Data Security Policy
Dr. Nolyn Johnson LLC · Effective Date: May 20, 2026 · www.drnolyn.com
Dr. Nolyn Johnson LLC takes data security seriously. As a cybersecurity consulting firm, we hold ourselves to a high standard in protecting the personal, organizational, and confidential information entrusted to us by clients, website visitors, Academy participants, and partners.
1. Scope
This Policy applies to all data collected, processed, or stored in connection with:
- Website operations at www.drnolyn.com
- Client engagement and vCISO service delivery
- Cybersecurity awareness training programs
- Book sales and digital product delivery
- DNJ Cyber Academy program administration
- Internal business operations
2. Data Classification
- Tier 1, Confidential: Client security assessments, risk registers, incident response plans, contractual data. Highest protection controls.
- Tier 2, Internal: Business operational data, staff information, financial records. Standard access controls and encryption.
- Tier 3, Public: Marketing content, published books, publicly available website content. Minimal restrictions.
3. Technical Security Controls
Encryption
- All data transmitted to and from our website is encrypted using TLS 1.2 or higher (HTTPS)
- Confidential client documents are encrypted at rest using AES-256 encryption
- Email communications containing sensitive information use encrypted channels
- Digital products are delivered via secured, tokenized download links
Access Controls
- Role-based access control (RBAC) limits data access to authorized personnel only
- Multi-factor authentication (MFA) required for all systems containing client or personal data
- Principle of least privilege — personnel access only data required for their role
- Access credentials are unique per individual; shared passwords are prohibited
- Access is reviewed and revoked promptly upon personnel separation
Endpoint Security
- All business devices run current, licensed endpoint protection software
- Operating systems and software are kept current with security patches
- Device encryption enabled on all laptops and mobile devices
- Remote wipe capability maintained for lost or stolen devices
4. Incident Response
- Step 1, Detection: Affected systems isolated. Escalated to principal within 1 hour.
- Step 2, Assessment: Scope and impact assessed within 24 hours.
- Step 3, Notification: Affected individuals notified within 72 hours per TN law and GDPR Art. 33.
- Step 4, Remediation: Root cause analysis and corrective actions within 30 days.
5. Client Data (vCISO Engagements)
- Client data is segregated and never commingled with other client data
- Confidentiality terms are governed by the signed engagement agreement
- Client security documents stored in encrypted, access-controlled repositories
- Client data returned or securely destroyed within 30 days of engagement termination
- No client data is used for marketing, research, or any purpose outside the engagement scope
6. Payment Security
We do not store credit card numbers, bank account information, or payment credentials on our systems. All payment processing is handled by PCI-DSS compliant third-party processors (Stripe and/or PayPal). The Company never has access to full payment card numbers.
7. Compliance Framework Alignment
- NIST CSF
- NIST SP 800-53
- ISO/IEC 27001
- TN Identity Theft Act
- CCPA
- GDPR
8. Policy Review
This Policy is reviewed annually and updated as needed. The current version is always available at www.drnolyn.com/data-security. Last reviewed: May 20, 2026.
9. Report a Security Concern
Security Contact — Dr. Nolyn Johnson LLC
5865 Ridgeway Center Parkway, Suite 300, Memphis, TN 38120
1-844-DRNOLYN (1-844-376-6596)
njohnson@drnolyn.com
For responsible disclosure of security vulnerabilities, email with subject line "Security Disclosure" and allow 30 days for investigation before public disclosure.