Document IIS-GOV-SEC-001 • Version 1.0 • Effective 01 May 2026
This Policy establishes the Information Security Management System (ISMS) of Integrated IT Support Inc. (the “Company”), defines its governance, and sets out the control objectives that protect the confidentiality, integrity, and availability of all information assets entrusted to the Company by its clients, employees, partners, and other stakeholders.
This Policy applies to all information assets in any form (electronic, paper, oral) and across the entire information lifecycle (creation, storage, transmission, processing, disposal). It binds all directors, officers, employees, interns, contractors, and any third party accessing the Company's or its clients' information systems or data.
Integrated IT Support Inc. is committed to operating an enterprise-grade information security program that:
Protects the confidentiality, integrity, and availability of all information assets in proportion to their value and risk.
Aligns with internationally recognised frameworks, including ISO/IEC 27001:2022, the NIST Cybersecurity Framework (CSF) 2.0, NIST SP 800-53, and the Government of Canada IT Security Guidance (ITSG-33).
Meets all applicable legal, regulatory, and contractual obligations, including PIPEDA, CASL, applicable Ontario legislation, and client-specific requirements.
Operates a continuous-improvement cycle (Plan-Do-Check-Act) supported by measurable security objectives, internal audits, and management review.
Is led by accountable executive sponsorship, supported by a designated Chief Information Security Officer (CISO) function.
Chief Executive Officer / Executive Leadership: ultimate accountability for information security; approves the Policy; reviews ISMS effectiveness at least annually.
Chief Information Security Officer (CISO): designated officer accountable for the ISMS, risk assessment, control implementation, security operations, incident response, and external assurance reporting.
Information Asset Owners: business owners for each information asset; accountable for classification, access decisions, and compliance with this Policy for their domain.
IT Operations: implements and operates security controls in line with this Policy and the technical standards that support it.
All Personnel: comply with this Policy and supporting procedures, complete mandatory awareness training, and report any suspected incident or weakness.
The Company maintains a tiered documentation structure: this Policy (Tier 1) is supported by topic-specific Standards (Tier 2), Procedures and Work Instructions (Tier 3), and Records (Tier 4). All documents are version-controlled and reviewed at least annually.
The Company applies a documented risk-management process to identify, analyse, evaluate, and treat information security risks. Risk is assessed against confidentiality, integrity, and availability impacts and is rated on a 5×5 likelihood × impact matrix. Risk treatments include mitigation, transfer (e.g., insurance, contractual), avoidance, and informed acceptance by an appropriate authority. The Company maintains an Information Security Risk Register (IIS-GOV-SEC-REG-001) reviewed at least quarterly.
Information assets are classified into four tiers and handled accordingly:
Public — intended for unrestricted disclosure (e.g., marketing materials, this Policy).
Internal — for routine business use within the Company and authorised contractors.
Confidential — sensitive business information requiring restricted access and encryption in transit (e.g., commercial agreements, internal incident reports).
Restricted — highly sensitive information requiring strict access control, encryption in transit and at rest, and explicit data-handling controls (e.g., personal information, client credentials, security configurations, source code with embedded secrets).
Handling rules — including labelling, storage, transmission, printing, copying, and disposal — are defined in the Information Classification & Handling Standard (IIS-SEC-STD-001).
Identity and access management is administered on a least-privilege, need-to-know, and just-in-time basis.
Multi-factor authentication (MFA) is required for all administrative access, remote access, all SaaS and cloud accounts, and access to any client data.
Privileged access is gated through a Privileged Access Management (PAM) workflow with logged session recording for systems above a defined criticality threshold.
Access reviews are performed at least quarterly for privileged accounts and at least semi-annually for standard accounts.
Joiner / mover / leaver processes are formalised, with same-day deprovisioning of access on termination.
Default credentials are forbidden on any system in production; password complexity, length, and rotation rules align with NIST SP 800-63B guidance.
All Company and contractor endpoints used to process Company or client data must run an approved Endpoint Detection & Response (EDR) agent and a current operating system within the vendor-supported patch lifecycle.
Full-disk encryption is mandatory.
Application allow-listing or equivalent controls are applied to high-risk endpoints.
Perimeter and segmentation controls follow defence-in-depth principles; production environments are segmented from corporate networks.
All remote access is via VPN or zero-trust network access with MFA; no direct exposure of management protocols to the public internet.
