Imperial Eminence Cyberguard Corporation · The Ivory Index

Information Security Program

Tier V — Security Program · Ref: IECC-T5-001 · Version 1.0 · Effective 14 June 2026

Document: IECC-T5-001 Version: 1.0 Effective: 14 June 2026 Governing Law: Cayman Islands Intended Jurisdiction: Cayman Islands (upon incorporation)

Article I — Program Purpose & Governance

This Information Security Program ("Program") establishes IECC's overarching framework for protecting the confidentiality, integrity, and availability of information assets — including Customer data, proprietary software, and operational systems. It is distinct from the Security Whitepaper (technical architecture) and the Security Addendum (contractual security commitments).

1.1 Governance Structure

Role	Responsibility
Security Owner	Overall accountability for the Program; approves policy changes; escalation point for P1 incidents
Technical Lead	Day-to-day implementation of security controls; vulnerability management; access reviews
All Personnel	Compliance with this Program; reporting of suspected incidents or policy violations

Until IECC reaches a headcount requiring a dedicated CISO, the Security Owner role is fulfilled by the founding technical lead. Security responsibilities will be formally delegated upon organisational scaling.

Article II — Asset Inventory

2.1 Information Asset Categories

Asset Category	Examples	Classification	Owner
Source code	Ivory Index application, build scripts	Confidential	Technical Lead
Customer data (cloud)	Support tickets, account data	Restricted	Security Owner
User local data	Profiles at ~/.theivorry/ (on User devices)	N/A — not held by IECC	User
AI model weights	llama3.2, Ollama models	Third-party — governed by model licences	Technical Lead
Infrastructure credentials	Cloud provider keys, signing certificates	Restricted	Security Owner
Legal and financial records	Contracts, invoices, correspondence	Confidential	Security Owner
Brand assets	Logos, marketing materials	Internal	Founding team

2.2 Asset Classification Definitions

Restricted: Highest sensitivity; limited to named individuals; breach requires immediate notification
Confidential: Internal use only; shared only under NDA or on need-to-know basis
Internal: Not for public distribution but lower sensitivity
Public: Approved for public release

Article III — Risk Management

3.1 Risk Assessment Cycle

IECC conducts an annual information security risk assessment covering: threat identification; vulnerability assessment; likelihood and impact scoring; risk treatment decisions (accept, mitigate, transfer, avoid); and residual risk acceptance.

3.2 Risk Register

Risk	Likelihood	Impact	Treatment
Local device compromise leaking User data	Medium	High	Mitigate: recommend FDE; User responsibility disclosure
Supply chain attack on npm dependencies	Low–Medium	High	Mitigate: dependency scanning; lock-file integrity
Credential theft (IECC internal systems)	Low	High	Mitigate: MFA; least privilege; regular rotation
AI model generating harmful output	Medium	Medium	Mitigate: AUP; AI disclaimer; User review obligation
Malicious Ollama model distribution	Low	High	Mitigate: official registry only; User model selection control
Electron XSS-to-RCE escalation	Low	Critical	Mitigate: context isolation; node integration disabled; CSP

Article IV — Access Management

Principle of least privilege: Access granted only to the minimum level required for the role
Access reviews: Quarterly review of all access rights; immediate revocation upon role change or departure
Multi-factor authentication: Required for all cloud infrastructure, code repositories, and administrative systems
Privileged access: Logged and audited; no shared privileged credentials
Third-party access: Governed by vendor agreements; time-limited where possible; reviewed quarterly

Article V — Vulnerability Management

Severity	CVSS Score	Patch Timeline
Critical	9.0–10.0	7 days
High	7.0–8.9	30 days
Medium	4.0–6.9	90 days
Low	0.1–3.9	Next scheduled release

Vulnerability sources include: automated dependency scanning (each release); external researcher reports via legal@imperialecc.com; CVE databases; and threat intelligence feeds.

Article VI — Change Management

All production code changes require peer review before merge
Security-sensitive changes (authentication, data handling, encryption) require Security Owner review
Release checklist includes: dependency scan; security regression test; changelog entry
Emergency changes (P1 security patches) may bypass standard review with retrospective documentation within 24 hours
Infrastructure changes are documented and reviewed prior to deployment

Article VII — Security Awareness

All IECC personnel with access to Restricted or Confidential assets receive security awareness training upon onboarding and annually thereafter. Training covers: phishing recognition; password security; incident reporting; data handling; and acceptable use of IECC systems.

Article VIII — Program Review

This Program is reviewed and updated annually, upon material organisational change, or following any P1 or P2 security incident. All updates are approved by the Security Owner and versioned. Contact: legal@imperialecc.com.

Drafted with the assistance of

Voidlex

Imperial Legal Intelligence · IECC Suite · v2.6

This document was prepared with the assistance of Voidlex, a legal document drafting tool developed by Imperial Eminence Cyberguard Corporation (IECC). Voidlex is a drafting aid only. It does not constitute legal advice, does not practice law, and does not guarantee the legal enforceability of this document in any jurisdiction. Users are strongly encouraged to seek independent legal counsel before relying on this document for commercial, regulatory, or enforcement purposes.

Governing Law — All Disputes Cayman Islands · Grand Court of the Cayman Islands

IECC Registered Operations Planned Cayman Islands registration · pre-incorporation stage

Drafting System Voidlex v2.6 · Imperial Eminence Cyberguard Corporation

TRIBUNEH · IECC Legal Division