Security Policy
Last Updated: May 2026
Overview
COMNEXIA Corporation ("COMNEXIA," "we," "us," or "our") has been protecting client infrastructure and data for over 35 years. Security is not an add-on to our services; it is foundational to everything we do. This Security Policy outlines the measures we take to safeguard client data, infrastructure, and information systems against unauthorized access, disclosure, alteration, and destruction.
As a managed service provider serving over 2,000 businesses, we understand that our clients entrust us with their most critical technology assets. We take that responsibility seriously and maintain rigorous security practices across every aspect of our operations.
Data Protection
Encryption
- Data in Transit: All data transmitted between COMNEXIA systems and client environments is encrypted using TLS 1.2 or higher
- Data at Rest: Client data stored on COMNEXIA-managed systems is encrypted using AES-256 or equivalent industry-standard encryption
- Backup Encryption: All backup data is encrypted both during transfer and at rest in storage repositories
Access Controls
- Role-Based Access: Access to client systems and data is granted on a strict need-to-know basis using role-based access controls (RBAC)
- Multi-Factor Authentication: MFA is required for all administrative access to client environments and internal COMNEXIA systems
- Privileged Access Management: Elevated access is time-limited, logged, and subject to regular review
- Account Lifecycle: Access is promptly revoked when employees change roles or leave the organization
Data Handling
- Data Classification: Client data is classified by sensitivity and handled according to its classification level
- Data Retention: We retain client data only as long as necessary to fulfill service obligations or comply with legal requirements
- Secure Disposal: When data is no longer needed, it is securely erased using methods that prevent recovery
Infrastructure Security
Network Security
- 24/7 Monitoring: Our network operations team continuously monitors client and internal infrastructure for threats and anomalies
- Firewall Management: Enterprise-grade firewalls are deployed and maintained with regularly updated rule sets
- Intrusion Detection & Prevention: IDS/IPS systems are deployed to detect and block malicious activity in real time
- Network Segmentation: Client environments are logically segmented to prevent lateral movement in the event of a breach
Endpoint Protection
- Managed Detection & Response: All managed endpoints are protected with advanced EDR solutions that provide real-time threat detection and automated response
- Anti-Malware: Industry-leading anti-malware solutions are deployed and kept current across all managed devices
- Device Compliance: Managed devices are continuously assessed for compliance with security baselines
Patch Management
- Regular Patching: Critical security patches are evaluated and deployed within defined SLA windows
- Vulnerability Scanning: Regular vulnerability assessments identify and prioritize remediation of security weaknesses
- Third-Party Software: We track and update third-party applications to address known vulnerabilities
Employee Security
- Background Checks: All COMNEXIA employees with access to client systems undergo thorough background screening prior to employment
- Security Awareness Training: Employees complete security awareness training upon hire and participate in ongoing training throughout their tenure
- Phishing Simulations: Regular simulated phishing exercises test and reinforce employee vigilance against social engineering attacks
- Need-to-Know Access: Employees are granted the minimum level of access required to perform their job functions
- Acceptable Use Policy: All employees acknowledge and adhere to our acceptable use and information security policies
- Confidentiality Agreements: Employees sign confidentiality and non-disclosure agreements as a condition of employment
Incident Response
COMNEXIA maintains a documented Incident Response Plan that defines our procedures for identifying, containing, eradicating, and recovering from security incidents. Our incident response process includes:
- Detection & Triage: Security events are detected through monitoring systems and triaged by severity to determine the appropriate response level
- Containment: Affected systems are isolated to prevent further damage while preserving forensic evidence
- Investigation: Our security team conducts a thorough investigation to determine the root cause, scope, and impact of the incident
- Eradication & Recovery: Threats are removed and affected systems are restored to a known-good state
- Client Notification: Affected clients are notified promptly in accordance with our contractual obligations and applicable regulations, typically within 24 to 72 hours of confirmed incident identification
- Post-Incident Review: Every significant incident undergoes a post-mortem review to identify improvements and prevent recurrence
Compliance
COMNEXIA aligns its security practices with recognized industry standards and frameworks, including:
- NIST Cybersecurity Framework (CSF): Our security program is structured around the NIST CSF core functions: Identify, Protect, Detect, Respond, and Recover
- CIS Controls: We implement the Center for Internet Security (CIS) Critical Security Controls as a baseline for our managed environments
- NIST 800-171: Where applicable, we follow NIST SP 800-171 guidelines for protecting controlled unclassified information
- Industry-Specific Requirements: We work with clients to meet sector-specific compliance requirements, including those for automotive dealerships, financial services, and legal firms
We regularly review and update our security practices to stay aligned with evolving standards and emerging threats.
Physical Security
- Office Access: COMNEXIA office facilities are secured with controlled access systems and visitor management procedures
- Data Center Security: Infrastructure hosted in data centers benefits from multi-layered physical security including biometric access, 24/7 video surveillance, and on-site security personnel
- Equipment Disposal: Retired hardware is sanitized or destroyed in accordance with NIST 800-88 guidelines before disposal
- Clean Desk Policy: Employees are required to secure sensitive materials and lock workstations when away from their desks
Third-Party Vendors
COMNEXIA carefully evaluates the security posture of all third-party vendors and partners before engaging their services. Our vendor management process includes:
- Security Assessments: Vendors with access to client data undergo security reviews prior to onboarding and periodically thereafter
- Contractual Safeguards: Vendor agreements include data protection requirements, confidentiality obligations, and incident notification provisions
- Ongoing Monitoring: We monitor vendor compliance with security requirements throughout the duration of the relationship
- Least Privilege: Vendor access is limited to the minimum necessary to deliver their services and is revoked upon contract termination
Changes to This Policy
We may update this Security Policy periodically to reflect changes in our practices, technologies, or regulatory requirements. We will post the updated policy on our website with a revised "Last Updated" date.
Contact Information
If you have questions about this Security Policy, wish to report a security concern, or need to notify us of a potential vulnerability, please contact us:
COMNEXIA Corporation
590 W Crossville Road, Suite 201
Roswell, GA 30075
Phone: (877) 600-6550
Email: info@comnexia.com
Monday to Friday: 8:30 AM to 5:30 PM EST