Information security policy

Process: Information Security

Document approved by

  Revised Approved
Name    
Position Risks and Information Security Manager President & CEO
Date 31/03/2023 31/03/2023
 

Index

1. History of Versions 2. Introduction 3. Information Security Management System Objectives 4. System Scope 5. Information Security Management System Policy Statement 6. Information Security Management System Roles and Responsibilities 6.1. System Owner 6.2. Senior Management 6.3. Information Security Committee 6.4. Vice Presidents, Managers and Project or Area Leaders 6.5. Information Security Area 6.6. Human Talent Management 6.7. Infrastructure Area 6.8. Internal Audit 6.9. Collaborators 7. Information Security Policy Updates
Date Version Author Description
11/03/2021 09 Risk & Information Security Administrator
  • The scope of the Information Security Management System is updated
  • The section on handling exceptions is updated as they are now handled by flow2l
02/09/2021 10 Risk & Information Security Administrator
  • Work at home policy
  • Change Control Policy
  • Acceptable Use of Information Assets Policy
  • Log Management Policy
  • Associated regulations are added
30/03/2022 11 Risk & Information Security Administrator
  • The Strategic Policy becomes independent from Security Policies.
  • Security Policy is updated.
  • System objectives are updated.
  • Roles and Responsibilities are updated.
31/03/2023 12 Risk & Information Security Administrator
  • New corporate template updated.
  • The number of regulations is removed considering that it is moved to the F-LGL-04 Compliance Matrix
  • The Introduction is adjusted.
  • System objectives are updated.
  • System roles and responsibilities are updated and adjusted.

 

Information Security Policy of Sophos Solutions is the result of the commitment of the senior management to provide a guideline aimed at exercising a safe and adequate management to the company’s strategy on the Information Security Management System, which, through the establishment of mechanisms and strategies looks to protect the information assets of itself and its customers, ensuring the implementation of appropriate controls for the treatment of threats, risks and vulnerabilities that affect them, minimizing to a greater extent their materialization and impact.

 

It is important to mention that this Information Security Management System integrates with the management of Risk, Cybersecurity, Infrastructure and Business Continuity to comply with the regulatory frameworks established in Colombia and within the organization, in addition to the policies, procedures and controls established for this purpose.
  1. Promote awareness and training of the Information Security Management System through the different communication mechanisms to prevent the materialization of risks that may affect the confidentiality, integrity, and availability of the information of our customers, collaborators and company information in general.
  2. Manage potential or materialized information security events and incidents using different sources or control tools, mitigating, and controlling the likelihood of occurrence of risks that threaten the company’s information assets or the impact generated.
  3. Identify the threats and vulnerabilities to which the company is exposed through own and third-party analyzes to take actions to close the security breaches presented by the organization and that may jeopardize the confidentiality, integrity and availability of the information.
  4. Establish the mechanics of prevention of events or security incidents in projects of Customers by means of the established accompaniments and the plan of communications to Projects.

By implementing the ISO/IEC 27001:2013 standard, Sophos Solutions S.A.S. adopts, establishes, operates, verifies, and improves the Information Security System for Software Development Factory processes “including Project Planning and Management, Requirements identification, Analysis and Design, Construction, Testing, Implementation, Support and Consulting.”

 

Sophos Solutions S.A.S is a Colombian multinational, with offices in the city of Bogotá D.C. and Medellín, which provides consulting services, implementation of banking core, software factory for all types of organizations, especially companies in the financial and stock market sector.

The Sophos Solutions SAS company, understanding the importance of protecting the confidentiality, integrity and availability of information for each of the information assets and IT services it offers to the financial and stock market industry, as well as the Fintech industry as a digital innovation leader, has committed to Establish, Implement, Adopt, Operate and Improve the Information Security Management System as a cross-cutting tool to identify, analyze, contain and remedy the identified security risks in order to sustain the continuous improvement of the system, aligned to the regulatory and strategic requirements of the company.

 

Therefore, the Information Security Policy applies to internal stakeholders of Sophos Solutions S.A.S. in accordance with the scope determined for the Management System.

 

Other policies that result from the implementation of the ISMS and its continuous improvement process will be adopted and enforced by all identified stakeholders.

At Sophos Solutions, those responsible for the implementation, management, dissemination, training, and implementation of the activities related to the Information Security Management System – ISMS, will be the Senior Management, the Information Security Committee, the Information Security Area and some processes involved with the scope of the system. The roles and responsibilities will therefore be determined considering these responsibilities:

Risk & Information Security Manager is designated as the person responsible for the Information Security


Management System of the company, who will be responsible for:

 

  • Determine the scope of the ISMS.
  • Establish, implement, maintain, and continuously improve the ISMS.
  • Establish policies and guidelines that provide guidance and support for information security in accordance with business requirements, relevant laws, and standards.
  • Promote the implementation of the Security Policy within the Organization.
  • Continuously improve the suitability, adequacy, and effectiveness of the ISMS.
  • Evaluate and review the performance of the ISMS and the effectiveness of the ISMS.
  • Include business continuity in management systems of the organization.

