Information Security Policy 

Effective Date: June 11, 2025 

Statement of Policy. 

Carey Consultants Inc. ("Employer") is committed to the highest standard of information security. In doing so, the Employer implements this Information Security Policy ("Policy") to communicate effectively to its employee base the proper way to identify, categorize, and handle different levels of secured information. 

This Policy applies to all employees and contractors of Carey Consultants Inc. This Policy also applies to all individuals and others who use the Employer's resources, including but not limited to contractors, temporary employees and volunteers. This Policy is not intended to restrict communications or actions protected or required by applicable law. 

As such, everyone listed above is expected to: 
(a) Read, understand, and follow the Policy. You must seek guidance from your manager or other designated Employer resources before taking any actions that create information security risks or otherwise deviate from the Policy's requirements. The Employer may treat any failure to seek and follow such guidance as a violation of this Policy. 
(b) Keep this Policy confidential. 

Do not share this Policy with any person or entity within or outside of Carey Consultants Inc. unless authorized by the information security coordinator. The information security coordinator maintains a set list of approved persons and entities to whom this Policy can be shown. It is the information security coordinator's responsibility to oversee, evaluate, and assess person and entity risks before granting permission for the Policy to be shared. 

Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, authorized partners, and any others accessing or using our information assets. 

Definitions. 

For the purpose of this Policy, 
Publicly Available: 
Information the Employer has made available to the general public. Information received from another party, including customers, that is covered under a currently signed Non-Disclosure Agreement must not be classified or treated as public information. 

Confidential Information: 

Information that may cause harm to the Employer, its customers, employees, or other individuals if improperly disclosed or that is not otherwise publicly available. 

Restricted Information: 

Information that may cause serious and potentially irreparable harm to the Employer, its customers, employees, or other entities or individuals if disclosed or used in an unauthorized manner. 

Scope. 

This Policy provides detailed information security guidance that you must follow in addition to any other relevant documentation, including an Employee Code of Conduct and Employee Handbook. This Policy covers all written, verbal, and digital information held, used, or transmitted by or on behalf of the Employer, irrespective of media. This includes, but is not limited to: 
(a) Pay records; 
(b) Hand-held devices; 
(c) Telephones; 
(d) Information stored on computer systems; 
(e) Information passed on verbally. 

The information covered in this Policy may include: 
(a) Personal data relating to, but not limited to, staff, customers, clients or suppliers; 
(b) Other business information; and 
(c) Confidential, classified, restricted, and publicly available information. 


Guiding Principles. 

The Employer follows these guiding principles when developing and implementing information security controls: 
(a) Carey Consultants Inc. strives to protect the confidentiality, integrity, and availability of its information assets and those of clients/customers. 
(b) We will comply with applicable information security, privacy, and data protection laws. 
(c) We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk. 
(d) We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and at the least level of privilege necessary to perform their assigned functions. 

Responsibilities. 

The Employer and its leadership recognize the need for a strong information security program. 
To meet this goal, all workforce members must: 

(a) Understand the information classification levels defined in this Information Security Policy. 
(b) As appropriate, classify the information for which one is responsible accordingly. 
(c) Access information only as needed to meet legitimate business needs. 
(d) Not divulge, copy, release, sell, loan, alter, or destroy any information without a valid business purpose and/or authorization. 

Classification Levels. 

Maintenance of this Policy is the responsibility of the Employer's information security coordinator. The use of this Policy has been approved by Carey Consultants Inc.'s executives/board members. It is the responsibility of the information security coordinator to ensure that the Policy is reviewed at least annually and remains consistent. This Policy is enforced by the information security coordinator and the appropriate team within Carey Consultants Inc. 

The Employer has established a classification scheme to protect information according to risk levels. The information classification scheme allows the Employer to select appropriate security controls and balance protection needs with costs and business efficiencies. 

The classification levels are: 
(a) Restricted Information 
(b) Confidential Information 
(c) Publicly Available 
 
Restricted Information
 
The following information is classified as restricted: 
- Social Security number 
- Bank account number 
- Driver's license number 
- State identity card number 
- Credit card number 
- Protected health information (as defined by HIPAA) 

Sharing restricted information within the Employer may be permissible if necessary to meet the Employer's legitimate business needs. Except as otherwise required by law (or for purposes of sharing between law enforcement officers), no restricted information may be disclosed to parties outside the Employer, including contractors, without the proposed recipient's prior written agreement (i) to take appropriate measures to safeguard the confidentiality of the restricted information; (ii) not to disclose the restricted information to another party for any purpose absent the Employer's prior written consent or a valid court order or subpoena; and (iii) to notify the Employer in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification. In addition, the proposed recipient must abide by the requirements of this Policy. 

Confidential Information 
 
Employer information is classified as confidential if it falls outside the restricted classification but is not intended to be shared freely within or outside the company, due to its sensitive nature and/or contractual or legal obligations. Examples of confidential information include all non-restricted information contained in personnel files, misconduct and law enforcement investigation records, internal financial data, donor records, and education records (as defined by FERPA). 
 
Sharing of confidential information may be permissible if necessary to meet the Employer's legitimate business needs. Unless disclosure is required by law (or for purposes of sharing between law enforcement entities), when disclosing confidential information to parties outside the Employer, the proposed recipient must agree (i) to take appropriate measures to safeguard the confidentiality of the information; (ii) not to disclose the information to another party for any purpose absent the Employer's prior written consent or a valid court order or subpoena; and (iii) to notify the Employer in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification. In addition, the proposed recipient must abide by the requirements of this Policy. 

Publicly Available
 
Employer information is classified as publicly available if it is intended to be made available to anyone inside and outside of Carey Consultants Inc. 
 
Acceptable Use Policy.
 
The Employer provides employees and others with network resources and systems to support business requirements and functions. This section limits how you may use the Employer's information assets and explains the steps you must take to protect them. 

If you have any questions regarding the acceptable use of resources, please discuss them with your manager or contact the information security coordinator for additional guidance.
 
General Use of Information Technology Resources.
 
The Employer provides network resources and systems for business purposes. Any incidental non-business use of the Employer's resources must be for personal purposes only. Do not use the Employer's resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with Carey Consultants Inc. 

Do not use the Employer's resources in a manner that negatively impacts your job performance or impairs others' abilities to do their jobs. The Employer's network and systems are subject to monitoring. 

Do not use the Employer's network or systems for activities that may be deemed illegal under applicable law. If the Employer suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved. 

Prohibited Activities. 

The Employer prohibits using resources to engage in activities such as (but not limited to) the following: 
(a) Hacking, spoofing, or launching denial of service attacks; 
(b) Gaining or attempting to gain unauthorized access to others' networks or systems; 
(c) Sending fraudulent email messages; 
(d) Distributing or attempting to distribute malicious software (malware); 
(e) Using or attempting to use spyware or other unauthorized monitoring or surveillance tools; 
(f) Committing criminal acts such as terrorism, fraud, or identity theft; 
(g) Downloading, storing, or distributing materials in violation of another's copyright; 
(h) Uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media; 
(i) Distributing jokes, chain letters, commercial solicitations, hoax emails, or other messages (spamming); 
(j) Using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities; and 
(k) Taking or distributing unlicensed or pirated software. 

The Employer may block or limit access to particular services, websites, or other internet-based functions according to risks and business value. Recognize that inappropriate or offensive websites may still be reachable, and do not access them using the Employer's resources. 

General Internet Use.

Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) to business purposes or as otherwise permitted by this Policy. Internet use must comply with this Policy. Never use internet peer-to-peer file-sharing services, given the risks to the Employer's information assets they create. 


Website and Server security

Measures to protect the careyconsultants.com website from cyber attacks, data breaches, and other online threats ensure the safety of website visitors, protect sensitive data, and maintain the reputation of the website. 
These measures include: 
(a) Using strong passwords and multi-factor authentication. 
(b) Implementing a Web Application Firewall (WAF). 
(c) Using SSL/TLS encryption to secure web traffic. 
(d) Regularly monitoring and updating software and security patches. 
(e) Conducting regular security audits. 

Encryption
 
GnuPG is encryption software that uses public-key cryptography. Messages and sensitive data are encrypted using a "public key"; however, they can only be decrypted by the matching "private key", which is retained by the intended recipient of the message. 
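Worked example added here (not part of the original policy, and not Carey Consultants' own tooling): a shell script that carries out the exchange the paragraph describes with GnuPG, using throwaway keyrings, a constructed recipient address (recipient@example.invalid) and a constructed sample file, and checking that a keyring holding only the public key cannot decrypt what it encrypted.

```shell
#!/bin/sh
# Added example, not part of the Carey Consultants policy: a GnuPG round trip
# demonstrating the public/private key split described above. Assumes gpg
# (GnuPG 2.1 or later) is installed. Every keyring lives in a throwaway
# directory, so the caller's real keyring is never touched.
set -eu

# Stop the gpg-agent tied to a throwaway keyring and delete the keyring.
cleanup_home() {
    GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

gpg_roundtrip() {
    work="$(mktemp -d)"
    uid="recipient@example.invalid"   # constructed address, not a real mailbox

    # 1. Recipient generates a key pair; the private key stays in this keyring.
    export GNUPGHOME="$work/recipient"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Recipient <$uid>" default default never
    # 2. Only the public key is exported for senders to use.
    gpg --batch --quiet --armor --export "$uid" > "$work/recipient.pub.asc"

    # 3. Sender imports the public key and encrypts a constructed sample file.
    export GNUPGHOME="$work/sender"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$work/recipient.pub.asc"
    printf 'constructed sample: account 0000-0000\n' > "$work/report.txt"
    gpg --batch --quiet --trust-model always --recipient "$uid" \
        --output "$work/report.txt.gpg" --encrypt "$work/report.txt"

    # 4. The sender's keyring holds no private key, so decryption must fail.
    if gpg --batch --quiet --decrypt "$work/report.txt.gpg" >/dev/null 2>&1; then
        echo "unexpected: sender keyring could decrypt" >&2
        return 1
    fi

    # 5. The recipient's keyring, which holds the private key, decrypts it.
    export GNUPGHOME="$work/recipient"
    gpg --batch --quiet --decrypt "$work/report.txt.gpg" > "$work/report.out"
    cmp -s "$work/report.txt" "$work/report.out" || return 1

    cleanup_home "$work/sender"
    cleanup_home "$work/recipient"
    rm -rf "$work"
    unset GNUPGHOME
    echo "round trip OK"
}

if command -v gpg >/dev/null 2>&1; then
    gpg_roundtrip    # prints "round trip OK"
else
    echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

The same steps apply when encrypting a file before emailing it, as the Communications and Transfer of Information section requires: the sender needs only the recipient's exported public key.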

Email and Social Media. 

Do not disclose confidential or restricted information to unauthorized parties on blogs or social media, or transmit it in unsecured emails or instant messages. 

Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake. Email signatures should be professional, appropriate for your business role, and not long or complex. 

Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content. Attackers frequently use these methods to transport viruses and other malware. Be cautious, even if messages appear to come from someone you know, because attackers can easily spoof email senders. The Employer may block some attachments or emails based on risk. 
Do not respond to an email or other message that requests confidential or restricted information unless you have separately verified and are certain of its origin and purpose. Even then, always protect confidential or restricted information as described in this Policy. 

If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact the information security coordinator immediately and before interacting with the message. Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages. 

Communications and Transfer of Information.
 
Staff must abide by the following when communicating about work-related matters and when transferring work-related data: 


(a) When speaking in public places (e.g., when speaking on a mobile phone), staff must maintain confidentiality. 
(b) Confidential information must be marked "strictly private and confidential" and circulated only to those who need to know the information in the course of their work. 
(c) Confidential information must not be removed from the Employer's offices (or systems) unless required for authorized business purposes, and then only in accordance with the subsequent paragraph.
(d) If the removal of confidential information from the Employer's offices is permitted, all reasonable steps must be taken to maintain the confidentiality and integrity of the information. This includes, but is not limited to, staff ensuring that confidential information is: (i) Stored with strong password protection, with devices and files kept locked when not in use; (ii) Not transported in see-through or other unsecured bags or cases when in paper copy; (iii) Not read in public places when working remotely (e.g., in waiting rooms or on trains); and (iv) Not left unattended or in any place where it is at risk (e.g., in airports or conference centers).
(e) Care must be taken to verify all postal and email addresses before any information concerning work-related matters is sent. Particular care must be taken when checking and verifying email addresses where auto-complete features may have inserted incorrect email addresses. 
(f) Before sending an email, all sensitive or particularly confidential information should be encrypted. 

Reporting Data and Security Breaches. 

Applicable law may require the Employer to report cyber incidents that result in the exposure or loss of certain kinds of information, or that affect certain services or infrastructure, to various authorities or affected individuals or organizations, or both. The information security coordinator's incident response plan includes a step to review all incidents for any required notifications. Coordinate all external notifications with legal and information security coordinators. Do not act on your own or make any external notifications without prior guidance and authorization. All staff are under an obligation to report actual or potential data protection compliance breaches to appropriate personnel so that the Employer can: 
(a) Investigate the breach and take any necessary remedial actions; 
(b) Maintain a register of compliance breaches; and 
(c) Make any applicable notifications to applicable authorities. 

Some examples of data security incidents include: 
(a) Loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication); 
(b) Suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous report or messages from anti-virus software or personal firewalls; 
(c) Loss or theft of any device that contains Employer or customer/client information (other than public information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media; 
(d) Suspected entry (hacking) into the Employer's network or systems by unauthorized persons;
(e) Any breach or suspected breach of confidential or restricted information;
(f) Any attempt by any person to obtain passwords or other confidential or restricted information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); 
(g) Awareness of a compromised computer or other device; and
(h) Any other situation that appears to violate this Policy or otherwise create undue risks to the Employer's information assets. 

For all reporting and questions concerning the Employer's reporting procedure, please contact James Carey. 

Company Information 

Company Name: Carey Consultants Inc. 

Phone: 1-800-359-8041

Address: PO Box 176, Chardon, Ohio 44024

Information Security Coordinator
Coordinator Name:
James Carey
Email: admin@careyconsultants.com