8.1 Review and Update Schedule

a. Annual Review: The WISP will be reviewed at least annually by the Information Security Officer, in collaboration with relevant departments, to ensure that it aligns with current business objectives, technology infrastructure, and legal requirements, especially considering the cross-border nature of the services.

b. Following Significant Changes: Any significant changes to business operations, technology, laws, or regulations that may affect the security of information shall trigger an immediate review of the WISP. This includes changes to IRS requirements or regulations related to remote staffing in either South America or the United States.

c. Quarterly Security Assessments: Quarterly security assessments will be conducted to evaluate the effectiveness of current security measures. These assessments will include penetration testing, vulnerability scans, and a review of access controls, particularly focusing on remote access given the nature of the business.

d. Documentation and Reporting: All reviews, updates, and security assessments shall be fully documented. Any modifications to the WISP must be approved by the Information Security Officer and communicated to all relevant personnel.

e. Third-Party Review: Considering the cross-border operation and the potential legal complexity, an independent third-party review of the WISP may be conducted every two years or as required by regulations.

f. Employee Training Updates: Following any update or change to the WISP, all employees, including remote staff, will be retrained or briefed on the changes as they apply to their roles and responsibilities within the company.

g. Client Communication: Any significant changes to the WISP that affect client data or operations shall be communicated to the U.S. based Accounting Firms in a timely manner, following the established communication protocol.