1. Purpose

The purpose of this Information Security Policy is to protect Casey Logistics Inc.’s information assets from all internal, external, deliberate, or accidental threats. This policy establishes guidelines to ensure the confidentiality, integrity, and availability of information, systems, and infrastructure that support business operations.
________________________________________

2. Scope

This policy applies to all employees, contractors, vendors, and third-party partners who access, store, process, or transmit Casey Logistics Inc.’s information. It covers all forms of information, including electronic, physical, and verbal communication, as well as all information systems, networks, and devices.

3. Policy Statements

3.1 Access Control

• Access to Casey Logistics Inc.’s systems and data shall be granted based on the principle of least privilege (POLP).
• User accounts must be authenticated through secure methods, such as strong passwords and multifactor authentication (MFA).
• Access rights must be reviewed regularly and updated when roles or employment statuses change.

3.2 Data Classification and Handling

• All information must be classified as “Confidential,” “Internal Use,” or “Public.”
• Sensitive data (e.g., customer information, financial records, trade secrets) must be encrypted during transmission and storage.
• Physical documents containing sensitive information must be securely stored and shredded when no longer needed.

3.3 Network and System Security

• Firewalls, intrusion detection/prevention systems (IDS/IPS), and antivirus software must be implemented and regularly updated.
• Regular vulnerability assessments and penetration tests shall be conducted.

3.4 Incident Response

• All security incidents must be reported immediately to the Information Security Team.
• A formal incident response plan shall be maintained, including roles, escalation procedures, and post-incident reviews.

3.5 Employee Responsibilities

• Employees must complete annual cybersecurity training.
• Employees shall report phishing attempts, suspicious emails, or any security anomalies.
• Personal devices used for work must adhere to company security standards.

3.6 Third-Party Security

• Vendors and contractors must adhere to Casey Logistics Inc.’s security requirements.
• Contracts with third parties must include security clauses and data protection agreements.

3.7 Data Backup and Recovery

• Regular backups must be conducted and stored in secure, offsite locations.
• Backup integrity must be tested periodically.
• A disaster recovery plan must be maintained to ensure business continuity.
________________________________________

4. Policy Enforcement

• Violations of this policy may result in disciplinary action, up to and including termination of employment or contracts.
• Non-compliance by third parties may result in contract termination or legal action.
________________________________________

5. Governance and Review

• This policy will be reviewed annually by the Information Security Team and updated as necessary to address new threats or changes in business operations.

• Feedback and recommendations are welcome and should be directed to the Information Security Team.

6. Definitions

• Confidential Information: Data that could cause significant harm if disclosed.
• Least Privilege: Limiting user access to the minimum necessary to perform their job functions.
• Incident: Any event that threatens the confidentiality, integrity, or availability of information.

7. Approval

This policy is approved by senior management and is effective as of October 2, 2024

Authorized by:
Jay W. Casey
Casey Logistics Inc.