Welcome! Please read our Security Policy below.
The purpose of this Information Security Policy (“Policy”) is to establish a comprehensive framework for safeguarding the confidentiality, integrity, and availability of TradeTBROS.ai’s (“Company”) information assets. This Policy:
Defines roles, responsibilities, and procedures to protect digital and physical information assets from unauthorized access, alteration, disclosure, or destruction.
Supports compliance with relevant regulations and industry standards, including but not limited to:
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule;
Securities and Exchange Commission (SEC) Regulation S-P;
Federal Trade Commission (FTC) regulations;
Applicable state data protection laws;
Recognized frameworks such as NIST and ISO 27001.
This Policy applies to all employees, contractors, consultants, temporary staff, third-party service providers, and any other authorized users (“Users”) who have access to the Company’s information assets.
2. Governance and Responsibilities
Chief Information Security Officer (CISO) / Security Lead
Responsible for overseeing the development, implementation, and maintenance of the Company’s security program.
Ensures that adequate resources (financial, technical, staffing) are allocated to implement and maintain the security program.
Enforces disciplinary measures for non-compliance with this Policy.
Employees and Contractors
Must adhere to all security policies, procedures, and guidelines.
Report any suspected or actual security incidents immediately to their supervisor or the CISO/Security Lead.
Third-Party Service Providers
Required to follow equivalent or more stringent security measures as part of contractual agreements, non-disclosure agreements, or service-level agreements (SLAs).
3. Information Classification
All data and information assets at the Company should be classified based on sensitivity, regulatory requirements, and potential impact if compromised. At a minimum, use the following categories:
Confidential: Includes personally identifiable information (PII), nonpublic personal information (NPI) governed by GLBA, client financial data, investment strategies, trade secrets, and any information that could cause harm if disclosed.
Internal Use: Internal business documentation, policies, processes, and operational procedures that are not public but are not as sensitive as Confidential data.
Public: Information that can be freely shared without risk (e.g., marketing materials, publicly available content).
Appropriate handling, labeling, and access control measures must be enforced based on the classification level.
4. Access Control
User Access Management
Access to information systems must be provisioned based on the principle of least privilege, ensuring that users only receive the minimum level of access required to fulfill their roles.
All user accounts are subject to unique login credentials (no shared IDs), strong password policies, and regular access reviews.
Authentication and Password Policy
Passwords must be complex (e.g., at least 8–12 characters, including upper and lower case letters, numbers, and symbols) and changed regularly (e.g., every 90 days).
Multifactor authentication (MFA) is required for remote access, privileged accounts, and critical systems where feasible.
Role-Based Access Control (RBAC)
Departments or roles handling Confidential data (e.g., investment portfolios, transaction details) are segregated in a separate security group with clearly defined permission sets.
Terminations and Role Changes
Upon termination or role change, user accounts and permissions must be revoked, adjusted, or disabled immediately to prevent unauthorized access.
5. Physical Security
Facility Access
All office entrances and secure areas (e.g., server rooms, file storage areas) must be protected by appropriate physical controls, such as key card systems, biometric scanners, or locked cabinets.
Visitors must be escorted at all times in restricted areas and sign in/out at reception.
Media and Equipment
Confidential documents must be stored in locked cabinets or secure file rooms.
Hard drives, USB drives, or other removable media containing sensitive data must be encrypted and securely stored when not in use.
When disposing of physical media or devices, use secure destruction methods (e.g., shredding, degaussing, certified disposal services).
6. Data Handling and Protection
Encryption
Confidential data in transit over public networks (e.g., email, VPN access) must be encrypted (e.g., TLS/SSL).
Data at rest containing highly sensitive or regulated information (e.g., PII, NPI) should be encrypted where feasible.
Storage
Cloud storage services must meet industry-recognized security standards and comply with applicable regulations (e.g., SOC 2, ISO 27001 certification).
Access to cloud storage solutions must be strictly controlled using strong authentication and authorization policies.
Data Retention and Destruction
Retain data only for as long as necessary to meet business and regulatory requirements (e.g., SEC record retention rules).
Securely dispose of or anonymize data when no longer required.
Data Loss Prevention (DLP)
Implement DLP tools and processes to monitor and protect data from unauthorized transfer or leakage, especially for email and file transfers.
