Shaker Foundation for American Service Heroes seal

Governance & Compliance / Security

SECURITY POLICY

Cybersecurity, Information Protection & Institutional Security Governance Framework

Security

Cybersecurity

Access

Continuity

Incident Response

Protection

Governance & Compliance / Security

SECURITY POLICY

Cybersecurity, Information Protection & Institutional Security Governance Framework

01 / Governance & Compliance / Security

Institutional Overview

Cybersecurity, Information Protection & Institutional Security Governance Framework

02 / Governance & Compliance / Security

1. Institutional Security Commitment

The Shaker Foundation for American Service Heroes is committed to maintaining the highest standards of institutional security, cybersecurity resilience, information protection, and operational safeguarding across all governance, administrative, digital, financial, and programmatic environments.

Security is recognized as a foundational governance function essential to protecting institutional integrity, operational continuity, public trust, and mission-critical assets.

This Security Policy establishes a comprehensive governance framework for preventing, detecting, responding to, and recovering from security threats, vulnerabilities, breaches, or malicious activities affecting the Foundation’s systems, infrastructure, personnel, or data assets.

The Foundation maintains a zero-tolerance policy toward unauthorized access, malicious intrusion, sabotage, security circumvention, or misuse of protected institutional resources.

03 / Governance & Compliance / Security

2. Scope of Security Governance

This Security Policy applies to all institutional assets and environments, including:

Digital systems and information infrastructure
Cloud platforms and storage environments
Governance and administrative systems
Financial and compliance systems
Communication platforms and collaboration tools
Personnel, contractors, vendors, and authorized third parties
Physical and virtual operational environments

All individuals and entities operating under or interacting with Foundation-controlled systems are required to comply with this policy.

04 / Governance & Compliance / Security

3. Core Security Governance Principles

The Foundation governs institutional security under the following binding principles:

3.1 Confidentiality Protection

Protected information shall only be accessible to authorized individuals for approved institutional purposes.

3.2 Integrity Assurance

Systems, records, and data must remain protected from unauthorized alteration, corruption, manipulation, or destruction.

3.3 Availability and Operational Continuity

Critical systems and institutional resources must remain available, resilient, and recoverable during adverse events.

3.4 Least Privilege Access

Access rights shall be restricted to the minimum level necessary for authorized responsibilities.

3.5 Defense-in-Depth

Security shall be implemented through layered administrative, technical, procedural, and governance controls.

05 / Governance & Compliance / Security

4. Security Control Architecture

The Foundation maintains a layered security control framework including:

4.1 Administrative Controls

Policies, governance procedures, role definitions, and compliance obligations.

4.2 Technical Controls

Authentication systems, encryption, monitoring systems, endpoint protection, and access restrictions.

4.3 Operational Controls

Incident response procedures, access reviews, backup procedures, and recovery mechanisms.

4.4 Physical Security Controls

Protection of devices, facilities, documentation, and restricted-access environments.

These controls collectively reduce exposure to security threats and institutional vulnerabilities.

06 / Governance & Compliance / Security

5. Access Management and Authentication

Access to institutional systems is governed by strict access control protocols.

Security requirements include:

Role-based access authorization
Identity verification and credential control
Multi-factor authentication for privileged access
Session and access logging
Periodic access entitlement review
Immediate revocation of unauthorized or inactive access

Unauthorized access attempts constitute a serious security violation.

07 / Governance & Compliance / Security

6. Threat Detection and Continuous Monitoring

The Foundation operates continuous security monitoring designed to identify:

Unauthorized access attempts
Credential misuse or compromise
Malware, ransomware, or malicious code activity
Abnormal system behavior or anomalies
Data exfiltration indicators
Infrastructure vulnerabilities

Security events are logged, reviewed, and risk-classified according to severity and institutional impact.

Continuous monitoring is essential for early threat detection and rapid response.

08 / Governance & Compliance / Security

7. Security Incident Response Framework

All suspected or confirmed security incidents trigger structured incident response procedures.

Phase 1 — Detection & Identification

Initial detection and incident classification.

Phase 2 — Containment

Immediate measures to limit exposure and prevent escalation.

Phase 3 — Investigation

Root-cause analysis and impact assessment.

Phase 4 — Remediation

Removal of threats, correction of vulnerabilities, and restoration of controls.

Phase 5 — Recovery

Safe restoration of systems and operational continuity.

Phase 6 — Post-Incident Review

Institutional review and security enhancement measures.

All incidents are documented for governance review and audit traceability.

09 / Governance & Compliance / Security

8. Vulnerability and Risk Management

The Foundation applies continuous risk-based security assessment to identify and remediate vulnerabilities.

Security risk categories include:

Infrastructure vulnerabilities
Application weaknesses
Credential compromise risk
Third-party exposure risk
Insider threat risk
Operational security deficiencies

Identified vulnerabilities are prioritized according to severity, exploitability, and potential institutional impact.

10 / Governance & Compliance / Security

9. Third-Party and Vendor Security Requirements

Any vendor, contractor, or external service provider with access to institutional systems or data must maintain security standards aligned with Foundation requirements.

Third-party security obligations may include:

Access restrictions
Confidentiality requirements
Data protection controls
Security incident notification obligations
Compliance verification procedures

Third-party access remains subject to governance oversight and periodic review.

11 / Governance & Compliance / Security

10. Security Awareness and Training

Human error remains one of the most significant security risks.

The Foundation therefore requires ongoing security awareness initiatives covering:

Credential protection and password hygiene
Phishing and social engineering awareness
Safe communication practices
Device and remote access security
Incident reporting obligations

Security awareness is treated as a continuous institutional responsibility.

12 / Governance & Compliance / Security

11. Audit and Compliance Oversight

Security governance is continuously reviewed through:

Internal compliance assessments
Security control validation
Audit & Accountability review
Risk management oversight
Incident trend analysis
Governance escalation for critical findings

Security controls must remain auditable, measurable, and continuously enforceable.

13 / Governance & Compliance / Security

12. Business Continuity and Resilience

The Foundation maintains security resilience and continuity safeguards designed to ensure operational survivability during adverse events.

This includes:

Backup and recovery systems
Disaster recovery procedures
Continuity planning
Recovery testing
Crisis escalation mechanisms

Operational resilience is treated as a critical security outcome.

14 / Governance & Compliance / Security

13. Continuous Security Improvement

This Security Policy is continuously reviewed and strengthened based on:

Threat intelligence and emerging attack patterns
Security assessments and audits
Incident investigations
Technology evolution
Global security governance best practices

The Foundation maintains a permanent commitment to strengthening institutional security maturity.

15 / Governance & Compliance / Security

Final Institutional Statement

The Shaker Foundation for American Service Heroes affirms that institutional security is fundamental to governance legitimacy, operational resilience, public trust, and long-term mission protection.

This Security Policy ensures that all institutional systems, assets, and information resources operate under rigorous security controls, continuous monitoring, and internationally aligned protection standards.