Text approved on November 25, 2017 by the Quality and Safety Committee. This Security Policy is effective from the date above until it is replaced by a new one.
This text cancels the previous one, which was approved on November 23, 2015 by the Management Committee.
DESIMPLEX depends on IT (Information Technology) systems to achieve its objectives. These systems must be diligently administered, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising the daily activity, and reacting promptly to incidents.
IT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure continued service delivery. This implies that the departments within the scope must apply the minimum security measures required in this document, as well as continuously monitor the levels of service delivery, follow and analyze the reported vulnerabilities, and prepare an effective response to incidents to guarantee the continuity of the services provided.
Departments within scope must be prepared to prevent, detect, react to, and recover from incidents.
All DESIMPLEX departments must avoid, or at least prevent as far as possible, information or services being damaged by security incidents. For this, the departments must implement the minimum security measures determined in this document, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.
To ensure compliance with the policy, departments within scope must:
Since services can degrade rapidly as a result of incidents, ranging from a simple slowdown to a complete stop, departments must continuously monitor operations to detect anomalies in service levels and act accordingly, as established in the controls on Operations Security.
Monitoring is especially relevant when establishing baselines. To achieve this, detection, analysis, and reporting mechanisms will be established that reach those responsible on a regular basis and whenever there is a significant deviation from the parameters that have been preset as normal.
Departments within scope must:
To ensure the availability of critical services, departments within scope should develop IT systems continuity plans as part of their overall business continuity plan and recovery activities.
For information systems residing in:
according to the current applicability statement.
DESIMPLEX's mission is to solve the automation of information as an asset of organizations, understood in a broad sense.
DESIMPLEX strives to comply with all the legislation applicable to its activity, whether general in nature (Commercial Code, Civil Code, etc.) or specific, as well as the laws of the countries where it operates, concerning:
The Quality and Safety Committee will be made up of the Financial Director and the Regional Director, who may be permanently or sporadically assisted by external consultants.
The Secretary of the Quality and Safety Committee will be the Manager of each office (or the person to whom the Manager delegates) and will be responsible for preparing the meetings, disseminating their results, and monitoring the agreements reached.
The Quality and Safety Committee will report to the Management Committee.
The Quality and Safety Committee will have the following functions:
The Chief Financial Officer of DESIMPLEX assumes the role of Head of the Security System.
The functions of the Head of Information Security are as follows:
The Head of Information Security will be appointed by the Management Committee at the proposal of the Quality and Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant.
The mission of the Quality and Security Committee will be the annual review of this Information Security Policy and the proposal for its revision or maintenance. The Policy will be approved by the Management Committee and disseminated so that all affected parties know it.
DESIMPLEX processes personal data. The Security Document, to which only authorized persons will have access, lists the affected files and their corresponding managers. All DESIMPLEX information systems will comply with the security levels required by regulations for the nature and purpose of the personal data recorded in the aforementioned Security Document.
All systems subject to this Policy must carry out a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be reviewed:
Risk analyses will always be carried out following the same methodology, which will be defined by procedure.
This Information Security Policy complements DESIMPLEX's policies on Quality and the Environment.
The Security Policy will be developed through security regulations that address specific aspects. The security regulations will be available to all members of the organization who need to know them, in particular those who use, operate, or administer the information systems.
The security regulations will be available on the DESIMPLEX website.
All DESIMPLEX workers must know this Information Security Policy, which is mandatory within the identified scope; it is the responsibility of the Quality and Security Committee to arrange the necessary means so that the information reaches those affected.
A continuous awareness program will be established to serve all DESIMPLEX members, in particular newcomers.
Persons with responsibility for the use, operation, or administration of IT systems within scope will receive training in the safe handling of systems as needed to do their job. Training will be compulsory before assuming responsibility, whether it is their first assignment or a change of job or responsibilities within it.
Third parties related to DESIMPLEX within the scope sign an agreement with the company that protects the information exchanged.
When DESIMPLEX uses third-party services or transfers information to third parties, those third parties will participate in this Security Policy. Such a third party shall be subject to the obligations established in this Policy, and may develop its own operating procedures to satisfy it.
When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Manager will be required, specifying the risks incurred and the way to treat them. Approval of this report will be required by those responsible for the information and services affected before proceeding.