1. Overview

This document outlines the security policies implemented to protect the information and data stored on our server, Focus IT, with a primary focus on cybersecurity and information security. Additionally, we use Calyx Point as our mortgage origination platform to securely store and protect borrower information. These policies apply to all employees, contractors, and third-party users.

2. Cybersecurity Policies

2.1 Access Control

- Access to Focus IT and information systems is restricted to authorized personnel only.

- Role-based access control (RBAC) is used to ensure users only have access to the information necessary for their roles.

- Multi-factor authentication (MFA) is required for accessing sensitive systems.

2.2 Data Protection

- All data is encrypted both in transit and at rest using industry-standard encryption algorithms.

- Regular backups are performed and stored in a secure location.

- Data access on Focus IT and Calyx Point is logged and monitored for anomalies.

2.3 Network Security

- Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are used to protect the network.

- Regular vulnerability assessments and penetration testing are conducted.

- Remote access is secured through VPNs with end-to-end encryption.

2.4 Incident Response

- A Security Incident Response Plan (SIRP) is established to quickly address and mitigate security incidents.

- Incidents are documented, analyzed, and reported to relevant stakeholders.

3. Information Security Policies

3.1 Data Classification and Management

- Data is classified based on sensitivity: Public, Internal, Confidential, and Restricted.

- Appropriate protection measures are applied depending on the data classification.

3.2 Physical Security

- Physical access to servers and data centers is restricted and monitored.

- CCTV surveillance and security personnel are employed for sensitive areas.

3.3 Acceptable Use Policy

- Users are prohibited from using Focus IT and Calyx Point resources for unauthorized or illegal activities.

- Personal devices connected to the network must comply with company security standards.

3.4 Training and Awareness

- All employees undergo regular security awareness training.

- Phishing simulations and security drills are conducted periodically.

4. Compliance and Review

- Compliance with these policies is mandatory.

- Regular audits are conducted to ensure adherence.

- Policies are reviewed annually or after significant security incidents.

Contact Information

For questions or concerns regarding these policies, please contact at [email protected]