Last Updated: Nov. 20, 2025
Purpose
This security policy framework establishes the requirements and procedures for protecting FutureView Systems (FVS) information assets in cloud environments. It provides guidance for secure operations, data protection, and compliance requirements.
Scope
This policy applies to all FVS Cloud Environments, including development, testing, pre-production and production. Specifically, this framework applies to:
· All AWS Cloud Infrastructure utilized by FVS
· All FVS employees, contractors, and temporary staff with access to FVS Cloud Environments
· Third-party vendors and service providers with access to FVS Cloud Environments
· Customer Data stored, processed, or transmitted through an FVS Cloud Environment
Definitions
Organization
· FVS: FutureView Systems
· FVS Cloud Environments: Systems hosting the FVS cloud applications, including servers, storage, networking and Customer Data.
AWS Infrastructure
· AWS: Amazon Web Services
· Region: A geographical area containing multiple AWS data centers
· AZ: Availability Zone – a physically separate data center within an AWS Region
· AWS Cloud Infrastructure: AWS infrastructure hosting FVS Cloud Environment
Access and Identity
· IAM: Identity and Access Management
· RBAC: Role Based Access Control
· MFA: Multi-Factor Authentication – authentication method requiring two or more verification factors
Environment Types
· Production Environment: Systems supporting live business operations
· Critical Systems: Systems essential for business operations
Artificial Intelligence Systems
· AI: Artificial Intelligence – computer systems that can perform tasks typically requiring human intelligence
· Generative AI: AI systems that can create new content such as text, images, or code based on trained models
· AWS Bedrock: AWS’ fully managed service for building and scaling generative AI applications using foundation models
· Foundation Models: Large language models that serve as the basis for generative AI applications
Data Classifications
· Customer Data: All data, material and information inputted by customer into the FVS Cloud Environment and all derivatives of such data, material and information.
· Non-public Data: Any Customer Data not explicitly cleared for public release
Recovery Objectives
· RTO: Recovery Time Objective – the target duration of time in which a business process may be restored after a disruption
· RPO: Recovery Point Objective – the target duration of time in which data may be lost due to a disruption
1. Environment and Access Management
1.1 Cloud Environment
· Production workloads hosted in approved AWS Regions
· Critical services utilize multi-AZ deployment
· Development and production environments maintain isolation
· Regular infrastructure security assessments
· Network security controls include:
- Segmentation of environments
- Secure communication channels
- Perimeter protection
- Traffic monitoring
1.2 Access Control
· Principle of least privilege through IAM roles and policies
· RBAC for all system access
· AWS Organizations for account-level controls
· Access limited based on job functions
· Regular access reviews conducted
· Decentralized user management maintained
1.3 Authentication Standards
· MFA for all system access enforced
· Strong password policies implemented
· Credentials rotated on defined schedules
· Privileged access managed through separate controls
· Session timeout requirements enforced
2. Data Protection and Privacy
2.1 Data Protection and Handling
· All cloud-stored Customer Data is classified as non-public
· All Customer Data at rest and in transit is encrypted
· Customer Data access by FVS restricted to FVS authorized personnel
· Customer Data access monitored and logged
· Secure data disposal procedures maintained
· Controls maintained for data extraction
· Data recovery procedures established
2.2 Storage and Retention
· 1-year or other contractually agreed period maintained for Customer Data retention and destruction
· Automated archival procedures
· Regular backup testing conducted
3. Security Operations
3.1 Security Monitoring
· 24/7 security monitoring
· Alert thresholds and escalation procedures documented
· Monitoring systems regularly reviewed
3.2 Incident Response
· Incident response procedures documented
· Incident classification criteria defined
· Notification requirements established
· Incident response team contact information maintained
3.3 Vulnerability Management
· Regular vulnerability scanning performed
· Patch management procedures followed
· Risk assessments conducted
· Remediation activities tracked
3.4 Change Management
· Change control procedures followed
· Security review for significant changes required
· Change documentation maintained
· Changes tested before implementation
· Emergency change procedures defined
4. Compliance and Audit
4.1 Compliance Requirements
AWS provides compliance with multiple frameworks that FVS leverages as part of the FVS overall compliance strategy. FVS utilizes AWS's compliance program as a foundation while implementing additional controls specific to FVS business requirements.
· Regular compliance assessments conducted
· Cloud resource configurations tracked
· Activity logging
· Automated compliance scanning
- AWS compliance with ISO 27001, 27017, and 27018
- AWS SOC 1, SOC 2, and SOC 3 reports
- AWS alignment with NIST frameworks
· Refer to the AWS links in Appendix A for AWS compliance resources and documentation
4.2 Audit Controls
· Audit logging implemented
· Log retention periods followed
· Secure log backup
· Audit trails maintained
5. Business Continuity
5.1 Disaster Recovery
· 24 hours for RPO and RTO
· Regular testing conducted
· Documentation maintained
· Communication procedures established
5.2 Business Continuity
· Critical systems identified
· Continuity requirements documented
· Plans regularly updated
· Testing per established schedule
· Procedures reviewed and updated regularly
6. Security Awareness and Training
6.1 Training Requirements for FVS personnel having FVS Cloud Environment access
· Ongoing security awareness training provided
· Regular security updates issued
· Social engineering awareness conducted
· Training completion documented
7. Artificial Intelligence Systems
7.1 AI Data Protection and Usage
· All data processed by AWS Bedrock is considered non-public by default
· FVS personnel access to AWS Bedrock subject to approved security configurations and integration patterns
· AWS or any AI service provider prohibited from training their foundation models using FVS’s Customer Data
· The same data retention policies for other Customer Data on the FVS Cloud Environment apply to Generative AI data
Contact
If you feel that we are not abiding by this security policy or have any questions, you should contact us immediately via email at info@futureviewsystems.com
Appendix A: AWS Compliance Resources Contact
FVS leverages the following AWS compliance resources:
AWS Compliance Center: https://aws.amazon.com/compliance
AWS Security Documentation: https://docs.aws.amazon.com/security
AWS ISO 27001 Documentation: https://aws.amazon.com/compliance/iso-27001-faqs
AWS NIST Documentation: https://aws.amazon.com/compliance/nist
AWS PCI DSS Documentation: https://aws.amazon.com/compliance/pci-dss-level-1-faqs
AWS SOC Documentation: https://aws.amazon.com/compliance/soc-faqs