Madison, Wisconsin
Powderkeg Web Design

Powderkeg Security Policy

1. Purpose

This Information Security Policy establishes the framework and principles by which Powderkeg Web Design protects the confidentiality, integrity, and availability of its information assets. It provides a consistent set of requirements and guidelines to safeguard data, systems, and people from security threats.

2. Scope

This policy applies to all employees, contractors, consultants, temporary workers, and third-party service providers of Powderkeg Web Design, as well as all information systems, networks, devices, and data owned, leased, or managed by the company.

3. Roles & Responsibilities

  • Security Team / Department Managers: Maintain technical controls, perform vulnerability assessments, and monitor security events; ensure team compliance, enforce access controls, and report security incidents.
  • Employees & Contractors: All Powderkeg Web Design employees and contractors adhere to policy requirements, complete security training, and promptly report incidents.

4. Access Control

  • Authentication:
    • Passwords must meet complexity requirements (minimum 12 characters, mix of letters, numbers, symbols).
    • Multi-factor authentication (MFA) is mandatory for remote access and privileged accounts.
  • Authorization:
    • Access is granted on a least-privilege basis, reviewed quarterly.
    • Role-Based Access Control (RBAC) defines permissions per job function.
  • Onboarding/Offboarding:
    • New accounts provisioned only upon manager approval.
    • Departing employees’ access revoked within 24 hours of termination.

5. Data Classification & Handling

  • Classification Levels:
    • Public: Information approved for public release.
    • Internal: Non-sensitive information for internal use.
    • Confidential: Sensitive business data requiring protection.

6. Network & System Security

  • Perimeter Defense: Firewalls are configured to deny all inbound traffic by default, allowing only approved services.
  • Patch Management: Critical patches are applied within 10 business days. Updates that exceed the threshold set by IT are installed automatically.
  • Malware Protection: A server-side solution that works alongside an MDM. Updates are managed centrally by the server and pushed to endpoints as soon as they are available.

7. Incident Response & Reporting

  • Detection & Reporting:
    • All employees must report suspected security events immediately to the IT Security Team.
  • Response Procedures:
    • Incident Response Team assembles within 1 hour of detection.
    • Containment, eradication, and recovery steps documented in an Incident Report.
  • Post-Incident Review:
    • Conduct root cause analysis within 5 business days.
    • Implement corrective actions and update policies as needed.

8. Physical Security

  • Facility Access: Badge-based entry; guest sign-in required.
  • Device Security: Laptops and mobile devices are protected by PIN or biometric authentication.
  • Asset Inventory: Maintain an up-to-date register of all hardware assets.

9. Training & Awareness

  • Onboarding Training: All new hires complete security awareness training within 30 days.
  • Ongoing Education: Mandatory phishing simulations and refresher courses at least twice per year.