AI Governance & Acceptable Use
- Use of artificial intelligence is governed by an AI governance and acceptable-use policy, with organizational guidance covering acceptable use and the handling of sensitive data.
- Generative-AI access is provided through a managed enterprise account, and any new AI tool or product is evaluated and approved by a dedicated committee before adoption.
- A structured AI enablement program provides user awareness, training, use-case evaluation, and formal instruction on appropriate and effective use of generative-AI tools.
Featured Alignment: NIST CSF GV.PO; NIST AI RMF (Govern, Manage); GDPR Art. 5, 32; ISO 27001:2022 A.5.10
Approved
Annual Program Review & Continuous Improvement
- The cybersecurity program undergoes a formal annual review of governance, control effectiveness, maturity, and compliance.
- Security objectives are established, tracked, and formally reviewed on an annual cycle.
- An independent third-party program review periodically assesses effectiveness and improvement opportunities.
Featured Alignment: NIST CSF GV.OV, ID.IM; GDPR Art. 32(1)(d), 24; ISO 27001:2022 A.5.35 (Cl. 9-10)
Approved
Established Security Program & Executive Governance
- A dedicated cybersecurity function led by an accountable CISO operates under a documented program charter aligned to the NIST Cybersecurity Framework.
- Cybersecurity risk is governed through a recurring executive reporting cadence covering objectives, projects, threats, training, and incidents.
- A formal IT portfolio-governance process provides regular project status reporting to executive leadership.
Framework Alignment: NIST CSF GV.OC, GV.RM, GV.OV; SOC 1 Type II; GDPR Art. 24, 5(2); ISO 27001:2022 A.5.1, A.5.2
Approved
Independent Audits & Regulatory Mapping
- A formal risk register and risk-exception workflow document, own, and track risks, which are reviewed in recurring leadership reporting.
- Risk is assessed against the NIST Cybersecurity Framework, with a documented baseline and a prioritized remediation roadmap.
- The risk-management program defines roles, responsibilities, and risk strategy, and incorporates third-party risk management.
Framework Alignment: NIST CSF GV.RM, ID.RA; GDPR Art. 35, 24; ISO 27001:2022 Cl. 6.1
Approved
Security Awareness & Training
- All employees participate in an ongoing security awareness program, including short-form monthly training and quarterly instructor-led sessions, supplemented by a dedicated new-hire onboarding track.
- Training content is risk-aligned, with targeted material for higher-risk audiences such as executives and finance.
- Recurring phishing simulations are conducted, with engagement reinforced by linking simulation performance to performance incentives.
Featured Alignment: NIST CSF PR.AT; CIS Control 14; GDPR Art. 32, 39; ISO 27001:2022 A.6.3
Approved
Security Policy Framework & Exception Management
- A complete cybersecurity policy suite (information security, access management, vulnerability and patch management, data classification, and more) is maintained and reviewed at least annually.
- Policy exceptions follow a formal request, approval, and tracking workflow with a documented audit trail.
- Standards of conduct are enforced through a formal disciplinary process.
Framework Alignment: NIST CSF GV.PO; GDPR Art. 24, 5(2); ISO 27001:2022 A.5.1, A.5.37
Approved
For additional information and documentation, please submit a request.
The controls described in this portal are part of Odyssey Logistics’ security program and are in place across the organization. Across a large environment of modern and legacy systems, implementation may vary by application, and some legacy systems may not yet include every component described. These controls are our organizational standard and continue to be extended across the environment.