Information Security Policy Example | PDF | Information Security | Computer Security
Information Security Policy Example

The information security policy establishes that information must always be protected, whether in printed form, stored electronically or transmitted. It defines information security as the protection of information against a wide range of threats to ensure business continuity and minimize risks. In addition, it establishes objectives such as understanding and addressing information security risks, protecting the confidentiality of client information and the principles that all staff will be responsible for the

Information security policy

1. Policy summary : Information must always be protected, regardless of how it is
shared, communicated or stored.
2. Introduction :
1. Information can exist in various forms: printed or written on paper,
stored electronically, transmitted by mail or electronic means, displayed
in projections or orally in conversations.
2. Information security is the protection of information against a wide range
of threats in order to ensure business continuity, minimize business risks
and maximize return on investments and business opportunities.
3. Scope :
1. This policy supports the organization's overall Information Security
Management System policy.
2. This policy is for consideration by all members of the organization.
4. Information security objectives :
1. Understand and treat operational and strategic risks in information
security so that they remain at acceptable levels for the organization.
2. Protection of the confidentiality of information related to clients and
development plans.
3. Preservation of the integrity of accounting records.
4. Publicly accessible Web services and internal networks meet the required
availability specifications.
5. Understand and cover the needs of all interested parties.
5. Information security principles :
1. This organization takes a risk-based approach and tolerates those risks that,
based on the information available, are understood, controlled and treated
when necessary. The details of the methodology adopted for risk
assessment and its treatment are described in the ISMS policy.
2. All personnel will be informed and responsible for the security of
information, as relevant to the performance of their work.
3. Financing will be available for the operational management of controls
related to information security and the management processes for their
implementation and maintenance.
4. Possible fraud arising from the misuse of information systems will be taken
into account within the overall management of information systems.
5. Regular reports with information on the security situation will be made
available.
6. Information security risks will be monitored and relevant measures will
be adopted when there are changes that imply an unacceptable level of
risk.
7. The criteria for risk classification and acceptance are referenced in the
ISMS policy.
8. Situations that may expose the organization to violation of laws and legal
regulations will not be tolerated.
6. Responsibilities :
1. The management team is responsible for ensuring that information
security is appropriately managed throughout the organization.
2. Each manager is responsible for ensuring that people working under his
or her control protect information in accordance with standards
established by the organization.
3. The security manager advises the management team, provides
specialized support to the organization's staff and ensures that
information security status reports are available.
4. Each staff member has the responsibility of maintaining information
security within their work-related activities.
7. Key indicators :
1. Information security incidents will not result in serious and unexpected
costs, or serious disruption of services and business activities.
2. Losses due to fraud will be detected and will remain within acceptable
levels.
3. Customer acceptance of products or services will not be adversely
affected by information security issues.
8. Related Policies : The following are policies that provide principles and
guidance on specific aspects of information security:
1. Information Security Management System (ISMS) Policy.
2. Physical access control policy.
3. Workplace cleaning policy.
4. Unauthorized software policy.
5. File download policy (external/internal network).
6. Backup policy.
7. Information exchange policy with other organizations.
8. Policy for the use of messaging services.
9. Records retention policy.
10. Policy on the use of network services.
11. Policy for the use of computing and communications in mobility.
12. Teleworking policy.
13. Policy on the use of cryptographic controls.
14. Legal provisions compliance policy.
15. Software license use policy.
16. Data protection and privacy policy.

At a lower level, the information security policy must be supported by other topic-
specific standards or procedures that further enforce the application of information
security controls. These are typically structured to address the needs of particular groups
within an organization or to cover certain topics.
Examples of these topic-specific policies include:

1. Access control.
2. Classification of information.
3. Physical and environmental security.

And more directly aimed at users:

1. The acceptable use of assets.


2. Clean desktop and clear screen.
3. The transfer of information.
4. Mobile devices and teleworking.
5. Restrictions on software installation and use.
6. Backup.
7. The transfer of information.
8. Protection against malware.
9. The management of technical vulnerabilities.
10. Cryptographic controls.
11. Security communications.
12. Privacy and protection of personally identifiable information.

These policies/rules/procedures must be communicated to employees and external
interested parties. The need for internal information security standards varies
depending on the organization.

When some information security standards or policies are distributed outside the
organization, care must be taken not to reveal confidential information. Some
organizations use other terms for these policy documents, such as standards, guidelines
or rules.

All these policies must support the identification of risks: the controls they provide
serve as a reference point against which deficiencies in the design and implementation of
systems can be identified. They must also support the treatment of risks, by helping to
identify appropriate treatments for the vulnerabilities and threats that are found.

This identification and treatment of risks are part of the processes defined in the
Principles section within the security policy or, as referenced in the example, they are
usually part of the ISMS policy itself, as seen below.

ISMS Policy
In view of their importance for the correct operation of business processes,
information systems must be adequately protected.

Reliable protection allows the organization to better pursue its interests and
efficiently meet its information security obligations. Inadequate protection
affects the general performance of a company and can negatively affect its image,
reputation and the trust of clients, as well as that of the investors who place their trust
in the strategic growth of our activities at an international level.

The goal of information security is to ensure business continuity in the
organization and minimize the risk of damage by preventing security incidents, as
well as reducing their potential impact when they are unavoidable.

To achieve this objective, the organization has developed a risk management
methodology that allows us to regularly analyze the degree of exposure of our
important assets to those threats that may take advantage of certain vulnerabilities and
cause adverse impacts on the activities of our personnel or on important processes of
our organization.

The success of this methodology is based on the experience and
contribution of all employees in security matters, and on the communication of
any relevant consideration to their direct managers in the semi-annual meetings
established by management, with the aim of identifying possible changes in protection levels
and evaluating the most cost-effective risk management options at all times, as
appropriate to each case.

The principles presented in the security policy that accompanies this policy were
developed by the information security management group in order to ensure that
future decisions are based on preserving the confidentiality, integrity and
availability of the organization's relevant information. The organization relies on
the collaboration of all employees in the application of the proposed security policies
and directives.

Compliance with the requirements of these principles is determined by the daily use
of computers by staff, together with an inspection process to confirm that they are
respected and complied with by the entire organization. In addition to this policy, and the
organization's security policy, there are specific policies for different activities.

All current security policies will remain available on the organization's intranet
and will be updated regularly. Access is direct from all workstations connected to the
organization's network and through a mouse click from the main Web page in the
Information Security section. The objective of the policy is to protect the
organization's information assets against all internal and external threats and
vulnerabilities, whether occurring deliberately or accidentally.

The company's executive management is responsible for approving an
information security policy that ensures that:

1. The information will be protected against any unauthorized access.
2. The confidentiality of information is preserved, especially that related to the personal
data of employees and clients.
3. The integrity of the information will be maintained in relation to the
classification of the information (especially “internal use”).
4. The availability of information meets the relevant times for the development of
critical business processes.
5. The requirements of current legislation and regulations are met, especially with
the Data Protection and Electronic Signature Law.
6. Business continuity plans will be maintained, tested and updated at least
annually.
7. Security training is sufficiently followed and updated for all employees.
8. All events related to information security, real or assumed, will be reported to
the security manager and investigated.

Additionally, there are support procedures that include the specific way in which the
general guidelines indicated in the policies must be undertaken and by the designated
responsible parties.

Compliance with this policy, as well as the information security policy and any
procedure or documentation included within the ISMS documentation repository, is
mandatory and concerns all personnel of the organization.

Visitors and external personnel who access our facilities are not exempt from
compliance with the obligations indicated in the ISMS documentation, and internal
personnel will observe compliance.

In any case of doubt, clarification or for more information about the use of this policy
and the application of its content, please consult by phone or email the person in charge
of the ISMS formally designated in the corporate organizational chart.

Signed Mr./Mrs. xxxxxxx, Executive Director.
