Skip to content

Information Security Governance

1. Purpose

Establish the information security governance framework for Kudo to ensure the confidentiality, integrity, and availability of information, aligned with business objectives and applicable regulations.

2. Scope

Applies to all employees, contractors, third parties, and information systems that process Kudo's data, both internal and customer-related.

3. Governance Structure

Kudo defines a governance model based on clear roles and responsibilities:

  • Chief Information Security Officer (CISO): Responsible for leading security strategy, policies, and compliance.
  • Security Steering Committee: Monthly instance with representatives from key areas (Tech, Legal, Product, People) to assess risks, approve controls, and review incidents.
  • SecOps Team: Implements and operates security controls, performs monitoring, and incident response.
  • GRC Team: Manages risks, regulatory compliance, and audits.
  • Business Units: Responsible for integrating security practices into their processes.

4. Principles

Security governance is guided by the following principles:

  • Risk-based approach: Decisions are made based on the impact and likelihood of identified risks.
  • Security by design: Security is incorporated from the conception of products and services.
  • Continuous compliance: We comply with frameworks such as ISO/IEC 27001:2022, SOC 2, and applicable data protection regulations.
  • Transparency: Effective communication and traceability of decisions, findings, and actions.

5. Policies & Standards

The following policies comprise the governance framework:

  • Information Security Policy
  • Risk Management Policy
  • Access and Identity Management Policy
  • Business Continuity Policy
  • Secure Development and DevSecOps Policy
  • Data Protection and Privacy Policy
  • Associated technical standards and procedures

6. Risk Management

A living inventory of technological and business risks is maintained. Risks are prioritized by impact and managed through:

  • Risk matrices
  • Treatment plans
  • Documented acceptance when applicable
  • Periodic review by the Security Steering Committee

7. Control & Assurance

The effectiveness of the security program is ensured through:

  • Internal assessments and external audits
  • Incident simulations and continuity tests
  • Key performance indicators (KPIs) and executive reports

8. Awareness & Culture

A security culture is promoted through:

  • Regular training for all roles
  • Awareness campaigns and phishing simulations
  • Reinforcement of security principles during onboarding and leadership development

9. Review

This document will be reviewed annually or upon significant changes in the business or technological environment.

Last updated: April 2025
Responsible: Kudo's CISO
Approved by: Kudo's Security Steering Committee
Version: 0.1.0