INFORMATION SECURITY AND CYBERSECURITY POLICY

OBJECTIVE

To establish the general security and cybersecurity policies to protect the information managed by AS·NET, ensuring that regardless of its origin or use, the necessary controls are applied to guarantee its integrity, confidentiality and availability in all the organization’s information systems.

SCOPE

This policy applies to the entire organization, including the employees, contractors and third parties of AS·NET.

DEFINITIONS

• Information asset: Anything that has value to the organization, including any information, or any system involved in its processing, that the organization depends on. In practice, it is any asset that stores, processes or transmits information, has value and is necessary to carry out AS·NET‘s mission and operational processes.

• Cybersecurity: AS·NET‘s capability to anticipate and defend against cyber threats in order to protect the data, systems and applications in cyberspace that are essential to the entity’s operation.

• Cyberspace: The complex environment resulting from the interaction of people, software and services on the Internet through devices connected to that network; it has no single physical form.

• Cyberattack: An organized or premeditated criminal action by one or more agents that uses or targets cyberspace services or applications, or in which cyberspace is the source or tool for committing a crime.

• Confidentiality: Property of the information that makes it unavailable or undisclosed to unauthorized individuals, entities or processes.

• Availability: Property of being accessible and usable on demand by an authorized entity.

• Integrity: Property of accuracy and completeness.

• Social engineering: The manipulation of people into disclosing sensitive information, such as personal or financial data, or into performing actions that compromise security. Because it is used to obtain information or access illegitimately, social engineering is also treated as a form of cybercrime.

• Critical Information: Information that is indispensable for the proper functioning of the organization and its operations. It is also the information on which the organization’s medium- and long-term results depend, since it supports sales and customer service.

• Valuable Information: Information that enables the organization to move forward. It has a strong subjective component: what is valuable information for one organization may not be for another, since it depends on the activity and the sector.

• Sensitive Information: Information that is private to the organization’s clients and, therefore, must be accessible only to authorized persons. Information security controls must ensure the protection of customer data.

• Risk: Effect of uncertainty on objectives.

• ISMS: Information Security Management System

• SIEM: Security Information and Event Management. An information system that provides real-time analysis of security alerts generated by applications, security devices and network elements; it is typically built on centralized collection and correlation of logs.

POLICIES

The management of AMERICAN SMART SYSTEMS & NETWORKS (hereinafter AS·NET), understanding the importance of proper information management, is committed to the implementation of an Information Security Management System (ISMS) based on NTC-ISO-IEC 27001:2022 and the PCI DSS standard, seeking to establish a framework of trust with stakeholders in the exercise of its duties, all in strict compliance with applicable laws and regulations and in accordance with the mission and vision of the Organization.

AS·NET‘s management also considers it crucial to implement procedures for protecting the interconnected devices that process digital information in cyberspace, so that cybersecurity helps AS·NET‘s human and technical resources to mitigate cyber attacks that could disrupt the mission and vision of the organization.

For AS·NET, the protection of information and of the devices that contain it aims to reduce the impact that systematically identified risks can have on its information assets, in order to maintain their integrity, confidentiality and availability in accordance with the needs of the identified stakeholders. Accordingly, this policy applies to the entire organization, including its employees, third parties, trainees, interns, suppliers and stakeholders in general. The principles that guide actions and decision making around the ISMS are determined by the following premises:

• Minimize risk in the Organization’s mission processes.

• Comply with the principles of information security and cybersecurity.

• Maintain the trust of its customers, partners and collaborators.

• Support technological innovation.

• Protect information assets.

• Establish information security and cybersecurity policies, procedures, configuration standards and instructions.

• Strengthen the information security culture among AS·NET‘s employees, third parties, trainees, interns and customers.

• Ensure business continuity in the event of incidents.

• Maintain an updated inventory of information assets, including the programs managed by the company.

• Classify the different threats in the environment according to the technological platforms managed in AS·NET.

AS·NET has decided to define, implement, operate and continuously improve an Information Security Management System, supported by clear guidelines aligned to business needs and regulatory requirements.

The following 10 security principles support AS·NET‘s ISMS:

• The responsibilities regarding information security shall be known, understood, accepted and fulfilled by each of the collaborators, suppliers, strategic allies or third parties.

