Security Framework

Cyber Security Policy

Our comprehensive framework for protecting digital assets, ensuring data integrity, and maintaining the highest security standards across all operations.

Last Updated: February 12, 2026

1. Introduction

At Naestinn Pvt Ltd ("Naestinn," "we," "us," or "our"), cyber security is a top priority. This Cyber Security Policy establishes the framework for protecting our information assets, systems, and networks from unauthorized access, disclosure, disruption, modification, or destruction.

This policy applies to all employees, contractors, consultants, and third parties who have access to Naestinn's information systems and data.

2. Scope & Applicability

This policy covers:

  • All information systems, networks, and devices owned or managed by Naestinn
  • Client data and proprietary information entrusted to Naestinn
  • Cloud services, third-party applications, and external integrations
  • Physical and digital access to Naestinn facilities and resources

3. Security Principles

Our security framework is built on the following core principles:

Confidentiality

Ensuring that information is accessible only to authorized individuals and systems.

Integrity

Maintaining the accuracy and completeness of data throughout its lifecycle.

Availability

Ensuring that authorized users have reliable and timely access to information and resources.

4. Data Protection Measures

Encryption

All sensitive data is encrypted both at rest and in transit using industry-standard cryptography: AES-256 for data at rest and TLS 1.3 for data in transit.
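As an added illustration of the in-transit half of this requirement (example code, not Naestinn's own tooling), here is a Python client context pinned to TLS 1.3 with certificate and hostname verification, placed beside a deliberately weakened context and a small audit function that reports which settings fall short. It assumes only the standard `ssl` module running on OpenSSL 1.1.1 or newer, which is what TLS 1.3 support requires; the AES-256 at-rest half is not shown because the standard library carries no AES primitive.

```python
import ssl
from typing import List


def policy_client_context() -> ssl.SSLContext:
    """Client context that meets the stated policy: TLS 1.3 only, with the peer
    certificate and hostname verified. Needs OpenSSL 1.1.1+ for TLS 1.3."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: lower protocol floor and no certificate
    verification. This is what the audit below should reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the names of settings that miss the policy; empty means compliant."""
    findings = []
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        findings.append("minimum_version")
    if not ctx.check_hostname:
        findings.append("check_hostname")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode")
    return findings


if __name__ == "__main__":
    print("policy context:", audit_context(policy_client_context()) or "compliant")
    print("weak context:  ", audit_context(weak_client_context()))
```

The audit is the useful part in practice: run it over every context an application builds, because `ssl.create_default_context()` alone leaves the floor at TLS 1.2 and a context built from `ssl.PROTOCOL_TLS_CLIENT` with verification disabled silently accepts any certificate.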

Data Classification

We classify data into categories (Public, Internal, Confidential, Restricted) and apply appropriate security controls based on sensitivity.

Backup & Recovery

Regular automated backups are performed, with secure off-site storage. We maintain a comprehensive disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

5. Access Control

Principle of Least Privilege

Users are granted the minimum level of access necessary to perform their job functions. Access rights are reviewed quarterly.

Multi-Factor Authentication (MFA)

MFA is mandatory for all employees and contractors accessing Naestinn systems, including every administrative and privileged account.

Password Policy

  • Minimum 12 characters with complexity requirements
  • Password rotation every 90 days for privileged accounts
  • No password reuse for the last 12 passwords
  • Use of password managers is encouraged
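The rules above can be enforced at password-change time. The following Python is an added example (not Naestinn's own tooling) that checks length, complexity and reuse against the stored hashes of previous passwords, and computes when a privileged account's 90-day rotation falls due. Two details are assumptions because the policy does not state them: "complexity" is read as at least three of four character classes, and salted PBKDF2-HMAC-SHA256 with a deliberately low iteration count stands in for whatever password hashing scheme is used in production.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Figures stated in the policy above.
MIN_LENGTH = 12
HISTORY_DEPTH = 12             # no reuse of the last 12 passwords
PRIVILEGED_ROTATION_DAYS = 90  # rotation applies to privileged accounts only

# Assumptions for this illustration (the policy does not specify them).
MIN_CHARACTER_CLASSES = 3      # "complexity" read as 3 of 4 classes
PBKDF2_ITERATIONS = 100_000    # kept low so the example runs quickly

Hash = Tuple[bytes, bytes]     # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Hash:
    """Salted PBKDF2-HMAC-SHA256 digest; a fresh random salt unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol classes appear."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


def is_reused(password: str, history: List[Hash]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes.
    Each entry is re-derived with its own salt, so no plaintext history is kept."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password: str, history: List[Hash]) -> List[str]:
    """Return the rules the candidate violates; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        violations.append("complexity")
    if is_reused(password, history):
        violations.append("reused")
    return violations


def rotation_due(last_changed: datetime, privileged: bool,
                 now: Optional[datetime] = None) -> bool:
    """Rotation is enforced for privileged accounts only, per the policy above."""
    if not privileged:
        return False
    now = now or datetime.now(timezone.utc)
    return now - last_changed >= timedelta(days=PRIVILEGED_ROTATION_DAYS)


if __name__ == "__main__":
    # Constructed sample: one previous password on record for this account.
    history = [hash_password("CorrectHorse!Battery9")]
    print(validate_new_password("CorrectHorse!Battery9", history))  # reused
    print(validate_new_password("Fresh-Passphrase-2026", history))  # accepted
```

Reuse is checked by re-deriving the candidate under each stored salt and comparing in constant time; the history itself holds only salts and digests, so an enforcement bug in this code cannot leak old passwords.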

6. Network Security

Our network security measures include:

  • Firewalls: Next-generation firewalls with intrusion detection and prevention systems (IDS/IPS)
  • Network Segmentation: Separation of production, development, and corporate networks
  • VPN: Encrypted VPN tunnels for remote workers between their devices and the corporate VPN gateway
  • Monitoring: 24/7 network monitoring and logging for suspicious activities

7. Incident Response

We maintain a comprehensive Incident Response Plan (IRP) to quickly identify, contain, and remediate security incidents.

Response Process

  1. Detection & Reporting: Immediate reporting of suspected incidents to the security team
  2. Assessment: Rapid evaluation of incident severity and impact
  3. Containment: Isolation of affected systems to prevent spread
  4. Eradication: Removal of threats and vulnerabilities
  5. Recovery: Restoration of normal operations
  6. Post-Incident Review: Analysis and documentation of lessons learned

Security Incident Hotline: security@naestinn.com (monitored 24/7)

8. Employee Responsibilities

All employees and contractors must:

  • Complete mandatory security awareness training annually
  • Report suspicious emails, links, or activities immediately
  • Use only approved software and applications
  • Never share passwords or access credentials
  • Lock workstations when unattended
  • Follow the Clean Desk Policy for physical security

9. Third-Party Security

All third-party vendors and service providers with access to Naestinn systems or data must:

  • Undergo security assessments before onboarding
  • Sign Non-Disclosure Agreements (NDAs) and Data Processing Agreements (DPAs)
  • Comply with our security standards and policies
  • Participate in periodic security audits

10. Compliance & Audits

Naestinn is committed to compliance with applicable laws, regulations, and industry standards, including:

  • GDPR (General Data Protection Regulation)
  • ISO 27001 Information Security Management
  • SOC 2 Type II compliance
  • CCPA/CPRA (California privacy laws)

We conduct regular internal and external security audits to ensure ongoing compliance and identify areas for improvement.

11. Policy Updates

This Cyber Security Policy is reviewed and updated at least annually or whenever significant changes occur in our technology environment, threat landscape, or regulatory requirements.

12. Contact Information

For security-related questions or to report a security incident, please contact:

General Inquiries

info@naestinn.com

Naestinn Pvt Ltd

Noida, Uttar Pradesh, India
