Information Security Policy

(Effective as of: December 16, 2025)

Table of Contents

1. Approach to Information Security

2. Purpose

3. Scope

4. Aquatic Informatics Information Security Program Measures

4a. Program Governance

4b. Risk Assessment

4c. Awareness & Training

4d. Personnel Security

4e. Supplier Risk Management

4f. Identification & Authentication

4g. Access Control

4h. Auditability

4i. Configuration Management

4j. System & Communication Protection

4k. System & Services Acquisition

4l. Media Protection

4m. Security Assessment & Authorization

4n. Maintenance

4o. System & Information Integrity

4p. Physical & Environmental Protection

4q. Contingency Planning

4r. Incident Response

5. Compliance and Review


1. Approach to Information Security

Information Security at Aquatic Informatics (AQI) is about building trust through reliable systems and robust protection of customer data. We strive to ensure confidentiality, integrity, availability, and compliance across all digital assets managed by Aquatic Informatics. Our approach enables secure digital transformation and empowers customers with confidence in our solutions.

2. Purpose

Information technology is a rapidly evolving and complex field. Protecting customer data and maintaining reliable systems is essential to AQI’s reputation and operational integrity. AQI is committed to providing a secure digital environment that ensures appropriate access to information whenever needed, while addressing complex and emerging threats. All security controls adhere to legal, regulatory, and compliance requirements. Every AQI employee, contractor, vendor, and authorized partner is expected to exercise diligence and vigilance in safeguarding our information and digital assets and maintain awareness through regular security training.

This policy establishes the organization’s commitment to safeguarding information assets, ensuring confidentiality, integrity, and availability through a risk-based approach aligned with industry standards (NIST, ISO 27001, GDPR).

3. Scope

The AQI Information Security policy applies to Aquatic Informatics employees, associates, contingent workers, contractors, vendors, service providers, consultants, and authorized agents who use or access AQI data and IT assets—collectively referred to as “users.” It also applies to all systems owned by Aquatic Informatics and its affiliates, whether hosted in AQI’s on-premises or cloud environments.

4. Aquatic Informatics Information Security Program Measures

4a. Program Governance

The AQI Information Security Program is led by the Information Security Management System (ISMS) Committee, made up of Senior Security, Infrastructure, and Engineering leaders who report to the Chief Technology Officer.

The ISMS Committee’s goal is to implement and manage the Information Security Program by ensuring that security is integrated into the organizational strategy and aligning security objectives with business goals. This includes security strategy review, a risk-based security roadmap, budget allocation for security initiatives, and measurement. The ISMS Committee is also responsible for ensuring compliance with legal, regulatory, and customer expectations, which include adherence to the ISO 27001:2022 standard, the GDPR framework, and general alignment with NIST standards.

The ISMS Committee is supported by a number of technical and non-technical teams, including Architecture, Cyber Operations, GRC, Product Security, and Cloud and Vulnerability Management.

4b. Risk Assessment

Approach

  • Identify and mitigate risks proactively.
  • Use a formal risk management framework.

Policy Statements

  • Aquatic Informatics shall conduct formal risk assessments on AQI information systems and data at least annually to identify, evaluate, and prioritize risks.
  • A centralized risk register shall be maintained and updated regularly to document identified risks, their status, and mitigation actions.
  • Documented risk treatment plans shall be developed and implemented to address identified risks through mitigation, transfer, acceptance, or avoidance strategies.
  • Threat modeling shall be performed for all new projects and significant system changes to proactively identify and address potential security threats.
  • Regular vulnerability scanning and analysis shall be conducted across all systems and applications to detect and remediate security weaknesses promptly.

4c. Awareness & Training

Approach

  • Foster a security-first culture.
  • Provide role-specific training annually.

Policy Statements

  • Aquatic Informatics shall require all employees, contractors, and relevant third parties to complete mandatory security awareness training annually to ensure understanding of organizational security policies and practices.
  • Continuous phishing simulation exercises shall be conducted to assess user awareness and reinforce best practices for identifying and reporting suspicious emails.
  • Specialized security training shall be provided based on job roles and responsibilities, ensuring personnel have the knowledge required to manage security risks associated with their functions.

4d. Personnel Security

Approach

  • Vet personnel before granting access.
  • Reinforce security obligations throughout and after employment.

