Information Security Policy
Updated: January 1, 2026
Approved By: Jennifer Lyssy, CEO
---
## 1. Purpose
The purpose of this Information Security Policy is to establish a comprehensive framework for protecting the confidentiality, integrity, and availability of organizational information, including cardholder data. This policy defines the expectations, responsibilities, and security standards required to protect sensitive data and comply with PCI DSS requirements.
---
## 2. Scope
This policy applies to all employees, contractors, consultants, temporary staff, and any other personnel with access to organizational systems, networks, or data. It applies to all systems and processes that store, process, or transmit cardholder data.
---
## 3. Policy Statement
[Company Name] is committed to maintaining a strong security posture and protecting all sensitive information, including cardholder data. All personnel are required to understand the sensitivity of this data and adhere to security policies and procedures designed to prevent unauthorized access, disclosure, alteration, or destruction.
---
## 4. Information Classification
All information must be classified according to sensitivity:
- **Confidential:** Cardholder data and sensitive authentication data
- **Internal Use:** Non-public business information
- **Public:** Information approved for public release

Confidential data must be protected with the highest level of security controls.

---
## 5. Roles and Responsibilities
### Management
- Establish and enforce security policies and procedures
- Allocate appropriate resources for security initiatives
- Ensure compliance with PCI DSS requirements

### Security Officer / IT Lead
- Maintain and enforce this policy
- Oversee security controls and risk management
- Coordinate incident response and remediation

### Personnel
- Protect sensitive data at all times
- Follow all security policies and procedures
- Report suspected or actual security incidents immediately
- Complete required security awareness training

---
## 6. Access Control
- Access to systems and data must be based on least privilege and business need-to-know
- Unique user IDs must be assigned to all users
- Strong authentication controls must be enforced
- Access rights must be reviewed periodically and revoked when no longer required

---
## 7. Data Protection
- Cardholder data must be protected during transmission and storage using appropriate encryption methods
- Sensitive authentication data must never be stored after authorization
- Physical and logical safeguards must be implemented to prevent unauthorized access

---
## 8. Security Awareness Training
All personnel must complete security awareness training upon hire and at least annually thereafter. Training must include:
- Understanding the sensitivity of cardholder data
- Recognizing threats such as phishing, malware, and social engineering
- Proper handling and protection of sensitive data
- Incident reporting procedures

Ongoing awareness efforts will reinforce secure behaviors and promote a culture of security.

---
## 9. Incident Response
All personnel must report suspected or confirmed security incidents immediately. The organization will:
- Investigate and contain incidents promptly
- Remediate vulnerabilities and prevent recurrence
- Document incidents and lessons learned

---
## 10. System and Network Security
- Firewalls and security controls must be implemented and maintained
- Systems must be regularly updated and patched
- Anti-malware protections must be implemented
- Logging and monitoring must be enabled to detect suspicious activity

---
## 11. Third-Party Service Providers
- All third-party service providers with access to cardholder data must be evaluated for security compliance
- Written agreements must define security responsibilities
- Providers must maintain PCI DSS compliance where applicable

---
## 12. Risk Management
- Security risks must be identified, assessed, and managed on an ongoing basis
- Controls must be implemented to reduce identified risks
- Risk assessments must be performed periodically and after significant changes

---
## 13. Policy Review
This policy will be reviewed at least annually and updated as needed to reflect changes in business operations, technology, or regulatory requirements.
---
## 14. Compliance and Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination, and potential legal consequences.
---
## 15. Acknowledgment
All personnel must acknowledge that they have read, understood, and agree to comply with this policy.
---
## 16. Related Policies
- Security Testing & Monitoring Policy (PCI DSS Requirement 11)
- Acceptable Use Policy
- Incident Response Plan