CyberNut Data Security and Privacy Plan

Updated January 1, 2025

Introduction

CyberNut is committed to upholding the highest standards of data security and privacy for all users. Our practices align with the NIST Cybersecurity Framework (v1.1) and evolving industry best practices. This document outlines our safeguards, training, breach-response mechanisms, and data-governance policies.

1. Implementation of Data Security & Privacy Requirements

CyberNut embeds data-privacy and security protocols throughout the entire service life-cycle, adhering to strict operational and compliance guidelines.

2. Safeguards to Protect Personally Identifiable Information (PII)

  • All PII is hashed and anonymized before internal use.
  • Data is encrypted at rest and in transit with industry-standard protocols.
  • Clients can request full data deletion at any time.
  • Default data-retention period is five years (client-configurable).

3. Employee & Sub-contractor Training

  • All employees complete training aligned with the NIST Risk Management Framework.
  • Training is refreshed periodically to cover evolving regulations and risks.
  • CyberNut does not use sub-contractors for data processing.

4. Contractual & Policy Commitments

  • Employees are bound by internal codes of conduct and data-use agreements.
  • A fair-use policy defines roles, access rights, and repercussions for violations.

5. Incident Response & Breach Management

  • AWS CloudWatch monitors logs and triggers incident-response protocols.
  • Affected parties are notified within 24 hours of breach confirmation.
  • Public statements ensure transparency and promote awareness.

6. Data Disposal & Secure Destruction

  • Upon client request, data is fully deleted from production and backups.
  • Secure destruction follows ISO/IEC 27001-aligned practices.

7. Alignment with Industry Policies

  • Internal policies reflect global standards (NIST, ISO 27001, CISA).
  • ISO 27001 certification targeted within 2 years; SOC 2 within 3 years.

NIST Cybersecurity Framework v1.1 Alignment

IDENTIFY

  • Asset Management: Serverless architecture on AWS Lambda, EC2, and API Gateway with secure provisioning and regular backups.
  • Business Environment: Clearly defined mission, appointed DPO, streamlined communication and response protocols.
  • Governance: Compliant with all applicable laws and regulations.
  • Risk Assessment: Regular risk-appetite assessments and proactive mitigation.
  • Risk Management Strategy: Operational risk decisions aligned with tolerances.
  • Supply-Chain Risk Management: No reliance on third-party data processors.

PROTECT

  • Access Control: Role-based access, least-privilege, MFA enforced.
  • Training: Mandatory cybersecurity modules per employee role.
  • Data Security: Encryption, backup, and multi-AZ strategies.
  • Policies & Procedures: Based on NIST, ISO 27001, CISA guidance.
  • Protective Technology: AWS-managed physical infrastructure.

DETECT

  • Anomalies & Events: Continuous monitoring with AWS CloudWatch.
  • Continuous Monitoring: Automated log analysis and alerts.
  • Detection Processes: AWS-managed detection pipeline.

RESPOND

  • Response Planning: DPO-led procedures ensure rapid escalation and containment.
  • Communications: Built-in stakeholder and law-enforcement coordination.
  • Analysis & Mitigation: Root-cause analysis and containment strategies.
  • Improvements: Continuous improvement cycles post-incident.

RECOVER

  • Recovery Planning: Distributed cloud infrastructure with daily backups supports continuity.
  • Improvements: Lessons-learned phase integrated into recovery operations.
  • Communications: CSIRT engagement coordinated by the DPO.