Information Security Policy

Effective date: 1 January 2026 · Last reviewed: 1 January 2026 · Version: 3.0

This Information Security Policy describes the security controls that AutoCyber AI Pty Ltd (ABN 22 697 087 166) applies to protect the confidentiality, integrity, and availability of information entrusted to us. It is aligned with ISO/IEC 27001:2022, ISO/IEC 27002:2022, NIST Cybersecurity Framework 2.0, the OWASP Top 10 (2025), and the OWASP ASVS / SAMM programmes.

1. Purpose & Scope

This policy sets the minimum security baseline for all systems, software, and data operated by AutoCyber AI, including our public website, internal corporate systems, customer-facing AI products (WASA AI, NAD AI, Spark AI, SecureEasy AI), and the CRP™ reference implementation. It applies to all directors, employees, contractors, and authorised third parties.

2. Governance & Roles

  • Accountable owner: Director, AutoCyber AI Pty Ltd.
  • Responsible: Security Officer (delegated by the Director).
  • Consulted: Privacy Officer, AI Governance Officer, Legal.
  • Informed: All personnel, customers under MSA/DPA, regulators where required.

We operate a documented information-security management system (ISMS) aligned with ISO/IEC 27001:2022 Clauses 4–10, including risk-based decision-making, management review, internal audit, and continual improvement.

3. Security Principles

  • Secure by design and by default.
  • Defence in depth across people, process, and technology.
  • Least privilege and need to know.
  • Zero trust for network and identity boundaries.
  • Privacy by design (GDPR Art. 25).
  • Local-first AI — minimise cloud dependency and data egress.
  • Transparency and auditability — tamper-evident logs.

4. OWASP Top 10 (2025) Control Mapping

The following table maps each OWASP Top 10 (2025) category to the primary controls we operate. Detailed control implementations are maintained in our internal Statement of Applicability (SoA).

| OWASP (2025) | Primary controls |
| --- | --- |
| A01 Broken Access Control | RBAC, attribute-based access for sensitive data, deny-by-default, server-side authorisation enforcement, periodic access reviews, MFA on all admin systems. |
| A02 Cryptographic Failures | TLS 1.3, HSTS, AES-256 at rest, modern AEAD ciphers, key rotation, HSM/KMS-backed signing, no SHA-1/MD5. |
| A03 Injection | Parameterised queries, prepared statements, input validation at boundaries, output encoding, prompt-injection mitigations for AI features (see CRP Safety Policy). |
| A04 Insecure Design | Threat modelling for every new feature (STRIDE / LINDDUN), security requirements in design, secure design patterns from OWASP ASVS L2/L3. |
| A05 Security Misconfiguration | Hardened baselines, infrastructure as code, immutable images, secret scanning, configuration drift detection. |
| A06 Vulnerable & Outdated Components | SBOM for every release, automated dependency scanning, vulnerability triage SLAs (Critical < 72h, High < 7d), supply-chain attestations (SLSA). |
| A07 Identification & Authentication Failures | Phishing-resistant MFA (FIDO2/WebAuthn) for admins, modern password hashing (Argon2id), session rotation, rate limiting, lockout policies. |
| A08 Software & Data Integrity Failures | Signed artefacts, SLSA build provenance, code signing, verified deployments, integrity monitoring of critical files and audit trails. |
| A09 Security Logging & Monitoring Failures | Centralised logging, immutable storage, alerting on suspicious events, retention aligned with regulatory needs, tamper-evident audit chain. |
| A10 Server-Side Request Forgery (SSRF) | Egress allow-listing, metadata-endpoint blocking, URL validation, no raw URL passthrough, defence-in-depth network segmentation. |

5. OWASP for LLM Applications (2025)

Because we ship AI products, we also implement controls from the OWASP Top 10 for LLM Applications (2025) — including LLM01 Prompt Injection, LLM02 Insecure Output Handling, LLM03 Training Data Poisoning, LLM04 Model Denial-of-Service, LLM05 Supply Chain, LLM06 Sensitive Information Disclosure, LLM07 Insecure Plugin Design, LLM08 Excessive Agency, LLM09 Overreliance, and LLM10 Model Theft. See our AI Policy for AI-specific governance and the CRP™ Safety Case for technical mitigations.