Policy Statements

  • Aquatic Informatics shall conduct background checks on all employees, contractors, and third-party personnel prior to granting access to sensitive systems or data.
  • All personnel with access to Aquatic Informatics information assets must sign confidentiality agreements to ensure the protection of sensitive data.
  • Employees and contractors shall complete mandatory acceptable use training to understand responsibilities related to system and data security.
  • Access rights shall be revoked within 24 hours of termination, and all company-issued hardware must be returned promptly to prevent unauthorized access.
  • Roles and responsibilities for security shall be clearly defined and assigned to ensure accountability and compliance with security policies.
  • Aquatic Informatics shall implement monitoring mechanisms to detect and mitigate potential insider threats, including anomalous behavior and unauthorized activities.
  • Personnel shall receive training on identifying and reporting security incidents to ensure timely escalation and response.

4e. Supplier Risk Management

Approach

  • Assess and monitor vendor security.
  • Enforce contractual security obligations.

Policy Statements

  • Aquatic Informatics shall conduct comprehensive vendor risk assessments prior to onboarding and during the lifecycle of the relationship, including security reviews of any system integrations to ensure compliance with organizational standards.
  • All vendor and third-party contracts shall include mandatory security clauses that define minimum security requirements, breach notification obligations, and compliance expectations.
  • Aquatic Informatics shall implement continuous monitoring of vendors and service providers to identify emerging risks, validate compliance, and ensure ongoing security posture.
  • Only vendors and service providers listed on the Aquatic Informatics Approved Vendor List shall be permitted to deliver products or services, ensuring alignment with security and compliance requirements.

4f. Identification & Authentication

Approach

  • Verify identities before granting access.
  • Use strong authentication mechanisms.

Policy Statements

  • Aquatic Informatics shall require all users to have unique user IDs to ensure accountability and traceability of system activities.
  • Multi-Factor Authentication (MFA) shall be enforced for all critical systems and remote access to strengthen identity verification and reduce unauthorized access risks.
  • Passwords shall meet defined complexity requirements, including minimum length, character diversity, and periodic rotation, to prevent compromise.
  • All authentication mechanisms used within Aquatic Informatics systems must be formally approved by the Information Security team to ensure compliance with security standards.
  • Session timeout controls shall be implemented to automatically terminate inactive sessions, reducing the risk of unauthorized access.
  • Authentication credentials shall be stored securely using industry-standard encryption and hashing techniques to prevent unauthorized disclosure.
  • Shared accounts shall be tightly restricted and frequently audited, and their authentication credentials rotated at least annually or immediately when an individual no longer requires access.

4g. Access Control

Approach

  • Enforce least privilege and need-to-know principles.

Policy Statements

  • Aquatic Informatics shall require formal approval from authorized personnel before granting access to any system or resource.
  • Access rights for employees, contractors, or third parties must be revoked within 24 hours of employment termination or contract conclusion to prevent unauthorized access.
  • Access privileges shall be assigned based on job roles and responsibilities, ensuring the principle of least privilege is enforced across all systems.
  • Regular reviews of user access rights shall be conducted to validate appropriateness and remove unnecessary privileges.
  • Critical tasks and system functions shall be divided among multiple individuals to prevent conflicts of interest and reduce the risk of fraud or misuse.

4h. Auditability

Approach

  • Maintain transparency and traceability of system activities.
  • Ensure compliance through continuous monitoring.

Policy Statements

  • Aquatic Informatics shall define and maintain a standardized logging framework to ensure consistent capture of security-relevant events across all systems.
  • All security events shall be logged in a centralized system to enable efficient monitoring, correlation, and analysis.
  • Audit logs shall be protected against unauthorized access, modification, and deletion, and retained in accordance with regulatory and business requirements.
  • Automated alerting mechanisms shall be implemented to detect and notify relevant teams of anomalous activities or potential security incidents.
  • Periodic reviews of audit logs shall be conducted to validate compliance, identify suspicious activities, and ensure the effectiveness of security controls.
  • Comprehensive compliance reports shall be generated and maintained to demonstrate adherence to legal, regulatory, and internal security requirements.

4i. Configuration Management

Approach

  • Maintain secure baselines for all systems.
  • Control changes through formal processes.

