Security Policy
Last updated: March 2026
1. Our Security Commitment
Security Brigade InfoSec Private Limited ("Security Brigade") is a CERT-In empanelled cybersecurity firm that has been entrusted with securing the systems and data of over 700 enterprise clients since 2006. We recognise that our clients trust us with their most sensitive assets -- vulnerability findings, security assessment data, system architectures, and credentials. Protecting that trust is foundational to our business.
This Security Policy describes the technical and organisational measures we implement to safeguard client data, our internal systems, and the Lemon assessment platform. Our security programme is designed in accordance with ISO 27001 principles, CERT-In advisory standards, and industry best practices.
2. Information Security Governance
Our information security programme is governed by a dedicated Information Security Management System (ISMS) overseen by senior leadership. Key governance elements include:
- Security Leadership: An appointed Chief Information Security Officer (CISO) is responsible for the overall security posture, policy enforcement, and incident response oversight.
- Risk Assessment: We conduct annual enterprise-wide risk assessments and threat modelling exercises, with quarterly reviews of high-risk areas including client data handling and platform infrastructure.
- Policy Framework: We maintain a comprehensive set of information security policies covering data classification, acceptable use, access management, incident response, business continuity, and vendor management. All policies are reviewed and updated at least annually.
- Security Committee: A cross-functional Security Committee meets quarterly to review security metrics, audit findings, emerging threats, and policy changes.
3. Data Classification and Handling
All data processed by Security Brigade is classified according to a tiered scheme:
- Critical: Active vulnerability findings, exploitation artifacts, client credentials, and penetration test evidence. Subject to the highest level of encryption, access restriction, and retention controls.
- Confidential: Assessment reports, SOWs, NDAs, client architecture diagrams, and engagement communications. Encrypted at rest and in transit, access restricted to engagement team members.
- Internal: Operational data, internal methodologies, and team communications. Protected by standard access controls and encryption.
- Public: Marketing content, published advisories, and website content. No access restrictions.
4. Encryption Standards
We employ encryption as a baseline control across all data states:
- Data at Rest: All client data, vulnerability findings, and assessment artifacts are encrypted using AES-256 encryption. Database volumes, file storage, and backups are encrypted with keys managed through a centralised key management system with automated rotation.
- Data in Transit: All communications are encrypted using TLS 1.2 or higher. We enforce HSTS, use strong cipher suites, and disable deprecated protocols (SSL 3.0, TLS 1.0, TLS 1.1). Our Lemon platform and all API endpoints require TLS.
- Report Delivery: Assessment reports containing vulnerability data are delivered through our secure Lemon platform or via PGP-encrypted email. We do not send unencrypted vulnerability data over email.
- Credential Storage: All passwords and authentication tokens are hashed using bcrypt or Argon2 with appropriate work factors. Plaintext credentials are never stored.
5. Access Control
Access to client data and internal systems is governed by the principle of least privilege:
- Role-Based Access Control (RBAC): Team members are granted access only to systems and data necessary for their specific role and current engagement. Access is granted per-engagement and revoked upon conclusion.
- Multi-Factor Authentication (MFA): MFA is mandatory for all internal systems, the Lemon platform, cloud infrastructure consoles, source code repositories, and email accounts. We support hardware security keys (FIDO2/WebAuthn) for privileged access.
- Privileged Access Management: Administrative and root-level access is restricted to a limited set of authorised personnel. Privileged sessions are logged and subject to periodic audit. Just-in-time privilege escalation is used where possible.
- Access Reviews: Formal access reviews are conducted quarterly. Accounts inactive for more than 90 days are automatically disabled. Departing employees have access revoked within 24 hours of their last working day.
- Client Portal Access: Client access to the Lemon platform is controlled per-engagement, with unique credentials, session timeouts, and IP-based access restrictions where requested.
6. Network and Infrastructure Security
Our infrastructure security posture includes the following measures:
- Network Segmentation: Testing environments, client data repositories, and corporate networks are logically and physically segregated. Client engagement environments are isolated from one another to prevent cross-contamination.
- Firewall and IDS/IPS: Perimeter and internal firewalls enforce strict ingress and egress rules. Intrusion detection and prevention systems monitor network traffic for anomalous activity.
- Endpoint Protection: All workstations and servers run endpoint detection and response (EDR) agents with real-time threat monitoring. Portable storage devices are restricted on all corporate endpoints.
