
Cybersecurity Policy

Goodwood Consulting, LLC "Goodwood"

Last Updated: April 2026 · v1.2

This Cybersecurity Policy sets out Goodwood Consulting's guidelines for preserving the security of our data and technology infrastructure. The more we rely on technology to collect, store, and manage information, the more vulnerable we become to security breaches. Human errors, attacks, and system malfunctions could cause damage to the company and our clients and may jeopardize our reputation.

For this reason, we have implemented a number of security measures and prepared instructions that help mitigate security risks. This policy applies to all employees and anyone who has permanent or temporary access to our systems and hardware.

Key Definitions

Client Information
Non-public information about Goodwood clients or their customers that we collect, receive, store, process, transmit, or access in connection with our services.
Security Incident
Unauthorized access, acquisition, use, disclosure, modification, or destruction of Client Information or systems — or any event reasonably likely to compromise confidentiality, integrity, or availability.
Vendor / Third Party
External entities or subcontractors that store, process, or transmit Client Information on Goodwood's behalf.

Governance & Accountability

Goodwood maintains an information-security governance framework. The Compliance Lead is the executive owner responsible for policy maintenance and regulatory coordination; IT and security staff hold operational responsibility.

Compliance POC
Ryan David Thibodeaux
Principal / Compliance Lead

Confidential Data

Confidential data is secret and valuable. Common examples include unpublished financial information, customer, partner, and vendor data, undisclosed intellectual property, customer lists (existing and prospective), and client information. All employees are obliged to protect this data.

Access Control & Identity

  • Least-privilege, role-based access controls with monitoring of privileged activity
  • Multi-factor authentication (MFA) required for remote access, administrative consoles, and any system storing client data
  • Single Sign-On (SAML via Google Workspace) enforced for HubSpot and enterprise cloud applications
  • Unique strong credentials per user; company-approved password manager used for secure storage
  • Secrets and API keys stored in approved managers with defined rotation schedules
  • Access to confidential data is logged and reviewed for anomalous activity

Encryption & Data Protection

  • Data in transit protected with TLS 1.2+ (or successor) across all endpoints
  • Sensitive data at rest encrypted using strong cryptography
  • Endpoint disk encryption required on every device used for Goodwood work
  • Confidential data transfers only over company-managed networks — never public Wi-Fi
  • Recipients verified to be authorized and maintain adequate security controls before data is shared

Endpoint Protection

  • Endpoints managed via MDM/EPP, encrypted, and kept current with security patches
  • Keep devices password-protected and never leave them exposed or unattended
  • Install security updates monthly or immediately when critical patches are released
  • Anti-malware and host-based detection maintained on every endpoint
  • No access to internal systems from personal or unmanaged devices

Network & Cloud Security

  • Cloud environments follow secure baseline configurations with IAM least-privilege
  • Centralized logging and monitoring across all cloud services
  • Network defenses and segmentation applied according to service risk and data sensitivity
  • Secure VPN or Zero-Trust access methods required for remote work

Monitoring, Logging & Detection

  • Centralized logging and detection capabilities maintained across production systems
  • Security-relevant logs retained for at least 12 months, or longer where law requires
  • Anomaly detection and alerting feed the incident management process
  • Regular log review by security-responsible personnel

Vulnerability Management & Testing

  • Periodic vulnerability scans, dependency management, and timely patching
  • Independent penetration testing and third-party security assessments performed regularly and after material changes
  • SOC reports or attestations obtained from vendors as part of due diligence
  • Findings tracked to remediation with documented SLAs

Secure Development & Change Management

  • Production changes subject to documented change management with security review, testing, and rollback capabilities
  • Developers follow secure-coding practices and dependency scanning procedures
  • Code review required for changes to production systems and client-facing applications
  • Separation of duties between development, review, and deployment

Email & Phishing Defense

  • Avoid opening attachments or clicking links when the content is not adequately explained
  • Treat clickbait titles offering prizes or unsolicited advice as suspicious
  • Verify sender email addresses and names for accuracy and legitimacy
  • Watch for grammar mistakes, excessive punctuation, or mismatched domains
  • Report any suspicious email to security@goodwood-consulting.com immediately

Additional Measures

To further reduce the likelihood of security breaches, employees are instructed to:

  • Turn off screens and lock devices when leaving them unattended
  • Report stolen or damaged equipment as soon as possible
  • Change all account passwords at once when a device is stolen
  • Report any perceived threat or possible security weakness in company systems
  • Refrain from downloading suspicious, unauthorized, or illegal software
  • Avoid accessing suspicious websites

We also:

  • Install anti-malware software and access authentication systems
  • Provide security training to all employees
  • Regularly inform employees about new scam emails or viruses and ways to combat them
  • Investigate security breaches thoroughly

Remote Employees

Employees who work remotely must follow this policy's instructions. Because they access company accounts and systems from a distance, they are obliged to follow all data encryption and protection standards and settings, and to ensure their private network is secure.

Incident Response & Client Notification

Goodwood maintains a formal Incident Response Plan covering detection, reporting, containment, investigation, remediation, evidence preservation, and post-incident review.

Notification commitments

If a Security Incident impacts Client Information, Goodwood will provide the affected client with:

  • Preliminary notification within 24 hours of discovery — initial facts and a point of contact.
  • Full incident report within 72 hours of discovery (or sooner as facts permit), with follow-up updates as the investigation proceeds.
  • Nature and scope of the event (to the extent known), categories of affected data, containment and remediation steps, and ongoing incident contact.

SEC Regulation S-P Alignment

Our 72-hour commitment is designed to support clients' obligations under SEC Regulation S-P (Privacy of Consumer Financial Information and Safeguarding Customer Information), which requires registered investment advisers to receive timely notice from service providers following a breach of a customer information system.

The 72-hour clock starts when Goodwood becomes aware of the incident. Where a client has a shorter contractually required notification window, the shorter window controls. Goodwood cooperates with clients and regulators, providing logs and investigation results as appropriate.

Third-Party Risk & Vendor Expectations

Goodwood performs security due diligence before engaging vendors that store or process client data. Contracts include data-protection and incident-notification requirements.

  • Vendors must notify Goodwood promptly of any incident affecting Client Information and cooperate with investigations and remediation.
  • Contractually, vendors are required to provide preliminary notification within 24 hours of discovery and a full incident report within 72 hours.
  • Goodwood reserves the right to request audit reports (SOC 2, ISO 27001, or equivalent) and to require remediation or termination where controls are insufficient.

Employee Responsibilities & Training

All personnel must follow security policies and report suspected incidents immediately to security@goodwood-consulting.com.

  • Security and privacy training required at hire and annually thereafter.
  • Additional role-based training for privileged users and developers.
  • Device and email safety practices, credential protection, and prohibitions on unauthorized or untrusted devices.

Disciplinary Action

We expect all employees to always follow this policy. Those who cause security breaches may face disciplinary action:

  • First-time, unintentional, small-scale breaches may result in a verbal warning and additional security training
  • Intentional, repeated, or large-scale breaches will invoke more severe disciplinary action up to and including termination

Continuous Improvement

Goodwood maintains a continuous evaluation and improvement program for our cybersecurity systems and processes. This policy is reviewed and updated at least annually, or sooner when operational or regulatory changes require it. Lessons learned from incidents, audits, and penetration tests are incorporated.

How to Report a Security Incident

Clients, vendors, researchers, and members of the public may report suspected security incidents to Goodwood at any time.

Compliance POC
Ryan David Thibodeaux
Principal / Compliance Lead