Information Security Policy
Purpose
This Information Security (Infosec) Policy outlines the measures Two Dudes Photo LLC implements to protect sensitive data, including client information, photographs, and business records. Our goal is to ensure confidentiality, integrity, and availability of all data while complying with applicable laws and regulations.
Scope
This policy applies to all employees, contractors, and third-party vendors who handle Two Dudes Photo’s data, systems, or equipment. It covers all forms of data, including digital files, physical records, and communications.
Policy Statements
1. Data Protection
Client Data: All client information (e.g., names, contact/event details) and photographs are considered confidential and must be stored securely
Encryption: Sensitive data, including client photos and personal information, must be encrypted during storage and transmission using industry-standard protocols (e.g., AES-256 for storage, TLS for transfers)
Access Controls: Access to sensitive data is restricted to authorized personnel only. Employees must use unique, strong passwords for every account and enable multi-factor authentication (MFA) on every system that supports it
2. Device and System Security
Company Devices: All company-owned devices (e.g., laptops, tablets) must be protected by a strong password or passcode, lock automatically when idle, use full-disk encryption, and run up-to-date antivirus software
Software Updates: All systems and software, including editing tools and cloud storage platforms, must be regularly updated to address security vulnerabilities
Personal Devices: Personal devices used for work must meet the same security standards as company devices, including encryption and antivirus protection
3. Data Storage and Backup
Secure Storage: Digital files must be stored on secure, encrypted platforms (e.g., cloud services with end-to-end encryption)
Backup Procedures: Data must be backed up regularly (at least weekly) to a secure, encrypted location
Physical Security: Physical records and storage devices must be kept in a locked, access-controlled location when not in use
4. Data Sharing and Third-Party Vendors
Client Consent: Client photographs or data may only be shared with third parties with explicit client consent or as required by contract
Vendor Agreements: All third-party vendors must sign agreements ensuring they meet Two Dudes Photo’s security standards and comply with data protection laws
Secure Sharing: Data shared externally must be transmitted via secure methods (e.g., encrypted file transfer services or password-protected links, with the password sent to the recipient through a separate channel rather than alongside the link)
5. Employee Responsibilities
Incident Reporting: Employees must report any suspected security incidents (e.g., data breaches, lost devices, phishing attempts) to management immediately
Confidentiality: Employees must not disclose sensitive client or business information to unauthorized parties
6. Incident Response
Immediate Action: In the event of a security incident, Two Dudes Photo will isolate affected systems, assess the scope, and make any legally required notifications within the applicable deadlines (e.g., notifying the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where GDPR applies)
Investigation: All incidents will be investigated to determine the cause and prevent recurrence. Findings will be documented and shared with relevant stakeholders
Client Notification: If client data is compromised, affected clients will be informed promptly with details of the incident and steps taken to mitigate risks
7. Compliance and Review
Legal Compliance: Two Dudes Photo will comply with all applicable data protection laws, such as GDPR, CCPA, and other regional regulations, depending on client location
Policy Review: This policy will be reviewed and updated annually or as needed to address new threats, technologies, or legal requirements
Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination, and potential legal consequences. Third-party vendors who violate this policy may face contract termination.
Contact
For questions or to report a security concern, contact Two Dudes Photo management at info@twodudesphoto.com.
Last Updated: June 10, 2025