Objective

This policy aims to establish guidelines for the protection and secure management of sensitive information handled by the company, including third-party data, personally identifiable information, and intellectual property rights. Information security is essential to protect the rights of our clients, partners, and employees, ensuring compliance with applicable legislation and current security standards.

Principles

  1. Confidentiality: Ensure that sensitive information is securely stored and accessible only to authorized individuals.
  2. Integrity: Protect the accuracy and consistency of information throughout the entire data lifecycle.
  3. Availability: Ensure that information is securely accessible when needed for authorized processes.
  4. Compliance: Ensure that all operations comply with applicable regulations, such as the GDPR (General Data Protection Regulation) and other relevant sector standards.

Scope of Application

This policy applies to all employees, service providers, suppliers, and partners who handle information under the company’s responsibility. It covers all systems, devices, networks, and processes used for information processing.

Implementation Guidelines

  1. Risk Management: Conduct periodic analyses to identify and assess risks associated with handling sensitive information.
    Implement appropriate controls to mitigate identified risks.
  2. Access Management: Control access to sensitive information based on the principle of least privilege.
    Conduct regular reviews of granted accesses and permissions.
  3. Third-Party Data Protection: Ensure the security of personally identifiable information and the protection of intellectual property rights in compliance with applicable laws.
    Implement confidentiality agreements (NDAs) with third parties.
  4. Awareness and Training: Promote regular training sessions for all employees on data and information security.
    Raise awareness among all employees about the importance of data protection and adherence to internal information security policies.
  5. Incident Management: Establish an incident response plan to identify, report, contain, and correct security breaches.
    Keep incident records and conduct analyses to prevent recurrence.
  6. Audit and Monitoring: Conduct regular audits to assess compliance with this policy and detect unauthorized access to information.
    Continuously monitor systems to identify vulnerabilities and unauthorized access.
  7. Business Continuity Management: Develop, implement, and periodically test business continuity plans to ensure information availability in case of disruptions or disasters.
Expected Results

  • Maintenance of an effective information security management system.
  • Assurance of system compliance with applicable legislation, notably ISO 27001.
  • Effective protection of sensitive information.
Responsibilities

  • IT Management: Responsible for implementing and monitoring technical controls.
  • Security Manager: Responsible for maintaining the Information Security Policy and providing support and guidance during its implementation and enforcement.
  • Quality Management: Responsible for the information security management system and for conducting annual control audits under ISO 27001.
  • Employees: Comply with the guidelines of this policy and report any identified incidents or vulnerabilities.
  • Administration: Commits to supporting the implementation of this policy, ensuring the resources necessary for information security, guaranteeing continuous improvement, and fulfilling all applicable legal, regulatory, and contractual requirements.

This policy will be communicated to all employees and relevant stakeholders and made available through the organization’s internal channels. It will be reviewed whenever significant changes occur in the organizational context.