Backup, Recovery & Resilience
- Critical systems and data are backed up with cross-region replication and immutable, encrypted storage.
- Recovery procedures are documented and tested, including periodic recovery testing.
- A disaster recovery plan defines priority applications and recovery objectives (RTO/RPO) and is independently reviewed.
Framework Alignment: NIST CSF RC.RP, PR.IR; CIS Control 11; GDPR Art. 32(1)(c); ISO 27001:2022 A.8.13, A.8.14
Business Continuity
- A business continuity plan aligned to business operations sustains critical functions during disruption, with emphasis on customer awareness and communication.
- Continuity scenarios are exercised through tabletop simulations that evaluate and refine plan and policy material.
- Continuity provisions include alternate work arrangements for affected personnel.
Framework Alignment: NIST CSF RC.RP, PR.IR; CIS Control 11; GDPR Art. 32(1)(b)(c); ISO 27001:2022 A.5.29, A.5.30
Data Classification & Handling
- A data classification policy defines how information is categorized, handled, and shared by value, sensitivity, criticality, and regulatory requirement.
- Access to sensitive data is limited to authorized users through role-based, least-privilege controls.
- Public-facing systems are architected to prevent disclosure of nonpublic information, with review and approval before public release.
Framework Alignment: NIST CSF PR.DS, ID.AM; CIS Control 3; CMMC Level 1 (AC); GDPR Art. 5, 25; ISO 27001:2022 A.5.12, A.5.13
Data Loss Prevention & Email Protection
- A data loss prevention (DLP) capability identifies and helps prevent unauthorized handling of sensitive content, with classification and auto-labeling continuing to roll out.
- Collaboration and file-sharing permissions are managed toward least privilege with external-sharing controls.
- Email is hardened against spoofing and impersonation with authentication controls (DMARC, DKIM, SPF) and automated quarantine.
Framework Alignment: NIST CSF PR.DS; CIS Control 3, 9; GDPR Art. 32; ISO 27001:2022 A.8.12
Encryption at Rest & in Transit
- Data at rest is encrypted with strong, industry-standard algorithms in the central cloud data platform and object storage.
- Data in transit is protected with strong encryption and secure key exchange.
- Encryption keys and certificates are managed securely.
Framework Alignment: NIST CSF PR.DS; CIS Control 3; GDPR Art. 32(1)(a); ISO 27001:2022 A.8.24
Privacy Program & Notification
- Privacy accountability sits at the executive level, with the CIO and CDO serving as the organization's privacy leadership.
- Privacy-incident escalation and notification procedures are defined within the incident response and disaster recovery plans, covering escalation paths and notification obligations.
- A privacy notice is published describing how personal information is collected, used, and protected.
Framework Alignment: NIST CSF GV.OC, GV.RR; GDPR Art. 37-39, 33/34, 12-14; ISO 27001:2022 A.5.34, A.5.31
Secure Disposal & Records Governance
- Media is sanitized or destroyed before disposal or reuse, following NIST SP 800-88 guidance.
- Data retention and deletion are governed by policy, and legal-hold and eDiscovery capabilities support litigation readiness.
- Audit logs are retained in line with regulatory requirements.
Framework Alignment: NIST CSF PR.DS; CIS Control 3; CMMC Level 1 (MP); GDPR Art. 5(1)(e), 17; ISO 27001:2022 A.8.10, A.7.14, A.5.33
For additional information and documentation, please submit a request.
The controls described in this portal are part of Odyssey Logistics’ security program and are in place across the organization. Across a large environment of modern and legacy systems, implementation may vary by application, and some legacy systems may not yet include every component described. These controls are our organizational standard and continue to be extended across the environment.