6. Asset & Data Classification

  • Public — website content, published docs.
  • Internal — corporate process documents, internal source code.
  • Confidential — customer data, design documents, security logs.
  • Restricted — secrets, signing keys, personal data subject to GDPR Art. 9 / customer PII at scale.

7. Secure Software Development Lifecycle (SSDLC)

  • Security requirements captured per OWASP ASVS L2 (L3 for highest-risk components).
  • Threat modelling for every new feature with security impact.
  • Mandatory code review for all changes; no self-approval on security-sensitive code.
  • SAST, DAST, secret-scanning, and software-composition analysis in CI.
  • Branch protection, signed commits where feasible, reproducible builds.
  • Penetration testing by qualified third parties at least annually for production systems.

8. Vulnerability Management & Patching

  • Continuous vulnerability scanning of infrastructure, dependencies, and container images.
  • Triage SLAs: Critical within 72 hours, High within 7 days, Medium within 30 days, Low at next release.
  • Coordinated disclosure programme — see §13 Responsible Disclosure.

9. Identity & Access Management

  • Phishing-resistant MFA (FIDO2/WebAuthn) for all administrative access.
  • Just-in-time elevation for sensitive operations; no standing privileged access where avoidable.
  • Quarterly access reviews; same-day revocation on role change or off-boarding.
  • Service-to-service auth via short-lived tokens; no long-lived credentials in code or images.

10. Network & Endpoint Security

  • Zero-trust network access; segmentation by environment and data class.
  • Endpoint protection with EDR on all corporate devices.
  • Disk encryption (FileVault/BitLocker/LUKS) mandatory.
  • Egress filtering and DNS-layer threat blocking.

11. Cryptography & Key Management

  • TLS 1.3 (minimum 1.2 with hardened cipher suites) for all in-transit data.
  • AES-256-GCM or equivalent AEAD for data at rest.
  • HSM- or KMS-backed key custody with documented rotation schedules.
  • No use of deprecated algorithms (MD5, SHA-1, RC4, DES, 3DES, RSA < 2048, ECDSA < P-256).

12. Logging, Monitoring & Incident Response

  • Centralised, tamper-evident logging of security events with append-only storage.
  • 24/7 alerting on prioritised security signals.
  • Documented incident response playbook; tabletop exercises at least annually.
  • Breach notification within statutory deadlines — 72 hours under GDPR Art. 33, the Australian Notifiable Data Breaches scheme, and applicable customer DPAs.

13. Responsible Disclosure

We welcome reports of suspected security vulnerabilities. Please email security@autocyberai.com with a clear description, reproduction steps, and proposed CVSS score where possible. We will acknowledge within 2 business days and provide a remediation plan within 10 business days for confirmed reports. Please act in good faith, do not exfiltrate data, and respect user privacy. We will not pursue legal action against good-faith researchers.

14. Third-Party & Supply-Chain Risk

  • Vendor risk assessment before onboarding; periodic re-assessment.
  • DPAs and security addenda with all sub-processors handling personal or confidential data.
  • Critical-vendor concentration risk reviewed in management review.
  • Supply-chain integrity controls aligned with SLSA Level 3 targets.

15. Business Continuity & Resilience

  • Documented backup and restore procedures, tested quarterly.
  • Recovery objectives appropriate to data classification.
  • Geographic redundancy for production services where feasible.

16. People Security & Training

  • Background checks where lawful and proportionate.
  • Confidentiality and acceptable-use obligations in every employment / contractor agreement.
  • Annual security awareness and phishing-resistance training.
  • Role-specific training (secure coding, AI governance, privacy) for relevant personnel.

17. Compliance & Mappings

This policy maps to and supports compliance with ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO/IEC 27701:2019 (Privacy Information Management), NIST CSF 2.0, NIST SP 800-53 Rev. 5, SOC 2 Trust Services Criteria, and the security obligations of the GDPR Art. 32, the Australian Privacy Act, and the EU AI Act for high-risk AI systems (Articles 9, 12, 15).

18. Review

This policy is reviewed at least annually and upon material change to risk, technology, or regulation.

19. Contact

Document control

Owner: Security Officer · Approver: Director · Review cadence: annually or upon material change · Next review: January 2027.