Policy Statements

  • Aquatic Informatics shall maintain an up-to-date inventory of all IT assets and review it regularly to ensure accuracy and accountability.
  • All systems shall be deployed using hardened configuration baselines aligned with industry best practices to minimize vulnerabilities.
  • Changes to system configurations shall be subject to formal change control processes, including approval and documentation, to prevent unauthorized modifications.
  • Rollback procedures shall be designed for all deployments.
  • Automated tools shall be used to monitor configurations continuously and detect deviations from approved baselines.
  • A structured patch management program shall be implemented to ensure timely application of security patches and updates across all systems.
  • All configuration changes shall undergo a security review prior to implementation to validate compliance with security standards and risk mitigation requirements.

4j. System & Communication Protection

Approach

  • Secure data in transit and at rest.
  • Implement layered network defenses.

Policy Statements

  • Aquatic Informatics shall implement network segmentation to isolate critical systems and reduce the risk of lateral movement by unauthorized entities.
  • All communications over untrusted networks shall be encrypted using TLS/SSL protocols to ensure confidentiality and integrity of transmitted data.
  • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) shall be deployed and maintained to monitor, filter, and block unauthorized or malicious traffic.
  • API gateways shall be secured with authentication, authorization, and encryption mechanisms to protect data exchanges between internal and external systems.
  • Systems shall consider resilience requirements aligned to customer commitments in adverse scenarios.
  • Remote access to Aquatic Informatics systems shall be permitted only through secure channels such as VPNs with multi-factor authentication.
  • Only authorized assets and external components shall be permitted to connect to Aquatic Informatics systems, with strict validation and monitoring controls in place.

4k. System & Services Acquisition

Approach

  • Ensure secure system development lifecycle management.
  • Embed security in procurement.

Policy Statements

  • Aquatic Informatics shall enforce a Secure Software Development Lifecycle (SSDLC) for all internally developed and externally procured applications, integrating security controls throughout design, development, testing, and deployment.
  • All Requests for Proposals (RFPs) and procurement processes shall include explicit security requirements to ensure vendors and service providers meet Aquatic Informatics’ security standards.
  • Source code for all critical applications shall undergo formal code reviews and static analysis to identify and remediate vulnerabilities before deployment.
  • All third-party components and libraries shall be validated for security integrity and compliance with Aquatic Informatics’ standards prior to integration into production systems.
  • Dynamic security testing shall be conducted on applications during pre-production and post-deployment phases to detect runtime vulnerabilities and ensure secure functionality.

4l. Media Protection

Approach

  • Protect data at rest and in transit.
  • Control physical and logical media access.

Policy Statements

  • Aquatic Informatics shall ensure that all sensitive data remains within security-approved environments, whether on-premises or in authorized cloud platforms.
  • All sensitive data at rest shall be encrypted using industry-standard encryption algorithms to protect confidentiality and integrity.
  • Cloud storage environments storing sensitive data shall implement robust security controls, including encryption, access restrictions, and continuous monitoring, to safeguard stored data.
  • Media containing sensitive information shall be securely disposed of through approved methods such as shredding or cryptographic wiping to prevent unauthorized recovery.
  • The use of removable media for storing or transferring sensitive data shall be avoided unless explicitly authorized and secured according to policy requirements.
  • Physical and logical access to media storage areas shall be restricted to authorized personnel only, with appropriate logging and monitoring in place.

4m. Security Assessment & Authorization

Approach

  • Validate security posture before system deployment.
  • Maintain continuous compliance.

Policy Statements

  • Aquatic Informatics shall maintain a formal security certification process to validate that systems meet established security requirements before deployment or significant changes.
  • Regular penetration testing shall be conducted on critical systems and applications to identify and remediate vulnerabilities before they can be exploited.
  • A continuous monitoring program shall be implemented to track security controls, detect anomalies, and ensure ongoing compliance with security standards.
  • All third-party vendors and service providers shall undergo security assessments to verify compliance with Aquatic Informatics’ security requirements and contractual obligations.
  • All security assessments must be reviewed, approved, and validated by the Information Security Management System (ISMS) team or a designated authority to ensure accuracy and completeness.

4n. Maintenance

Approach

  • Perform maintenance securely and efficiently.
  • Validate changes before implementation.

