Security Policy
Lotus Lagree LLC Studio Information Security Policy
Effective Date: 6/29/2025
Reviewed: 6/29/2025
Next Review: 7/29/2025
1. Purpose
This Information Security Policy outlines the responsibilities and practices followed by Lotus Lagree LLC to ensure the confidentiality, integrity, and availability of all information assets, including sensitive data, and to protect the organization against security breaches, unauthorized access, and other security risks.
2. Scope
This policy applies to all employees, contractors, vendors, and third-party service providers (TPSPs) who have access to any information systems, applications, or customer data managed by Lotus Lagree LLC. This includes but is not limited to personal data of clients, payment information, and internal business operations.
3. Information Security Governance
3.1 Policy Establishment, Publication, and Maintenance
- The Information Security Policy is established and published within the organization and made available to all relevant personnel.
- The policy is maintained and disseminated to all relevant personnel, vendors, and business partners to ensure consistent awareness and compliance.
3.2 Review and Update
- The policy is reviewed annually (or as needed) to ensure it remains relevant to the organization’s operations and risk environment.
- Updates to the policy will be made in response to changes in business objectives, regulatory requirements, and emerging risks.
3.3 Roles and Responsibilities
- All personnel are made aware of their responsibilities regarding information security. Specific roles and responsibilities for securing sensitive information and handling security incidents are clearly defined.
- Each employee, contractor, and vendor acknowledges their understanding of and commitment to adhering to this policy.
4. Acceptable Use Policy for End-User Technologies
4.1 Documentation and Implementation
- All employees and authorized users must adhere to the Acceptable Use Policy for company-provided technologies, including hardware and software.
- Explicit approval is required for the use of any non-approved technologies.
- The list of approved technologies (both hardware and software) will be provided to employees for reference and compliance.
4.2 Technology Use Guidelines
- Only approved devices and software should be used for accessing company information or conducting any business activities, particularly those that process payment or personal data.
- Unauthorized use of devices for business-related activities or personal data storage is prohibited.
5. Risk Management for Cardholder Data
5.1 Identification and Management of Risks
- Risks related to the Cardholder Data Environment (CDE) are identified, evaluated, and managed periodically.
- Risk analysis is conducted annually or whenever a significant change in business operations occurs, ensuring that the likelihood and impact of potential threats are minimized.
5.2 Frequency of Risk Assessment
- PCI DSS compliance requirements are reviewed, and targeted risk analyses are conducted to determine how frequently specific security measures must be performed.
- These assessments are reviewed annually, and updates are made as needed.
6. Security Awareness Education
6.1 Ongoing Education and Training
- A formal security awareness program is implemented to ensure all personnel are aware of the importance of protecting company information and are familiar with information security procedures.
- The program includes training on common threats such as phishing, social engineering, and other security vulnerabilities.
6.2 Training Topics
- Employees are trained to recognize and report threats such as phishing emails and suspicious activities that could compromise the security of client and payment data.
- Additional security awareness materials will be provided as needed.
7. Management of Third-Party Service Providers (TPSPs)
7.1 List of TPSPs
- A list of all third-party service providers (TPSPs) with which customer data is shared or that could affect the security of account data is maintained and regularly reviewed.
7.2 Third-Party Agreements
- Written agreements with all TPSPs include clear responsibilities for the security of account data.
- TPSPs must acknowledge their role in maintaining the security of account data and adhere to PCI DSS guidelines.
7.3 Due Diligence and Monitoring
- Due diligence is conducted before engaging any new third-party vendors to ensure they meet security and PCI DSS compliance standards.
- TPSP compliance is monitored annually to ensure ongoing adherence to security requirements.
8. Incident Response Plan
8.1 Incident Response Procedures
- An Incident Response Plan exists to guide immediate action in the event of a security breach or confirmed compromise of client or payment data.
- The plan includes roles, responsibilities, communication protocols, business continuity procedures, data recovery strategies, and legal reporting requirements.
8.2 24/7 Availability
- Specific personnel are designated to be available on a 24/7 basis to handle suspected or confirmed security incidents, ensuring a swift and effective response.
8.3 Containment and Mitigation
- Incident response procedures will include containment and mitigation steps for various types of security incidents, including the secure handling of data breaches, unauthorized access, and other security threats.
9. Compliance and Continuous Improvement
9.1 Ongoing Review and Updates
- The Information Security Policy is continuously monitored, reviewed, and updated to address emerging threats, changes in technology, and evolving regulatory requirements.
- Regular audits are conducted to ensure compliance with all relevant security and privacy standards, including PCI DSS.
10. Policy Acknowledgement
- All personnel, contractors, and vendors are required to sign an Acknowledgment of Information Security Policy to confirm that they have read, understood, and agree to comply with this policy.