1. Executive Summary

This Information Security Policy establishes the foundation for protecting Planned Packaging of Illinois Corp.'s (PPOIC) information assets, including personal data, business information, and IT systems. This policy defines clear roles, responsibilities, and security requirements to ensure confidentiality, integrity, and availability of information.

Key Highlights:

• Comprehensive information security governance framework
• Clearly defined roles and responsibilities for information security
• Risk-based approach to security controls
• Integration of security into all business processes
• Annual review and continuous improvement process

NIST 800-53 PM, PL, PS NIST CSF ISO 27001:2022 CyberVadis

2. Purpose and Scope

2.1 Purpose

The purpose of this policy is to:

• Establish information security as a core business priority
• Define organizational security governance structure
• Assign clear responsibilities for information security
• Establish security principles and requirements
• Ensure compliance with legal and regulatory requirements
• Protect PPOIC's information assets from threats
• Maintain customer and stakeholder trust

2.2 Scope

This policy applies to:

• All PPOIC employees, contractors, consultants, and third parties
• All information assets (data, systems, networks, facilities)
• All locations where PPOIC conducts business
• All business processes that use, store, or transmit information

3. Information Security Governance

3.1 Governance Structure

Governance Body	Composition	Responsibilities
Executive Management	CEO, COO, CFO, CIO	• Approve information security strategy • Allocate resources for security initiatives • Review security performance quarterly • Provide executive sponsorship
Information Security Leadership	CIO (Clarence Simms), IT Manager, DPO	• Develop and maintain security policies • Implement security controls • Manage security operations • Report to executive management
Department Heads	COO, CFO, HR Director, Operations Managers	• Implement security in their departments • Ensure employee compliance • Identify departmental security needs • Participate in security initiatives

3.2 Roles and Responsibilities

3.2.1 Chief Information Officer (CIO)

Position: Clarence Simms

Primary Information Security Responsibilities:

• Overall accountability for information security program
• Develop and maintain information security policies
• Lead IT and security teams
• Manage security budget and resources
• Report security posture to executive management
• Coordinate security audits and assessments
• Serve as primary contact for security matters
• Ensure compliance with security regulations

3.2.2 Chief Operating Officer (COO)

Position: Devin Delaughter

Information Security Responsibilities:

• Integrate security into operational processes
• Ensure physical security of facilities
• Support security initiatives across operations
• Allocate operational resources for security
• Coordinate with CIO on operational security needs

3.2.3 Chief Financial Officer (CFO)

Position: Tamika Boga

Information Security Responsibilities:

• Approve security budgets and expenditures
• Manage cyber insurance program
• Oversee financial aspects of security compliance
• Ensure security of financial systems and data

3.2.4 IT Department

Information Security Responsibilities:

• Implement and maintain technical security controls
• Monitor systems for security incidents
• Perform security updates and patch management
• Manage user access and authentication
• Conduct security vulnerability assessments
• Provide security support to users
• Maintain security documentation

3.2.5 All Employees

Information Security Responsibilities:

• Comply with all information security policies
• Protect assigned credentials and devices
• Report security incidents immediately
• Complete required security training
• Use information assets responsibly
• Follow acceptable use guidelines

4. Information Security Principles

4.1 Core Security Objectives

Objective	Definition	Implementation
Confidentiality	Ensure information is accessible only to authorized individuals	Access controls, encryption, data classification
Integrity	Maintain accuracy and completeness of information	Change controls, backups, validation, audit trails
Availability	Ensure authorized access to information when needed	Redundancy, backups, disaster recovery, monitoring

4.2 Security by Design

PPOIC integrates security into:

• New system development and implementations
• Business process design
• Third-party vendor selection
• Facility and infrastructure planning
• Product and service development

4.3 Defense in Depth

PPOIC employs multiple layers of security controls:

• Perimeter Security: Firewalls, intrusion prevention
• Network Security: Segmentation, monitoring, encryption
• Application Security: Secure coding, testing, access controls
• Data Security: Encryption, classification, DLP
• Endpoint Security: Antivirus, device management, hardening
• Physical Security: Access controls, surveillance, environmental controls
• Administrative Security: Policies, procedures, training, awareness

4.4 Risk-Based Approach

Security controls are implemented based on:

• Risk assessment results
• Data classification and sensitivity
• Business impact analysis
• Cost-benefit considerations
• Regulatory requirements

5. Information Security Requirements

5.1 Access Control

• Principle of Least Privilege: Users granted minimum access necessary
• Need-to-Know: Access based on business role requirements
• User Account Management: Formal provisioning/deprovisioning process
• Strong Authentication: Complex passwords, MFA for sensitive systems
• Regular Review: Quarterly access rights reviews

5.2 Data Protection

• Data Classification: All data classified per Data Inventory and Classification Policy
• Encryption: Sensitive data encrypted at rest and in transit
• Data Loss Prevention (DLP): Monitoring and controls to prevent data exfiltration
• Secure Disposal: Data securely deleted per retention policy
• Backup and Recovery: Regular backups with tested recovery procedures

5.3 Network Security

• Perimeter Protection: Firewalls, IPS/IDS at network boundaries
• Network Segmentation: Separation of production, development, guest networks
• Wireless Security: WPA3 encryption, separate guest networks
• Remote Access: VPN required for remote connections
• Network Monitoring: Continuous monitoring for anomalies

5.4 System Security

• Hardening: Systems configured per security baselines
• Patch Management: Critical patches within 30 days, high within 60 days
• Antivirus/Anti-malware: Deployed on all endpoints with real-time protection
• Logging and Monitoring: Security events logged and reviewed
• Vulnerability Management: Regular scanning and remediation

5.5 Application Security

• Secure Development: Security requirements in SDLC
• Code Review: Security review for custom applications
• Testing: Security testing before production deployment
• Third-Party Applications: Security assessment before procurement

5.6 Physical and Environmental Security

• Access Control: Badge access to facilities and server rooms
• Visitor Management: Sign-in, badges, escort requirements
• Surveillance: CCTV cameras at entry points and sensitive areas
• Environmental Controls: Fire suppression, HVAC, power for data centers
• Clean Desk Policy: Sensitive documents secured when unattended

6. Security Operations

6.1 Security Monitoring

PPOIC maintains continuous security monitoring including:

• SIEM (Security Information and Event Management) system
• Network traffic analysis
• Endpoint detection and response (EDR)
• Log aggregation and correlation
• Alert triage and investigation

6.2 Incident Response

PPOIC maintains an Incident Response Plan including:

• Incident detection and reporting procedures
• Incident classification and prioritization
• Incident Response Team activation
• Containment, eradication, and recovery procedures
• Post-incident review and lessons learned

(See Data Breach Notification Procedure for personal data breaches)

6.3 Vulnerability Management

Activity	Frequency	Responsibility
Vulnerability Scanning	Weekly (internal) Quarterly (external)	IT Security
Penetration Testing	Annually	External Vendor + IT
Remediation Tracking	Ongoing	IT Security
Risk Assessment	Annually	CIO + Management

7. Security Awareness and Training

Training Type	Audience	Frequency
General Security Awareness	All employees	Annually + new hire
Phishing Training	All employees	Quarterly simulations
Data Protection Training	All employees handling personal data	Annually
Secure Coding Training	Developers	Annually
IT Security Training	IT staff	Ongoing
Management Security Training	Managers and above	Annually

7.1 Training Content

• Information security policies and procedures
• Password security and authentication
• Phishing and social engineering recognition
• Physical security and clean desk practices
• Mobile device and remote work security
• Incident reporting procedures
• Data classification and handling
• BYOD and acceptable use

8. Third-Party Security

8.1 Vendor Security Assessment

Before engaging third parties with access to PPOIC information:

1. Conduct security risk assessment
2. Review vendor security certifications (SOC 2, ISO 27001, etc.)
3. Require completion of security questionnaire
4. Include security requirements in contracts
5. Establish data processing agreements (for personal data)

8.2 Ongoing Vendor Management

• Annual security reviews for critical vendors
• Monitor vendor security incidents and breaches
• Require notification of security changes
• Conduct periodic audits of high-risk vendors
• Maintain vendor inventory and risk ratings

9. Compliance and Audit

9.1 Compliance Requirements

PPOIC maintains compliance with:

• NIST Cybersecurity Framework
• NIST 800-53 controls
• CCPA and state privacy laws
• SOC 2 (if applicable)
• ISO 27001 best practices
• Industry-specific regulations

9.2 Internal Audits

• Frequency: Annually
• Scope: Information security policies, procedures, and controls
• Conducted By: Internal audit or external assessor
• Reporting: Findings reported to CFO and CEO

9.3 External Audits

• CyberVadis assessments
• Customer security audits
• Regulatory examinations
• Certification audits (as applicable)

10. Policy Management

10.1 Policy Review and Updates

• Annual Review: CIO reviews policy annually
• Interim Updates: As needed for regulatory changes, incidents, or business changes
• Approval: CEO approves major policy changes
• Communication: All policy updates communicated to employees

10.2 Policy Exceptions

Exceptions to this policy require:

• Written business justification
• Risk assessment
• Compensating controls
• CIO approval (CEO for high-risk exceptions)
• Annual review of ongoing exceptions

10.3 Enforcement

Violations of this policy may result in:

• Retraining and counseling
• Formal disciplinary action
• Suspension or termination of employment
• Legal action (for willful violations or criminal activity)

Appendix A: RACI Matrix for Information Security

Activity	CIO	IT Dept	COO	CFO	Managers	Employees
Security Policy Development	A	R	C	C	I	I
Security Control Implementation	A	R	C	I	I
Incident Response	A	R	C	I	C	I
Security Training Delivery	A	R	C		I
Security Budget Approval	R	C	C	A
Departmental Security Compliance	A	C	C		R	I
Policy Compliance (Individual)	A	C			C	R

Legend:

• R = Responsible: Does the work
• A = Accountable: Ultimately answerable
• C = Consulted: Provides input
• I = Informed: Kept updated

Document Approval