Company Name: 3CS Asia (Private) Limited
Effective Date: January 2026
Scope: All employees, subcontractors, contractors, digital infrastructure, and client-facing projects.
Purpose and Objective
The purpose of this policy is to protect the Confidentiality, Integrity, and Availability (CIA) of information assets owned by or entrusted to 3CS Asia (Private) Limited. We are committed to maintaining a secure digital environment that protects our clients’ brand reputation and complies with the Sri Lanka Personal Data Protection Act No. 9 of 2022.
Data Governance and Classification
3CS categorizes all information to ensure appropriate levels of protection:
- Public: Information intended for public consumption (e.g., website content).
- Internal: Business-related data (e.g., internal memos, non-sensitive project files).
- Confidential/Sensitive: Client source code, databases, personally identifiable information (PII), and login credentials. This data requires the highest level of encryption and access control.
Infrastructure and Network Security
Our digital infrastructure is designed to be resilient against modern cyber threats:
- Firewalls and Perimeter Defense: All server environments are protected by enterprise-grade firewalls and Web Application Firewalls (WAF) to mitigate SQL injection, Cross-Site Scripting (XSS), and other OWASP Top 10 vulnerabilities.
- DDoS Mitigation: We utilize high-capacity Content Delivery Networks (CDNs) and DDoS protection layers to ensure website availability during malicious traffic spikes.
- Encryption: All data in transit is protected via TLS 1.3 encryption. Sensitive data at rest is stored using AES-256 encryption standards.
Secure Software Development Life Cycle (S-SDLC)
As a premier web development agency, we integrate security into every stage of our build process:
- Security by Design: We follow OWASP (Open Web Application Security Project) best practices during the coding phase.
- Environment Segregation: We maintain strictly separate environments for Development, Staging, and Production to ensure that untested code never reaches the live environment.
- Security Audits: Regular vulnerability scans and automated code reviews are conducted to identify and remediate potential security flaws before deployment.
Access Control and Identity Management
We follow the Principle of Least Privilege (PoLP), giving users only the access they need to perform their jobs.
- Multi-Factor Authentication (MFA): Mandatory MFA is enforced for all administrative access to servers, CMS platforms, and internal business tools.
- Credential Management: 3CS utilizes encrypted password management systems. The use of default or weak passwords is prohibited.
- Offboarding: Access for employees, subcontractors, or contractors is revoked immediately upon termination of their contract or project engagement.
Physical Security
While we are a digital-first company, our physical office security is maintained to prevent unauthorized access to hardware:
- Restricted Access: Our premises are protected by 24/7 camera surveillance of all physical entry points and by strict access control.
- Clean Desk Policy: Sensitive documents and removable storage media must be secured when not in use.
- Device Encryption: All company laptops and mobile devices are encrypted and equipped with remote-wipe capabilities in case of theft or loss.
Incident Response and Business Continuity
3CS maintains a proactive stance on disaster recovery:
- Automated Backups: We maintain a robust daily backup mechanism. Backups are tested monthly for restoration integrity.
- Incident Response Plan (IRP): In the event of a security breach, our dedicated response team follows a documented protocol to contain the threat, assess the damage, and notify affected clients in accordance with PDPA requirements.
Employee Training and Awareness
Human error remains the leading cause of security breaches.
- All 3CS staff undergo mandatory security awareness training upon hiring and annually thereafter.
- Training covers phishing identification, social engineering defense, and secure password hygiene.
Compliance and Audits
3CS conducts periodic internal security audits to ensure adherence to this policy. We also cooperate with third-party security audits requested by our clients as part of their compliance requirements.