
Security Policy

Effective Date: May 1, 2026

Last Updated: May 1, 2026

Purpose: Define security requirements and controls to protect the confidentiality, integrity, and availability of Silver Awakening systems, data, and services provided via www.silverawakening.com.

Scope: Applies to all employees, contractors, vendors, consultants, and any users or systems that access, process, store, or transmit Silver Awakening data or use Silver Awakening systems and services.

1. Roles & Responsibilities
  • Executive Sponsor: approves security strategy and resources.

  • Security Owner: maintains this policy, oversees program, incident response, audits.

  • System Owners: implement and maintain security controls for their systems.

  • IT/DevOps: manage infrastructure, patching, backups, monitoring.

  • Developers: follow secure development lifecycle and code review requirements.

  • All Personnel: follow security policies, report incidents, protect credentials.

2. Asset Management
  • Inventory: maintain an up-to-date inventory of hardware, software, data stores, and cloud services.

  • Classification: data classified as Public, Internal, Confidential, or Restricted. Handling and retention follow classification rules.

3. Access Control
  • Principle of least privilege applied to systems and data.

  • Role-based access controls (RBAC) and documented access approvals required.

  • Strong authentication required for administrative and remote access; MFA enforced where supported.

  • Accounts reviewed regularly; unused accounts disabled/removed.

5. Data Protection
  • Encryption in transit (TLS) required for all web, API, and remote connections.

  • Sensitive data encrypted at rest where technically feasible.

  • Minimize collection of personal data; retain only as necessary and in line with Privacy Policy.

  • Secure disposal and sanitization of data and hardware when decommissioned.

6. Secure Development & Change Management
  • Secure development practices: threat modeling, code review, SAST/DAST as appropriate.

  • Changes to production systems require documented change control and testing.

  • Secrets management: no credentials in source code; use secure secret stores.

7. Network & Infrastructure Security
  • Network segmentation to limit lateral movement.

  • Firewalls, WAFs, and access controls to protect services.

  • Regular vulnerability scanning and prioritized remediation.

  • Patching: apply security patches to servers, libraries, and dependencies on a defined schedule or urgently for critical vulnerabilities.

8. Monitoring, Logging & Detection
  • Centralized logging for security-relevant events; logs retained per retention policy.

  • Continuous monitoring and alerting for suspicious behavior, intrusion attempts, and system health.

  • Regular review of logs and security alerts.

9. Incident Response & Breach Notification
  • Maintain and exercise an incident response plan with defined roles, containment, investigation, remediation, and recovery steps.

  • Document incidents and perform post-incident reviews.

  • Notify affected parties and regulators as required by law and contractual obligations.

10. Business Continuity & Backups
  • Regular automated backups for critical systems and data; periodic restoration tests.

  • Redundancy and failover measures proportionate to service criticality.

11. Third Parties & Subprocessors
  • Vendor security assessment prior to engagement; minimum security requirements in contracts.

  • Maintain inventory of subprocessors and their data access.

  • Require vendors to notify Silver Awakening of security incidents affecting our data.

12. Physical Security
  • Physical access controls for facilities hosting infrastructure; cloud providers must meet comparable controls and certifications.

  • Secure handling and disposal of physical media.

13. Training & Awareness
  • Security awareness training for all personnel at onboarding and at least annually.

  • Role-specific security training for developers, administrators, and others with elevated privileges.

14. Compliance & Audit
  • Comply with applicable laws, regulations, and contractual obligations (e.g., data protection laws).

  • Periodic internal reviews and external audits/assessments as required.

15. Enforcement & Exceptions
  • Noncompliance may result in disciplinary action up to termination or contract termination.

  • Exceptions to this policy require documented risk acceptance and approval by the Security Owner and Executive Sponsor.

16. Policy Review
  • This policy is reviewed at least annually or when significant changes occur to business, technology, or legal requirements.

17. Reporting & Contact