 

It is also designated as Special Authority on the Information Security Management System, by the Chief Technology Innovation Officer – CTIO according to the information made on March 16, 2023, and socialized in the Information Security Committee on March 31, 2023:

  • Approve and establish security policies and guidelines related to Information Security and Cybersecurity, monitoring their effectiveness and relevance.
  • Manage and dispose of the budget assigned to the System in accordance with the annual planning approved by the CTIO.
  • Contract services or technology providers to ensure information security, which are not initially covered in the annual budget approved by the CTIO in exceptional cases, such as cyber-attacks or the materialization of threats that impact the company at the technological, reputational, or economic level.
  • Activate the Cybersecurity policy in exceptional cases, such as cyber-attacks or the materialization of threats that impact the company at the technological, reputational and / or economic level.
  • Authorize the contracting of human resources necessary to carry out functions within the system in case of absence of the CTIO provided that this recruitment is included within the budget of the area and meets the amounts approved by Human Management.
  • Directing and ordering activities to the Cybersecurity and Infrastructure team to provide treatment on the technological architecture or information systems of Sophos in case of a state of emergency in the event of a Cyberattack or security incident that seriously compromises the company’s information.
  • Revoke access permissions to information systems or technological resources at the corporate level on any collaborator that violates the guidelines, policies and directives issued by Sophos Solutions that seriously compromise the information of the company or its customers.
  • Stop and force unscheduled backups of the company’s own information systems that are highly compromised by a cyber-attack.

 

It is the Risk & Information Security Manager’s obligation to demonstrate through logs and time traces each of the decisions, changes or adjustments made and executed before the execution of the granted authority, as well as to communicate it directly and immediately to the CTIO. This evidence must be validated and verified by the Internal Audit Office and other control bodies that exist in Sophos Solutions.

 

The powers granted here must be reviewed annually in the Review session by the management (Sophos Pitch), or sooner if the CTIO – Chief Technology Innovation Officer or the Security Committee deems it necessary.

The Senior Management is the highest organ of the company; therefore, it is their responsibility to ensure the implementation and continuous improvement of the Information Security Management System – ISMS through the fulfillment of the following activities:

  • Demonstrate leadership and commitment to the Information Security Management System.
  • Approve and ensure the definition of policies, directives and guidelines related to information security management and that are compatible with the strategic direction of the company.
  • Socialize and highlight the importance of adopting and promoting a culture of information security in the company’s processes and projects.
  • Approve actions, good practices, tools, and measures related to the implementation and continuous improvement of the Information Security Management System.
  • Provide the necessary resources for the Information Security Management System and ensure that they are always available.
  • Assign roles, responsibilities, and levels of authority to implement and maintain information security management.
  • Ensure and guarantee that the Senior Management Review (Sophos Pitch) session reviews and reports on the fulfillment of system objectives aligned with the organization’s strategy.
  • Ensure that, through the session: Review by the Senior Management (Sophos Pitch) is verified that the Information Security Management System meets the convenience, adequacy, and continuous effectiveness.
  • Guarantee that the Senior Management Review (Sophos Pitch) session is held at least once a year.

The Information Security Committee consists of:

  • Senior Management
  • Vice Presidents
  • Chief Officers
  • Account Managers
  • Leaders and Collaborators of interested processes.

 

The Information Security Committee shall be responsible for:

  • Guarantee that there is a management direction that supports the administration and development of information security initiatives in the company.
  • Analyze the performance of the Information Security Management System.
  • Analyze the results and progress on the Information Security Management System.
  • Accompany and promote the development of security projects.
  • Analyze and recommend the implementation of controls that support the mitigation of information security risks.
  • Coordinate and direct specific actions that help provide a safe environment and establish information resources that are consistent with the company’s goals and objectives.
  • Recommend the allocation of specific roles and responsibilities on the Information Security Management System.
  • Approve the use of specific methodologies and processes for information security.
  • Promote programs that promote the culture of information security in the company.
  • Perform periodic reviews of the Information Security Management System.
  • Recommend and/or authorize the imposition of disciplinary measures for cases that the Information Security Area reports as serious or critical breach of the security policies established within the company.
  • Bring to the attention of the company, the documents generated or socialized within the committee that impact the company in a cross-cutting manner.
  • Analyze external and internal issues in the light of information security.
  • Analyze the results of internal/external security audits received from external vendors/customers.
  • Analyze opportunities for improvement for the Information Security Management System.
  • Review the relevance together with the CTIO if the authority granted to Risk & Information Security Manager is adequate if necessary.
  • Other functions inherent in the nature of the Committee.

