
Information Security Policy

Last updated: May 1, 2025
Version: 2.0

1. Purpose and Scope

Jit is committed to protecting the confidentiality, integrity, and availability of all physical and electronic information assets to ensure that regulatory, operational, and contractual requirements are fulfilled. This policy defines the security controls and principles that all personnel and systems must adhere to.

This policy applies to:

  • All information created, received, stored, or transmitted by Jit
  • All information systems, applications, and networks owned or managed by Jit
  • All employees, contractors, consultants, temporary staff, and other workers at Jit
  • All third parties that connect to or access Jit systems

2. Related Policies

This Information Security Policy serves as the foundation for Jit's comprehensive Information Security Program. The following subordinate policies provide detailed requirements for specific areas:

Governance and Risk

  • Information Security Governance Policy
  • Risk Assessment Policy
  • Third Party Risk Management Policy
  • Responsible Disclosure Policy

Data Protection and Access

  • Data Classification Policy
  • Data Protection Policy
  • Privacy Policy  
  • Encryption Policy
  • Data Retention Policy
  • Access Control Policy
  • Password Policy
  • AI Usage Policy
  • SaaS Usage Policy

Infrastructure and Operations

  • Asset Management Policy
  • Change Management Policy
  • Configuration Management Policy
  • Network Security Policy
  • Cloud Security Policy
  • Vulnerability Management Policy
  • Logging and Monitoring Policy

Business Continuity

  • Business Continuity Policy
  • Disaster Recovery Policy
  • Backup and Recovery Policy
  • Incident Response Policy

End User and Physical Security

  • Acceptable Use Policy
  • Mobile Device Policy
  • Remote Work Policy
  • Clean Desk Policy
  • Physical Security Policy
  • Visitor Management Policy
  • Code of Conduct

Application and Development

  • Secure Development and Application Security Policy

Each supporting policy adheres to the principles established in this Information Security Policy while providing detailed controls and procedures for its specific domain. Supporting procedures, standards, and guidelines may exist for each policy to provide implementation guidance.

3. Information Security Principles

Jit's information security program is built on six fundamental security objectives that together provide comprehensive protection of information assets. The organization commits to maintaining these objectives through documented controls and regular assessment.

Security objectives include:

  • Confidentiality: Protection against unauthorized information disclosure
  • Possession/Control: Maintenance of control over information assets
  • Integrity: Prevention of unauthorized modification
  • Authenticity: Validation of information origin and legitimacy
  • Availability: Ensuring timely access for authorized users
  • Utility: Maintaining information usability and relevance

4. Governance

Jit establishes clear ownership and accountability for information security through a comprehensive governance structure. The organization commits to regular review and updates of security policies, standards, and procedures.

Governance structure includes:

  • Board level oversight and strategic direction
  • Executive management responsibility and accountability
  • Dedicated information security personnel
  • Clear roles and responsibilities
  • Independent assessment and audit functions
  • Regular policy review and updates
  • Documented exception management process

5. Risk Management

Jit implements a comprehensive risk management program aligned with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 2 Trust Services Criteria. The organization commits to regular risk assessments and to maintaining controls appropriate to the assessed risk level.

Risk management activities include:

  • Annual enterprise risk assessments
  • System-specific risk analyses
  • Third-party risk assessments
  • Risk treatment planning
  • Continuous monitoring of risk levels
  • Regular control effectiveness reviews
  • Risk-based decision making processes

6. Operational Requirements

Jit implements controls aligned with the Center for Internet Security (CIS) Critical Security Controls, National Institute of Standards and Technology (NIST) Special Publication 800-53, and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 2 Trust Services Criteria. The organization maintains a defense-in-depth approach to security and commits to implementing and maintaining controls across all critical security domains.

6.1 Asset Management

The organization maintains a complete inventory of, and control over, its hardware and software assets.

Control categories include:

  • Enterprise Asset Management
  • Software Asset Management
  • Data Management and Protection
  • Configuration Management
  • Secure Asset Disposal

6.2 Access Control

The organization implements the principle of least privilege and need-to-know access.

Control categories include:

  • Access Control Management
  • Account Management
  • Privilege Management
  • Remote Access Control
  • Identity and Authentication
  • Session Management

6.3 Data Protection

The organization protects data throughout its lifecycle based on classification and sensitivity.

Control categories include:

  • Data Classification
  • Encryption and Key Management
  • Data Loss Prevention
  • Media Protection
  • Information Privacy
  • Secure Data Destruction

6.4 Network, Cloud Security and SaaS

The organization implements comprehensive security controls across all network infrastructure, cloud services, and interconnected environments. This includes protection of both traditional network boundaries and cloud-based resources through defense-in-depth strategies.

Control categories include:

  • Network Architecture and Design
  • Access Control and Authentication
  • Perimeter Security
  • Communication Security
  • Service Provider Security
  • Cloud Infrastructure Protection
  • Application Security
  • Data Transport Security
  • Network Monitoring and Analytics
  • Remote Access Security

6.5 Operational Security

The organization maintains secure operational practices across all technology environments, emphasizing standardization, automation, and continuous validation of security controls.

Control categories include:

  • Change Control
  • Configuration Management
  • Security Engineering
  • Application Lifecycle Security
  • Platform Security
  • Operational Monitoring
  • Technical Vulnerability Management
  • Environmental Security
  • Resource Management
  • Security Automation

6.6 Incident Management

The organization maintains capabilities to detect, respond to, and recover from security incidents.

Control categories include:

  • Security Monitoring
  • Incident Detection
  • Incident Response
  • Digital Forensics
  • Communications Management
  • Continuous Improvement

6.7 Business Continuity

The organization ensures resilience and recovery capabilities for critical systems and processes.

Control categories include:

  • Business Impact Analysis
  • Continuity Planning
  • Disaster Recovery
  • Backup Management
  • Crisis Management
  • Recovery Testing

7. Compliance and Auditing

Jit maintains compliance with applicable regulations and standards through regular assessment and auditing. The organization commits to maintaining certifications and addressing audit findings promptly.

Compliance activities include:

  • Regular compliance assessments
  • Independent audits
  • Control testing
  • Gap remediation
  • Evidence collection
  • Regulatory reporting
  • Certification maintenance

8. Training and Awareness

Jit maintains a comprehensive security awareness and training program. The organization commits to ensuring all personnel understand their security responsibilities and receive appropriate training.

Program elements include:

  • New hire security training
  • Annual awareness training
  • Role-specific security training
  • Security communications
  • Awareness campaigns
  • Compliance training
  • Performance measurement

9. Enforcement

Jit enforces this policy through technical controls, monitoring, and a disciplinary process. The organization commits to investigating and addressing all policy violations.

Enforcement measures include:

  • Technical enforcement controls
  • Regular compliance monitoring
  • Violation reporting procedures
  • Investigation processes
  • Disciplinary procedures
  • Corrective actions
  • Appeals process

10. Policy Management

This policy will be reviewed annually and updated as needed to reflect changes in business requirements, technology, and compliance obligations.

Document Control:

  • Policy Owner: Chief Information Security Officer
  • Next Review Date: January 30, 2026