This Cybersecurity Policy establishes the guidelines and practices required to protect the organization’s digital assets, data, and infrastructure from cyber threats. It adheres to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to align with industry best practices, and it ensures that Clevr effectively identifies, protects against, detects, responds to, and recovers from cybersecurity threats in alignment with that framework.
For information on Clevr's cybersecurity safeguards, please consult our NIST Cybersecurity Framework attached below.
Purpose and Scope
The purpose of this policy is to:
- Safeguard the confidentiality, integrity, and availability of organizational data.
- Mitigate risks associated with cybersecurity threats.
- Ensure compliance with applicable legal, regulatory, and contractual obligations.
This policy applies to all employees, contractors, and third parties accessing the organization’s information systems.
Framework Overview
The organization follows the NIST Cybersecurity Framework, which is divided into five key functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Key Security Functions
Identify (ID)
- Asset Management (ID.AM): Maintain an inventory of personnel, physical devices, software, and data to ensure all assets are tracked and secured. Clevr maintains an inventory of personnel, physical devices, software, and systems.
- Business Environment (ID.BE): Align cybersecurity roles and responsibilities with the organization’s objectives. Effective use of Clevr software depends on third-party integrations and cross-departmental collaboration.
- Governance (ID.GV): Document and maintain policies, procedures, and processes to guide cybersecurity practices. Clevr maintains its organizational information in alignment with governance requirements.
- Risk Assessment (ID.RA): Conduct regular assessments to identify and prioritize risks to the organization’s assets and operations. Clevr regularly analyzes system assets and prioritizes mitigation of cybersecurity risks.
- Supply Chain Risk Management (ID.SC): Evaluate and manage cybersecurity risks within the supply chain. Clevr ensures that external information system service providers are assessed for compliance.
Protect (PR)
- Access Control (PR.AC): Implement strict access control measures, ensuring only authorized personnel have access to critical data and systems. Clevr implements strict access control measures using role-based access control.
- Awareness and Training (PR.AT): Provide cybersecurity and privacy training to all employees and contractors. Annual training is mandatory for all employees to address privacy and security best practices.
- Data Security (PR.DS): Protect data at rest and in transit through encryption, backups, and other safeguards. Data is encrypted using AES-256 encryption at rest and TLS 1.2 for data in transit.
- Information Protection Processes (PR.IP): Continuously improve policies and procedures to ensure effective data protection. The Clevr team continuously reviews and improves processes to address security vulnerabilities.
- Maintenance (PR.MA): Perform regular maintenance and updates of IT systems to mitigate vulnerabilities. Clevr utilizes Microsoft Azure hosting services to ensure system updates are applied effectively.
- Protective Technology (PR.PT): Utilize technical solutions (e.g., firewalls, intrusion detection systems) to safeguard information systems. Audit logs are documented and reviewed in accordance with security policies.
Detect (DE)
- Anomalies and Events (DE.AE): Monitor and identify unusual activities that could indicate potential security threats. Clevr proactively monitors instance metrics to detect anomalies.
- Security Continuous Monitoring (DE.CM): Use real-time monitoring tools to detect malicious activities or system failures. Clevr is hosted on the Microsoft Azure infrastructure, leveraging its monitoring tools.
- Detection Processes (DE.DP): Establish and maintain roles, responsibilities, and procedures for incident detection. Roles and responsibilities for detection are well-defined and communicated.
Respond (RS)
- Response Planning (RS.RP): Develop and execute a response plan to address cybersecurity incidents. Clevr's response plan is executed as soon as an incident becomes known.
- Communications (RS.CO): Ensure clear communication during incidents, both internally and externally. Clevr team members are trained in their respective roles for incident communication.
- Analysis (RS.AN): Conduct thorough analysis of incidents to identify root causes and prevent recurrence. In the event of an incident, the Clevr team will conduct a full analysis.
- Mitigation (RS.MI): Implement measures to contain and resolve incidents effectively. Clevr implements containment measures to address identified threats.
- Improvements (RS.IM): Review and enhance the response plan based on lessons learned. Lessons learned from incidents are used to refine the response plan.
Recover (RC)
- Recovery Planning (RC.RP): Establish and implement recovery plans to restore systems and services after an incident. Clevr maintains a recovery plan that is regularly tested.
- Improvements (RC.IM): Update recovery plans based on post-incident reviews and findings. Clevr reviews its recovery plans post-incident to incorporate improvements.
Roles and Responsibilities
- Executive Management: Provide oversight and allocate resources to implement this policy.
- Security Team: Monitor systems, enforce cybersecurity measures, and respond to incidents.
- Employees and Contractors: Adhere to cybersecurity training and comply with security practices.
- Third Parties: Ensure compliance with organizational cybersecurity standards when accessing systems.
Policy Maintenance
- This policy will be reviewed and updated annually or as needed to address emerging threats and changes in the regulatory environment.
This Cybersecurity Policy ensures that the organization effectively identifies, protects against, detects, responds to, and recovers from cybersecurity threats in alignment with the NIST Cybersecurity Framework.