• AS·NET shall protect the information generated, processed or safeguarded by its business processes, its technological infrastructure and its information assets from the risk created by access granted to third parties (e.g., suppliers or customers) or as a result of an outsourced service.

• AS·NET shall protect the information created, processed, transmitted or safeguarded by its business processes, in order to minimize the financial, operational or legal impacts of its incorrect use. For this purpose, it is essential to apply controls according to the classification of the information it owns or holds in custody.

• AS·NET shall protect its information from threats originating from personnel.

• AS·NET shall control the operation of its business processes, guaranteeing the security of its information assets.

• AS·NET shall implement access controls to information assets.

• AS·NET shall strive to make security an integral part of the information systems life cycle.

• AS·NET shall ensure, through proper management of security events and of weaknesses associated with information systems, the effective improvement of the ISMS.

• AS·NET shall ensure the availability of its business processes and the continuity of its operation based on the impact that incidents can generate.

• AS·NET shall comply with its legal, regulatory and contractual obligations.

INFORMATION SECURITY AND CYBERSECURITY OBJECTIVES

1. Ensure compliance with the requirements that make up the information security management system.

2. Maintain the integrity and preserve the confidentiality of the information, ensuring its accuracy and completeness and preventing its deterioration.

3. Ensure the availability of information on all storage media and backup media for when it is required.

4. Identify risks and establish controls that limit and prevent the consequences of incidents, so as to ensure the prompt recovery of operations and minimize damage to the organization.

5. Continuously train and raise awareness among personnel on information security issues.

6. Guarantee the protection and security of the information provided by our clients for the development of projects.

7. Manage information security incidents, using the guidelines established by AS·NET.

8. Ensure business continuity, minimizing possible impacts to the services provided.

9. Protect information assets and manage their vulnerabilities.

10. Continuously improve the ISMS, reviewing its performance and effectiveness.

11. Implement a monitoring system (SIEM) to track infrastructure events and alert in case of cyber-attacks.

LEVEL OF COMPLIANCE

All employees, suppliers, strategic allies and third parties must comply with the policies described in this document and in all manuals, procedures and other documents that make up the ISMS.
Failure to comply with this policy will result in the corresponding sanctions, in accordance with the provisions of the document P-Disciplinary Procedure AS/NET_GHP-04, the internal work regulations or the Colombian labor legislation in force.

POLICY REVIEW

This policy is available to interested parties on AS·NET‘s intranet and on the website, and shall be updated at least once a year, when significant changes occur in AS·NET‘s internal or external context, or in the event of information security incidents that warrant an update.

REFERENCE DOCUMENTS

Procedure
P-Disciplinary Procedures AS/NET_GHP-04

Standards
• PCI DSS 4.0: Data Security Standard. Security assessment requirements and procedures.
• ISO-IEC 27000:2017: Information technology. Security techniques. Information security management systems (ISMS). – Overview and vocabulary.
• NTC-ISO-IEC 27001:2022: Information security, cybersecurity and privacy protection. Information security management systems. – Requirements
• GTC-ISO-IEC 27002:2022: Information security, cybersecurity and privacy protection. – Information security controls
• GTC-ISO-IEC 27032:2020: Information technology – Security techniques – Guidelines for cybersecurity.
• External Circular 007 of 2018. Superintendence of Finance of Colombia. Imparts instructions related to the minimum requirements for cybersecurity risk management.
• External Circular 005 of 2019. Superintendence of Finance of Colombia. Rules regarding the use of cloud computing services.

CHANGE CONTROL

Date: 07/05/2025
Code: SIPO-08-V7
Version: 7

Changed item | Modification
Objective | The Objective is included: To establish the general security and cybersecurity policies to protect the information managed by AS·NET, ensuring that regardless of its origin or use, the necessary controls are applied to guarantee its integrity, confidentiality and availability in all the organization's information systems.
IS and Cybersecurity Objectives | Objective No. 11 is reworded: Implement a monitoring system (SIEM) to follow up on infrastructure events and alert in case of cyber-attacks.
Reference Docs. | The regulations were updated and External Circular 005 of 2019 was included. Document P-Disciplinary Procedure_GHP-01 is renamed to P-Disciplinary Procedure AS/NET_GHP-04.