- Patch Management: Operating systems and applications are patched in accordance with a defined SLA -- critical patches within 72 hours of release, high-severity patches within 7 days. Patch compliance is tracked and reported monthly.
- Testing Our Own Systems: We conduct regular internal penetration testing and vulnerability assessments on our own infrastructure, including the Lemon platform, using the same rigour we apply to client engagements.
7. Secure Development Practices (Lemon Platform)
Our Lemon assessment platform is developed in accordance with a Secure Software Development Lifecycle (SSDLC):
- Threat modelling during design phase for all new features.
- Mandatory code review by at least one peer before merging, with security-focused review for authentication, authorisation, and data-handling code.
- Automated static analysis (SAST) and dependency vulnerability scanning in the CI/CD pipeline.
- Regular dynamic application security testing (DAST) against staging and production environments.
- No production access for developers -- deployments are automated and require approval from the operations team.
8. Incident Response
Security Brigade maintains a formal Incident Response Plan (IRP) that is tested and updated at least annually. Our incident response process follows NIST SP 800-61 guidelines:
- Detection and Analysis: Centralised log aggregation and SIEM-based monitoring with 24/7 alerting. Anomaly detection rules are tuned quarterly based on the evolving threat landscape.
- Containment: Predefined containment playbooks for common incident types, including compromised credentials, malware, data exfiltration, and unauthorised access. Automated containment actions are triggered for high-confidence alerts.
- Eradication and Recovery: Root cause analysis, system remediation, and validated restoration from clean backups.
- Post-Incident Review: All incidents are followed by a blameless post-mortem. Lessons learned are documented and fed back into policy, training, and detection improvements.
- Client Notification: In the event of an incident affecting client data, we notify affected clients within 72 hours in accordance with GDPR requirements and CERT-In mandatory reporting timelines (6 hours for incidents reportable to CERT-In under the April 2022 directive). Notification includes the nature of the incident, data affected, containment measures taken, and recommended protective actions.
9. Business Continuity and Disaster Recovery
We maintain Business Continuity and Disaster Recovery (BCDR) plans to ensure service availability and data integrity:
- Automated daily backups of all critical systems with geographically distributed storage.
- Recovery Point Objective (RPO) of 24 hours and Recovery Time Objective (RTO) of 4 hours for the Lemon platform.
- Annual BCDR exercises including tabletop simulations and technical failover tests.
- Redundant infrastructure across multiple availability zones.
10. Employee Security
All Security Brigade personnel undergo:
- Background verification checks prior to onboarding, including criminal record checks and employment history validation.
- Mandatory security awareness training during onboarding and refresher training annually, covering phishing, social engineering, data handling, and incident reporting.
- Execution of confidentiality and non-disclosure agreements as a condition of employment.
- Specialised training on secure handling of client vulnerability data for all assessment team members.
- Annual phishing simulations to validate security awareness effectiveness.
11. Third-Party and Vendor Security
All third-party service providers that may access or process client data undergo a formal security assessment before onboarding. Vendors are required to maintain security standards consistent with our own and are bound by data processing agreements. Vendor security posture is reviewed annually.
12. Certifications and Compliance
Security Brigade's security programme aligns with the following standards and frameworks:
- CERT-In Empanelled Information Security Auditing Organisation (continuously since 2008)
- ISO 27001 aligned Information Security Management System
- OWASP Testing Guide and OWASP ASVS for application security assessments
- NIST Cybersecurity Framework for internal security operations
- PTES (Penetration Testing Execution Standard) for engagement methodology
- Team certifications include OSCP, OSCE, CRTP, CEH, ECPT, PEH, and CISEH
13. Data Destruction
Upon expiry of the contractual retention period or upon client request, all client data -- including vulnerability findings, assessment artifacts, credentials, and report drafts -- is securely destroyed. Digital data is overwritten using standards consistent with NIST SP 800-88 (Guidelines for Media Sanitization). Destruction is certified and a confirmation is provided to the client upon request.
14. Reporting Security Concerns
If you believe you have discovered a vulnerability in our systems or have concerns about the security of your data in our custody, please contact us immediately:
Security Team
Email: privacy@securitybrigade.com
We take all security reports seriously and will acknowledge receipt within one business day.