7. Network Security
Network Segmentation
Separate sensitive networks (e.g., servers hosting Confidential data) from public-facing services using firewalls, virtual LANs (VLANs), or other segmentation techniques.
Firewalls and Intrusion Detection
Deploy up-to-date firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and block malicious traffic.
Regularly review firewall rules and access control lists (ACLs).
Patch Management
Keep operating systems, applications, and network devices up to date with the latest security patches and fixes.
Subscribe to vendor security alerts and apply critical patches promptly following a risk-based approach.
Vulnerability Scanning and Penetration Testing
Conduct periodic internal and external vulnerability scans.
Perform penetration tests at least annually and after significant changes to critical systems or network architecture.
8. Security Awareness and Training
Mandatory Training
All employees, contractors, and relevant third parties must complete security awareness training upon hire and at least annually.
Training topics include phishing, social engineering, password hygiene, secure data handling, and incident reporting.
Ongoing Education
Provide updates on emerging threats and best practices via regular bulletins, workshops, or internal newsletters.
Reinforce compliance obligations under GLBA, SEC regulations, and this Policy.
9. Incident Response and Reporting
Incident Response Plan
Maintain a written Incident Response Plan (IRP) detailing procedures for detecting, responding to, and recovering from security incidents (e.g., data breaches, ransomware attacks).
Define roles (e.g., Incident Response Team lead, IT representative, legal counsel), communication protocols, and notification timelines.
Reporting
Require all Users to immediately report suspected or confirmed security incidents to the designated Incident Response Team or Security Lead.
Comply with any mandatory breach notification laws (e.g., state data breach statutes, SEC guidance, FTC regulations) and notify affected individuals, clients, or regulators as required by law.
Investigation and Remediation
Document all incident investigations, remediation efforts, and lessons learned.
Update security controls and incident response procedures to prevent similar incidents.
10. Third-Party and Vendor Management
Due Diligence
Perform security and privacy due diligence on all third-party vendors and service providers who have access to the Company’s data or systems.
Ensure vendors meet or exceed the Company’s security standards.
Contracts
Include robust data security and confidentiality clauses in contracts, requiring service providers to protect Company data consistent with GLBA, SEC rules, and this Policy.
Obtain indemnities or warranties for data breaches caused by vendors, where appropriate.
Monitoring and Audits
Require regular security assessments or audits from critical vendors.
Terminate relationships with vendors who fail to maintain acceptable security controls.
11. Monitoring, Auditing, and Compliance
Monitoring
Monitor system logs, network traffic, and user activity for suspicious behavior or unauthorized access attempts.
Use intrusion detection/prevention systems, SIEM (Security Information and Event Management) tools, or other automated solutions.
Auditing
Conduct periodic internal and external audits (e.g., SOC 2, ISO 27001) to evaluate the effectiveness of security controls and compliance with this Policy.
Maintain audit logs and records as required by SEC and other regulatory bodies.
Regulatory Compliance
Maintain written policies and procedures to comply with the GLBA Safeguards Rule, SEC Regulation S-P, and relevant state data protection laws.
Ensure that information security measures align with the Company’s Privacy Policy and any additional state/federal regulations (e.g., California Consumer Privacy Act, New York Department of Financial Services cybersecurity requirements).
12. Enforcement
Policy Violations
Violations of this Policy may result in disciplinary action, up to and including termination of employment or contract.
The Company may seek legal remedies for any breach that causes harm to its operations, clients, or stakeholders.
Reporting Concerns
Users who become aware of potential or actual policy violations must report them to the Security Lead, HR department, or a designated compliance officer without fear of retaliation.
13. Policy Maintenance and Review
Review Cycle
This Policy shall be reviewed at least annually or when significant changes to the Company’s operations, technology, or regulatory environment occur.
Updates or revisions must be approved by senior management or an appointed governance committee.
Publication
Make the current version of this Policy available to all employees, contractors, and relevant third parties.
Provide new hires with a copy of the Policy upon onboarding.
14. Acknowledgment
All employees, contractors, consultants, and third-party service providers are required to acknowledge that they have received, read, understood, and agree to comply with this Information Security Policy. A record of these acknowledgments shall be maintained by the Company’s HR or Compliance department.
15. Contact Information
For questions or concerns about this Policy, please contact: