Information Security Policy

Object and Field of Application

Establish the Information Security Policies that provide direction for the management and support of information security, in accordance with the business requirements of the entity and with the applicable legislation and regulations, and define the scope of the ISMS.

This procedure will be applied to all personnel involved in the development, implementation, and maintenance of the Information Security Management System.

Responsibilities

It is the responsibility of the Company’s Management to establish the Information Security goals that guarantee a controlled environment, both for the company itself and to honour what has been agreed with its clients, thus assuming its corporate responsibility.

It is the responsibility of the Information Security Management Committee to review the Information Security Policies once a year; the person in charge of the ISMS will verify that the review is carried out.

Information Security Users will be responsible for assuming and complying with the Security Policies.

Development

To implement an ISMS in practice it is necessary to:

  1. Determine the scope of the ISMS in terms of the business, the company, its location, its assets and its technology.
  2. Set a Security Policy.
  3. Identify, analyze, and evaluate risks.
  4. Select risk treatment alternatives (PTR) and apply the appropriate controls.

THE INFORMATION SECURITY POLICY SHOULD CONTAIN THESE STATEMENTS:

  • Definition of information security.

Information security is understood as the set of preventive and reactive measures that make it possible to safeguard and protect information. In other words, it comprises all the usage policies and measures that govern the handling of the data used in an organization.

  • Information security objectives or the framework for establishing information security objectives.

The information security objectives are the needs that the organization intends to satisfy, to ensure the integrity, confidentiality, availability and secure accessibility of the information and its own data and that of third parties.

  • Principles to guide all activities related to information security.

The fundamental principles of security in the handling of information are:

  • Availability: Property or characteristic of assets consisting of authorized entities or processes having access to them when required.
  • Integrity: Property or characteristic that the information asset has not been altered in an unauthorized manner.
  • Confidentiality: Property or characteristic that information is neither made available nor disclosed to unauthorized individuals, entities or processes.
  • Authenticity: Property or characteristic that an entity is who it claims to be, or that the source from which the data comes is guaranteed.
  • Traceability: Property or characteristic consisting in that the actions of an entity can be attributed exclusively to said entity.

  • Commitment to satisfy the applicable requirements related to information security.

Top management must establish an information security policy that:

  • Is appropriate to the purpose of the organization.
  • Includes information security objectives or provides the framework for establishing information security objectives.
  • Includes the commitment to comply with the applicable requirements that are related to information security.
  • Includes the commitment to continuous improvement of the Information Security Management System.

The information security policy must:

  1. Be available as documented information.
  2. Be communicated within the company.
  3. Be available to interested parties.

  • Commitment to continuous improvement of the information security management system.

The top management of the organization must lead the implementation of the ISMS and demonstrate its commitment to it by making sure that the policies and objectives of the ISMS are established and integrated with the processes of the organization.

  • Assignment of responsibilities for information security management to defined roles.

The responsibilities of these roles in terms of information security will be the following: prepare, promote and maintain the information security policy; prepare the risk plan and possible solutions to mitigate the threats; and propose new objectives in terms of information security.

  • Procedures for the use of exemptions and exceptions.


INFORMATION SECURITY MANAGEMENT GUIDELINES

The goal is to provide guidance and support for information security management in accordance with business requirements, relevant laws and regulations.

These policies manage the security of the company’s information from the highest management level of the organization, establishing a framework to control the implementation of the ISMS, the approval of the security policy, and its distribution to employees, suppliers, customers and, ultimately, to all interested parties, whether internal or external to the organization.

The information security policy is defined and approved by Management and must take into account the characteristics of the business, the contractual requirements signed with clients, as well as the most relevant legislation that affects the Information Security Management System.

  • INFORMATION SECURITY POLICIES

A set of information security policies must be defined, approved by Management, published and communicated to employees and relevant external parties.

All information security policies that are implemented have been previously approved by the organization’s Management.

The information security policies are communicated to the personnel through the intranet while, for the interested parties, the communication of the policies is carried out through the corporate website and, in some cases by email or by means of a release.

Corporate Information Security Policy

Information is a fundamental asset for the Company’s provision of its services and for efficient decision-making, which is why there is an express commitment to protect its most significant properties as part of a strategy aimed at business continuity, risk management and the consolidation of a security culture.

Aware of its current needs, the Company has implemented an Information Security Management System as the tool that allows it to identify and minimize the risks to which the information is exposed, establishes a security culture and guarantees compliance with current legal and contractual requirements and with the other requirements of our clients and interested parties.

A fundamental point of the policy is the implementation, operation and maintenance of an ISMS based on ISO 27001.

Basic aspects of the information security policy:

  • Ensure confidentiality, integrity, availability, authenticity and traceability of information.
  • Comply with all applicable legal requirements.
  • Have a continuity plan that allows the Company to recover from a disaster in the shortest possible time.
  • Train and educate all employees on information security.
  • Properly manage all incidents that occur.
  • All employees are informed of their security roles and obligations and are responsible for complying with them.
  • Communicate to all internal personnel and everyone who works on the Company’s behalf, including contractors and visitors to our facilities, that compliance with this Policy is mandatory.
  • There is a security officer in charge of the organization’s information security management system (ISMS).
  • Continuously improve the ISMS and, therefore, the security of the organization’s information.

The objectives of this Policy will be:

  • Ensure that information assets receive an appropriate level of protection.
  • Classify the information to indicate its sensitivity and criticality.
  • Define levels of protection and special treatment measures according to their classification.

This Policy applies to all information managed in the Company, whatever the medium it is on.

The owners of the information are in charge of classifying it according to its degree of sensitivity and criticality, documenting and keeping the classification carried out updated, and defining the functions that must have access permissions to the information.

The Information Security Manager is in charge of ensuring that the security requirements established according to the criticality of the information being processed are taken into account in the use of information technology resources.

Each Information Owner will supervise that the information classification and labeling process of their department is completed in accordance with the provisions of this Policy.

Staff Security Policy

The objectives of controlling the security of personnel are:

  • Reduce the risks of human error, commission of illegal acts, inappropriate use of facilities and resources, and unauthorized handling of information.
  • Explain the responsibilities in terms of security during the personnel recruitment stage, include them in the agreements to be signed, and verify their compliance during the performance of the employee’s tasks.
  • Ensure that users are aware of information security threats and concerns, and are trained to support the Company’s Information Security Policy in the course of their normal duties.
  • Establish confidentiality commitments with all personnel and with users external to the information processing facilities.
  • Establish the necessary tools and mechanisms to promote the communication of existing weaknesses in terms of security, as well as incidents that have occurred, in order to minimize their effects and prevent their recurrence.

This Policy applies to all Company personnel and external personnel performing tasks within the scope of the Company.

The Human Resources Department will include functions related to information security in employee job descriptions, will raise awareness, inform, and train all incoming personnel of their obligations regarding compliance with the Information Security Policy, will manage the Confidentiality Commitments with the staff and will coordinate the user training tasks regarding this Policy.

The Information Security Manager is in charge of monitoring, documenting and analyzing reported security incidents, as well as their communication to the Information Security Committee and the owners of the information.

The Information Security Committee will be responsible for implementing the means and channels necessary for the Information Security Manager to handle reports of incidents and system anomalies. Likewise, said Committee will be aware of, will monitor the investigation, will control the evolution and will promote the resolution of incidents related to information security.

The Information Security Manager will participate in the preparation of the Confidentiality Commitment to be signed by employees and third parties who carry out functions in the Company, in advising on the sanctions to be applied for non-compliance with this Policy, and in the handling of information security incidents.

All Company personnel are responsible for reporting weaknesses and information security incidents that are detected in a timely manner.

Physical and Environmental Security Policy

Physical and Environmental Security is developed through the Management Systems implemented:

  • Information Security Management System in accordance with ISO 27001

The objectives of said Management Systems are:

  1. Prevent and impede unauthorized access, damage and interference to the headquarters, facilities and information of the Company.
  2. Protect the Company’s critical information processing equipment by locating it in protected areas guarded by a defined security perimeter, with appropriate security measures and access controls. Likewise, provide for the protection of that equipment during its transfer and stay outside the protected areas, for maintenance or other reasons.
  3. Control environmental factors that could harm the proper functioning of the computer equipment that houses the Company’s information.
  4. Implement measures to protect the information handled by the staff in the offices, in the normal framework of their usual tasks.
  5. Provide protection proportional to the identified risks.

This Policy applies to all physical resources related to the Company’s information systems: facilities, equipment, cabling, files, storage media, etc.

The Head of Information Security will define, together with the Head of the Technical Department and the Information Owners, as appropriate, the physical and environmental security measures for the protection of critical assets, based on a risk analysis, and will control their implementation. Likewise, the Head of Information Security will verify compliance with the provisions on physical and environmental security indicated in the Security Management Systems for the Supply and Environmental Chain.

