FNBubbles420 Org Information Security Policy

Effective Date: July 1, 2025

1. Purpose & Scope

This Policy establishes requirements for protecting FNBubbles420 Org information assets, systems, and networks against unauthorized access, disclosure, alteration, or destruction. It applies to all volunteers, contractors, and systems under organizational control.

2. Data Classification

All information must be classified by sensitivity:

Public: Approved for public release.
Internal: Organizational use only, minimal risk if disclosed.
Confidential: Personal, financial, or sensitive volunteer data; strict access control.
Restricted: Critical systems credentials, encryption keys; highest protection.

3. Acceptable Use

Volunteers must use organizational IT resources for authorized non-commercial purposes only. Prohibited activities include:

Installing unauthorized software or services.
Accessing or transmitting offensive, illegal, or pirated content.
Bypassing security controls or network restrictions.

4. Access Control

Access to systems and data must follow the principle of least privilege:

Unique user accounts with strong passwords (>=12 characters, mixed-case, symbols).
Multi-factor authentication for all remote and elevated access.
Periodic review and revocation of unused accounts.

5. Encryption & Data Protection

Confidential and Restricted data must be encrypted at rest and in transit using industry-standard algorithms (AES-256, TLS 1.2+). Volunteer devices must enable disk encryption and secure backups.

6. Patch Management

All systems and applications must be updated with security patches within 30 days of release. Critical vulnerabilities require patching within 7 days.

7. Incident Response

Any suspected security incident must be reported immediately to the Information Security Lead via Discord or email. An incident response plan will be activated to contain, investigate, and remediate.

8. Third-Party & Vendor Security

Vendors and external services processing organizational data must demonstrate security controls equivalent to this Policy. Contracts must include data protection clauses.

9. Governing Law & Jurisdiction

This Policy and any disputes shall be governed by Michigan law without regard to conflict of laws principles. Legal action must be brought exclusively in Michigan courts.

10. Review & Amendment

This Policy will be reviewed annually by the Board of Directors. Amendments require majority approval and publication with an updated effective date.