Skip to Content

Data Protection Policy (RS-SEC-01)

Rosco’s Security, LLC

Effective Date: 11/05/2025

Version: RS-SEC-01

Approved By: Daniel Gainza 

PurposeScope Data Handling Principles Access Credentials & Authorization Control    Remote Access Security   Video Data Sensitivity     Device & Network Security   Incident Response Client Ownership of Data   Policy Violations  

Purpose

The purpose of this policy is to ensure that Rosco’s Security protects all customer data, system access credentials, video footage, and personally identifiable information (PII) with the highest level of confidentiality, integrity, and security.

This policy supports legal compliance and professional standards within the physical security and IT systems industry.

Scope

This policy applies to:

  • All Rosco’s Security employees and subcontractors

  • All customer-owned security systems under our service or installation

  • Data collected, transmitted, stored, or accessed by Rosco’s Security for:

    • Surveillance systems

    • Access control systems

    • Network security appliances

    • Remote support tools and portals  

Data Handling Principles

Rosco’s Security adheres to the following principles:

Protection Objective

Actions

Confidentiality

Only authorized personnel may access system data.

Integrity

Data must remain accurate and protected against unauthorized changes.

Availability

Access must be preserved for properly authorized clients.

Customer data must never be shared with third parties without written authorization.

Access Credentials & Authorization Control 

  • Administrative credentials must be secured and never emailed in plain text

  • Password changes performed by Rosco’s Security will be documented and delivered securely

  • Credentials will only be shared with client-designated authorized contacts

  • Any credential resets or privilege changes require:

    • Written request and

    • Identity verification of an authorized client representative


  Remote Access Security

  • When remote access is enabled:
    • VPN, encrypted cloud access, or secure remote tools must be used

    • Direct exposure of devices to public internet must be avoided or minimized

    • Multi-factor authentication (MFA) will be used whenever supported

  • Remote access may be disabled if security vulnerabilities are identified.

  Video Data Sensitivity  

    • Video surveillance data may contain sensitive operational information, or proprietary activities

    • Video exports are restricted to authorized client contacts

    • Chain-of-custody procedures apply when footage is provided for legal or investigative purposes

  • Retention limits are defined during installation and must be acknowledged by the client

  Device & Network Security

      • All devices delivered or configured must operate with latest stable firmware
      • Default passwords must be replaced with secure passphrases

      • Systems must be designed to prevent unauthorized network access (VLANs, firewalls, etc.)
    • System logs may be reviewed for diagnostics and cyber security responses

  Incident Response

      • Security incidents affecting customer data are escalated immediately to Operations Management and documented.
      • Clients will be notified promptly if:
        • Data breach is suspected or confirmed

        • Unauthorized access attempts are detected

        • A vulnerability is found that requires urgent mitigation

Client Ownership of Data  

      • Clients retain full ownership of:
        • Recorded video

        • Access logs

        • Credential databases

        • System configurations

      • Rosco’s Security accesses this information only as required for service or support.

Policy Violations  

      • Any employee or subcontractor who violates this policy may face disciplinary action and removal from projects.
      • If client data exposure results from negligence or unauthorized disclosure, additional legal measures may be pursued.