Security Policy
Penligent Security Policy – NIST CSF Alignment
Version 1.0 — 15.9.2025
1. Purpose
This Security Policy outlines how Future Share LLC, the company behind Penligent, aligns its security practices with the NIST Cybersecurity Framework (CSF). By integrating the five core CSF functions (Identify, Protect, Detect, Respond, and Recover) into our product design and operations, we aim to help customers proactively strengthen cybersecurity defenses while maintaining transparency and accountability.
2. Scope
This policy applies to all Penligent systems, services, and processes, including product development, deployment options (SaaS, self-hosted, cloud-isolated), and customer support.
3. Alignment Principles
- Proactive Security: We prioritize prevention over detection by integrating security controls into our product design and development.
- Comprehensive Coverage: Address all five CSF functions in product and operational security.
- Continuous Improvement: Adopt a Plan-Do-Check-Act (PDCA) cycle for ongoing security enhancements.
- Risk-Driven: Prioritize security measures based on risk assessment and customer needs.
- Transparent & Auditable: Provide customers and partners with confidence through evidence-based practices.
4. Alignment Overview
CSF Function | Category | Current Status | Continuous Improvement Plan
---|---|---|---
Identify | Asset Management (ID.AM) | Implemented | Enhance automated asset discovery
Identify | Risk Assessment (ID.RA) | Partially Implemented | Integrate quantitative risk assessment tools
Protect | Access Control (PR.AC) | Implemented | Conduct monthly role-based access review
Protect | Data Security (PR.DS) | Partially Implemented | Upgrade encryption libraries
Detect | Anomalies & Events (DE.AE) | Implemented | Launch log correlation analytics platform
Detect | Continuous Monitoring (DE.CM) | Partially Implemented | Expand monitoring to development environments
Respond | Response Planning (RS.RP) | Implemented | Increase tabletop exercises from biannual to quarterly
Respond | Communications (RS.CO) | Partially Implemented | Formalize stakeholder notification procedures
Recover | Recovery Planning (RC.RP) | Implemented | Add off-site backup and restoration drills
Recover | Improvements (RC.IM) | Partially Implemented | Establish post-incident review closure process
5. Maturity Assessment
- Current Tier: Tier 2 – Risk Informed. Processes are established but not fully institutionalized.
- Target Tier: Tier 3 – Repeatable within 12 months, with policies standardized and externally auditable.
6. Roadmap
- Technology Enhancements: Adopt advanced security monitoring and analytics solutions.
- Process Institutionalization: Formalize internal/external security policies, increase training, and adopt quarterly review cycles.
- Third-Party Validation: Engage independent security firms for external assessments and certifications (ISO 27001, SOC 2).
7. Conclusion
Penligent is designed to simulate advanced attacker techniques for authorized penetration testing while aligning with the NIST CSF. We remain committed to using the NIST CSF as the foundation of our cybersecurity program, continually refining our controls and processes to deliver robust, transparent, and auditable security services.
For additional details or audit-related inquiries, please contact: [email protected].