Information Security Organization and Responsibilities
1. Purpose
This document establishes the organizational structure, roles, and responsibilities for information security management at Nemu Inc. It defines accountability for security controls, risk management, and compliance activities across the organization.
1.1 Information Security Program Objectives
The information security program at Nemu Inc. is designed to protect client data and organizational assets from security threats. The program establishes clear objectives and principles to prevent and respond to:
- Unauthorized Disclosure: Preventing unauthorized access to or exposure of client data through access controls, encryption, and monitoring
- Misuse: Ensuring client data is used only for authorized business purposes through acceptable use policies and activity monitoring
- Alteration: Protecting data integrity through change controls, versioning, and validation mechanisms
- Destruction: Safeguarding against unauthorized or accidental deletion through backup procedures, access restrictions, and audit logging
- Other Compromise: Addressing threats including data exfiltration, ransomware, injection attacks, and availability disruptions
1.1.1 Core Security Principles
The information security program operates on the following principles:
- Confidentiality: Client data is protected from unauthorized access through role-based access controls, encryption in transit and at rest, and secure authentication mechanisms
- Integrity: Data accuracy and completeness are maintained through validation controls, change management, and audit trails
- Availability: Systems and data remain accessible to authorized users through redundancy, backup procedures, and incident response capabilities
- Accountability: All access and actions affecting client data are logged and attributable to specific users or systems
- Least Privilege: Users and systems are granted only the minimum access necessary to perform authorized functions
- Defense in Depth: Multiple layers of security controls protect against single points of failure
- Continuous Monitoring: Security controls are monitored for effectiveness and threats are detected through ongoing surveillance
1.1.2 Program Scope
The information security program encompasses all systems, applications, and infrastructure that process, store, or transmit client data, including:
- Node.js APIs and Next.js applications hosted on Render
- Supabase database services storing client information
- Google Workspace collaboration and communication tools
- Third-party services integrated with client-facing systems
- Development, staging, and production environments
- Employee endpoints accessing client data
2. Governance Structure
Nemu Inc. maintains an effective information security governance model aligned with our cloud-native SaaS architecture:
2.1 Executive Leadership (Founders / C-Level)
- Establishes organizational risk appetite and tolerance levels
- Provides final approval for information security and privacy policies
- Allocates resources necessary to maintain the security program
- Reviews security program effectiveness during quarterly business reviews
2.2 Security Lead (CTO or Designated Security Officer)
- Serves as the primary owner of the information security program
- Develops, implements, and maintains security policies and procedures
- Coordinates incident response activities and leads security investigations
- Manages vulnerability assessment and remediation programs
- Conducts vendor security assessments and third-party risk reviews
- Reports security metrics and risk posture to executive leadership
2.3 Engineering Team
- Implements security controls within application code and infrastructure
- Applies secure development practices throughout the software development lifecycle
- Manages CI/CD pipeline security for Node.js APIs and Next.js applications
- Maintains security configurations for Render hosting and Supabase database services
- Ensures timely application of security patches and dependency updates
- Participates in security code reviews and threat modeling activities
2.4 Operations / Support Team
- Manages user access provisioning and de-provisioning processes
- Verifies user identity prior to fulfilling sensitive account requests
- Monitors systems and user activity for potential security concerns
- Serves as first-line detection for security incidents
- Facilitates customer communication during security events
- Documents and escalates suspected security incidents
3. Security Responsibilities by Function
3.1 All Personnel
Every employee and contractor at Nemu Inc. has security responsibilities, including:
- Adhering to all information security and privacy policies
- Completing mandatory security awareness training upon hire and annually thereafter
- Protecting credentials, access tokens, and other authentication materials
- Reporting security incidents, vulnerabilities, or suspicious activity immediately
- Safeguarding confidential company and customer information
- Following secure data handling procedures for customer data
3.2 Technology-Specific Responsibilities
Google Workspace Administration
- Configure appropriate access controls and authentication requirements
- Enable security features including 2FA enforcement
- Monitor audit logs for suspicious access patterns
- Manage data loss prevention (DLP) policies
Supabase Database Security
- Implement row-level security policies
- Manage database user permissions following least privilege principles
- Configure backup and recovery procedures
- Monitor database activity logs
Render Infrastructure Security
- Maintain secure deployment configurations
- Manage environment variables and secrets securely
- Configure network security controls and access restrictions
- Monitor application and infrastructure logs
4. Segregation of Duties
To ensure appropriate checks and balances, Nemu Inc. maintains the following segregation of duties where feasible:
- Code development and production deployment approvals are separated
- Security policy updates require review by personnel other than the author
- Access provisioning requests are approved by managers, not requesters
- Incident investigation involves personnel independent of affected systems
For a small team, certain role combinations are necessary and acceptable with appropriate compensating controls such as enhanced logging, executive oversight, and periodic independent reviews.
5. Authority and Escalation
5.1 Security Lead Authority
The Security Lead has authority to:
- Suspend user access or system functionality in response to active security threats
- Initiate emergency changes to mitigate critical vulnerabilities
- Engage external security experts or incident response services
- Communicate directly with customers regarding security matters
5.2 Escalation Paths
- Critical security incidents: Security Lead → Executive Leadership (immediate)
- Policy violations: Manager → Security Lead → Executive Leadership
- Vendor security concerns: Security Lead → Executive Leadership
- Compliance issues: Security Lead → Executive Leadership
6. Documentation and Review
6.1 Maintenance Schedule
- Security roles and responsibilities are reviewed annually
- Reviews are also triggered by significant organizational changes, including:
  - Leadership changes affecting security roles
  - Major system architecture changes
  - New regulatory or compliance requirements
  - Post-incident lessons learned
6.2 Documentation Requirements
- Current organizational chart with security role assignments
- Security Lead designation documented in HR systems
- Role descriptions maintained in internal knowledge base
- Meeting minutes for security steering committee or risk review sessions
7. Training and Competency
The Security Lead and personnel with significant security responsibilities must:
- Possess appropriate technical knowledge for assigned systems
- Maintain awareness of current security threats and best practices
- Participate in relevant professional development activities
- Document completion of role-specific training requirements
8. Audit Evidence
The following evidence demonstrates compliance with this policy:
- Organization chart clearly identifying security roles
- Security Lead appointment documentation
- Records of security meetings, risk assessments, and incident reviews
- Training completion records for security personnel
- Access review logs showing segregation of duties
- Incident response records demonstrating escalation procedures
9. Compliance Mapping
This policy supports compliance with the following frameworks:
| Framework | Control References |
|---|---|
| SOC 2 Trust Services Criteria | CC1.2 (Management oversight), CC1.3 (Organizational structure), CC5.3 (Responsibilities established) |
| ISO 27001:2013 | A.6.1.1 (Information security roles), A.6.1.2 (Segregation of duties) |
10. Related Documents
- Incident Response Plan
- Access Control Policy
- Security Awareness Training Program
- Risk Assessment Procedures
11. Policy Metadata
| Attribute | Value |
|---|---|
| Document Owner | Security Lead |
| Approval Authority | Executive Leadership |
| Last Reviewed | 11/16/2025 |
| Next Review Date | 11/16/2026 |
| Version | 1.0 |
Questions or Concerns: support@mynemu.com
General Support: support@mynemu.com
© 2025 Nemu Inc. All rights reserved.