 

Explanatory notes:

  • The information security committee may be attended by analysts or leaders from different areas, but they will have no say.
  • The Information Security Committee shall meet on a quarterly basis and shall deal with matters relating to the Information Security Management System.
  • The internal audit area will be permanently invited to the information security committee, will have a voice, but not a vote.
  • Extraordinary sessions may be cited when necessary, according to risk, security incident or continuity impact issues within the Information Security Management System.
  • Guarantee continuous improvement and compliance in each of its vice presidencies, COE’s, Projects, Areas and processes against the policies, guidelines, and procedures of the Information Security Management System.
  • Support and promote the implementation and accompaniment of the Information Security Management System in customer projects.
  • Identify and define the information security risks of process and project in support of the company’s Risk team.
    Monitor the implementation of information security procedures, objectives, indicators, and action plans.
  • Report to the information security committee on the progress, incidents, developments, and controls implemented over the company’s information assets.
  • Ensure the process of continuous improvement to the information security management system through the PDCA cycle.
  • Prevent and detect threats and vulnerabilities to company information assets.
  • Establish security and cybersecurity policies, procedures, and guidelines for the protection of information assets aligned with the confidentiality, integrity, and availability of these.
  • Align and correlate the strategic objectives of the Security Management system with the company’s Mission and its Macro-processes and processes.
  • Define security strategies to guide the system’s objectives in achieving the organization’s strategic objectives.
  • Create and promote awareness and safety culture among the company’s employees, suppliers, and customers.
  • Manage security incidents within the company along with support to related areas to determine the disciplinary or legal channel to which they occur.
  • Plan and manage response to security incidents to internal processes or customers.
  • Establish security guidelines and policies for the entire company.
  • Assess the appropriateness and coordinate the implementation of specific information security controls for new systems or services according to the prior analysis of identified risks.
  • Manage and administer profiles for each of the company’s positions, ensuring the inclusion of information security roles and responsibilities in each of them.
  • Include and manage the Security clauses corresponding to the position of the new employee, to ensure compliance with these clauses when initiating a contract or employment relationship with the company.
  • Request safety studies for personnel applying for positions established by the company to mitigate operational and security risks associated with unwanted profiles.
  • Inform interested areas about unlinking personnel, to guarantee that all activities associated with disabling, removing permissions, and roles are executed.
  • Include information security issues within induction programs, ensuring that collaborators know their duties and responsibilities towards the system and policies established by the company, as well as the implications for the misuse of information assets or other computer resources.
  • Guarantee proper management of physical and logical access to the company’s platforms and information systems (not applicable for applications hosted on third-party infrastructure).
  • Perform and ensure maintenance and updates of services, applications and tools managed by the infrastructure area to mitigate security breaches.
  • Assign, manage, and delete the active directory users, roles, and privileges, and information systems managed by the infrastructure area.
  • Perform and guarantee backups of critical company repositories, servers, and equipment, allowing business continuity and business recovery in case of contingency.
  • Segregate the networks of each company headquarters in order to limit access to confidential information of unauthorized or non-company persons.
  • Request, configure and assign the computer equipment required by each project for new collaborators entering the company.
  • Handle requests received from Information Security related to security exceptions.
  • Validate the implementation and compliance with the information security specifications and measures established by this Policy and by the standards, procedures and practices derived from it.
  • Conduct internal audits of the ISMS at least once a year.
  • Ensure regular assessments of controls, efficiency of systems and activities related to information asset management and the responsibility of the information asset management area to report the results of the audits carried out.
  • The collaborators of Sophos Solutions S.A.S are responsible for the proper management of information and information assets through compliance with established policies, processes, procedures, and controls.
  • All collaborators must respect and comply with established Information Security policies, standards, guidelines, and procedures, to guarantee the security of the company’s technological resources. In addition, they are responsible for informing the Information Security Area of any breach or security incident associated with the information of the company or its customers.
  • Collaborators that handle information classified as confidential or restricted within their functions must comply with the controls associated with each level of information security established by Sophos Solutions S.A.S.
  • Sophos collaborators must ensure the protection of the information assets delivered by the company.
  • Sophos collaborators should contribute to the continuous improvement of the information security management system.
  • The Sophos Collaborators are responsible for the quality, integrity and veracity of the data entered in the different information systems used within the company (either own or third parties).
  • Collaborators are required to comply with the guidelines and permissions granted by the owner on its information assets.
  • Sophos collaborators must comply with the Security Policy set forth in this document and all policies derived therefrom.
  • Sophos Collaborators must ensure compliance with Information Security policies within their immediate work environment (internally within the company and at the Customer).
  • It is the responsibility of collaborators, customers, and vendors to report immediately and through the channels established by Sophos Solutions S.A.S., the suspicion or occurrence of events and / or incidents of Information Security related to the company.
  • It is the duty of collaborators to use the company’s information systems and network access solely for the purposes that link it to it.
  • It is the duty of collaborators to use only the software and other technological resources authorized by Sophos and/or the Sophos Customer.
  • It is the duty of the Sophos Solutions SAS collaborators and Vendors to ensure the Confidentiality, Integrity and Availability of the information assets used for the execution of their activities.
  • It is the duty of the collaborators to use the different channels, tools and means of communication provided by the area of Information Security and Infrastructure to make specific requests for security, access, and services in front of their daily tasks.

In compliance with the continuous improvement of the Information Security Management System, it is established that the Information Security Policy should be reviewed every 6 months from the last change made or when there are modifications or new guidelines that warrant it.

The update of the Security Policy shall be socialized and validated by the Information Security Committee.

The update of the Security Policy should be approved by the Senior Management.

“Sophos Solutions S.A.S. reserves the right to modify this document according to changes that arise within the company.”

Read more