Information Security Policy

Information Security Policy for Uyhyde, LLC DBA The Little Sober Bar

Date: 06/10/2025


Contents

  1. Introduction
  2. Information Security Policy
  3. Acceptable Use Policy
  4. Disciplinary Action
  5. Compliance Policy
  6. Information Security Procedures and Standards
  7. Protect Stored Data
  8. Information Classification
  9. Access to Sensitive Cardholder Data
  10. Physical Security
  11. Protect Data in Transit
  12. Disposal of Stored Data
  13. Security Awareness and Procedures
  14. Network Security
  15. System and Password Policy
  16. Anti-Virus Policy
  17. Patch Management Policy
  18. Remote Access Policy
  19. System Administration Access Policy
  20. Vulnerability Management Policy
  21. Configuration Standards
  22. Change Control Process
  23. Audit and Log Review
  24. Secure Application Development
  25. Penetration Testing Methodology
  26. Incident Response Plan
  27. Roles and Responsibilities
  28. Third-Party Security and Cardholder Data
  29. User Access Management
  30. Access Control Policy
  31. Wireless Policy
  32. Encryption Policy
  33. Appendices

1. Introduction

This document outlines the security measures and policies for managing Uyhyde, LLC's information security, ensuring protection against unauthorized use and data breaches. All employees must read the policy and sign an acknowledgment of understanding and agreement. The policy is subject to annual review and revision by management.

2. Information Security Policy

Uyhyde, LLC is committed to safeguarding sensitive cardholder information in its day-to-day operations. Measures must be enforced to protect privacy and ensure compliance with applicable regulations. Employees are required to:

  • Handle company and cardholder data sensitively.
  • Limit personal use of company systems, ensuring it does not affect performance.
  • Protect sensitive information; unauthorized disclosure is prohibited.
  • Keep account information secure.
  • Receive managerial approval before installing software or hardware.
  • Report security incidents promptly.

3. Acceptable Use Policy

Personal use of company systems should be reasonable and not impact operations. Employees must maintain confidentiality and security of company data, ensuring all resources are used responsibly and appropriately.

4. Disciplinary Action

Non-compliance with these policies will result in disciplinary action, potentially including termination. Ignorance or poor judgment is not an excuse for violating security standards.

5. Compliance Policy

Compliance with all relevant laws and standards is mandatory. The laws and regulations applicable to each data processing activity must be identified, and the scope of that activity, including diagrams and data storage repositories, must be documented accordingly.

6. Information Security Procedures and Standards

Security documentation must be current, accurate, and updated to reflect changes in regulations or standards. This documentation includes procedures, standards, and asset lists.

7. Protect Stored Data

Sensitive data must be securely stored and properly disposed of when no longer needed. Displayed PANs must be masked, and data such as CVV codes and PINs must not be stored.

8. Information Classification

Data is classified by sensitivity—Confidential, Internal Use, and Public. Appropriate handling measures apply to each.

9. Access to Sensitive Cardholder Data

Access must be controlled and authorized. Roles should define access needs, and data sharing with third parties requires strict controls.

10. Physical Security

Access to sensitive data must be restricted physically and electronically. Devices accepting card data should be secured and regularly inspected.

11. Protect Data in Transit

Transporting sensitive data requires authorization and encryption. End-user messaging technologies should not send unencrypted cardholder data.

12. Disposal of Stored Data

Data no longer needed must be securely disposed of following documented procedures.

13. Security Awareness and Procedures

Regular training and awareness programs are mandatory to maintain high security awareness among employees and contractors.

14. Network Security

Firewalls and network security measures are crucial to protect the cardholder environment, with access limited and connections monitored.

15. System and Password Policy

Standards align with industry best practices, enforcing strong password policies and secure system configurations.

16. Anti-Virus Policy

All systems must run updated antivirus software, with logs retained according to policy.

17. Patch Management Policy

Systems must be kept up to date with security patches to protect against vulnerabilities; vendor-released patches must be installed within a month of release.

18. Remote Access Policy

Remote access must be secure, strictly controlled, and monitored regularly, with accounts disabled when not needed.

19. System Administration Access Policy

Administrative access must be secured with multi-factor authentication, and all administrative actions must be monitored.

20. Vulnerability Management Policy

Regular vulnerability assessments must be conducted, with rescans performed to confirm that high-severity vulnerabilities have been remediated.

21. Configuration Standards

All systems handling cardholder data must adhere to configuration standards, with updates managed per security assessments.

22. Change Control Process

Changes to resources must follow a documented process that ensures management review, authorization, and risk assessment.

23. Audit and Log Review

Audit logs should be maintained, reviewed regularly, and alerts managed by designated staff for security oversight.

24. Secure Application Development

Security must be integrated into the software development lifecycle, with developers adhering to secure coding practices.

25. Penetration Testing Methodology

Penetration tests must be conducted following best practices to identify vulnerabilities, and all findings must be documented with actionable recommendations.

26. Incident Response Plan

A tested plan is in place for security incidents, outlining reporting and resolution processes, with roles and responsibilities defined.

27. Roles and Responsibilities

Roles for information security are clearly defined, including responsibility for maintaining policies, conducting audits, and ensuring PCI-DSS compliance.

28. Third-Party Security and Cardholder Data

All third-party engagements must adhere to security requirements, with defined responsibilities and compliance verification processes.

29. User Access Management

Formal processes control user access, ensuring appropriate authorization levels and prompt deactivation of accounts belonging to former users.

30. Access Control Policy

Access to systems is restricted based on roles with continuous review, and unauthorized access is prevented through strict policies.

31. Wireless Policy

Wireless devices are regulated to prevent unauthorized connections, with quarterly testing for compliance.

32. Encryption Policy

Strong encryption standards are enforced for data storage and transfers, ensuring secure management of encryption keys.

33. Appendices

  • Appendix A: Agreement to Comply Form
  • Appendix B: Asset/Device List and Third-Party Providers

Appendix A – Agreement to Comply Form

I, [Employee Name], agree to comply with Uyhyde, LLC's Information Security Policies, understanding they impact my role and duties. I acknowledge potential disciplinary action for non-compliance and agree to report potential breaches or violations promptly.

Appendix B – Asset/Device List and Third-Party Providers

This list is maintained and updated continuously, detailing all assets involved in data processing and all third-party services, together with their compliance validation.

This policy provides Uyhyde, LLC a comprehensive framework for safeguarding information, ensuring compliance, and protecting cardholder data. Regular reviews and updates align with industry practices and regulatory requirements.