Information Security Policy
Issued by Brainstack Technologies (operated by Aqueduct Advisors Private Limited).
Version: 1.2 | Date: 5 May 2026
Policy Statement Summary
Brainstack Technologies is committed to safeguarding the confidentiality, integrity, and availability of all information assets entrusted to the organisation by clients, employees, and partners. This policy defines security responsibilities, standards, and procedures to protect against threats, ensure compliance with applicable regulations, and support a culture of security awareness.
1. Purpose
This policy establishes a comprehensive framework for protecting information assets from internal and external threats. Objectives include reducing security incidents, ensuring all employees complete mandatory training, and maintaining full compliance with legal, regulatory, and contractual obligations.
2. Scope
This policy applies to all employees, contractors, consultants, temporary staff, vendors, and authorised third parties who access, process, or manage Brainstack Technologies data, systems, or networks — whether on-premises, remote, cloud-hosted, or outsourced environments.
3. Definitions
- Confidential Data — Information classified as non-public and protected by law or contract.
- Incident — Any event that compromises confidentiality, integrity, or availability of information assets.
- Least Privilege — Granting users only the access necessary to perform their role.
- ISO — Information Security Officer.
- SDLC — Software Development Life Cycle.
4. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Executive Management | Provide leadership, resources, and oversight for implementation and compliance. |
| Information Security Officer (ISO) | Develop, maintain, and enforce security policies; monitor compliance; and manage incident response. |
| IT Department | Implement and maintain technical controls, monitor threats, and manage secure configurations. |
| Managers | Ensure departmental compliance, conduct training, and support security initiatives. |
| Employees / Contractors | Follow all security requirements, report incidents, and protect company assets. |
| Vendors / Third Parties | Comply with security clauses in contracts and follow approved integration standards. |
5. Core Security Domains
5.1 Data Classification and Handling
- All data shall be classified as Public, Internal, Confidential, or Restricted upon creation or receipt.
- Handling, storage, and transmission controls shall match the classification level.
- Client data is classified as Confidential or Restricted by default.
- Data owners are responsible for assigning and reviewing classification labels.
5.2 Access Control
- Access to systems and data follows the principle of least privilege.
- Multi-factor authentication (MFA) is required for all remote and privileged access.
- User access is reviewed quarterly and revoked immediately upon role change or termination.
- Shared or generic accounts are prohibited; each user must have a unique credential.
5.3 Incident Management
- All employees must report suspected security incidents to the ISO within 24 hours of discovery.
- The ISO shall triage, investigate, and coordinate response for every reported incident.
- A post-incident review shall be conducted within 5 business days of resolution.
- Incident records shall be retained for a minimum of 3 years for audit and compliance purposes.
5.4 Employee Security Awareness
- All employees and contractors shall complete security awareness training within 30 days of joining and annually thereafter.
- Phishing simulation exercises shall be conducted at least twice per year.
- Role-specific training shall be provided for staff handling Confidential or Restricted data.
5.5 Protection of Proprietary and Intellectual Property
- All proprietary code, designs, and documentation shall be stored in access-controlled repositories.
- Non-disclosure agreements (NDAs) are required for all employees, contractors, and vendors with access to proprietary information.
- Removal of proprietary data from company systems without authorisation is strictly prohibited.
5.6 Acceptable Use and System Security
- Company systems, networks, and devices shall be used primarily for authorised business purposes.
- All endpoints shall run approved anti-malware software and receive timely security patches.
- Users shall not install unauthorised software or disable security controls on company-managed devices.
6. Compliance & Enforcement
Compliance with this policy is mandatory for all personnel within scope. Violations may result in disciplinary action, up to and including termination of employment or contract, and may be referred for legal proceedings where applicable. All exceptions to this policy must be documented, approved by the ISO, and reviewed at least annually.
7. Monitoring & Audit
Brainstack Technologies shall continuously monitor systems, networks, and user activity to detect and respond to security threats. Internal audits of information security controls shall be conducted at least annually. Audit findings shall be reported to Executive Management and tracked to remediation.
8. Risk Management
An annual risk assessment shall be performed to identify, evaluate, and prioritise information security risks. Risk treatment plans shall be maintained for all identified risks above the accepted threshold. The risk register shall be reviewed quarterly by the ISO and reported to Executive Management.
9. Annexures
Annexure A: Cloud Security Policy
- All cloud services must be approved by the ISO before deployment.
- Data stored in the cloud shall be encrypted at rest and in transit.
- Cloud provider security certifications (e.g., SOC 2, ISO 27001) shall be verified annually.
- Access to cloud management consoles shall require MFA and follow least-privilege principles.
- Cloud configurations shall be reviewed quarterly for misconfigurations and drift.
Annexure B: Remote Work Security Policy
- Remote workers shall use company-approved VPN connections for accessing internal systems.
- Work devices shall have full-disk encryption enabled.
- Sensitive data shall not be stored on personal devices without ISO approval.
- Screen lock must be enabled and activate after no more than 5 minutes of inactivity.
- Remote workers shall ensure their home network uses WPA2/WPA3 encryption or better.
- Printing of Confidential or Restricted documents at home is prohibited unless explicitly authorised.
Annexure C: Secure SDLC Policy
- Security requirements shall be defined at the start of every project.
- Code reviews shall include security-focused review checkpoints.
- Static application security testing (SAST) shall be integrated into CI/CD pipelines.
- Third-party libraries and dependencies shall be scanned for known vulnerabilities before use and monitored continuously.
- Penetration testing shall be conducted before major releases or at least annually.
- Secure coding guidelines shall be maintained and updated at least annually.
Annexure D: Data Privacy & Compliance Policy
- Personal data processing shall comply with all applicable data protection laws, including GDPR, DPDP Act 2023, CCPA, and the Australian Privacy Act.
- Data subject / Data Principal requests (access, correction, deletion) shall be fulfilled within statutory timeframes.
- Privacy impact assessments shall be conducted for new projects or systems that process personal data.
Annexure E: Backup & Disaster Recovery Policy
- Critical data and systems shall be backed up daily, with backups stored in geographically separate locations.
- Backup restoration shall be tested at least quarterly to verify integrity and recoverability.
- A disaster recovery plan shall be maintained, reviewed annually, and tested through tabletop exercises or live drills.
Approval and Sign-off
This policy was reviewed and ratified on 13 September 2025 (v1.1) and re-issued as v1.2 on 5 May 2026.
Information Security Officer: Naveen Khanna
Date: 5 May 2026
