The Odyssey Logistics Assurance & Trust Portal is designed to provide customers, partners, and stakeholders with clear visibility into the strength and maturity of our cybersecurity and compliance program. Our security framework is aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ensuring a structured, risk-based approach across the core functions of Identify, Protect, Detect, Respond, and Recover. Within the portal, visitors can review how these critical security program functions are operationalized through governance policies, technical safeguards, continuous monitoring, incident response planning, and third-party risk management. By organizing our controls and practices in alignment with NIST CSF, we provide transparency into how we manage cyber risk, protect sensitive data, and support resilient logistics operations for our global customers.


  • Endpoint & Device Security

Description

Use of personally owned devices for work is governed by a Personal Device Use Policy and the acceptable-use policy, with company-provided devices preferred and personal use limited to an as-needed basis. Personal devices must meet defined security requirements before access — encryption, screen-lock, current anti-malware/EDR, maintained operating systems, and no

Framework Alignment: NIST CSF PR.AA, PR.PS, DE.CM; CIS Control 4, 10; CMMC Level 1; GDPR Art. 32; ISO 27001:2022 A.8.1, A.7.10

  • Governance, Risk & Compliance

Description

A formal risk register and risk-exception workflow document, own, and track risks, reviewed in recurring leadership reporting. Risk is assessed against the NIST Cybersecurity Framework, with a documented baseline and a prioritized remediation roadmap. The risk-management program defines roles, responsibilities, and risk strategy, and incorporates third-party risk management.

Framework Alignment: NIST CSF GV.RM, ID.RA; GDPR Art. 35, 24; ISO 27001:2022 Cl. 6.1

  • Governance, Risk & Compliance

Description

A SOC 1 Type II examination is performed with an external audit firm; a SOC 2 Type II examination is planned. Compliance obligations are mapped across applicable frameworks, including NIST, CMMC, GDPR, and customs/trade requirements. A dedicated governance, risk, and compliance (GRC) function owns frameworks, audits, policy management, and customer

Framework Alignment: NIST CSF GV.OV; SOC 1 Type II; CMMC Level 1; GDPR Art. 30, 24; ISO 27001:2022 A.5.31, A.5.35, A.5.36

  • Governance, Risk & Compliance

Description

A dedicated cybersecurity function led by an accountable CISO operates under a documented program charter aligned to the NIST Cybersecurity Framework. Cybersecurity risk is governed through a recurring executive reporting cadence covering objectives, projects, threats, training, and incidents. A formal IT portfolio-governance process provides regular project status reporting to executive

Framework Alignment: NIST CSF GV.OC, GV.RM, GV.OV; SOC 1 Type II; GDPR Art. 24, 5(2); ISO 27001:2022 A.5.1, A.5.2

  • Governance, Risk & Compliance

Description

A complete cybersecurity policy suite (information security, access management, vulnerability and patch management, data classification, and more) is maintained and reviewed at least annually. Policy exceptions follow a formal request, approval, and tracking workflow with a documented audit trail. Standards of conduct are enforced through a formal disciplinary process.

Framework Alignment: NIST CSF GV.PO; GDPR Art. 24, 5(2); ISO 27001:2022 A.5.1, A.5.37

  • Governance, Risk & Compliance

Description

The cybersecurity program undergoes a formal annual review of governance, control effectiveness, maturity, and compliance. Security objectives are established, tracked, and formally reviewed on an annual cycle. An independent third-party program review periodically assesses effectiveness and improvement opportunities.

Featured Alignment: NIST CSF GV.OV, ID.IM; GDPR Art. 32(1)(d), 24; ISO 27001:2022 A.5.35 (Cl. 9-10)

  • Governance, Risk & Compliance

Description

All employees participate in an ongoing security awareness program, including short-form monthly training and quarterly instructor-led sessions, supplemented by a dedicated new-hire onboarding track. Training content is risk-aligned, with targeted material for higher-risk audiences such as executives and finance. Recurring phishing simulations are conducted, with engagement reinforced by linking simulation

Featured Alignment: NIST CSF PR.AT; CIS Control 14; GDPR Art. 32, 39; ISO 27001:2022 A.6.3

  • Governance, Risk & Compliance

Description

Use of artificial intelligence is governed by an AI governance and acceptable-use policy, with organizational guidance covering acceptable use and the handling of sensitive data. Generative-AI access is provided through a managed enterprise account, and any new AI tool or product is evaluated and approved by a dedicated committee before

Featured Alignment: NIST CSF GV.PO; NIST AI RMF (Govern, Manage); GDPR Art. 5, 32; ISO 27001:2022 A.5.10

  • Identity & Access Management

Description

System access is governed by access-management and least-privilege policies enforcing least privilege and role-based access control. Administrative privileges require documented justification with manager and security approval. Access rights are reviewed and recertified periodically, including annual access reviews for in-scope systems.

Framework Alignment: NIST CSF PR.AA; CIS Control 5, 6; CMMC Level 1 (AC); SOC 1 Type II; GDPR Art. 32; ISO 27001:2022 A.5.15, A.5.18, A.8.3

  • Identity & Access Management

Description

Multi-factor authentication (MFA) is enforced enterprise-wide, including all remote and privileged access. Highly privileged roles use just-in-time privileged access with phishing-resistant hardware security keys. MFA exceptions are governed and tracked through conditional-access policies.

Featured Alignment: NIST CSF PR.AA; CIS Control 6; CMMC Level 1 (IA); GDPR Art. 32; ISO 27001:2022 A.8.5, A.5.17

The controls described in this portal are part of Odyssey Logistics’ security program and are in place across the organization. Across a large environment of modern and legacy systems, implementation may vary by application, and some legacy systems may not yet include every component described. These controls are our organizational standard and continue to be extended across the environment.
