InContext Solutions
Information Security
Last reviewed: 2025-04-01

Information Security Policy

1. Overview

This Information Security Policy is the governing document for all information security activities at InContext Solutions. It establishes executive management's commitment to protecting the confidentiality, integrity, and availability of information assets, and provides the authoritative framework from which all subordinate security policies, standards, procedures, and guidelines derive their authority.

InContext Solutions recognizes that information is a critical business asset. The protection of client data, proprietary research methodologies, intellectual property, and operational systems is essential to sustaining customer trust, meeting contractual obligations, and achieving strategic objectives. This policy affirms that information security is a shared responsibility embedded in every business function, technology decision, and employee action.

This policy is approved by executive leadership and constitutes a binding directive for all personnel, contractors, and third parties who access, process, store, or transmit InContext Solutions information assets.

2. Scope

This policy applies to:

  • All information assets — including digital data, physical records, intellectual property, source code, client deliverables, research data, and business communications regardless of format or medium.
  • All information systems — including servers, workstations, mobile devices, cloud services, applications, databases, network infrastructure, and development environments operated by or on behalf of InContext Solutions.
  • All personnel — including full-time and part-time employees, temporary staff, interns, executives, and board members.
  • All third parties — including contractors, consultants, vendors, partners, and service providers who access InContext Solutions information or systems.
  • All locations — including corporate offices, remote work environments, data centers, cloud regions, and any facility where InContext Solutions data is processed, stored, or transmitted.

There are no exclusions from the scope of this policy. Any system, process, or individual interacting with InContext Solutions information assets is subject to the requirements set forth herein and in subordinate policies referenced throughout this document.

3. Information Security Objectives

InContext Solutions pursues the following information security objectives:

Protect Confidentiality

Ensure that information is accessible only to those authorized to access it. Client data, proprietary methodologies, and sensitive business information must be protected from unauthorized disclosure through appropriate access controls, encryption, and classification schemes as defined in the Data Protection Policy.

Preserve Integrity

Safeguard the accuracy and completeness of information and processing methods. Data must be protected from unauthorized or accidental modification, and systems must produce reliable, consistent outputs.

Maintain Availability

Ensure that authorized users have timely and reliable access to information and associated systems when needed. Business-critical systems must meet defined availability targets and be supported by resilience and recovery capabilities as outlined in the Business Continuity Policy.

Sustain Customer Trust

Demonstrate to clients, partners, and stakeholders that InContext Solutions operates a mature, auditable information security program that meets or exceeds industry expectations and contractual commitments.

Comply with Legal and Regulatory Requirements

Meet all applicable legal, regulatory, and contractual obligations related to information security and data protection, including but not limited to GDPR, CCPA, SOC 2 Type II requirements, and client-specific security provisions.

Support Business Objectives

Align information security investments and controls with business strategy, enabling innovation and growth while managing risk to acceptable levels.

4. Governance Structure

Executive Leadership

Executive leadership bears ultimate accountability for information security. This includes approving this policy, allocating adequate resources, setting risk appetite, and ensuring that security objectives are integrated into strategic planning. The executive team receives regular reporting on security posture, risk exposure, and program effectiveness.

Information Security Team

The Information Security (InfoSec) team is responsible for the design, implementation, operation, and continuous improvement of the Information Security Management System (ISMS). This includes developing security policies and standards, conducting risk assessments, managing security incidents, overseeing compliance activities, and providing security guidance to the organization.

Department Heads and Asset Owners

Department heads serve as owners of the information assets within their functional areas. Asset owners are responsible for classifying information, defining access requirements, ensuring compliance with applicable policies, and accepting residual risk for assets under their stewardship.

All Employees and Personnel

Every individual with access to InContext Solutions information or systems is a security participant. All personnel are responsible for understanding and complying with this policy and all subordinate security policies, completing required security awareness training, and promptly reporting security incidents or concerns.

Information Security Management System

InContext Solutions maintains a formal ISMS aligned with ISO/IEC 27001 principles. The ISMS provides the systematic approach through which security risks are identified, assessed, treated, and monitored. It encompasses the full lifecycle of security controls from design through retirement and is subject to regular internal audit and management review.

5. Risk Management

Risk Appetite

InContext Solutions maintains a low risk appetite for threats to client data confidentiality, system integrity, and service availability. The organization accepts that some residual risk is inherent in business operations and seeks to reduce risk to levels that are demonstrably reasonable and proportionate to the value of the assets being protected.

Risk Assessment Methodology

Risk assessments are conducted in alignment with ISO 31000 and NIST SP 800-30 principles. The methodology includes:

  • Asset identification — cataloging information assets, their owners, and their value to the organization.
  • Threat identification — identifying plausible threat sources and threat events relevant to each asset.
  • Vulnerability assessment — evaluating weaknesses that could be exploited by identified threats.
  • Likelihood and impact analysis — estimating the probability of occurrence and the potential business impact of each risk scenario.
  • Risk evaluation — comparing assessed risk levels against the organization's risk acceptance criteria.

Risk assessments are performed at least annually for all critical systems and whenever significant changes occur to the technology environment, business operations, or threat landscape.

Risk Treatment

Identified risks are treated through one or more of the following options:

  • Mitigate — implement controls to reduce the likelihood or impact of the risk to an acceptable level.
  • Accept — formally acknowledge and accept the risk where treatment costs exceed the potential impact, documented with executive approval.
  • Transfer — shift the risk to a third party through insurance, contractual arrangements, or outsourcing with appropriate security requirements.
  • Avoid — eliminate the risk by discontinuing the activity or removing the asset that gives rise to it.

Risk Register

A risk register is maintained by the InfoSec team and updated following each risk assessment cycle, after security incidents, and when material changes to the environment occur. The risk register records identified risks, their assessed levels, treatment decisions, control owners, and residual risk ratings. It is reviewed by executive leadership as part of the management review process.

6. Policy Framework

Policy Document Hierarchy

InContext Solutions maintains a structured hierarchy of security documentation:

  1. Information Security Policy (this document) — Top-level governance document approved by executive leadership. Establishes principles, objectives, and authority.
  2. Topic-Specific Policies — Address specific security domains (e.g., Data Protection, Acceptable Use, Access Control, Incident Response). Define mandatory requirements within their scope.
  3. Standards — Specify mandatory technical and operational requirements that implement policy directives (e.g., encryption standards, configuration baselines).
  4. Procedures — Provide step-by-step instructions for executing specific security tasks (e.g., incident triage procedure, access provisioning procedure).
  5. Guidelines — Offer recommended practices and advisory information to support policy compliance.

Each level of documentation must be consistent with and traceable to this governing policy.

Policy Review Cadence

All security policies are reviewed at a minimum of once per calendar year. The annual review assesses continued relevance, alignment with current risks and business objectives, regulatory changes, and lessons learned from incidents and audits.

Policy Exception Process

Exceptions to any security policy must be formally requested, documented, and approved. Exception requests must include a business justification, a risk assessment of the exception, proposed compensating controls, and a defined expiration date. Exceptions are approved by the InfoSec team lead and, where the associated risk is elevated, by executive leadership. All active exceptions are tracked and reviewed quarterly.

7. Compliance Obligations

Legal and Regulatory Requirements

InContext Solutions identifies, documents, and monitors compliance with all applicable legal, regulatory, and contractual requirements, including:

  • General Data Protection Regulation (GDPR) — for processing of personal data relating to EU/EEA individuals.
  • California Consumer Privacy Act (CCPA) / CPRA — for processing of personal information of California residents.
  • SOC 2 Type II — adherence to trust services criteria for security, availability, processing integrity, confidentiality, and privacy.
  • Contractual obligations — client-specific security requirements, data processing agreements, and service level commitments.
  • Industry standards — alignment with ISO/IEC 27001, NIST Cybersecurity Framework, and other recognized frameworks as applicable.

Compliance Monitoring

The InfoSec team maintains a compliance obligations register and conducts periodic assessments to verify adherence. Compliance gaps are documented, assigned remediation owners, and tracked to resolution.

Internal Audit Program

InContext Solutions operates an internal audit program that evaluates the effectiveness of information security controls, the adequacy of the ISMS, and conformance with this policy and subordinate policies. Audit findings are reported to executive leadership, and corrective actions are tracked through the risk register. Refer to the Security Incident Response Policy for audit-related incident escalation.

8. Security Organization

Roles and Responsibilities

Each role and its responsibilities:

  • Executive Leadership: Approve policy, allocate resources, set risk appetite, oversee security posture.
  • InfoSec Team Lead: Direct ISMS operations, report to executives, approve exceptions, lead incident response.
  • InfoSec Team Members: Conduct risk assessments, manage controls, monitor threats, deliver training.
  • Department Heads / Asset Owners: Classify assets, enforce policy within departments, accept residual risk.
  • IT Operations: Implement technical controls, maintain infrastructure security, support incident response.
  • Human Resources: Enforce personnel security, manage onboarding/offboarding security requirements.
  • All Personnel: Comply with policies, complete training, report incidents.

Incident Escalation Path

Security incidents are escalated according to the severity framework defined in the Security Incident Response Policy. Critical and high-severity incidents are escalated immediately to the InfoSec team lead and executive leadership. All incidents are documented, investigated, and resolved in accordance with established incident response procedures.

Cross-Functional Security Coordination

The InfoSec team coordinates with IT Operations, Engineering, Human Resources, Legal, and business unit leadership to ensure that security considerations are integrated into technology decisions, organizational changes, vendor relationships, and product development. Regular cross-functional meetings are held to review emerging risks, planned changes, and security program status.

9. Communication and Awareness

Policy Communication

This policy and all subordinate security policies are communicated to all personnel upon hire and whenever material updates are made. Policies are accessible through the company's internal documentation systems. All personnel are required to acknowledge their understanding of and commitment to comply with applicable security policies.

Security Awareness Program

InContext Solutions operates a security awareness program that includes:

  • Onboarding training — all new personnel complete information security fundamentals training within their first two weeks of employment.
  • Annual refresher training — all personnel complete annual security awareness training covering current threats, policy updates, and role-specific security responsibilities.
  • Targeted training — role-specific training for personnel in high-risk functions, including software development, system administration, and data handling.
  • Simulated exercises — periodic phishing simulations and tabletop exercises to reinforce awareness and test response readiness.

Reporting Obligations

All personnel are required to report suspected security incidents, policy violations, vulnerabilities, and security concerns to the InfoSec team promptly. Reporting channels are communicated during onboarding and reinforced through the awareness program. InContext Solutions prohibits retaliation against individuals who report security concerns in good faith. Refer to the Acceptable Use Policy for detailed reporting guidance.

10. Continuous Improvement

Plan-Do-Check-Act Cycle

The ISMS operates on a Plan-Do-Check-Act (PDCA) cycle to ensure continuous improvement:

  • Plan — establish security objectives, identify risks, and define controls and improvement initiatives.
  • Do — implement controls, execute security operations, and deliver training and awareness programs.
  • Check — monitor and measure control effectiveness through audits, metrics, testing, and incident analysis.
  • Act — address identified deficiencies, implement corrective actions, and refine the ISMS based on findings.

Metrics and Key Performance Indicators

The InfoSec team tracks security metrics and KPIs including, but not limited to:

  • Number and severity of security incidents
  • Mean time to detect and respond to incidents
  • Percentage of personnel completing security awareness training
  • Results of vulnerability assessments and penetration tests
  • Policy exception volume and aging
  • Audit finding closure rates
  • Risk register trends

Management Review

Executive leadership conducts a formal management review of the information security program at least annually. The review considers security performance metrics, audit results, incident trends, risk register changes, stakeholder feedback, and strategic alignment. Outputs of the management review include decisions on resource allocation, risk acceptance, and program improvement priorities.

Lessons Learned Integration

Findings from security incidents, audits, exercises, and management reviews are systematically captured and incorporated into the ISMS. Lessons learned drive updates to risk assessments, controls, training content, and operational procedures.

11. Policy Review and Maintenance

Annual Review Cycle

This policy is reviewed and, where necessary, updated at least once per calendar year. The annual review is coordinated by the InfoSec team and approved by executive leadership.

Triggered Reviews

In addition to the scheduled annual review, this policy is reviewed and updated in response to:

  • Security incidents — significant incidents that reveal gaps in policy coverage or effectiveness.
  • Organizational changes — mergers, acquisitions, restructuring, or significant changes to business operations.
  • Regulatory updates — new or amended legal, regulatory, or contractual requirements affecting information security.
  • Technology changes — adoption of new technologies, platforms, or architectures that materially alter the risk landscape.
  • Audit findings — internal or external audit results that identify policy deficiencies.

Version Control

All versions of this policy are maintained under version control. The current effective version is published and accessible to all personnel. Superseded versions are archived for reference and compliance evidence purposes.

Approval Authority

This policy is approved by executive leadership. Material amendments require executive approval prior to publication. Administrative corrections and clarifications may be approved by the InfoSec team lead.

Related Policies

This policy is supported by the following subordinate policies and should be read in conjunction with them:

Revision History

Date of Change    Responsible         Summary of Change
April 2025        ICS InfoSec Team    Initial publication
March 2026        ICS InfoSec Team    Published to Trust Center