ISMS Policy
Establish the commitment and leadership of senior management through the definition of the General Information Security Policy in accordance with the Information Security Management System of Aranda Software and in order to preserve the integrity, confidentiality and availability of information.
Applies to all Aranda Software processes and stakeholders that manage, use or access the organization's information assets.
All employees and other stakeholders who manage, use or access Aranda Software's information assets.
- Senior Management: definition, publication, communication and implementation of the General Information Security Policy.
- Process Leaders: leading the implementation and adoption, in their processes, of the General Information Security Policy.
- Employees and other interested parties: adopting and complying with the guidelines contained in the General Information Security Policy.
- Third parties and/or supply chain: adopting and complying with the guidelines contained in the General Information Security Policy issued by Aranda Software within this document.
- Asset: any element that has value for the organization. For information security risk management, the following are considered assets: information, software, physical elements, services, people and intangibles.
- Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities or processes.
- Availability: property of being accessible and usable on demand by an authorized entity. [Source: ISO 27000].
- Importance of the asset: value that reflects the level of protection required by an information asset against the three properties of information security: integrity, confidentiality and availability.
- Integrity: property of accuracy and completeness. [Source: ISO 27000].
- Monitoring: verification, supervision, critical observation or continuous determination of the status in order to identify changes with respect to the required or expected level of performance.
- Involved party: a person or organization that may affect, be affected by, or perceive itself to be affected by a decision or activity. A decision maker may be an involved party. [Source: ISO 31000].
- Risk: the effect of uncertainty on objectives. An effect is a deviation from what is expected, whether positive, negative or both. Objectives can have different aspects (economic, image, environment) and can be applied at different levels (strategic, operational, organization-wide). [Source: ISO 31000].
The regulations applicable to this policy may be consulted in the Information Security Management System - ISMS.
The purpose of this document is to describe the General Policy of the Information Security Management System - ISMS, in accordance with the international framework NTC ISO 27001 and other national and international provisions regarding the principles of information security (integrity, confidentiality and availability).
The application of the Policy should seek to protect the information assets of Aranda Software against any threat that affects the three pillars of information security: integrity, confidentiality and availability.
Considering that information security must remain in constant evolution, since organizations face persistent and new threats according to technological changes and the conditions of their environment, the Information Security Management System must adapt to this situation.
By virtue of the above, policies require permanent review, updating, approval and adaptation to achieve the purpose of continuous improvement.
Aranda Software, aware of the importance of information security and considering it as a fundamental factor that must be incorporated into its processes and institutional mission, is committed to preserving the confidentiality, integrity and availability of information through the implementation and continuous improvement of the Information Security Management System (ISMS).
This commitment includes monitoring compliance with the objectives of the Management System; implementing strategies, controls and guidelines to adequately manage its assets, risks and information security incidents; and allocating the necessary resources to ensure compliance with legal requirements and with organizational and contractual obligations in relation to the handling and/or processing of information.
Aranda Software also promotes, among its employees and other related persons, the formation of a culture of information security, enabling the effective adoption of the controls and good security practices designed within the organization.
- Reduce the probability of materialization of risks associated with information security, which may compromise the confidentiality, integrity and availability of information, by means of adequate risk management.
- Raise employee awareness of the importance of protecting information assets, through training on information security issues, so that compliance with the policies, procedures and other guidelines designed within the framework of the management system can be evidenced.
- Ensure timely attention to information security incidents, implementing an effective procedure for their identification, reporting and treatment.
- Address in a timely manner the corrective actions and observations arising from follow-ups, internal/external audits and planned reviews.
- Provide the financial, human and infrastructure resources required to maintain the Information Security Management System - ISMS and ensure adequate treatment of risks in Aranda Software.
This policy is effective as of 12/28/2023, the date on which it was approved. It must be reviewed annually, and updated whenever there are changes in the purpose or context of the organization, in the scope of the Information Security Management System, or in legal, statutory or regulatory requirements; compliance with the provisions contained herein must be monitored.
All employees and, in general, all stakeholders identified in the Information Security Management System of Aranda Software must comply with 100% of this policy.
Failure to comply with this policy and the provisions contained herein may lead to disciplinary actions, investigations and/or legal actions, according to the internal procedures of Aranda Software and other guidelines applicable to the organization.