Security Policy

CyberKarl Ltd is committed to protecting the confidentiality, integrity, and availability of information entrusted to us by clients, partners, and internal stakeholders. This Information Security Policy outlines the controls, behaviours, and expectations required to maintain a secure and resilient working environment.

This policy applies to all CyberKarl staff, directors, associates, and contractors who access or process CyberKarl information or client information.

Our approach is guided by our core values of discipline, integrity, and trust.


1. Purpose

The objectives of this policy are to:

  • Protect sensitive information from unauthorised access, misuse, or disclosure
  • Ensure secure and responsible use of systems and devices
  • Support compliance with legal, regulatory, and contractual obligations (including UK GDPR)
  • Reduce the risk of security incidents and maintain client confidence
  • Provide clear security expectations for all personnel

2. Scope

This policy covers:

  • All information processed by CyberKarl
  • All systems, networks, and devices used for business purposes
  • All staff, directors, and approved associates
  • Cloud services, communication tools, email, and file storage systems

3. Roles & Responsibilities

CyberKarl Management

  • Establish and maintain security controls
  • Ensure policies remain up to date
  • Approve access to systems and sensitive information

Operations Director

  • Oversees security governance and compliance
  • Maintains the Access Log and Asset Register
  • Ensures incident reporting processes are followed

All Personnel

  • Follow security policies and guidance
  • Report security incidents without delay
  • Protect devices, passwords, and client information at all times

4. Access Control

CyberKarl enforces controlled and secure access to systems:

  • Access granted on a strict need-to-know basis
  • Multi-Factor Authentication (MFA) must be used where available
  • Passwords must be strong, unique, and never shared
  • Temporary access for associates must be time-bound and logged
  • Access must be revoked promptly at off-boarding

5. Device & System Security

All devices used for CyberKarl work must:

  • Be encrypted and protected with strong authentication
  • Have up-to-date security patches and antivirus tools
  • Lock automatically when unattended
  • Store business information only in approved locations (no local-only storage)

Personal devices may only be used if authorised and properly secured.


6. Secure Communications & File Handling

  • Use encrypted email or secure file-sharing platforms to transfer client information
  • Do not send sensitive documents via unencrypted channels
  • Confirm recipient addresses before sending emails
  • Avoid storing client data in unauthorised or personal accounts

7. Data Classification & Handling

CyberKarl information is classified as:

  • Confidential – client information, internal documents, financial data
  • Internal – working files, drafts, internal notes
  • Public – marketing materials, published content

Handling requirements:

  • Confidential data must be encrypted in transit and at rest
  • Only approved staff may access client information
  • Printed materials must be securely stored or shredded

8. Use of AI Systems

AI tools may only be used in line with the AI Acceptable Use & Governance Policy.

In particular:

  • No client data may be entered into AI tools without explicit approval
  • Outputs from AI must be reviewed for accuracy
  • Only approved AI tools may be used

9. Third-Party Systems & Suppliers

  • Only vetted suppliers may be used for hosting, file sharing, email, or data processing
  • Supplier security posture must be reviewed periodically
  • Contracts must include appropriate confidentiality and data protection clauses

10. Physical Security

Although CyberKarl operates digitally, personnel must:

  • Protect laptops and devices in public spaces
  • Avoid discussing sensitive matters in open or insecure environments
  • Report device loss or theft immediately

11. Incident Reporting & Response

All personnel must immediately report:

  • Suspected or actual data breaches
  • Unauthorised access attempts
  • Lost or stolen devices
  • Phishing attempts or suspicious communications

Incidents must be handled following the Data Breach & Incident Response Procedure.


12. Business Continuity

CyberKarl maintains:

  • Secure cloud-based backup of core documents
  • Redundant access to critical systems
  • Defined recovery processes in case of disruption

13. Training & Awareness

All staff and associates must:

  • Complete onboarding security awareness
  • Follow ongoing guidance issued by CyberKarl management
  • Understand obligations under this and related policies

14. Policy Compliance

Failure to comply with this policy may result in:

  • Disciplinary action (for internal personnel)
  • Termination of contract (for associates)
  • Reporting to authorities in cases of legal breach

15. Review & Change Control

This policy will be reviewed:

  • Annually
  • When significant changes occur in technology, risk, or business operations

Updates must be approved by the Operations Director.


Version: 1.0

Owner: Operations Director

Last Updated: January 2026
