Hubcar
Formal program document

Hubcar Information Security Plan

This Information Security Plan establishes how Hubcar protects the confidentiality, integrity, and availability of information assets and how access rights are continuously verified, reviewed, and adjusted.

Effective date: April 25, 2026
Review cycle: At least annually and after material changes
Version: 1.0
Document owner: Security and Operations leadership
Approved by: Management with operational and governance responsibility
Access review cadence: Quarterly and upon significant role or system changes

Confidentiality

Hubcar limits information access to authorized individuals, applies least-privilege principles, and protects sensitive data against unauthorized disclosure.

Integrity

Hubcar uses change control, validation, monitoring, and auditability to preserve the accuracy and reliability of information and system configurations.

Access governance

Access rights are provisioned based on business need, reviewed regularly, and promptly adjusted or revoked when roles, employment status, risks, devices, or systems change.

Zero trust

No user, device, or connection is trusted by default. Access decisions rely on continuous verification, strong authentication, monitoring, and segmentation controls.

1. Objectives

This Information Security Plan (ISP) defines the foundation of Hubcar's information security program.

Its purpose is to establish clear security objectives, promote consistent control execution, and document how Hubcar protects information assets across people, processes, systems, and third-party services.

  • Protect the confidentiality, integrity, and availability of information assets
  • Reduce the likelihood and impact of unauthorized access, misuse, loss, or disclosure
  • Adopt zero trust principles so that access is continuously verified instead of implicitly trusted
  • Define accountability for security decisions and control operation
  • Support compliance with internal policies, contractual requirements, and applicable laws

2. Scope

This plan applies to Hubcar personnel, contractors, service providers, systems, applications, cloud services, endpoints, data repositories, and operational workflows that create, process, store, transmit, or manage company and customer information.

  • Production, staging, and supporting technical environments
  • Administrative, operational, financial, and customer-facing systems
  • Privileged, standard, emergency, and third-party access pathways
  • Electronic information in transit, at rest, and during processing

3. Roles and responsibilities

Security responsibilities are assigned to management and operational stakeholders to ensure decisions are owned, controls are executed, and exceptions are escalated appropriately.

  • Management approves this plan, supports enforcement, and provides oversight for security priorities and remediation
  • Document owners coordinate updates, maintain supporting procedures, and track review evidence
  • System and data owners approve access according to business need and risk
  • Managers validate that team members retain only the access required for their current responsibilities
  • Workforce members and contractors must follow security requirements and report suspected incidents or control gaps

4. Security control commitments

Hubcar maintains a baseline of technical and organizational safeguards aligned with business risk and system criticality.

  • Access is granted according to least privilege and need-to-know principles
  • Authentication, authorization, and privileged access are managed through defined control processes
  • Identity and access management capabilities are centralized where practical to provide unified authentication, consistent authorization, and better visibility over access events
  • A defined and documented access control policy governs least privilege, role-based access, and the procedures for granting, modifying, and revoking access
  • Role-based access control is implemented where practical so access rights can be assigned consistently according to organizational responsibilities
  • Zero trust principles are applied so that users, devices, and sessions are evaluated continuously before and during access
  • Robust multi-factor authentication is required for appropriate access scenarios, especially for privileged or sensitive environments, using strong methods such as TOTP, push verification, or biometrics where supported
  • Access is revoked or modified immediately when workforce members leave the organization or change roles, using automated workflows where supported
  • Vulnerability scanning and timely remediation are required to reduce exposure to known weaknesses and emerging threats
  • Software, platforms, and dependencies are monitored for end-of-life status so unsupported components can be upgraded, isolated, or replaced in a timely manner
  • Sensitive data is protected with encryption, secure transmission, and restricted handling where applicable
  • System changes follow review and approval practices intended to preserve service integrity
  • Continuous monitoring and security telemetry are used to detect anomalous activity and support timely response
  • Microsegmentation and logical separation are used where appropriate to limit lateral movement and contain risk
  • Logging, monitoring, backup, and incident response activities support detection, recovery, and accountability
  • Third-party services are evaluated and managed according to security expectations relevant to their role
  • HR and identity-related signals are integrated where practical to reduce delay, manual error, and inconsistent access handling

5. Zero trust access architecture

Hubcar adopts a zero trust approach to access management. Under this model, no user, device, application, or network path is trusted by default, even when the request originates from an internal environment.

Access decisions are based on continuous verification of identity, device context, authorization, and risk signals before access is granted and while access remains active.

  • Strong authentication, including robust multi-factor authentication, is used to increase confidence in user identity
  • Device and session context are evaluated where practical to support risk-based access decisions
  • Continuous monitoring is used to identify abnormal behavior, privilege misuse, or control bypass attempts
  • Microsegmentation and logical isolation are used to reduce unnecessary connectivity between systems and sensitive resources
  • Access is limited to the minimum set of resources required for the approved business purpose

6. Robust multi-factor authentication

Hubcar develops and maintains a robust multi-factor authentication (MFA) approach to strengthen account protection and reduce the risk of unauthorized access to systems and user data.

MFA controls are selected and implemented according to risk, user experience, and platform capability, with preference for stronger verification methods that provide better resistance to credential theft and account takeover.

  • Time-based one-time passwords (TOTP), push-based verification, and biometric verification are supported or preferred MFA methods where appropriate and technically feasible
  • MFA is prioritized for privileged access, administrative functions, sensitive systems, remote access flows, and other elevated-risk scenarios
  • Authentication methods are evaluated for strength, usability, operational resilience, and resistance to phishing, push-fatigue, and replay-style attacks; because TOTP codes and push approvals can be relayed by a real-time phishing proxy, phishing-resistant authenticators are preferred for privileged access where the platform supports them
  • Fallback, recovery, and enrollment processes are designed to preserve security while maintaining controlled access continuity
  • MFA coverage is reviewed over time so the organization can strengthen protection as systems, user populations, and threat conditions evolve

7. Centralized identity and access management

Hubcar maintains or adopts centralized identity and access management capabilities to manage user identities, authentication flows, authorization decisions, and access monitoring through a unified control plane where practical.

Centralized management improves visibility over who has access to what, supports more consistent enforcement of policy, simplifies compliance activities, and reduces administrative overhead across teams and systems.

  • A unified authentication approach is preferred to reduce fragmented identity stores and inconsistent login controls
  • Access rights are managed through centralized processes or platforms so approvals, provisioning, modification, and revocation remain traceable and consistent
  • Access activity and identity events are monitored through centralized logging or observability workflows to improve oversight and investigation capability
  • Centralized IAM data supports governance, certification, audit preparation, and evidence retention
  • Administrative effort is reduced by standardizing identity lifecycle processes, role mapping, and policy enforcement across the environment

8. Documented access control policy

Hubcar maintains a defined and documented access control policy to support consistent, secure, and auditable management of access to organizational resources.

This policy establishes the principles, approval requirements, and operational procedures used to grant, review, modify, and revoke access in alignment with business need, security requirements, and applicable standards.

  • Least privilege is applied so users receive only the minimum access required for approved responsibilities
  • Role-based access control is used where practical to align permissions with job functions and reduce inconsistent entitlement assignment
  • Requests to grant or expand access require documented approval based on business justification and appropriate ownership
  • Access changes resulting from transfers, promotions, temporary assignments, or risk changes follow defined modification procedures
  • Access revocation follows defined procedures for termination, contract end, role change, or removal of business need
  • The access control policy is reviewed and updated regularly so it remains aligned with security requirements, operating changes, and industry expectations

9. Role-based access control implementation

Hubcar develops and implements role-based access control (RBAC) to manage permissions according to job responsibilities and approved organizational roles.

RBAC helps ensure that users receive access only to the information and systems necessary to perform their duties, improving consistency in entitlement management and reducing the risk of unauthorized access.

  • Roles are defined based on business functions, operational responsibilities, and system access needs
  • Permissions are assigned to roles before being assigned to individual users whenever practical, reducing one-off entitlement sprawl
  • Role definitions, role owners, and approved permission sets are maintained and reviewed to keep access aligned with current business operations
  • User access is granted by role assignment, adjusted when responsibilities change, and removed when the role no longer applies
  • RBAC supports scalability, improves oversight, and reduces administrative effort by standardizing how access is provisioned and maintained

10. Management approval and governance

This plan is approved by individuals with management responsibility for Hubcar's operations, technology, and governance. Approval confirms that the organization recognizes the plan as the authoritative baseline for information security direction and accountability.

Material changes to this plan, including changes to risk posture, systems, legal obligations, or organizational responsibilities, are reviewed and re-approved through the same governance process.

11. Periodic access reviews and access audits

Hubcar maintains a formal process to review and audit access rights on a regular basis in order to identify excessive, outdated, orphaned, or otherwise inappropriate permissions.

  • Access reviews are performed at least quarterly and additionally after significant organizational, role, or system changes
  • The review scope includes privileged accounts, administrative access, third-party access, inactive users, and sensitive systems
  • Managers and system owners validate that each granted access right remains appropriate for the user's current responsibilities
  • Identified excess or outdated permissions are removed or remediated within defined operational timelines
  • Completed reviews are documented and retained as evidence for governance, audit, and follow-up purposes

12. Automated deprovisioning and role-change access management

Hubcar maintains defined processes to automate the deactivation and modification of access rights when workforce members leave the organization or move into new roles.

The objective of this process is to ensure that access remains aligned with current job responsibilities and that former or transferred personnel do not retain unnecessary permissions.

  • Termination events trigger immediate revocation of logical access to company systems, applications, and privileged accounts
  • Transfer, promotion, or role-change events trigger timely access modification so legacy permissions are removed and new access is granted according to approved business need
  • Automated workflows are preferred for joiner-mover-leaver events to reduce reliance on manual tickets or delayed follow-up
  • Where practical, HR systems or equivalent source-of-truth personnel records are integrated with identity and access management processes to initiate access changes
  • Exceptions, failures, or delayed deprovisioning events are escalated, tracked, and remediated promptly
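The access-review checks in section 11 and the joiner-mover-leaver handling above both reduce to one reconciliation: compare the identity provider's account list against the HR source of truth and flag what no longer matches. The following is an added example of that reconciliation, not Hubcar's own tooling. The record shapes, the role-to-entitlement mapping, the 90-day inactivity threshold, and the sample HR and account data are all constructed assumptions for illustration.

```python
"""Reconcile identity-provider accounts against HR records (added example).

Flags the four things a quarterly access review looks for:
  leaver   - HR says terminated, but the account is still enabled
  mover    - account holds entitlements outside its current HR role
  orphan   - enabled account with no matching HR record
  inactive - no login within INACTIVITY_DAYS (assumed threshold)
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

INACTIVITY_DAYS = 90  # assumed dormant-account threshold

# Assumed RBAC model: role -> permitted entitlements (see section 9).
ROLE_ENTITLEMENTS = {
    "support_agent": {"crm:read", "tickets:write"},
    "sre": {"prod:ssh", "cloud:admin", "tickets:write"},
    "finance_analyst": {"erp:read", "erp:post"},
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set for terminated records


@dataclass(frozen=True)
class IdpAccount:
    username: str
    employee_id: Optional[str]       # None when the account has no HR link
    enabled: bool
    entitlements: FrozenSet[str]
    last_login: Optional[date]       # None when the account never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str                        # "leaver", "mover", "orphan", "inactive"
    detail: str


def reconcile(hr: List[HrRecord], accounts: List[IdpAccount], today: date) -> List[Finding]:
    """Return one Finding per discrepancy; disabled accounts are skipped."""
    hr_by_id = {r.employee_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing to review
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            findings.append(Finding(acct.username, "orphan", "no matching HR record"))
            continue
        if rec.status == "terminated":
            findings.append(Finding(acct.username, "leaver",
                                    f"terminated {rec.end_date}, account still enabled"))
            continue  # revocation supersedes the finer-grained checks
        extra = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, set())
        if extra:
            findings.append(Finding(acct.username, "mover",
                                    f"entitlements outside role {rec.role}: {sorted(extra)}"))
        if acct.last_login is None or (today - acct.last_login).days > INACTIVITY_DAYS:
            findings.append(Finding(acct.username, "inactive",
                                    f"last login {acct.last_login}"))
    return findings


# Constructed sample data; every name and ID below is fictitious.
TODAY = date(2026, 4, 25)
SAMPLE_HR = [
    HrRecord("E100", "support_agent", "active"),
    HrRecord("E200", "sre", "active"),
    HrRecord("E300", "finance_analyst", "terminated", date(2026, 4, 1)),
    HrRecord("E400", "support_agent", "active"),  # moved here from the SRE team
]
SAMPLE_ACCOUNTS = [
    IdpAccount("alice", "E100", True, frozenset({"crm:read", "tickets:write"}), date(2026, 4, 24)),
    IdpAccount("bob", "E200", True, frozenset({"prod:ssh", "cloud:admin", "tickets:write"}), date(2026, 4, 20)),
    IdpAccount("carol", "E300", True, frozenset({"erp:read", "erp:post"}), date(2026, 3, 30)),
    IdpAccount("dave", "E400", True, frozenset({"crm:read", "tickets:write", "prod:ssh"}), date(2026, 1, 2)),
    IdpAccount("svc-backup", None, True, frozenset({"prod:ssh"}), None),
    IdpAccount("erin", "E999", False, frozenset(), None),  # disabled: skipped
]


def sample_findings() -> List[Finding]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:9} {f.username:12} {f.detail}")
```

Each finding maps onto a section 12 trigger: a `leaver` should have been caught by the termination workflow, a `mover` by the role-change workflow, and `orphan` and `inactive` are the cases a periodic review exists to catch because no HR event fires for them. In a real environment service accounts would be matched against an owner registry rather than flagged as orphans outright; that registry is omitted here as an assumption.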

13. End-of-life software monitoring and lifecycle management

Hubcar maintains processes to identify, monitor, and manage software, platforms, libraries, services, and operating components that are approaching or have reached end-of-life status.

The objective of this process is to reduce exposure to unsupported technology that no longer receives security patches, vendor maintenance, or reliability improvements.

  • Inventories of relevant software and technology components are reviewed to identify current and upcoming EOL items
  • Unsupported or soon-to-be unsupported components are risk assessed and prioritized for upgrade, replacement, isolation, or retirement
  • Security, engineering, and operational stakeholders coordinate remediation plans and target timelines based on business criticality and exposure
  • Exceptions requiring temporary continued use of EOL components are documented, risk accepted through governance, and monitored with compensating controls where necessary
  • Lifecycle planning is incorporated into maintenance activities to encourage timely updates and reduce dependency on unsupported software

14. Vulnerability management and remediation SLA

Hubcar maintains a vulnerability management process that includes recurring vulnerability scanning, triage, prioritization, remediation, and verification of fixes.

A defined service level agreement (SLA) is used to ensure identified vulnerabilities are addressed within timeframes that reduce exposure and support a resilient security posture.

  • Regular vulnerability scans are performed against relevant systems, applications, dependencies, and environments according to risk and operational scope
  • Findings are assessed, prioritized, and tracked through remediation workflows until closure or formally approved risk acceptance
  • Severity-based remediation targets are defined and followed, such as critical vulnerabilities within 7 days, high within 30 days, medium within 90 days, and low within 180 days unless a stricter requirement applies
  • Exceptions, blocked remediations, or accepted residual risks are documented, approved through governance, and revisited on a defined cadence
  • Validation or rescanning is performed after remediation to confirm the vulnerability has been addressed effectively
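The severity-based targets above only mean something if every finding is measured against them, including the exceptions: a closed finding can still have breached its SLA, an accepted risk expires, and a stricter contractual target can override the default. The following is an added example of that SLA evaluation, not Hubcar's own process or tooling. The finding record shape, the `stricter_days` override field, and the sample findings are constructed assumptions; the day counts are the ones stated in this section.

```python
"""Evaluate vulnerability findings against severity-based SLAs (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation targets from the plan, in calendar days from discovery.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    remediated: Optional[date] = None           # date a rescan confirmed the fix
    risk_accepted_until: Optional[date] = None  # governance-approved exception expiry
    stricter_days: Optional[int] = None         # assumed: contractual or policy override


@dataclass(frozen=True)
class SlaStatus:
    finding_id: str
    due: date
    state: str      # open, overdue, closed, closed_late, accepted, accepted_expired
    days_over: int  # days past the due date (or past the exception expiry)


def evaluate(f: Finding, today: date) -> SlaStatus:
    """Compute the due date and SLA state of one finding as of `today`."""
    if f.severity not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} on {f.finding_id}")
    target = SLA_DAYS[f.severity]
    if f.stricter_days is not None:
        target = min(target, f.stricter_days)  # "unless a stricter requirement applies"
    due = f.discovered + timedelta(days=target)

    if f.remediated is not None:
        # A fix is only credited once verified; late closures stay visible as breaches.
        over = max(0, (f.remediated - due).days)
        return SlaStatus(f.finding_id, due, "closed" if over == 0 else "closed_late", over)
    if f.risk_accepted_until is not None:
        if today <= f.risk_accepted_until:
            return SlaStatus(f.finding_id, due, "accepted", 0)
        # The exception lapsed without re-approval: treat it as overdue again.
        return SlaStatus(f.finding_id, due, "accepted_expired",
                         (today - f.risk_accepted_until).days)
    if today > due:
        return SlaStatus(f.finding_id, due, "overdue", (today - due).days)
    return SlaStatus(f.finding_id, due, "open", 0)


def report(findings: List[Finding], today: date) -> Dict[str, SlaStatus]:
    return {f.finding_id: evaluate(f, today) for f in findings}


def summarize(statuses: Dict[str, SlaStatus]) -> Dict[str, int]:
    """Count findings per SLA state, e.g. for a governance dashboard."""
    return dict(Counter(s.state for s in statuses.values()))


# Constructed sample findings; IDs and asset names are fictitious.
TODAY = date(2026, 4, 25)
SAMPLE_FINDINGS = [
    Finding("F-1", "api-gw", "critical", date(2026, 4, 15)),
    Finding("F-2", "billing", "high", date(2026, 4, 10)),
    Finding("F-3", "ci-runner", "medium", date(2026, 1, 1), remediated=date(2026, 3, 15)),
    Finding("F-4", "legacy-erp", "low", date(2025, 9, 1), risk_accepted_until=date(2026, 6, 30)),
    Finding("F-5", "edge-lb", "high", date(2026, 2, 1), remediated=date(2026, 3, 1), stricter_days=14),
    Finding("F-6", "bastion", "critical", date(2026, 3, 1), risk_accepted_until=date(2026, 4, 1)),
]


def sample_report() -> Dict[str, SlaStatus]:
    return report(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    for fid, s in sample_report().items():
        print(f"{fid} due {s.due} {s.state:16} {s.days_over:>3}d over")
    print(summarize(sample_report()))
```

The two cases worth noting are F-5 and F-6: F-5 was fixed but 14 days after its contractual 14-day target, so it counts as `closed_late` rather than disappearing from the breach metrics, and F-6's accepted risk lapsed on April 1, which is exactly the "revisited on a defined cadence" requirement turned into a state the dashboard cannot hide.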

15. Maintenance and updates

This plan is maintained as a living document. It is reviewed at least annually and whenever significant business, technical, legal, or threat-related changes occur.

Updates may be triggered by audit results, incidents, control testing, platform changes, vendor changes, or lessons learned from operations. The latest approved version supersedes prior versions.

Security contact

Questions about this plan, access governance, or security controls can be directed to the Hubcar security and operations team.

support@hubcar.com