1. Information Security Policy
Purpose
The purpose of this policy is to define the framework for securing the information assets of LEMONADESHOPUS LLC against
threats, whether internal or external, deliberate or accidental.
Scope
This policy applies to all employees, contractors, systems, and data managed by LEMONADESHOPUS LLC within the United
States and United Kingdom jurisdictions.
Policy
- We follow recognized security standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework.
- We perform regular risk assessments and review our controls.
- Security training is conducted annually for all personnel.
- Incident reporting mechanisms and escalation paths are clearly defined.
- Backups are maintained and regularly tested.
- All systems must be updated with the latest security patches.
- Access controls are enforced based on the principle of least privilege.
- Data encryption is mandatory for sensitive information both at rest and in transit.
2. Access Control Policy
Purpose
To restrict access to information and information systems to authorized users, processes, or devices.
Policy
- Access is granted based on role and business need (Principle of Least Privilege).
- Multi-Factor Authentication (MFA) is required for all administrative access.
- Passwords must be at least 8 characters long and include uppercase, lowercase, numeric, and special characters.
- User access rights are reviewed at least annually.
- Access logs are retained for monitoring and auditing purposes.
3. Data Classification & Protection Policy
Purpose
To classify and protect information based on sensitivity and regulatory requirement.
Policy
- Data is classified into: Public, Internal, Confidential, and Restricted.
- Personal data and sensitive data are encrypted at rest (AES-256) and in transit (TLS 1.2 or later).
- Access to data is logged and monitored.
- Data minimization is practiced: only the data necessary for a defined business purpose is collected and retained.
- Data retention periods comply with regional laws (e.g., GDPR, CCPA).
4. Incident Response Policy
Purpose
To establish a structured approach to detect, respond to, and recover from security incidents.
Policy
- An Incident Response Team (IRT) is assigned with clear roles and responsibilities.
- All incidents must be reported within 24 hours of detection.
- Incident response steps: Identification → Containment → Eradication → Recovery → Review.
- Incident response exercises are conducted annually to assess the readiness of the IRT and the response procedures.
- All incidents are documented and followed by a post-incident review.