THE DESIMPLEX MANAGEMENT RECOGNIZES THE IMPORTANCE OF IDENTIFYING AND PROTECTING YOUR INFORMATION AND THAT OF YOUR CLIENTS, AVOIDING THE UNAUTHORIZED DESTRUCTION, DISCLOSURE, MODIFICATION AND USE OF INFORMATION RELATED TO CUSTOMERS, EMPLOYEES, PRICES, MANUALS, CASE STUDIES, SOURCE CODE, STRATEGY, MANAGEMENT AND OTHER CONCEPTS; WE ARE COMMITTED TO DEVELOPING, IMPLEMENTING, MAINTAINING AND CONTINUOUSLY IMPROVING THE DESIMPLEX SECURITY SYSTEM (SSD).


1. APPROVAL AND IMPLEMENTATION

Text approved on November 25, 2017 by the Quality and Security Committee. This Security Policy is effective from the date above until it is replaced by a new one.

This text cancels the previous one, which was approved on November 23, 2015 by the Management Committee.

2. INTRODUCTION

DESIMPLEX depends on IT (Information Technology) systems to achieve its objectives. These systems must be diligently administered, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the information processed or the services provided.

The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising the daily activity, and reacting promptly to incidents.

IT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure continued service delivery. This implies that the departments within the scope must apply the minimum security measures required in this document, as well as continuously monitor the levels of service delivery, follow and analyze the reported vulnerabilities, and prepare an effective response to incidents to guarantee the continuity of the services provided.

Departments within scope must be prepared to prevent, detect, react to, and recover from incidents.

    2.1. PREVENTION

    All DESIMPLEX departments must prevent, or at least minimize as far as possible, damage to information or services caused by security incidents. For this, the departments must implement the minimum security measures determined in this document, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.

    To ensure compliance with the policy, departments within scope must:

    • Authorize the assets before going into operation.
    • Regularly assess security, including evaluations of routinely made configuration changes.
    • Request a periodic review by third parties in order to obtain an independent evaluation.

    2.2. DETECTION

    Since incidents can degrade services rapidly, ranging from a simple slowdown to a complete stop, departments must continuously monitor operations to detect anomalies in the levels of service provision and act accordingly, as established in the controls on Operations Security.

    Monitoring is especially relevant when establishing baselines. To achieve this, detection, analysis, and reporting mechanisms will be established that reach those responsible regularly, and whenever there is a significant deviation from the parameters that have been preset as normal.

    2.3. RESPONSE

    Departments within scope must:

    • Establish mechanisms to respond effectively to security incidents.
    • Designate contact points for communications regarding incidents detected in other departments.
    • Establish protocols for the exchange of information related to the incident.

    2.4. RECOVERY

    To ensure the availability of critical services, departments within scope must develop IT systems continuity plans as part of their overall business continuity plan and recovery activities.

3. SCOPE

This Policy applies to the information systems supporting the following services:

  1. Physical hosting of third-party servers
  2. Backup management

in accordance with the current Statement of Applicability.

4. MISSION

DESIMPLEX's mission is to solve the automation of information as an asset of organizations, understood in a broad sense.

5. REGULATORY FRAMEWORK

DESIMPLEX strives to comply with all legislation applicable to its activity, whether of a general nature (Commercial Code, Civil Code, etc.) or specific, as well as the laws of the countries where it operates, concerning:

  • Data Protection Act.
  • Information Society and Electronic Commerce Services.

6. SECURITY ORGANIZATION

    6.1. COMMITTEES: DUTIES AND RESPONSIBILITIES

    The Quality and Security Committee will be made up of the Financial Director and the Regional Director, who may be permanently or sporadically assisted by external consultants.

    The Secretary of the Quality and Security Committee will be the Manager of each office (or the person to whom they delegate), and will be responsible for preparing the meetings, disseminating their results, and monitoring the agreements reached.

    The Quality and Security Committee will report to the Management Committee.

    The Quality and Security Committee will have the following functions:

    • a) Coordinate and approve the actions regarding information security.
    • b) Promote the culture of information security.
    • c) Participate in the categorization of systems and risk analysis.
    • d) Review and approve documentation related to system security.
    • e) Resolve discrepancies and problems that may arise in security management.
    6.2. ROLES: FUNCTIONS AND RESPONSIBILITIES

    The Chief Financial Officer of DESIMPLEX assumes the role of Head of Information Security.

    The functions of the Head of Information Security are as follows:

    • Maintain the appropriate level of security of the information handled and the services provided by the systems.
    • Carry out or promote periodic audits to verify compliance with the agreements.
    • Manage or promote training and awareness in IT security.
    • Check that the existing security measures are adequate for the needs of the entity, with the collaboration of the Regional Director.
    • Review, complete and approve all documentation related to system security, with the help of the rest of the Quality and Security Committee.
    • Monitor the security status of the system, using the security event management tools and auditing mechanisms implemented in the system.
    • Support and supervise the investigation of security incidents from notification to resolution, issuing periodic reports on the most relevant ones to the Committee.
    • Coordinate the Technical Security Committee.

    6.3. DESIGNATION PROCEDURES

    The Head of Information Security will be appointed by the Management Committee at the proposal of the Quality and Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant.

    6.4. INFORMATION SECURITY POLICY

    The mission of the Quality and Security Committee will be the annual review of this Information Security Policy and the proposal for its revision or maintenance. The Policy will be approved by the Management Committee and disseminated so that all affected parties know it.

7. PERSONAL DATA

DESIMPLEX processes personal data. The Security Document, to which only authorized persons will have access, lists the affected files and their corresponding managers. All DESIMPLEX information systems will comply with the security levels required by regulations for the nature and purpose of the personal data recorded in the aforementioned Security Document.

8. RISK MANAGEMENT

All systems subject to this Policy must carry out a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be reviewed:

  • regularly, at least once a year.
  • when the information handled changes substantially.
  • when the services provided within the scope change.
  • when a very serious security incident occurs.
  • when very serious vulnerabilities are reported.

Risk analyses will always be carried out following the same methodology, which will be defined in a procedure.

9. DEVELOPMENT OF THE INFORMATION SECURITY POLICY

This Information Security Policy complements DESIMPLEX's policies on Quality and the Environment.

The Security Policy will be developed through security regulations that address specific aspects. These security regulations will be available to all members of the organization who need to know them, in particular those who use, operate, or administer the information systems.

The security regulations will be available on the DESIMPLEX website.

10. OBLIGATIONS OF PERSONNEL

All DESIMPLEX workers must know this Information Security Policy, which is mandatory within the identified scope; the Quality and Security Committee is responsible for arranging the necessary means so that the information reaches those affected.

A continuous awareness program will be established to serve all DESIMPLEX members, in particular newcomers.

Persons with responsibility for the use, operation, or administration of IT systems within scope will receive training in the secure handling of systems as needed to do their job. Training will be compulsory before assuming responsibility, whether it is a first assignment or a change of job or responsibilities within it.

11. THIRD PARTIES

Third parties related to DESIMPLEX within the scope sign an agreement with the company that protects the information exchanged.

When DESIMPLEX uses third-party services or transfers information to third parties, those third parties will be made party to this Security Policy. Said third party shall be subject to the obligations established in this Policy, and may develop its own operating procedures to satisfy it.

When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Head of Information Security will be required, specifying the risks incurred and the way to treat them. Approval of this report by those responsible for the affected information and services will be required before proceeding.


© 2019 Desimplex, S.A.
PH Ocean Business Plaza, piso 13 oficina 1304-05
Ave. Aquilino de La Guardia con calle 47 Marbella, Ciudad de Panamá, Panamá
Email: visualizador@desimplex.com
Tel. +507 368 00 37