Information Security Policy
This page was last updated on Jan 01, 2026
1. Objectives
HashMove Inc. (hereinafter “HashMove”) recognizes that the security of information and technology systems is fundamental to the reliable delivery of its SaaS ERP platform. HashMove is committed to protecting the confidentiality, integrity, and availability (CIA) of information assets that support its cloud-based services, internal operations, and customer environments. The objectives of this policy are to:
- Protect customer data, business information, and system resources hosted within the HashMove SaaS ERP platform.
- Ensure the CIA of information processed, stored, or transmitted through HashMove systems.
- Establish a secure cloud operating environment that supports reliable, scalable, and resilient SaaS service delivery.
- Mitigate risks arising from cyber threats, unauthorized access, system failures, or operational disruptions.
- Ensure compliance with applicable regulatory requirements, contractual obligations, and recognized industry security standards.
- Promote a culture of information security awareness and responsibility across all employees and stakeholders.
2. Scope
This policy applies to:
- SaaS ERP platform infrastructure, cloud-hosted environments, servers, networks, databases, and storage systems
- Application development and software lifecycle management
- Platform operations, monitoring, incident management, system administration, and support
- Customer data processing and integration services
- Supporting business functions (HR, Finance, Legal, Compliance, Facilities, Internal IT)
- Third-party vendors and partners interacting with HashMove systems
3. Applicability
This policy is binding for all:
- Employees, contractors, consultants, temporary staff, interns
- Third-party service providers, vendors, partners, and affiliates
- Visitors or any individual granted access to HashMove systems or facilities
All personnel are required to comply with this policy and supporting procedures, standards, and guidelines.
4. References
- ISO/IEC 27001:2022 – Information Security Management Systems (ISMS)
- ISO/IEC 27001:2013 – Information Security Management Systems (legacy controls)
- Applicable cloud security and SaaS operational best practices
5. Encryption Standards and Key Lifecycle Management
- All sensitive data must be encrypted in transit using TLS 1.2+ or equivalent, and at rest using AES-256 or approved algorithms.
- Cryptographic keys must be generated, stored, rotated, and retired in accordance with a formal Key Management Policy.
- Keys must be restricted to authorized personnel and systems, and all key management operations must be logged and auditable.
- Encryption standards and key practices shall be periodically reviewed to ensure compliance with industry best practices and regulatory requirements.
6. Shared Responsibility Model and Secure Configuration Standards
- Shared Responsibility:
- Cloud Service Provider (CSP): Security of the cloud (infrastructure, facilities, virtualization)
- HashMove: Security in the cloud (configurations, IAM, application security, data protection, network security)
- Roles & Accountability:
- ISF defines policies, monitors compliance, and reviews risks
- Engineering and DevOps implement and maintain secure configurations
- IT/System Owners maintain operational security
- Data Owners classify and protect sensitive data
- Secure Configurations:
- Systems and cloud resources must follow recognized benchmarks (CIS or equivalent)
- Hardening includes disabling unnecessary services, secure OS/application configurations, MFA, and least privilege access
- IaC pipelines must embed security validation
- Monitoring & Compliance:
- Continuous monitoring of configurations
- Automated compliance tools where feasible
- Periodic audits and remediation of drift
- Change Management:
- All changes follow formal risk-assessed change management
- Exceptions documented, approved, and periodically reviewed
7. Vulnerability Management, Penetration Testing, and Patch Management
- Vulnerability Scanning:
- Monthly scans and after major system changes
- Classification of vulnerabilities by severity and risk-based remediation
- Penetration Testing:
- Conducted at least annually, after major updates, or per contractual/regulatory requirements
- Includes network, web applications, APIs, and cloud configurations
- Findings are risk-rated, remediated, and re-tested
- Patch Management:
- Security patches applied based on severity:
- Critical: within 7–15 days
- High: within 30 days
- Medium: within 60–90 days
- Low: during regular maintenance cycles
- Emergency patch procedures exist for actively exploited vulnerabilities
- All patching follows change management procedures
- Security patches applied based on severity:
- Monitoring & Reporting:
- Continuous monitoring of patch and vulnerability status
- Metrics tracked for remediation timelines, SLA compliance, and recurring issues
- Exceptions: Documented risk-assessed, approved, and periodically reviewed
8. Data Retention, Secure Disposal, and Compliance
