Users are prohibited from disabling it.

Secure Software Development Practices: If Redline Design develops custom software, it must adhere to secure software development lifecycle (SSDLC) practices.

8. Physical Security

Physical security is a critical component of a holistic information security strategy.

Equipment Security: Servers and critical network equipment shall be located in secure areas.

Secure Disposal of Media: Physical media containing sensitive data must be securely disposed of (e.g., shredding, degaussing).

9. Personnel Security

Employees and contractors are a key part of the defense against security threats.

Security Awareness Training: All Users must undergo regular security awareness training upon onboarding and at least annually thereafter. Training covers this Policy, threat recognition (phishing, malware), safe internet use, and incident reporting.

Background Checks: Background checks may be conducted for roles with access to highly sensitive data, subject to local laws.

Onboarding and Offboarding Procedures: Formalized procedures manage access rights throughout a User's lifecycle. Upon termination, all access rights must be promptly revoked and company assets returned.

Confidentiality and Non-Disclosure Agreements (NDAs): All employees and contractors must sign confidentiality agreements.

Acceptable Use: Users must not use Redline Design resources for illegal activities or for personal gain that conflicts with company interests.

10. Third-Party/Vendor Management

Third-party vendors can introduce security risks if not properly managed.

Due Diligence: Before engaging a third party that will handle sensitive data, Redline Design must assess their security posture.

Contractual Security Requirements: All contracts must include specific security and data protection clauses, including confidentiality, data breach notification, and audit rights.

Regular Review: The security posture of critical third parties should be reviewed periodically.

11. Social Media Use Policy (Acceptable Use of Social Media)

Official Redline Design Brand Accounts: Only designated personnel are permitted to manage official Redline Design social media accounts. Accounts must use strong passwords and MFA.

Employee Personal Use of Social Media: Employees must act responsibly. If identifying as an employee, a disclaimer ("Opinions are my own") must be included. Disclosing confidential information is strictly prohibited. Professional conduct is required.

Official Social Media Brand Accounts for Clients: Only designated personnel are permitted to manage clients' official social media accounts. Accounts must use strong passwords and MFA.

12. Monitoring, Logging, and Auditing

Continuous monitoring and auditing are essential for a proactive security strategy.

System and Network Logging: Sufficient logging shall be enabled on critical systems and network devices. Logs must be protected and reviewed regularly for suspicious activity.

Security Audits: Redline Design will conduct periodic internal security audits and may engage third-party auditors for external assessments.

13. Change Management

A formal change management process is essential to minimize risks from changes to IT systems.

Formal Change Request Process: All significant changes must go through a formal request, risk assessment, approval, and testing process. All changes must be documented.

14. Policy Exceptions & Violations

Policy Exceptions: Requests for exceptions must be submitted in writing to the Designated Security Lead, will only be granted for legitimate business needs, and must be documented.

Policy Violations: Failure to comply may result in disciplinary action, up to and including termination. Suspected violations should be reported immediately.

15. Policy Review and Updates

This Policy will be reviewed at least annually, or more frequently as needed. The Designated Security Lead is responsible for overseeing the review process. Updates will be communicated to all Users.