INFORMATION SECURITY AND CYBERSECURITY POLICY
SCOPE
This policy applies to the entire Organization, its employees, contractors and third parties of AS-NET.
DEFINITIONS
- Information asset. Anything that has value to the organization, including any information, or any system involved in processing that information, that has value for the organization. It is any asset that stores, processes or transmits information, which has a value and is necessary to carry out AS-NET's mission and operational processes.
- Cybersecurity. AS-NET capabilities to defend against and anticipate cyber threats in order to protect and secure data, systems and applications in cyberspace that are essential to the entity’s operation.
- Cyberspace. Complex environment resulting from the interaction of people, software and services on the Internet through technological devices connected to this network, which does not exist in any physical form.
- Cyberattack. Organized or premeditated criminal action by one or more agents using or targeting cyberspace services or applications or where cyberspace is a source or tool for the commission of a crime.
- Confidentiality. Property that information is not made available or disclosed to unauthorized individuals, entities or processes.
- Availability: Property of being accessible and usable on demand by an authorized entity.
- Integrity. Property of accuracy and completeness.
- Social Engineering. Social engineering involves manipulation to obtain sensitive information, such as personal or financial data. Therefore, social engineering can also be defined as a type of cybercrime.
- Critical Information. Critical information is information that is indispensable for the proper functioning of the organization and its operations. Critical information is the information that establishes the organization's medium and long term benefits, as it will facilitate sales and service to the customer.
- Valuable Information. It is the information the organization needs to move forward. It has a highly subjective component and what is valuable information for one organization may not be so for another, as it depends on the activity and the sector.
- Sensitive Information. Sensitive information in the sense that it is private information of the organization’s customers and, therefore, should only be accessible to the same authorized persons. Information security systems must ensure the protection of customer data.
- Risk. Effect of uncertainty on objectives.
- ISMS. Information Security Management System.
- SIEM. Information system that provides real-time analysis of security alerts generated by applications, security devices and network elements. They are usually log centralization systems.
POLICIES
The management of AMERICAN SMART SYSTEMS & NETWORKS (hereinafter referred to as AS-NET), understanding the importance of proper information management, is committed to the implementation of an Information Security Management System (ISMS) based on NTC-ISO-IEC 27001:2013 and the PCI DSS standard, seeking to establish a framework of trust in the exercise of its duties with stakeholders, all framed in strict compliance with the laws and regulations, in accordance with the mission and vision of the Organization.
The management of AS-NET also considers crucial the implementation of procedures for the protection of the interconnected devices that process digital information stored in cyberspace, so that cybersecurity helps AS-NET's human and technical resources to mitigate cyber attacks that may alter the organization's mission and vision.
For AS-NET, the protection of information and of the devices that contain it aims to reduce the impact on its information assets of systematically identified risks, in order to maintain the integrity, confidentiality and availability of those assets in accordance with the needs of the different stakeholders identified. Accordingly, this policy applies to the entire organization, including its employees, third parties, trainees, interns, suppliers and interested parties in general, and the principles on which actions and decision making around the ISMS are based will be determined by the following premises:
- Minimize risk in the Organization’s mission processes.
- Comply with the principles of information security and cybersecurity.
- Maintain the trust of its customers, partners and collaborators.
- Support technological innovation.
- Protect information assets.
- Establish information security and cybersecurity policies, procedures, configuration standards and instructions.
- Strengthen the information security culture among AS-NET's employees, third parties, trainees, interns and customers.
- Ensure business continuity in the event of incidents.
- Maintain an updated inventory of information assets, including the programs managed by the company.
- Classify the different threats in the environment according to the technological platforms managed in AS-NET.
AS-NET has decided to define, implement, operate and continuously improve an Information Security Management System, supported by clear guidelines aligned to business needs and regulatory requirements.
The following are 12 security principles that support AS-NET's ISMS:
- The responsibilities regarding information security shall be known, understood, accepted and fulfilled by each of the collaborators, suppliers, strategic allies or third parties.
- AS-NET shall protect the information generated, processed or safeguarded by the business processes, its technological infrastructure and information assets from the risk generated by access granted to third parties (e.g., suppliers or customers), or as a result of an internal outsourcing service.
- AS-NET shall protect the information created, processed, transmitted or safeguarded by its business processes, in order to minimize financial, operational or legal impacts due to its incorrect use. To this end, it is essential to apply controls according to the classification of the information owned or in custody.
- AS-NET will protect its information from threats originating from personnel.
- AS-NET will control the operation of its business processes, guaranteeing the security of its information assets.
- AS-NET will implement access controls to information assets.
- AS-NET will strive to make security an integral part of the information systems life cycle.
- AS-NET will ensure an effective improvement of the ISMS through proper management of security events and weaknesses associated with information systems.
- AS-NET will ensure the availability of its business processes and the continuity of its operation based on the impact that incidents can generate.
- AS-NET will comply with its legal, regulatory and contractual obligations.
3.1 INFORMATION SECURITY AND CYBERSECURITY OBJECTIVES
- Ensure compliance with the requirements that make up the information security management system.
- Maintain the integrity and preserve the confidentiality of the information, ensuring its accuracy and completeness and avoiding its deterioration.
- Ensure the availability of information on all storage media and backup media for when it is required.
- Identify risks and establish controls, limiting and preventing the consequences of different incidents, to ensure the immediate recovery of operations and minimize damage to the organization.
- Continuously train and raise awareness among personnel on information security issues.
- To guarantee the protection and security of the information provided to us by our clients for the development of projects.
- Manage information security incidents, using the guidelines established by AS-NET.
- Ensure business continuity, minimizing possible impacts to the services provided.
- Protect information assets and manage vulnerabilities.
- Continuously improve the ISMS, reviewing its performance and effectiveness.
- Implement a monitoring system (SIEM) to obtain timely alerts in case of cyber-attacks.
3.2 LEVEL OF COMPLIANCE
All employees, suppliers, strategic allies and third parties must comply with the policies described in this document and in all manuals, procedures and other documents that make up the ISMS.
Failure to comply with this policy will result in the corresponding sanctions, in accordance with the provisions of document P-Disciplinary Procedure_GHP-04, the internal work regulations or Colombian labor legislation in force.
3.3 POLICY REVIEW
This policy is available to interested parties on the AS-NET company intranet and on the web page. It will be updated at least once a year, when significant changes occur in the internal or external context of AS-NET, or upon the occurrence of information security incidents that merit updating.
4. REFERENCE DOCUMENTS
Procedure:
- P-Disciplinary Proceedings_GHP-04
Standards:
- PCI DSS 3.2.1 Data Security Standard. Requirements and security assessment procedures.
- ISO-IEC 27000:2014 Information Security Management Systems – Vocabulary
- NTC-ISO-IEC 27001:2013 Information Technology. Security Techniques. Information Security Management Systems. Requirements
- GTC-ISO-IEC 27002:2015. Information Technology. Security Techniques, Code of Practice for Information Security Controls.
- ISO/IEC 27032:2012: Information technology – Security techniques – Guidelines for cybersecurity.
- External Circular 007 of 2018. Financial Superintendency of Colombia. Imparts instructions related to the minimum requirements for cybersecurity risk management.