This Security Policy is part of the Information Security Management System (ISMS). Its main objective is to establish general guidelines that ensure information security is managed in an integrated manner, coordinated with the company's business objectives and strategic lines, applicable regulations, and internal security directives.
Information is a critical and essential asset, so this document establishes the basic principles to ensure that the access, use, custody, and safeguarding of information assets are carried out appropriately.
This Security Policy ensures the explicit commitment of IDESA and its top management to guarantee and supervise the proper management of information security, minimizing the risks derived from existing threats in terms of availability, integrity, confidentiality, traceability, and authenticity of information.
The Security Policy is a document approved by IDESA's management and is mandatory throughout the organization.
The scope of this Security Policy encompasses all business activities conducted within IDESA, including the assets that support these activities at any company location. This Security Policy applies to all personnel associated with IDESA who use its information and/or information systems. This includes internal staff of the company as well as external staff (customers, suppliers, auditors, etc.).
This Security Policy, in its purpose of protecting IDESA's information assets in all their dimensions, has the following objectives:
In addition, it may also be necessary to manage other objectives related to information security, based on potential legal and/or business requirements. Specifically:
This section specifies the basic principles that should always be considered in any activity related to the handling of information, in order to achieve the objectives described in the previous section:
The management of IDESA, fully aware of the importance of information security for its business processes, commits to:
The definition of roles and the assignment of responsibilities within the information security scope at IDESA are specified in an internal document, publicly available to all employees.
All employees of IDESA have the obligation to be aware of and comply with this Information Security Policy and the security rules derived from it. It is the responsibility of IDESA's management (or designated authority) to ensure that the Policy is known by all relevant parties.
Furthermore, all employees of IDESA have the obligation and responsibility to report to IDESA's management (or designated authority) any identified incidents or offenses that could compromise the security of information assets.
All employees of IDESA with access to information systems will receive periodic awareness sessions or materials regarding information security. Similarly, employees with responsibilities in the use, operation, or administration of ICT systems will receive training for the secure handling of systems as necessary for their job tasks. Training will be mandatory before assuming a responsibility, whether it is their initial assignment or a change of position or responsibilities within the same role.
The Security Policy will be reviewed by the Security Committee at planned intervals, which should be no longer than 2 years, or whenever significant changes make it advisable, to ensure its suitability, adequacy, and effectiveness are maintained. Any updates to this Policy should be communicated to all relevant parties.
This Security Policy will be made available for reference to all employees of IDESA through the organization's information systems and/or published on its website. The necessary actions will also be taken to communicate, ensure understanding, and implement the Policy effectively.