Information Security & Database Policy
INFORMATION SECURITY AND DATABASE POLICY MANUAL OF MULTISERVICIOS Y ABOGADOS REYKÚT SAS
INTRODUCTION
MULTISERVICIOS REYKÚT SAS recognizes the importance of the information it manages, as it is one of its most significant assets for its operation. This information can be legal, strategic, financial, operational, and in some cases, may include personal data of clients, suppliers, contractors, and other third parties. Likewise, the company is aware of the threats to information and the consequences the company faces when it lacks adequate security and protection measures. Therefore, the company must have a comprehensive understanding of the digital security risks that can affect the security and privacy of information. This understanding will allow for the establishment of effective, viable, and cross-cutting controls and measures to ensure the availability, integrity, and confidentiality of both business information and the data of clients, suppliers, contractors, and other stakeholders. It is essential that MULTISERVICIOS REYKÚT SAS properly identify, classify, assess, manage, and treat digital security risks that may affect the entity's information, in order to implement effective measures and controls that allow it to be prepared for situations in which the physical and logical security of its facilities, people, resources, and systems, as well as the security of its information, are compromised.
The purpose of this Manual is to establish the guiding principles for security that aim to guarantee the availability, integrity, confidentiality, privacy, continuity, authenticity, and non-repudiation of information belonging to MULTISERVICIOS REYKÚT SAS, as well as to provide guidelines for the application of mechanisms that prevent breaches of information security and privacy, geared towards continuous improvement and high performance of the Information Security Management System. Information security is a priority for the company, and everyone is expected to ensure compliance with the policies established in this document.
1. AIM
To establish the necessary guidelines in order to strengthen the Information Security and Privacy Management of MULTISERVICIOS REYKÚT SAS, framed within the implementation of an Information Security Management System based on the identification and assessment of the associated risks, promoting the protection of its confidentiality, integrity, availability, privacy, continuity, authenticity and non-repudiation.
2. SCOPE
The guidelines contained in this manual are applicable to all administrative and control aspects that must be complied with by employees, contractors, visitors and third parties who provide their services to or have any type of relationship with the company MULTISERVICIOS REYKÚT SAS, through the collection, processing, storage, retrieval, exchange and consultation of information, with internal or external personnel, in the development of the institutional mission and the fulfillment of its strategic objectives.
3. DEFINITIONS
Asset: Any information or element related to its processing (systems, media, buildings, people) that has value for the entity.
Critical asset: Facilities, systems and equipment which, if destroyed, degraded in operation or otherwise unavailable, will affect the achievement of the company's strategic objectives.
Risk Management : Risk management is understood as the process of identifying, controlling, minimizing, or eliminating, at an acceptable cost, security risks that could affect information or significantly impact operations. This process is cyclical and must be carried out periodically.
Threat: A potential cause of an unwanted incident that may cause damage to a system or entity.
Business Impact Analysis (BIA): This methodology allows the identification of critical processes that support key products and services, interdependencies between processes, the resources required to operate at a minimum acceptable level, and the effect that a business interruption could have on them.
Authenticity: This aims to ensure the validity of information in terms of time, format, and distribution. It also guarantees the origin of the information by validating the sender to prevent identity theft.
Senior Management: Person or group of people who direct and control an entity at the highest level (minister, deputy ministers, general secretary and directorates).
Wiring center: The place where information technology communication resources are located, such as switches, patch panels, UPS units, routers, and voice and data cabling.
Encryption: A method that increases the security of a message or file by encoding its content, so that only a person holding the corresponding key can decrypt and read it.
Control: These are all the policies, procedures, practices, and organizational structures designed to keep information security risks below the assumed risk level.
Information reliability: The information generated is adequate to support decision-making and the execution of missions and functions.
Confidentiality: It is guaranteed that the information is accessible only to those persons authorized to have access to it.
Malicious code: Software or code designed to damage a computer system, exploit its vulnerabilities, or gain unauthorized access to it or to its information (for example, viruses, worms, trojans and ransomware).
Custodian: This is a designated part of the entity, a position or working group responsible for managing and enforcing the security controls that the information owner has defined, such as backups, assignment of access privileges, modification and deletion.
Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons. Therefore, “personal data” should be understood as information related to a natural person (an individual).
Public personal data: All personal information that is freely and openly known to the general public.
Private personal data: All personal information that is restricted to the public and, in principle, private.
Semi-private data: Semi-private data is data that is neither intimate, reserved, nor public in nature and whose knowledge or disclosure may be of interest not only to its owner but to a certain sector or group of people or to society in general.
Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse may generate discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.
Data Center: Also known as a Data Processing Center (DPC), this is the location or space where the necessary IT resources for processing an organization's information are concentrated.
Availability: It is guaranteed that authorized users have access to information and related resources whenever they need them.
Mobile devices: Smartphones, laptops, tablets, or any device whose main concept is mobility, which allows limited storage, internet access, and has processing capacity.
Event: An identified occurrence in the state of a system, service or network that indicates a possible breach of the information security policy, a failure of safeguards, or a previously unknown situation that could be relevant to security.
Information security event: An identified presence of a condition in a system, service, or network that indicates a possible violation of information security policy or failure of safeguards, or a previously unknown situation that may be relevant to security.
Home Office: Working remotely from the employee's or contractor's home (see 6.1.2 Teleworking).
Security Incident: An unwanted or unexpected information security event or series of events that have a significant probability of compromising business operations and threatening information security.
Information: This refers to any communication or representation of knowledge as data, in any form, including textual, numerical, graphic, cartographic, narrative or audiovisual forms, and in any medium, whether magnetic, on paper, on computer screens, audiovisual or other.
Integrity: The accuracy and completeness of information and processing methods are safeguarded.
Impact: Result of an information security incident.
Legality: Referring to compliance with the laws, rules, regulations or provisions to which the entity is subject
Service Desk: This is the single point of contact for end users to register, communicate, handle, and analyze all calls, reported incidents, service requests, and information requests. It is through the proactive management of the Service Desk that the Information Technology and Systems Office gathers the technological resource needs of its various departments.
Non-repudiation: The sender cannot deny having sent an item, because the recipient holds irrefutable proof of its origin; likewise, the recipient cannot deny having received it, because the sender holds proof of delivery.
Interested parties: Person or organization that can affect or be affected or perceive itself as affected by a decision or activity.
Business Continuity Plan: Documented activities that guide the Entity in responding to, recovering from, resuming, and restoring operations to predefined levels after an incident that affects the continuity of operations.
Information privacy: The right of all data subjects over the personal data and classified information they have provided, or that is held by the entity within the framework of the functions it carries out. This right generates for the entity (as for the entities subject to the Digital Government Manual) the corresponding obligation to protect said information in compliance with the current legal framework.
Information owner (holder): This is the organizational unit or process where information assets are created.
Risk: The possibility that a specific threat may exploit a vulnerability to cause loss or damage to an information asset.
Information System: This refers to an independent set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information according to specific procedures, both automated and manual. It is a set of applications that interact with each other to support a specific area or process within a company.
Third parties: Natural or legal persons who have an outsourced contract and provide a service to the entity and make use of the information and technological means provided by the entity.
Penetration testing: It is a targeted and controlled attack on technological infrastructure components to reveal misconfigurations and exploitable vulnerabilities.
VIP: Very important person.
VPN: Virtual Private Network.
Vulnerability: A weakness in an asset or control that can be exploited by one or more threats.
4. LEGAL FRAMEWORK
Political Constitution of Colombia. Article 15.
Law 527 of 1999. By which the access and use of data messages, electronic commerce and digital signatures are defined and regulated and the certification entities are established and other provisions are issued.
Law 594 of 2000. By means of which the General Archives Law is issued.
Law 1266 of 2008. By which the general provisions of Habeas data are dictated and the handling of information contained in personal databases is regulated, especially financial, credit, commercial, services and that coming from third countries and other provisions are dictated.
Law 1273 of 2009. By means of which the Penal Code is modified, a new protected legal good is created - called "the protection of information and data" - and the systems that use information and communication technologies are preserved in a comprehensive manner, among other provisions.
Law 1581 of 2012. By which general provisions are issued for the protection of personal data.
Decree 886 of 2014. By which the National Database Registry is regulated.
5. GENERAL POLICY ON INFORMATION SECURITY AND PRIVACY AND DIGITAL SECURITY
MULTISERVICIOS REYKÚT SAS, in compliance with its functions and understanding the importance of proper information management, is committed to protecting, preserving and managing the confidentiality, integrity, availability and non-repudiation of the Entity's information, through comprehensive risk management, the implementation of physical and digital controls, the prevention of incidents and compliance with legal and regulatory requirements, aimed at continuous improvement.
To ensure strategic direction, the compatibility of the information security policy and information security objectives is established as follows:
- Implement, operate and continuously improve the Information Security Management System, supported by clear guidelines aligned with business needs and regulatory requirements.
- Minimize information security risk during the execution of the entity's mission processes.
- Comply with the principles of information security (availability, integrity and confidentiality).
- Maintain the trust of employees, collaborators, and third parties.
- Protect information assets.
- Establish policies, procedures, and instructions regarding information security.
- Periodically verify compliance with information security policies.
- Ensure that all employees, contractors, and third parties comply with the information security policies, guidelines, and best practices established in this Information Security Policy Manual.
6. SPECIFIC POLICIES FOR INFORMATION SECURITY AND PRIVACY
6.1 INFORMATION SECURITY ORGANIZATION POLICY
6.1.1 INTERNAL ORGANIZATION
Guidelines:
1. Information assets must be under the responsibility of the asset owner to avoid conflict and reduce opportunities for unauthorized modification (intentional or not) or misuse of the company's information assets.
2. The Information Technology and Systems area must maintain and document contacts with authorities (police, firefighters, etc.) or other specialists, in order to contact them in case of an information security incident and require external advice.
3. The company, through its Information Technology and Systems department and other designated personnel, must maintain contact with stakeholder groups specializing in information security and privacy, in order to share and exchange knowledge, enabling the continuous improvement of the Information Security Management System.
6.1.2 Teleworking – Working from Home
Guidelines:
1. The Information Technology and Systems area must establish the requirements to authorize remote connections to the technological infrastructure necessary for the execution of the functions of the company's employees and contractors, guaranteeing the tools and controls to protect the confidentiality, integrity and availability of the remote connections.
2. All information managed by MULTISERVICIOS REYKÚT SAS , and accessed remotely, must be used only for the fulfillment of job functions or contractual obligations.
6.2 HUMAN RESOURCES SECURITY POLICY
6.2.1 BEFORE STARTING THE JOB:
Guidelines:
1. The Human Talent Management Department must have procedures for hiring personnel, in accordance with the regulations established for this purpose.
2. Contract Management must define a checklist that contains the necessary aspects for reviewing the background of personnel to be hired for the provision of services in accordance with current regulations.
3. The Human Talent and Contract Management Department must establish the necessary mechanisms or controls to protect the confidentiality and privacy of the information contained in employment histories and contract files.
4. Every employee and contractor must sign a document or clauses establishing a confidentiality agreement and non-disclosure of the company's confidential information; these must be kept in the employment history or contractual file as the case may be.
6.2.2 DURING THE EXECUTION OF EMPLOYMENT:
Guidelines:
1. Employees and contractors must sign the authorization for the processing of personal data in accordance with the company's Personal Data Processing Policy and in accordance with the provisions of Law 1581 of 2012 and its regulatory decrees.
2. Once the hiring or contracting process is formalized, the immediate supervisor or the area delegate for this purpose must request, through the service desk, the creation of the user accounts, the assignment of inventory, and the other services required by the employee, contractor or third party for the execution of their functions or contractual obligations.
3. The Information Technology and Systems area and the required support staff must design and implement, on an ongoing basis, an information security awareness program in order to support the proper protection of information.
4. The Information Technology and Systems department must design and implement a plan for the use and appropriation of communications within the framework of the Information Security Management System (ISMS).
5. It is the responsibility of employees, contractors, or personnel provided by third parties to report information security incidents through the means provided by the information technology and systems area.
6. Regarding non-compliance with information security policies, the procedures established for this purpose, framed within current regulations, will be applied.
6.2.3 TERMINATION AND CHANGE OF EMPLOYMENT
Guidelines:
1. It is the employee's responsibility to hand over the company information under their management upon retirement, investigation, disqualification, or change of duties.
2. The contract supervisor or whoever he/she delegates for this activity must collect and safeguard the company's information under the responsibility of the contractor in case of early, definitive, temporary termination or assignment of the contract.
3. The Information Technology and Systems area must configure Active Directory to automatically deactivate contractor accounts on the contract termination date; users of information systems that do not authenticate against Active Directory must be deactivated manually.
4. The head of human resources, or their designee, must inform the Information Technology and Systems area, through the channels established for this purpose, of any administrative, employment, or contractual termination of employees, contractors, or third parties. Once the information has been reported, the Information Technology and Systems area must proceed to deactivate the network access and services of the employees, contractors, or third parties.
5. A backup copy of the email mailbox will be created once the relationship with the company is terminated.
6. Under no circumstances will access to a terminated user's email account be restored; the mailbox may only be restored for consultation purposes, and no emails or notifications may be sent from it.
7. All access to information systems must be deactivated.
8. The return of the ID card, proximity card or any other authentication badge that identifies the person as an employee, contractor or third party of the company must be requested.
9. The immediate supervisor is obligated to inform the Information Systems area of the employee's departure or the termination of the contract within no more than fifteen (15) calendar days; after this period the services are automatically deactivated.
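The following script is an added example, not part of this manual, of how guidelines 3 and 4 above can be enforced with the ActiveDirectory PowerShell module. It assumes (hypothetically) a domain named reykut.local, contractor accounts kept under an OU named Contractors, and a CSV file exported by Contract Management with the columns SamAccountName and ContractEnd; none of these names come from the manual.

```powershell
# Added example (not part of the REYKÚT manual): automatic deactivation of
# contractor accounts from the contract termination date (6.2.3, items 3 and 4).
# Assumptions (hypothetical): domain reykut.local, contractors under
# OU=Contractors, and a CSV with columns SamAccountName,ContractEnd (yyyy-MM-dd).
Import-Module ActiveDirectory

$ContractorOU = "OU=Contractors,DC=reykut,DC=local"   # assumed location

# Item 3: set accountExpires from the contract end date. After this timestamp the
# domain controllers reject new logons for the account without any manual step.
function Set-ContractorExpiry {
    param([Parameter(Mandatory)][string]$CsvPath)
    Import-Csv -Path $CsvPath | ForEach-Object {
        $end = [datetime]::ParseExact($_.ContractEnd, 'yyyy-MM-dd', $null)
        # Expire at the end of the last contract day, not at 00:00 of that day.
        $expiry = $end.AddDays(1).AddSeconds(-1)
        Set-ADAccountExpiration -Identity $_.SamAccountName -DateTime $expiry
        Write-Host "$($_.SamAccountName) expires $expiry"
    }
}

# Control: an enabled contractor account with no expiry date is a gap in the
# automatic deactivation and must be reported to Contract Management.
function Get-ContractorsWithoutExpiry {
    Get-ADUser -SearchBase $ContractorOU -Filter * -Properties AccountExpirationDate |
        Where-Object { $_.Enabled -and -not $_.AccountExpirationDate }
}

# Item 4: expiry only blocks NEW logons; open sessions, cached credentials and
# Kerberos tickets survive until they time out. For accounts already past their
# expiry, also disable the account and reset the password so nothing can be renewed.
function Disable-ExpiredContractors {
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $ContractorOU |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Disable-ADAccount -Identity $_.SamAccountName
            $random = [guid]::NewGuid().ToString()
            $newPwd = ConvertTo-SecureString $random -AsPlainText -Force
            Set-ADAccountPassword -Identity $_.SamAccountName -Reset -NewPassword $newPwd
            Write-Host "Disabled expired account $($_.SamAccountName)"
        }
}

# Typical use: run Set-ContractorExpiry when Contract Management publishes the
# export, and schedule Disable-ExpiredContractors and Get-ContractorsWithoutExpiry
# as a daily task whose output is reviewed by the Information Technology area.
# Set-ContractorExpiry -CsvPath 'C:\Contracts\contract-end-dates.csv'
# Disable-ExpiredContractors
# Get-ContractorsWithoutExpiry | Select-Object SamAccountName, Enabled
```

Accounts on systems that do not authenticate against Active Directory (guideline 3) are not covered by this script and still require the manual deactivation the manual describes; the daily report from Get-ContractorsWithoutExpiry is the check that every contractor account actually carries an expiry date.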
6.3 ASSET MANAGEMENT POLICY
6.3.1 RESPONSIBILITY FOR ASSETS
Guidelines:
1. All processes must have an inventory of their information assets and this must be evidenced through the instruments provided.
2. All information assets held in inventory must have an owner.
3. The Information Technology and Systems area must establish an appropriate configuration for technological resources in order to preserve the confidentiality, integrity, and availability of information.
4. Employees, contractors, or third parties must not install or use unauthorized or unlicensed software on company assets.
5. Employees, contractors, or third parties must hand over the assets under their responsibility in accordance with the Asset Handover form and the personnel offboarding documents.
6.3.2 CLASSIFICATION OF INFORMATION
Guidelines
1. MULTISERVICIOS REYKÚT SAS defines the most appropriate levels for classifying its information, according to its sensitivity.
2. The head of Human Resources must design guidelines for the management of files in accordance with the regulations.
3. The Document Retention Schedules (DRS, "TRD" in Spanish) must indicate the classification of the series, subseries and documents contained therein.
4. Employees, contractors, or third parties must apply the information classification, the DRS, the information asset inventory, and the guidelines for file management.
6.3.3 MEDIA MANAGEMENT
Guidelines:
1. The use of removable storage media (USB drives, portable hard drives, memory cards, CDs, cell phones, etc.) is restricted. Removable media are not authorized as a data backup option.
2. Their use will be authorized only for employees and contractors whose functions or activities so require; the authorization must be requested by the immediate supervisor or contract supervisor, stating the justification.
3. All removable media must be scanned with the security solutions provided by the Information Technology and Systems area each time they are connected to a company computer.
4. It is the responsibility of each employee, contractor, or third party to take measures to protect the information contained on removable media, to prevent unauthorized physical and logical access, damage, loss of information, or misplacement thereof.
5. The use of removable media containing confidential or classified information is prohibited.
6. The Information Technology and Systems area must provide users with methods for encrypting information, as well as manage the software or tool used for this purpose.
7. The Human Talent Management Department, in conjunction with the Technology and Information Systems area, must create or update, if necessary, the procedure or document that establishes the final disposal of waste electrical and electronic equipment (WEEE).
8. The Information Technology and Systems area must generate and apply guidelines for the secure disposal of devices that store information of the entity, whether they are decommissioned or assigned to a new user.
9. The Information Technology and Systems area must authorize the use of peripherals or external storage media, according to the needs required for the fulfillment of the functions and the job profile of the employees or Contractors.
10. Employees, contractors, or personnel provided by third parties must comply with the conditions of use of peripherals and storage media established by the Information Technology and Systems area.
11. At the end of the employment or contractual relationship, the employee or contractor must define the final disposition of the removable media in which the institutional information was managed.
12. Secure erasure tools and other relevant security mechanisms must be used on company-owned media that are reused or decommissioned, in order to ensure that the information contained on these media cannot be recovered.
13. When transferring a storage medium, the content record of the media, the protection applied, as well as the transfer times to those responsible during transport and receipt, must be taken into account.
14. The transport for the storage media must have the appropriate conditions to safeguard the integrity, confidentiality and availability of the company's information.
6.4 ACCESS CONTROL POLICY
6.4.1 ENTITY REQUIREMENTS FOR ACCESS CONTROL
Guidelines:
1. The Information Technology and Systems area must issue to users the credentials for access to the network services and information systems they have been authorized to use, according to their profile and role, and must ensure that the initially assigned password is changed by the user. Access credentials are for personal use and are non-transferable.
2. Remote connection to the local area network must be established through a VPN connection, which must be approved, registered and monitored by the Information Technology and Systems area.
3. The Information Technology and Systems area must ensure that the Entity's wireless networks have authentication methods that prevent unauthorized access.
4. The Office of Information Technology and Systems must change the wireless network password at least three (3) times a year.
6.4.2 USER ACCESS MANAGEMENT
Guidelines:
1. The Information Technology and Systems area must define a procedure that includes the creation, updating, activation and deactivation of user accounts.
2. The email username must be the same as the network username, with single sign-on (the same username and password for both services).
3. The Information Technology and Systems area will only grant users access requested and authorized by the immediate supervisor, contract supervisor, or a higher-ranking manager.
4. The username and password assigned for access to the various technological services are personal and non-transferable. Any activity performed using the username and password will be the responsibility of the employee or contractor to whom it was assigned.
5. Once the management of services provided by third parties for the Entity has been completed, the contract supervisor must ensure that access is closed at the end of the process or contract.
6.4.3 EQUIPMENT
Guidelines
1. The Information Technology and Systems area will ensure that computer equipment, scanners, and printers are located and protected in areas to reduce the risk against environmental threats and unauthorized access.
2. The Information Technology and Systems area must ensure that portable computer equipment is protected by mechanisms that prevent its loss.
3. The Technology and Information Systems area must define support and maintenance mechanisms for computer equipment, servers and active network equipment and must keep records of these.
4. When a piece of equipment or removable media is reassigned or removed from service, the Information Technology and Systems area must ensure the elimination of all information through secure erasure mechanisms, taking into account that a backup copy of this information must be made prior to this activity.
5. Employees, contractors, or third parties assigned company-owned laptops must secure them with a security cable. The key or combination code of the lock must be returned upon termination of their relationship with the company.
6. It is the responsibility of the users to register the entry or exit of portable equipment, whether it belongs to them or to the entity.
7. Employees, contractors, or third parties must lock the computer screen under their responsibility when they are absent from their workstation to prevent unauthorized third parties from accessing the information stored on the computer equipment.
8. Employees, contractors, or third parties who print classified documents (Classified – Restricted) must remove them from the printer immediately and should not be left unattended on the desk.
9. Printed documents with a classification (Classified – Restricted) should not be reused; these must be destroyed and should not be treated as recyclable paper.
6.4.4 PROTECTION AGAINST MALICIOUS CODE
Guidelines
1. The Information Technology and Systems department must define and document controls for the detection, prevention, and recovery from malicious code. Furthermore, it will provide mechanisms to foster a security culture among employees, contractors, and third parties regarding malware attacks.
2. The Information Technology and Systems area must have tools such as antivirus, antimalware, antispam and antispyware that reduce the risk of malicious software infection.
3. The Information Technology and Systems area must ensure that the antivirus, antimalware, antispyware and antispam software has the required usage licenses, certifying its authenticity and the possibility of periodic updates of the latest signature databases of the service provider.
4. The Information Technology and Systems area must ensure that the information stored on the technological platform is scanned by antivirus software, including the information contained and transmitted by the email service.
5. The Information Technology and Systems area must ensure that end users cannot modify or disable the configuration of the antivirus, antispyware, antispam and antimalware software.
6. The Information Technology and Systems area must ensure that antivirus, antispyware, antispam and antimalware software has the latest updates and security patches, in order to mitigate vulnerabilities in the technological platform.
7. Employees, contractors, or third parties should refrain from opening or running files and/or documents from unknown sources, especially those found on external storage media or originating from unknown emails.
8. Employees, contractors, or third parties should not download files from unknown sources on the internet; if necessary, they must submit a request to the Information Technology and Systems area.
9. Employees, contractors, or third parties who suspect or detect any malware infection should immediately notify the Information Technology and Systems area in order to implement the appropriate controls.
6.4.5 BACKUP COPIES
Guidelines
1. The Information Technology and Systems area must define and document a plan or procedure for backup and restoration of information, establishing the scheme, what, how, who, with what frequency, type of backup and level of criticality.
2. The Information Technology and Systems department will ensure that the backup media are stored in a location separate from the facilities where the primary data resides. The external site where the backup copies are kept must have appropriate physical and environmental security measures in place.
3. Employees, contractors, and third parties are responsible for making good use of the company's technological services and may not at any time use them for personal gain or to carry out illicit or malicious practices that harm other colleagues, contractors, and third parties.
4. Under no circumstances is it permitted to host information categorized as personal, music, videos, etc. on servers.
5. The Information Technology and Systems area will guarantee the backup of files with the following extensions: .pdf, .doc, .docm, .docx, .dot, .dotm, .xls, .xlsm, .xlsx, .xlt, .xltm, .xltx, .bmp, .gif, .jpg, .jpeg, .odp, .png, .pot, .potm, .potx, .pps, .ppt, .pptm.
6. In the case of multimedia files containing institutional content, the information backup must be done through Google Drive.
6.5 OPERATIONAL SOFTWARE CONTROL
Guidelines
1. The Information Technology and Systems area will designate responsible parties and establish instructions and guides to control the installation of operating software, ensure that it has the support of the suppliers of said software and ensure the functionality of the information systems that operate on the technological platform when the operating software is updated.
2. The Information Technology and Systems area must manage a configuration control system to maintain control of all implemented software, as well as maintain system documentation.
6.6 INFORMATION TRANSFER
Guidelines
1. The Information Technology and Systems area of MULTISERVICIOS REYKÚT SAS must establish the procedure for exchanging information with the different third parties that are part of the company's operation, where the receipt or sending of information is contemplated, use of reliable transmission means and the adoption of controls, in order to protect the confidentiality and integrity of this.
2. The Information Technology and Systems area must offer secure information exchange services or tools that allow compliance with the procedure for information exchange (on digital or magnetic media).
3. Controls such as information encryption must be adopted to protect exchanged information against unauthorized disclosure or modification.
4. The Information Technology and Systems area must establish controls to protect information transmitted as email attachments.
5. The messages and information contained in the mailboxes are the property of the company and each responsible party, who must only keep the messages related to the development of their activities.
6. The company's email service is assigned directly by the Information Technology and Systems area and is configured with the technical and security controls required to reduce the risk of cyberattacks, viruses, spyware and other types of malicious software or code.
7. All messages sent must respect the format and corporate image standard defined by the company and must always retain the corporate legal message of confidentiality.
8. Email users are prohibited from sending chain messages of any kind, whether commercial, political, religious, audiovisual material, discriminatory content, pornography, or anything else that degrades the human condition.
9. Sending or exchanging messages with content that threatens the integrity of people or institutions is prohibited, including offensive, obscene, pornographic, racist or terrorist content, jokes, and chain letters of any kind.
10. It is the user's responsibility to report any email they believe to be of dubious origin to the Information Technology and Systems area, so that the administrator can take the necessary measures to prevent its spread within the entity.
11. It is the responsibility of each user to ensure the recipients to whom a communication is directed; if these are distribution lists, they must also review them in order to avoid sharing information with unauthorized persons.
12. The email service must be used ethically, reasonably, efficiently, responsibly, non-abusively and without generating risks to the operation of equipment, information systems and the image of the Entity.
13. Sending or receiving files with executable extensions (for example .exe, .bat, .cmd, .scr, .vbs, .js) as attachments is not permitted under any circumstances.
7. VALIDITY
This information security manual and procedures for the processing of personal data of MULTISERVICIOS REYKÚT SAS will come into effect upon its approval by the company and will remain in effect indefinitely until it is modified or updated in its entirety, which will be done as necessary to ensure compliance with applicable laws and regulations regarding the protection of personal data.
Prepared by: Daniel Reyes Maldonado, Administrator
Reviewed by: Carmen Elisa Maldonado Porras, Administrative Assistant
Approved by: Daniel Reyes Maldonado, Legal Representative
This manual is effective from the fifteenth (15th) of the month of January of the year 2024