GV.PO-01: Establishing and Communicating Cybersecurity Policies (formerly ID.GV-1)
eXpress badging has developed comprehensive cybersecurity policies and procedures tailored to our organizational context, risk management strategy, and business priorities.
Key Elements:
- Alignment with Organizational Context: Policies are crafted considering our mission to provide secure ID badging solutions across various sectors, including healthcare, government, education, and enterprise.
- Risk-Based Approach: Our policies prioritize risk management, focusing on data confidentiality, system availability, and service integrity, reflecting our low tolerance for security breaches and compliance failures.
- Core Policy Areas:
  - Data Protection and Encryption Standards
  - User Access and Identity Management
  - Incident Response and Reporting
  - Third-Party and Vendor Risk Management
  - Disaster Recovery and Business Continuity
  - PII and PCI Data Handling Protocols
  - Secure Development and Change Management for the Veonics Portal
- Communication and Accessibility: All policies are documented in the eXpress badging Knowledge Base (HubSpot), accessible to authorized personnel, and reviewed during employee onboarding and regular cybersecurity awareness training sessions.
GV.PO-02: Extending Cybersecurity Policies to Suppliers
eXpress badging ensures that our cybersecurity standards are upheld across our supply chain.
Key Practices:
- Supplier Security Assessments: We evaluate suppliers to ensure they have appropriate cybersecurity controls consistent with our internal standards, especially those handling sensitive data.
- Contractual Obligations: Supplier agreements mandate adherence to our security, confidentiality, data protection, and incident reporting requirements.
- Reliance on Certified Partners: We partner with vendors like AWS and AT&T, selected for their compliance with recognized standards (e.g., SOC 2 Type II reports), ensuring end-to-end supply chain security.
- Ongoing Oversight: Vendors undergo periodic reassessments, with security obligations embedded into Service Level Agreements (SLAs) and Non-Disclosure Agreements (NDAs).
GV.PO-03: Reviewing and Updating Cybersecurity Policies
To maintain the relevance and effectiveness of our cybersecurity policies, eXpress badging follows a structured review process.
Review Process:
- Annual Reviews: All cybersecurity policies and procedures are reviewed at least annually by the Security and Compliance Team, incorporating updates due to:
  - Changes in regulatory requirements (e.g., GDPR, CCPA, PCI DSS)
  - Emerging cybersecurity threats and vulnerabilities
  - Technological advancements or changes in organizational mission
- Trigger-Based Updates: Policies are updated in response to significant events such as security incidents, technology upgrades, major service changes, or findings from penetration tests and audits.
- Stakeholder Communication: Policy changes are communicated through email announcements, updates in the Knowledge Base, and discussions during quarterly security awareness sessions to ensure all stakeholders are informed.
- Audit Readiness: Documentation of all reviews, changes, and communications is maintained to ensure preparedness for internal and external cybersecurity audits.
This structured approach ensures that eXpress badging's cybersecurity policies remain robust, up-to-date, and effectively communicated, aligning with the NIST CSF GV.PO categories.