Approval: Approved by Tony Arcus
AINET.BIZ is our website name and our EIN / trading-as name.
1. Purpose
AINET.BIZ is committed to protecting the confidentiality, integrity, and availability of our information assets, including customer data, intellectual property, systems, and networks. This Information Security Policy establishes the framework to identify, mitigate, and monitor information security risks relevant to our business operations.
This policy ensures compliance with applicable laws, regulations, and industry standards while supporting our business objectives and maintaining trust with customers, partners, and stakeholders (including vendors like Plaid).
2. Scope
This policy applies to all employees, contractors, consultants, temporary staff, and third parties who access, process, store, or transmit AINET.BIZ's information assets. It covers all systems, networks, data (electronic and physical), and facilities under our control.
3. Policy Statement
AINET.BIZ shall maintain a documented Information Security Management approach aligned with recognized frameworks such as the NIST Cybersecurity Framework or ISO 27001 principles.
We will:
- Identify risks through regular assessments of threats, vulnerabilities, and impacts to our information assets.
- Mitigate risks by implementing appropriate technical, administrative, and physical controls.
- Monitor risks continuously through logging, auditing, vulnerability scanning, and incident detection processes.
- Review and improve our security posture on an ongoing basis.
4. Key Principles and Commitments
- Confidentiality: Information is accessible only to authorized individuals.
- Integrity: Information is accurate, complete, and protected from unauthorized modification.
- Availability: Information and systems are accessible and usable when needed.
- Risk-Based Approach: Security controls are proportional to the identified risks and business impact.
- Compliance: We adhere to relevant laws (e.g., data protection regulations) and contractual obligations.
- Continuous Improvement: We conduct periodic reviews, risk assessments, and training to enhance our security program.
- Accountability: All personnel are responsible for upholding this policy; violations may result in disciplinary action, up to termination.
5. Roles and Responsibilities
- Leadership / Tony Arcus: Overall accountability for the information security program, including policy approval, resource allocation, and risk oversight.
- IT / Security Team: Day-to-day implementation of controls, monitoring, incident response, and technical risk assessments.
- Employees and Contractors: Comply with this policy, complete required training, report security incidents promptly, and follow procedures for data handling, access, and acceptable use.
- All Personnel: Participate in risk identification and mitigation where relevant.
6. Risk Management Approach (Identification, Mitigation, and Monitoring)
We operationalize risk management as follows:
- Identification: Conduct regular risk assessments (at least annually or after significant changes) to identify threats, vulnerabilities, and potential impacts. This includes asset inventory, threat modeling, and vulnerability scanning.
- Mitigation: Implement controls such as access management, encryption, malware protection, secure development practices, employee training, and physical security measures. Risks are prioritized and treated (avoid, mitigate, transfer, or accept) based on business needs.
- Monitoring: Use logging, monitoring tools, intrusion detection, and periodic audits to detect anomalies. Security events and incidents are reviewed and escalated as needed.
- Review: Risks and controls are evaluated regularly, with findings documented and actioned.
Supporting procedures (e.g., Risk Assessment Procedure, Incident Response Plan) detail these activities and are maintained internally.
7. Core Security Controls
- Access Control: Least privilege principle; multi-factor authentication (MFA) where appropriate; regular access reviews.
- Data Protection: Encryption for sensitive data in transit and at rest; secure data handling and disposal.
- Awareness and Training: Mandatory security training for all personnel upon onboarding and annually.
- Incident Response: Documented process for detecting, responding to, and recovering from security incidents, including breach notification where required.
- Vulnerability Management: Regular patching, scanning, and remediation.
- Third-Party / Vendor Management: Security requirements are assessed for vendors and partners.
- Acceptable Use: Guidelines for device usage, internet/email, and personal device policies (detailed in supporting Acceptable Use Policy).
8. Enforcement and Compliance
- Violations of this policy may result in disciplinary action, including termination and potential legal consequences.
- Exceptions to this policy must be documented, risk-assessed, and approved by Tony Arcus.
- Compliance is monitored through internal audits and self-assessments.
9. Policy Review and Updates
This policy will be reviewed at least annually or following significant incidents, regulatory changes, or business transformations. Updates will be communicated to all relevant parties.
10. Contact Information
For questions or to report a security concern, contact: Tony Arcus, +1-808-498-7146, tony@ai.net.nz, tony@ainet.biz.
Acknowledgment
By accessing AINET.BIZ systems or data, all personnel acknowledge they have read, understood, and agree to comply with this policy.
