Information Security Policy (Executive Summary)
1. Purpose
This summary describes the Information Security Management System ("ISMS") of JIL Sovereign Technologies, Inc. (the "Company"). The ISMS is structured around the controls of the International Organization for Standardization (ISO) 27001:2022 standard, the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 Moderate baseline, and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The ISMS scope encompasses all production information systems, all personnel with access to such systems, and all subprocessors that process customer data on the Company's behalf.
2. Governance
The ISMS is governed by the Office of the Chief Information Security Officer, which reports to the Chief Executive Officer and presents at least quarterly to the Board of Directors. Material policy changes require executive approval and are recorded in the policy register. An annual ISMS management review is conducted to assess effectiveness and to set objectives for the following year.
3. Risk Management
The Company maintains a risk register that catalogs risks to confidentiality, integrity, and availability of information assets. Each risk is rated for likelihood and impact, assigned an owner, and tracked through treatment (mitigate, transfer, accept, or avoid). The register is reviewed quarterly. A formal HIPAA Security Rule risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A) is conducted at least annually; the executive summary is published at /docs/legal/JIL_HIPAA_Risk_Assessment_Summary.html.
4. Policy Set
The published policy set covers the following twenty-four domains; each is owned by a named function and reviewed at least annually:
| Domain | Owner |
|---|---|
| Acceptable Use | CISO |
| Access Control | CISO |
| Asset Management | Operations |
| Business Continuity and Disaster Recovery | Operations |
| Change Management | Engineering |
| Cryptography and Key Management | CISO |
| Data Classification and Handling | CISO |
| Data Retention and Destruction | General Counsel |
| Endpoint Security | Operations |
| HIPAA Privacy and Security | HIPAA Privacy and Security Officer |
| Human Resources Security | People Operations |
| Identity and Authentication | CISO |
| Incident Response | CISO |
| Information Security Program (this document) | CISO |
| Network Security | Operations |
| Patch and Vulnerability Management | Operations |
| Physical Security (inherited from AWS) | Operations |
| Privacy | Privacy Office |
| Risk Management | CISO |
| Secure Software Development Lifecycle | Engineering |
| Security Awareness and Training | People Operations |
| Subcontractor and Vendor Management | General Counsel and CISO |
| System Logging and Monitoring | Operations |
| Threat and Vulnerability Management | CISO |
5. Material Controls
5.1 Encryption
Transport Layer Security version 1.3 minimum for all client-facing endpoints. Encryption at rest for all persistent storage using AWS Key Management Service customer-managed keys; the highest-sensitivity vault is backed by AWS CloudHSM (FIPS 140-2 Level 3). Annual automatic key rotation enabled.
5.2 Identity and Access
WebAuthn (FIDO2 hardware key) enforced for all privileged access; Time-based One-Time Password (TOTP) is the only fallback. Just-in-time elevation for operator access to customer-tenant data, time-boxed and fully audited. No standing operator access to Protected Health Information.
5.3 Network
Virtual private cloud isolation; private subnets; no internet egress required for inference traffic. Mutual Transport Layer Security for internal service-to-service communication. AWS Web Application Firewall and AWS Shield Standard on public surfaces.
5.4 Logging and Monitoring
AWS CloudTrail and service-level structured logs to an S3 bucket configured with Object Lock in Compliance mode and a fifteen (15)-year retention. Per-record SHA-256 anchor to the Company's Layer 1 audit ledger ("CourtChain™"). One mechanism satisfies both the HIPAA Security Rule audit-log integrity standard at 45 C.F.R. § 164.312(b) and the Federal Rule of Evidence 902(14) self-authentication standard for civil and criminal evidentiary use.
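The per-record SHA-256 anchoring described above is, at its core, a hash chain: each record's digest covers the previous digest, so altering, reordering or dropping any record changes every later link and the chain head no longer matches the value that was anchored. The following is an added illustration, not the Company's code and not the CourtChain™ API, of how such a chain is built and verified; the sample records, the all-zero genesis value and the function names are constructed for the example, and the external ledger is represented only by the head digest that would be written to it.

```python
import hashlib
import json
from typing import Iterable, List, Tuple

# Constructed starting value for an empty chain (an assumption for this example, not a CourtChain constant).
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, no whitespace) so it always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over (previous digest || canonical record); this is the per-record link."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(record))
    return h.hexdigest()


def build_chain(records: Iterable[dict]) -> List[dict]:
    """Chain records in order; each entry keeps the record, the digest it extends, and its own digest."""
    chain = []
    prev = GENESIS
    for rec in records:
        rec = dict(rec)  # copy so later tampering tests on an entry do not touch the caller's data
        digest = record_hash(prev, rec)
        chain.append({"record": rec, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def chain_head(chain: List[dict]) -> str:
    """The digest that would be anchored externally; verifying against it covers the whole chain."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: List[dict], anchored_head: str) -> Tuple[bool, int]:
    """Recompute every link against the anchored head.

    Returns (True, -1) when intact, (False, i) for the first entry whose link is broken,
    or (False, len(chain)) when every link is self-consistent but the head differs from
    the anchored value (e.g. trailing records were removed).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or record_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if prev != anchored_head:
        return False, len(chain)
    return True, -1


# Constructed CloudTrail-like sample records; values are illustrative only.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-01T00:00:00Z", "eventName": "ConsoleLogin", "userIdentity": "alice"},
    {"eventTime": "2025-01-01T00:05:00Z", "eventName": "AssumeRole", "userIdentity": "alice"},
    {"eventTime": "2025-01-01T00:06:00Z", "eventName": "GetObject", "userIdentity": "alice"},
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    head = chain_head(chain)
    print("anchored head:", head)
    print("intact chain:", verify_chain(chain, head))
    chain[1]["record"]["userIdentity"] = "mallory"  # simulate an edit to a stored record
    print("after edit:", verify_chain(chain, head))
```

Verification recomputes every link from the genesis value forward rather than trusting the stored digests, so the only value that must be protected independently of the log store is the head that was anchored; with Object Lock in Compliance mode holding the records and the head held on the ledger, an edit to either side is detectable from the other.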
5.5 Vulnerability Management
Static application security testing in continuous integration (Snyk). Container vulnerability scans on every image build (AWS Inspector). Critical findings remediated within seven (7) days; high within thirty (30); medium within ninety (90). Annual external penetration test; executive summary released to customers within sixty (60) days of completion.
5.6 Incident Response
Documented Incident Response Plan with named roles, escalation tree, and customer-notification matrix. Sixty (60)-minute customer-notification objective for confirmed Protected Health Information breaches; the statutory floor under 45 C.F.R. § 164.410 is sixty (60) days. Quarterly tabletop exercises; lessons-learned register maintained and reviewed at the annual ISMS management review.
6. Personnel
All personnel with access to production systems undergo a background check at hire commensurate with role sensitivity, sign confidentiality and acceptable-use agreements, and complete security and HIPAA training within seven (7) days of hire and annually thereafter. Role-based training modules apply to engineering, operations, support, and legal roles.
7. Compliance Posture
The Company aligns its program to HIPAA (active), NIST SP 800-53 Rev. 5 Moderate (mapped), ISO 27001:2022 (aligned, certification deferred), HITRUST CSF i1 (engagement letter signed; readiness in flight; cert target Q4 2026), and SOC 2 Type II (twelve-month observation period engaged; report target Q3 2027). The Company is not in scope for PCI DSS (no card primary account number storage), GLBA (no consumer financial data), or GDPR (no EEA data subjects in production scope).
8. Continuous Improvement
The ISMS is reviewed annually for adequacy and effectiveness. Findings from internal audits, third-party assessments, customer-driven assessments, and incident post-mortems feed into the risk register and the policy update cycle. The annual review and management's response are documented and made available to assessors.