Policy Statements

  • Aquatic Informatics shall ensure that only authorized and qualified personnel perform maintenance activities on IT systems and infrastructure.
  • All remote maintenance activities shall be conducted using secure protocols and authenticated sessions to prevent unauthorized access.
  • Comprehensive logs of all maintenance activities shall be maintained to provide traceability and support compliance and audit requirements.
  • Systems undergoing maintenance shall be tested before and after changes to validate functionality and security integrity.
  • All patches applied during maintenance shall be verified for successful installation and effectiveness in mitigating identified vulnerabilities.

4o. System & Information Integrity

Approach

  • Detect and remediate threats promptly.
  • Maintain system health and integrity.

Policy Statements

  • Aquatic Informatics shall deploy and maintain anti-malware/virus solutions across all endpoints and servers to detect, prevent, and remove malicious software.
  • File integrity monitoring shall be implemented on critical systems to detect unauthorized changes and ensure the integrity of sensitive files and configurations.
  • A structured patch management process shall be enforced to apply security updates promptly, reducing exposure to known vulnerabilities.
  • Regular vulnerability scanning shall be conducted across all attack surfaces—including networks, applications, and endpoints—to identify and remediate security weaknesses.
  • Documented incident remediation procedures shall be followed to contain, eradicate, and recover from security incidents effectively and in compliance with regulatory requirements.
4p. Physical & Environmental Protection

Approach

  • Secure facilities against unauthorized access.
  • Protect assets from environmental hazards.

Policy Statements

  • Aquatic Informatics shall implement, or ensure that, physical protection for information systems is in place.
  • Access control systems shall be implemented to restrict entry to authorized personnel and maintain secure physical access to information systems.
  • Closed-circuit television (CCTV) monitoring shall be deployed in critical areas to deter unauthorized access and support incident investigations.
  • Fire suppression systems shall be installed and maintained to protect facilities and information systems from fire-related hazards, ensuring compliance with safety standards.
  • All visitors to physical locations of information systems shall be logged and escorted as necessary to maintain accountability and prevent unauthorized access.
  • Environmental monitoring systems shall be implemented to track temperature and humidity levels in areas where information systems reside, ensuring optimal conditions for equipment and data availability.

4q. Contingency Planning

Approach

  • Ensure resilience through tested recovery strategies.
  • Minimize downtime during disruptions.

Policy Statements

  • Aquatic Informatics shall maintain and regularly update a documented Business Continuity Plan to ensure critical operations can continue during and after disruptive events.
  • A comprehensive Disaster Recovery Plan shall be implemented to restore IT systems and services within defined recovery objectives following a major incident or disaster.
  • Backup and restore processes shall be tested at regular intervals to validate Recovery Point Objective (RPO) and Recovery Time Objective (RTO) commitments, ensuring data integrity and system availability.
  • Aquatic Informatics shall establish rapid deployment procedures to enable swift restoration of essential services and minimize downtime during emergencies.
  • Formal crisis communication protocols shall be maintained to ensure timely, accurate, and consistent information sharing with internal teams, customers, and stakeholders during disruptive events.

4r. Incident Response

Approach

  • Respond swiftly to minimize impact.
  • Maintain a structured escalation process.

Policy Statements

  • Aquatic Informatics shall maintain and regularly update a documented Incident Response Plan that defines roles, responsibilities, and procedures for detecting, responding to, and recovering from security incidents.
  • Continuous security monitoring shall be implemented to detect and respond to potential threats in real time, ensuring rapid containment and mitigation of incidents.
  • Clear escalation paths shall be established and communicated to ensure timely notification and involvement of appropriate stakeholders during security incidents.
  • All relevant evidence related to security incidents shall be preserved in accordance with legal, regulatory, and forensic requirements to support investigations and compliance obligations.
  • Only designated and authorized individuals within Aquatic Informatics shall have the authority to formally declare a data breach.
  • Customers shall be notified within 72 hours of a confirmed or likely confirmed security breach that impacts the confidentiality, integrity, or availability of the data.
  • Following the resolution of an incident, a formal review shall be conducted to identify root causes, assess response effectiveness, and implement improvements to prevent recurrence.
  • Aquatic Informatics shall comply with all applicable regulatory requirements for breach notification, ensuring timely and accurate communication to regulators, customers, and other stakeholders.

5. Compliance and Review

This policy will be reviewed annually and updated to reflect evolving threats, regulatory changes, and business needs.