DNS, web, and e-mail are protected with anti-phishing, anti-spoofing (SPF, DKIM, DMARC), and threat-intelligence-fed filtering.
Cloud and SaaS services follow the Cloud Security Standard (IIS-SEC-STD-002), which mandates vendor due diligence (SOC 2 Type II or ISO 27001 evidence), data-residency assessment for personal information (PIPEDA), and configuration hardening per the cloud provider's security benchmarks.
Customer data resides only in jurisdictions agreed contractually with the client.
Data in transit is protected with TLS 1.2 or higher (TLS 1.3 preferred); legacy protocols are disabled.
Data at rest containing Confidential or Restricted information is encrypted using FIPS 140-3 / FIPS 140-2 validated modules where available.
Cryptographic keys are managed via approved key-management systems with documented rotation, escrow (where required), and revocation procedures.
Vulnerabilities are tracked against published CVSS severity. Critical vulnerabilities (CVSS ≥ 9.0) are remediated, or mitigated with compensating controls, within 7 calendar days; High (CVSS 7.0–8.9) within 30 days; Medium within 90 days.
Internet-facing assets are subject to authenticated vulnerability scanning at least monthly.
Annual third-party penetration testing is conducted for production systems hosting client data.
All software developed by or for the Company follows a documented Secure Software Development Lifecycle (SSDLC) covering threat modelling, secure coding standards, peer code review, automated SAST/DAST, and dependency scanning.
Production changes follow a formal Change Advisory process with risk assessment, rollback plan, and post-implementation review for material changes.
Security-relevant events from endpoints, identity providers, network appliances, cloud platforms, and applications are centrally logged with sufficient retention (minimum 12 months online, 24 months archival).
A 24x7 monitoring capability — operated internally or through a managed detection & response (MDR) partner — generates alerts on security-relevant anomalies.
Time synchronisation is enforced across all systems via authoritative NTP sources.
The Company maintains a documented Incident Response Plan (IIS-SEC-IR-001) aligned with NIST SP 800-61. The plan covers preparation, detection and analysis, containment, eradication, recovery, and lessons learned. The Company:
Maintains an Incident Response Team (IRT) on call 24x7 for severity-1 and severity-2 incidents.
Notifies affected clients of any incident materially affecting their data within contractually agreed timelines (no later than 72 hours absent contractual override).
Notifies the Office of the Privacy Commissioner of Canada and affected individuals of any privacy breach posing a real risk of significant harm, in accordance with PIPEDA's breach-of-security-safeguards reporting requirements.
Performs a documented post-incident review for every severity-1 and severity-2 incident, including a blameless root-cause analysis and corrective-action plan.
Business-impact analysis (BIA) is performed annually to identify Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical service.
Continuity and recovery plans are documented and tested at least annually.
Backups are taken on a defined cadence, encrypted, and protected against ransomware tampering through immutable or offline copies.
All third parties processing Company or client data are subject to security due diligence proportional to the sensitivity and volume of data.
Standard contracts include data protection, security control, audit, breach notification, and right-to-terminate clauses.
Critical suppliers are reassessed annually.
All personnel must complete security awareness training within 30 days of joining and at least annually thereafter, including phishing-resistance exercises.
Personal accounts and devices may not store unencrypted Confidential or Restricted information.
Use of generative AI tools with Confidential or Restricted information is governed by the Acceptable Use of AI Policy (IIS-GOV-AI-001).
Internal audits of the ISMS are performed at least annually; findings are tracked to closure.
Management review of ISMS performance is held at least annually, including risk-register status, audit results, training metrics, incident statistics, and effectiveness of corrective actions.
The Company tracks roadmap progress toward formal ISO/IEC 27001 certification and SOC 2 Type II attestation as a condition of expanding into higher-assurance government and enterprise engagements.
Approval and Authority
This document has been reviewed and approved by the Executive Leadership of Integrated IT Support Inc. and is issued under the authority of the Office of the Chief Executive Officer. The document is subject to periodic review and may be amended by the Approving Authority. Material amendments are communicated to all employees and key suppliers within thirty (30) days of issuance.
Signed for and on behalf of Integrated IT Support Inc.
Ahmad
Ahmad — Chief Executive Officer
Integrated IT Support Inc.
Date: 11 May 2026
Approved electronically by Ahmad, Chief Executive Officer, on 11 May 2026. This electronic signature is applied with the authority of the named signatory and is valid under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Ontario Electronic Commerce Act, 2000.