Information Security & Cybersecurity Policy
Last Updated: December 7, 2025
1. Introduction
UnderWave (“the Company,” “we,” or “us”) is a premier Open-Source Intelligence (OSINT) and digital investigations firm. We specialize in the collection, analysis, and delivery of actionable insights derived from publicly available data. Given the sensitive nature of our work—which includes risk assessments and intelligence support for global corporations and private entities—information security is the cornerstone of our operations.
We recognize the unique threat landscape facing the intelligence community, including targeted attacks on investigators, data breaches, and supply chain disruptions. This policy, aligned with international standards such as ISO/IEC 27001:2022, NIST Cybersecurity Framework (CSF) 2.0, and CIS Controls v8, outlines our commitment to safeguarding data assets, ensuring client confidentiality, and maintaining global regulatory compliance (GDPR, CCPA, and international privacy laws).
This policy applies to all employees, contractors, and partners (“the Team”), covering all systems and processes related to our OSINT operations.
2. Scope and Application
Scope
Information Assets: Personal data, OSINT datasets, investigative reports, proprietary source code, and internal databases.
Systems: Cloud infrastructure (AWS/GCP), specialized OSINT tools (e.g., Maltego, Shodan), and communication networks.
Processes: Data harvesting, multi-layered analysis, secure storage, and intelligence dissemination.
Locations: Global cloud nodes, remote operations, and corporate offices.
Application
This policy governs all lawful and ethical OSINT activities. It is reviewed annually or following significant security events to ensure alignment with the evolving technological and regulatory landscape.
3. Roles and Responsibilities
| Role | Primary Responsibility |
| --- | --- |
| Executive Leadership | Approval of policies, resource allocation, and fostering a “Security-First” culture. |
| CISO / DPO | Policy development, risk management, and regulatory oversight. |
| Investigators & Analysts | Adherence to OPSEC protocols and reporting suspicious activities. |
| IT Operations | Technical system management, patch deployment, and infrastructure hardening. |
| Third-Party Vendors | Compliance with Security Level Agreements (SLA) and data protection standards. |
4. Risk Management & Asset Protection
Risk Assessment
We conduct annual risk assessments based on NIST SP 800-30, specifically addressing OSINT-specific threats: Counter-OSINT (Adversary OSINT), source exposure, and spear-phishing.
Classification: Assets are classified as Public, Internal, Confidential, or Restricted based on sensitivity.
Asset Management
Inventory: A centralized registry of all hardware and OSINT software tools.
Data Retention: Temporary OSINT data is purged after 30 days unless contractually or legally required otherwise. Physical media destruction follows industry-standard “shred-and-delete” protocols.
5. Access Control & Cryptography
Principle of Least Privilege (PoLP): Access is granted via Role-Based Access Control (RBAC).
Authentication: Mandatory Multi-Factor Authentication (MFA) and robust password policies (12+ characters).
OSINT OPSEC: Analysts utilize managed attribution (VPN/Proxy) to ensure anonymity; use of personal accounts for investigations is strictly prohibited.
Encryption: Data at rest is secured via AES-256, while data in transit utilizes TLS 1.3. Sensitive communications are protected through PGP or S/MIME.
6. Operational & Communication Security
Backup Strategy: We follow the 3-2-1 Rule (3 copies, 2 different media, 1 offsite/cloud-based).
Vulnerability Management: Automated patch management and daily vulnerability scans.
Network Security: Deployment of Next-Gen Firewalls, IDS/IPS, and strict network segmentation (VLANs).
Digital Hygiene: Mandatory use of sandboxed environments for malware analysis and source verification.
7. Secure Development & Vendor Relations
Acquisition: All third-party tools undergo a Vendor Risk Assessment. We prioritize secure, vetted open-source tools following NSA best practices.
Development: Our internal tools follow a Secure SDLC (OWASP standards).
Audits: Annual third-party Penetration Testing and SOC 2 Type II alignment reviews.
8. Incident Response & Business Continuity
Detection: Centralized SIEM monitoring for real-time threat detection.
Response: Incident Response (IR) protocols follow NIST SP 800-61 (Containment, Eradication, Recovery).
Reporting: Data breaches are reported to relevant authorities (e.g., GDPR 72-hour window) and affected clients without undue delay.
Continuity: Our Business Continuity Plan (BCP) targets an RTO of <4 hours and an RPO of <1 hour.
9. Training and Awareness
Security is a collective effort. All team members undergo:
Annual Security Training: Including SANS OSINT courses and advanced OPSEC maneuvers.
Phishing Simulations: Monthly drills to maintain high alertness.
Ethics Training: Ensuring all intelligence gathering complies with international legal frameworks.
10. Contact Information
This policy is subject to periodic updates. For inquiries or to report a security concern:
UnderWave Information Security Officer
Email: info@under-wave.com
Phone: +972-51-2051216
Thank you for your commitment to maintaining the integrity and security of the UnderWave intelligence ecosystem.