The Head of the Technical Department will assist the Head of Information Security in defining the security measures to be implemented in protected areas, and will coordinate their implementation. Likewise, the Head of the Technical Department will control the maintenance of computer equipment according to the indications of suppliers, both inside and outside the Company’s facilities.

The Heads of the different Departments will define the levels of physical access of the Company’s personnel to the restricted areas under their responsibility. The Owners of the Information will formally authorize the work outside the facilities with information of their concern to the employees of the Company when they deem it convenient.

All Company personnel are responsible for compliance with the clean screens and desks policy, for the protection of information related to daily work in the offices.

Communications and Systems Management Policy

The objectives of communications and systems management are:

  • Guarantee the correct and secure operation of the computer and communications facilities and systems.
  • Establish responsibilities and procedures for their management, including operating instructions, incident response procedures and separation of duties.

Each Information Owner, together with the Information Security Manager and the Technical Department Manager, will determine the requirements to protect the information for which they are responsible. Likewise, the Information Owner will approve the courier services authorized to transport the information when required, according to its level of criticality.

Information Systems Access Control Policy

Controlling access to information systems has the following objectives:

  1. Prevent unauthorized access to information systems, databases and information services.
  2. Implement security in user access through authentication and authorization techniques.
  3. Control security in the connection between the Company’s network and other public or private networks.
  4. Record and review events and critical activities carried out by users in the systems.
  5. Make users aware of their responsibility regarding the use of passwords and equipment.
  6. Ensure information security when using laptops and personal computers for remote work.

Systems Development and Maintenance Policy

The objectives of security in the development and maintenance of systems are:

  • Ensure the inclusion of security controls and data validation in the development of computer systems.
  • Define and document the rules and procedures that will be applied during the life cycle of the applications and in the basic infrastructure on which they are supported.
  • Define the methods of protection of critical or sensitive information.

This Policy applies to all computer systems, whether developed in-house or by third parties, and to all Operating Systems and/or Software that make up any of the environments managed by the Company.

The Information Security Manager together with the Information Owner will define the controls to be implemented in the systems developed internally or by third parties, based on a prior risk assessment.

The Information Security Manager, together with the Information Owner, will define the protection requirements through cryptographic methods based on the criticality of the information. Then, the Head of Information Security will define, together with the Head of the Technical Department, the encryption methods to be used.

Policy for the Administration of Business Continuity

The objectives of security in the administration of the continuity of the Company’s activities are:

  • Minimize the effects of possible interruptions to the normal activities of the Company (whether these are the result of natural disasters, accidents, equipment failures, deliberate actions or other events) and protect critical processes through a combination of preventive controls and recovery actions.
  • Analyze the consequences of service interruption and take the corresponding measures to prevent similar events in the future.
  • Maximize the effectiveness of the Company’s contingency operations by establishing plans that include at least the following stages:
    • Notification / Activation: Consisting of the detection and determination of the damage and the activation of the plan.
    • Resumption: Consisting of the temporary restoration of operations and recovery of the damage produced to the original system.
    • Recovery: Consisting of restoring the system’s process capabilities to normal operating conditions.
  • Ensure coordination with Company personnel and external contacts who will participate in contingency planning strategies, and assign functions for each defined activity.

The Information Security Manager will actively participate in the definition, documentation, testing and updating of contingency plans. The Information Owners and the Information Security Manager will fulfill the following functions:

  • Identify threats that may cause interruptions to Company processes or activities.
  • Assess risks to determine the impact of such interruptions.
  • Identify preventive controls.
  • Develop a strategic plan to determine the global approach with which the continuity of the Company’s activities will be addressed.
  • Prepare the necessary contingency plans to guarantee the continuity of the Company’s activities.

  • REVIEW OF POLICIES FOR INFORMATION SECURITY

Information security policies should be reviewed at planned intervals, or whenever significant changes occur, to ensure that they remain adequate.

Each Department Manager will ensure the correct implementation of, and compliance with, the established information security standards and procedures within their area of responsibility.

The Information Security Manager will carry out periodic reviews of all areas of the Company in order to guarantee compliance with information security policies, standards and procedures. Areas to review include:

  1. Information systems.
  2. System providers.
  3. Owners of information.
  4. Users.

The Information Owners will support the periodic review of compliance with applicable information security policies, standards, procedures and other requirements.

Signed: Direction

Last review: 19/07/2023