- Retention:
- Data retained per legal, regulatory, contractual, and business requirements
- Retention schedules maintained and periodically reviewed
- Systems implemented to automate retention and deletion where feasible
- Secure Disposal:
- Digital data securely erased or overwritten
- Physical media destroyed when no longer required
- Disposal documented and verified
- Compliance:
- Data handled per GDPR, regional laws, and contractual obligations
- Support for data subject rights, cross-border transfer safeguards, and processing accountability
- Roles:
- Data Owners define retention
- IT/Engineering enforce controls
- ISF oversees monitoring and reviews
9. Endpoint Protection and Application Security Testing
- Endpoint Protection:
- Anti-malware/EDR solutions deployed across endpoints and servers
- Secure device configurations, full-disk encryption, least privilege, MFA, remote wipe
- Continuous monitoring for unauthorized or suspicious activity
- Application Security Testing:
- SAST during development
- DAST during testing/staging
- Open-source dependency scanning
- Secure code reviews and CI/CD integration
- Critical/high vulnerabilities remediated prior to production deployment
- Vulnerability Remediation:
- Logged, risk-rated, and tracked to completion
- Logged, risk-rated, and tracked to completion
- Roles:
- IT/DevOps manage endpoints; Engineering handles SDLC security; ISF monitors compliance
- IT/DevOps manage endpoints; Engineering handles SDLC security; ISF monitors compliance
10. Roles and Responsibilities
- Information Security Function (ISF): Governance, compliance, policy management, risk monitoring
- IT/DevOps: Infrastructure, endpoint, network, patch, and configuration management
- Engineering/Development: Secure SDLC, application security, vulnerability remediation
- Data Owners/Function Heads: Data classification, access approval, retention oversight
- HR & Administration: Personnel security, physical security, secure access
- All Users: Responsible for acceptable system use, reporting incidents, and data protection
11. Identity and Access Management
- Access to HashMove systems, applications, and data shall be controlled through formal Identity and Access Management (IAM) controls.
- Role-Based Access Control (RBAC) shall be enforced across all systems
- Access shall be granted based on:
- least privilege; and
- need-to-know principles
- Multi-Factor Authentication (MFA) shall be required for:
- administrative access;
- remote access; and
- access to sensitive systems and data
- User access rights shall be:
- reviewed periodically and
- revoked promptly upon role change or termination
- Privileged access shall be restricted, monitored, and logged
12. Incident Management and Breach Response
HashMove shall maintain a formal information security incident management process.
- All incidents shall be:
- reported through designated channels;
- classified based on severity;
- tracked to resolution
- Incident response shall include
- detection and reporting;
- containment and mitigation;
- eradication and recovery
- Security incidents involving personal data shall:
- be managed in accordance with applicable data protection laws;
- align with GDPR breach notification requirements
- Root Cause Analysis (RCA) shall be conducted for significant incidents
- Lessons learned shall be incorporated into continuous improvement
13. Business Continuity and Disaster Recovery Alignment
Information security controls shall support HashMove’s Business Continuity Plan (BCP) and Disaster Recovery framework.
- Security measures shall ensure:
- availability of critical systems;
- protection of data during disruption scenarios
- Controls shall align with defined:
- Recovery Time Objectives (RTO) and
- Recovery Point Objectives (RPO)
- Coordination between security and continuity teams shall be maintained during incidents
14. Audit, Compliance, and Continuous Monitoring
- Internal audits shall be conducted periodically
- Evidence of compliance shall be:
- documented; and
- retained
- Audit findings shall be:
- tracked; and
- remediated within defined timelines
- Management shall:
- review security performance; and
- oversee continuous improvement of the ISMS
15. Vendor and Third-Party Security
- Vendors shall undergo:
- security due diligence; and
- risk assessment prior to engagement
- Security requirements shall be:
- defined contractually; and
- enforced throughout the relationship
- High-risk vendors shall be:
- monitored; and
- periodically reassessed
- Third-party access to systems shall be:
- restricted;
- controlled; and
- logged
16. Policy Enforcement and Exceptions
- Violations of this policy may result in disciplinary action, including termination of employment or contractual engagement
- Exceptions to this policy must:
- be documented;
- be risk-assessed;
- be approved by authorized personnel
- Approved exceptions shall be:
- periodically reviewed; and
- revoked where no longer justified
17. Policy Review and Version History
أطلق العنان لعالم من الابتكار
الرؤى والاتجاهات والذكاء - مقدمة من هاش موف.
