Neosofia Policies

Introduction

Welcome to the Neosofia Policies document. This document outlines the policies that Neosofia follows to ensure data integrity, security, and quality management across all its operations.

Information Technology (IT)

Design Principles

  • Everything as code (or config, or markdown) in a public source code control system.
  • Automate everything that can be automated.

Data Integrity and Privacy (DIP)

The following policies are designed to ensure that all Neosofia data assets are protected from unauthorized or unintended data access or manipulation.

Level 1 DIP

Neosofia must adopt the following level one DIP policies:

ID | Policy | SOP | Guides | Implementation | Evidence
POL-IT-0001 | All emails, without exception, will be deleted after 90 days. | N/A | Proton Sieve Filters | Proton Sieve Filter Code, Proton Filter List, Configured Filter Screen Shot | Configured Filter Test
POL-IT-0002 | All chat messages, without exception, will be deleted after 90 days. | N/A | Zoom Team Chat settings | Configured Chat Retention Screen Shot | TBD
POL-IT-0003 | All systems must have multifactor authentication (MFA) enabled. Authenticator apps with biometric verification are preferred for MFA, with SMS as a fallback option if app-based MFA is not an option. | N/A | Proton MFA, Zoom MFA, Cloudflare MFA | Proton MFA Global Setting, Zoom MFA Global Setting, Cloudflare MFA Global Setting | TBD
POL-IT-0004 | Once per year, all documents not accessed or modified for over 365 days will be archived for long-term storage. Once per year, all long-term storage documents older than two years will be purged. This policy does not apply to financial or legal documents that must be retained for more than two years. | N/A | TBD: currently confirming whether Proton Drive supports data retention policy settings or tools to comply manually | TBD | TBD
POL-IT-0005 | Neosofia will define and maintain system backup and recovery SOPs to protect client, company, and employee data from loss, unintended manipulation, and improper data residency. The 3-2-1-1-0 backup principle will be employed for all data. | System Backup and Recovery SOP | N/A | TBD | TBD
POL-IT-0006 | All EASs will employ encryption at rest (EAR) and in flight (EIF). | TBD: add EAR and EIF to the vendor qualification SOP. | N/A | N/A | N/A
POL-IT-0007 | All company workstations and servers will employ disk-level encryption to ensure that all cached information saved from EASs or entered by a client is encrypted at rest. | TBD: add to the system administration SOP. | Windows BitLocker, macOS FileVault, Linux LUKS + Clevis | PVE LUKS Setup Automation | Ben's Windows Desktop, Ben's Mac Desktop, Neosofia PVE Server

Level 2 DIP

In addition to the level 1 DIP policies, Neosofia should adopt the following level two DIP policies:

  • All networking equipment will enforce EIF.

  • EASs are accessed through an SSO solution. An EAS that does not support SSO may be used if the data it manages is classified as low sensitivity.

  • Passwords will be no less than 15 characters in length and rotated on an annual basis.

  • Accounts will be locked after 5 failed login attempts and reset after 1 hour. Lockouts will alert all SAs.

  • API Access tokens will be rotated on an annual basis.

  • MFA must be app-based, not SMS based.

  • All company workstations will employ a 30-minute screen saver timeout to force re-authentication. For portable systems, lid shut events will force re-authentication, and all employees that leave their workstation unattended must lock the screen in public spaces.

  • EASs must employ role-based access and follow the principle of least privilege.

  • All company workstations will require username and password authentication to unlock the disk encryption.

  • All employees will be trained on anti-phishing tactics.

  • EASs must have audit trails and access logs pushed into a central location.

  • Workstations will use sinkhole DNS providers for anti-malware protection.

  • Workstations and servers will have security patches applied no less than once per month.

  • All systems will employ UPS backup power systems and have graceful shutdown procedures defined/tested.

  • All file-sharing activity will be logged.

  • Documents may only be shared with internal company employees via pre-defined functional teams.

  • If documents/data must be shared with clients, service providers, or external contractors, access must be password protected and limited to 28 days.

Level 3 DIP

In addition to the level 1 and 2 DIP policies, Neosofia will consider adopting the following level three DIP policies:

Monitoring
  • All system logins will be logged and analyzed for atypical access patterns (SIEM).
  • All EASs will be logged and analyzed for atypical access patterns (SIEM).
  • All logs will be monitored for PII leaks (SIEM).
Networking
  • Zone-based networking must be employed (to keep evil printers at bay).
  • IPS and IDS must be employed.
  • Honeypots must be employed.
  • Firewall with networking blocks for UN-sanctioned countries.
  • RADIUS managed VLAN assignment and separation.
  • Self-hosted services will be air-gapped from any third-party service providers.
  • N+1 Firewall redundancy for all data centers and non-home offices.
  • N+1 power redundancy (dual UPS and independent power rails) for all data centers and non-home offices.
  • N+1 WAN redundancy for all data centers and non-home offices.
  • Multi-zone and Multi-region operations for critical business functions.
Data Centers and Offices
  • Biometric access and logging for all non-home locations.
  • Camera monitoring with AI face detection and event analysis will be employed at all data centers and non-home offices.
Other
  • MFA applications must be managed by Neosofia.
  • All EASs will only be accessible from a company-approved/managed device.
  • Outbound emails to external addresses may not have attachments.
  • Workstations will not allow access to USB storage devices.
  • Workstations will have antivirus software installed.

Employee Experience (EE)

  • EE will define SOPs for recruiting, onboarding, and offboarding.
  • EE will define training (LMS) and qualification (CV) management SOPs.

Quality Management (QM)

  • In coordination with all BUs, QM will define a QMS that includes:
    • Incident Management SOPs.
    • Document Management (GDP) SOPs.
    • Vendor Management SOPs.
    • Deviation Management SOPs.
    • Risk Management SOPs.
    • Records (evidence) Management SOPs.
    • Quality Assurance including audit procedures and SMT oversight/responsibilities SOPs.
  • An employee with a QM role cannot assume roles outside the QM department.

Client Services (CS)

Operations (OP)

Ethics

  • Fraud, Bribery, and Disclosure SOPs.

Continuity

  • Business Continuity SOPs.

Vendor Management

Vendor Qualification

  • All third-party service providers must have a SOC2 or ISO 27001 certification.
  • All services must be manageable and observable via an API.
  • Third-party services must have a "free" tier.
  • Self-hosted services must have an active open-source community backing with a path to paid hosting options.