Information Security Policy


JJJ Solution LLC / Lertia


12/13/25


Contents

  • Introduction

  • Information Security Policy

    1. Network Security

    2. Acceptable Use Policy

    3. Protect Stored Data

    4. Information Classification

    5. Access to the Sensitive Cardholder Data

    6. Physical Security

    7. Protect Data in Transit

    8. Disposal of Stored Data

    9. Security Awareness and Procedures

    10. Credit Card (PCI) Security Incident Response Plan

    11. Transfer of Sensitive Information Policy

    12. User Access Management

    13. Access Control Policy


Introduction

This Policy document encompasses all aspects of security surrounding confidential information belonging to JJJ Solution LLC / Lertia and must be distributed to all employees and contractors. All personnel must read this document in its entirety and acknowledge that they understand and comply with this policy.

This document will be reviewed and updated by management on an annual basis or when relevant security standards change.


Information Security Policy

JJJ Solution LLC / Lertia handles sensitive information daily. Sensitive information must have adequate safeguards in place to protect account data, including cardholder data and customer privacy, and to ensure compliance with applicable regulations.

Management is committed to maintaining a secure environment in which to operate and process transactions.

Employees handling sensitive information must:

  • Handle information according to its classification

  • Limit personal use of company systems

  • Protect sensitive account and cardholder data

  • Keep passwords and accounts secure

  • Obtain approval before installing software, hardware, or third-party connections

  • Lock screens and keep desks clear of sensitive data

  • Report information security incidents immediately

  • Attend annual security awareness training


1. Network Security

A high-level overview of the network environment, appropriate to the business model of JJJ Solution LLC / Lertia, is maintained.

Payment processing is performed exclusively through PCI DSS Level 1 compliant third-party providers. Vulnerability scanning and infrastructure security are handled by the ecommerce platform and payment processors where applicable.


2. Acceptable Use Policy

Company systems must be used responsibly and securely. Employees are responsible for preventing unauthorized access to confidential data.

  • Passwords must not be shared

  • Devices must be protected against tampering

  • Portable devices must be handled with care

  • Suspicious activity must be reported immediately


3. Protect Stored Data

JJJ Solution LLC / Lertia does not store cardholder data such as PANs, CVV, track data, or PINs in electronic format.

Any sensitive information handled in hard copy must be securely protected and destroyed when no longer required.


4. Information Classification

  • Confidential: Cardholder data and regulated information

  • Internal Use: Business information restricted internally

  • Public: Information approved for public release


5. Access to the Sensitive Cardholder Data

Access to cardholder data is restricted to authorized personnel with a legitimate business need.

Any third-party service providers with access to cardholder data must:

  • Maintain PCI DSS compliance

  • Acknowledge responsibility for protecting cardholder data

  • Be subject to ongoing compliance monitoring


6. Physical Security

Physical access to sensitive data is restricted.

  • Devices are monitored for tampering

  • Visitors must be escorted

  • Secure storage is maintained for sensitive materials


7. Protect Data in Transit

Sensitive data must never be transmitted via unsecured channels such as email or chat.

If transmission is required for business reasons, strong encryption must be used and management authorization obtained.


8. Disposal of Stored Data

All data must be securely destroyed when no longer required.

  • Paper records are cross-cut shredded

  • Electronic media is securely wiped or destroyed

  • Disposal processes are reviewed regularly


9. Security Awareness and Procedures

Security awareness training is provided regularly.

Policies are reviewed annually and updated as needed to maintain PCI DSS compliance.


10. Credit Card (PCI) Security Incident Response Plan

JJJ Solution LLC / Lertia maintains an incident response process to identify, contain, investigate, and report any suspected security incidents involving payment data.

Payment processors and card brands will be notified as required by PCI DSS.


11. Transfer of Sensitive Information Policy

All third-party providers must:

  • Comply with PCI DSS requirements

  • Use cardholder data only for authorized purposes

  • Cooperate fully during any security investigation


12. User Access Management

Access to systems is granted based on job role and revoked immediately upon termination or role change.

Each user is assigned a unique user ID.


13. Access Control Policy

Access follows the principles of least privilege and need-to-know.

Authentication controls are enforced, and access rights are reviewed periodically.