🛡️ Chaizing Fireflies Internal Website Security Policy

Effective Date: 11/07/2025
Owner: Dawn M. Mitchell
Revision: 1.0

1. Purpose & Scope

 This policy outlines the security measures and protocols necessary to protect Chaizing Fireflies’ digital assets, customer data, and website infrastructure (e-commerce platform, hosting environment, and customer accounts) from unauthorized access, disclosure, modification, or destruction. This policy applies to all employees, contractors, and third-party vendors with access to the Chaizing Fireflies website and related systems. 

2. Data Protection & Privacy

 

2.1 Customer PII (Personally Identifiable Information)

  • Collection: Only necessary PII (Name, Address, Email, Phone Number) shall be collected for order fulfillment, communication, and account management.
  • Storage: PII must be stored securely within encrypted databases provided by the e-commerce platform ([e.g., Shopify, WooCommerce]). Sensitive data access logs must be maintained.
  • Retention: PII shall be retained only as long as necessary for business and legal requirements (e.g., tax records, warranty periods). Old or inactive data shall be securely purged periodically.

2.2 Payment Information

  • Compliance: Chaizing Fireflies shall never store customer credit card numbers or sensitive payment data directly on its servers. All payment processing must utilize PCI DSS-compliant third-party gateways (e.g., Stripe, PayPal, Shop Pay) that handle encryption and authorization.
  • Validation: Payment gateway compliance must be verified annually.

3. Website Security & Infrastructure

  

3.1 Hosting & Platform Security

  • Updates: The e-commerce platform, themes, and all installed plugins/extensions must be monitored and updated immediately upon release of security patches.
  • Monitoring: Implement continuous monitoring for malware, suspicious login activity, and file integrity changes.
  • Backups: Complete website and database backups shall be performed [State Frequency, e.g., Daily] and stored securely off-site.

3.2 Secure Transmission (SSL/TLS)

  • Requirement: The entire Chaizing Fireflies website must operate over HTTPS using a valid, unexpired SSL/TLS certificate and a current protocol version (e.g., TLS 1.2 or higher). Unencrypted HTTP traffic must be permanently redirected (301) to HTTPS.

3.3 Security Software

  • Implement and regularly update security software (e.g., firewall applications, WAF) within the hosting environment to prevent common web attacks (e.g., XSS, SQL injection).

4. Access Control & User Management


5. Incident Response Plan

 

5.1 Reporting

  • Any employee or contractor who suspects a security breach, unauthorized access, or vulnerability must immediately report it to the [Owner/Manager Contact Info].

5.2 Response Steps

  1. Containment: Immediately isolate the compromised area (e.g., take the site offline, disable the compromised account).
  2. Assessment: Determine the scope of the breach, the source, and the specific data that may have been accessed.
  3. Remediation: Patch the vulnerability, eliminate the threat, and restore the system from a clean backup.
  4. Notification: If PII was compromised, affected customers must be notified promptly and clearly, as required by law.
  5. Review: Document the incident, analyze the root cause, and update policies/controls to prevent recurrence.

6. Employee Training

  All employees with access to the website backend or customer data must complete mandatory security awareness training [State Frequency, e.g., Annually], covering topics like phishing, safe password practices, and identifying security threats.
