Security Policy
This Security Policy is effective as of June 01, 2024
Control Document: GEF-PP-011, Ver. 1.0
Purpose
The purpose of this Security Policy is to establish a framework for managing the security of galaxefi’s (“Company”) information systems, protecting the confidentiality, integrity, and availability of data, and ensuring compliance with legal and regulatory requirements. This policy aims to mitigate security risks and safeguard the Company’s assets from threats and vulnerabilities.
Scope
This policy applies to all employees, contractors, vendors, and other stakeholders who have access to the Company’s information systems, including but not limited to:
- Physical infrastructure
- Network infrastructure
- Hardware and software
- Data and information
Definitions
- Information Systems: All technology resources used to store, process, and transmit data, including computers, servers, networks, and applications.
- Data: Any information collected, processed, stored, or transmitted by the Company, including personal data, business data, and operational data.
- Confidentiality: Ensuring that information is accessible only to those authorized to have access.
- Integrity: Ensuring the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorized users have access to information and associated assets when required.
Security Objectives
The Company aims to achieve the following security objectives:
- Protect the confidentiality of sensitive information.
- Maintain the integrity of data and information systems.
- Ensure the availability of information systems and services.
- Comply with applicable legal, regulatory, and contractual obligations.
- Foster a culture of security awareness among employees and stakeholders.
Security Controls
Access Control
- Implement role-based access controls to ensure that users have access only to the information and resources necessary for their job functions.
- Use strong authentication mechanisms, such as multi-factor authentication (MFA), for accessing sensitive systems and data.
- Regularly review and update access permissions to reflect changes in job roles and responsibilities.
Data Protection
- Encrypt sensitive data both in transit and at rest using industry-standard encryption protocols.
- Implement data classification and handling procedures to ensure that data is protected according to its sensitivity level.
- Perform regular data backups and ensure that backup data is securely stored and recoverable.
Network Security
- Use firewalls, intrusion detection/prevention systems (IDS/IPS), and other network security devices to protect the Company’s network infrastructure.
- Regularly monitor network traffic for suspicious activity and respond promptly to security incidents.
- Implement network segmentation to isolate critical systems and limit the spread of potential threats.
Physical Security
- Control physical access to Company facilities and data centers using access control systems, such as keycards and biometric scanners.
- Ensure that all visitors are authenticated, logged, and escorted while on Company premises.
- Protect physical assets, such as servers and workstations, from theft and unauthorized access.
Security Awareness and Training
- Provide regular security awareness training to all employees and stakeholders to educate them about security best practices and the importance of information security.
- Conduct phishing simulations and other security exercises to test and reinforce security awareness.
Incident Response
- Establish an incident response plan to promptly detect, investigate, and respond to security incidents.
- Regularly test and update the incident response plan to ensure its effectiveness.
- Report security incidents to relevant authorities and affected parties as required by law and contractual obligations.
Compliance and Audit
- Regularly review and update security policies and procedures to ensure compliance with legal, regulatory, and contractual requirements.
- Conduct regular security audits and assessments to identify and remediate vulnerabilities.
- Maintain records of security activities, including access logs, incident reports, and audit findings.
Roles and Responsibilities
- Chief Information Security Officer (CISO): Responsible for overseeing the implementation and enforcement of the Security Policy.
- IT Department: Responsible for implementing technical security controls and monitoring the Company’s information systems.
- Employees and Stakeholders: Responsible for adhering to security policies and procedures and reporting any security incidents or vulnerabilities.
Policy Review and Updates
- This policy will be reviewed annually and updated as necessary to address emerging threats, technological advancements, and changes in legal and regulatory requirements.
- Changes to this policy will be communicated to all employees and stakeholders.
Quick Contact
By adhering to this Security Policy, galaxefi commits to protecting its information systems, data, and other assets from security threats, ensuring compliance with legal and regulatory requirements, and fostering a culture of security awareness and responsibility. For questions or concerns about this Policy, please use the following form: