ISMS Policy
This policy establishes the commitment and leadership of senior management through the definition of the General Information Security Policy, in accordance with the Information Security Management System of Aranda Software, in order to preserve the integrity, confidentiality and availability of information.
It applies to the information assets necessary for the operation of the Support, Operations and Development processes located in the Microsoft Azure cloud for the solutions offered by Aranda Software in SaaS mode, and must be complied with by the entire organization.
It is addressed to all employees and other stakeholders who manage, use or access Aranda Software's information assets.
This policy is effective as of the date of its approval (12/28/2023). It must be reviewed annually, and updated whenever there are changes in the purpose or context of the organization, in the scope of the Information Security Management System, or in applicable legal, statutory or regulatory requirements; compliance with the provisions contained herein must be monitored.
Asset: Any element that has value for the organization. For information security risk management, the following are considered: information, software, physical elements, services, people and intangibles.
Confidentiality: Property that information is not made available or disclosed to unauthorized individuals, entities or processes.
Availability: Property of being accessible and usable upon demand by an authorized entity. [Source: ISO 27000].
Importance of the asset: Value reflecting the level of protection required by an information asset against the three properties of information security: integrity, confidentiality and availability.
Integrity: Property of accuracy and completeness. [Source: ISO 27000].
Monitoring: Verification, supervision, critical observation or continuous determination of status in order to identify changes from the required or expected level of performance.
Interested Party (stakeholder): A person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. A decision maker can be an interested party. [Source: ISO 31000].
Risk: Effect of uncertainty on objectives. An effect is a deviation from what is expected, whether positive, negative or both. Objectives can have different aspects (economic, image, environment) and can apply at different levels (strategic, operational, organization-wide). [Source: ISO 31000].
Senior Management: Definition, publication, communication and implementation of the General Information Security Policy.
Process Leaders: Leading the implementation and adoption of the General Information Security Policy in their processes.
Collaborators and other interested parties: Adopting and complying with the guidelines contained in the General Information Security Policy.
Third parties and/or supply chain: Adopting and complying with the guidelines contained in the General Information Security Policy issued by Aranda Software within this document.
The regulations applicable to this policy can be consulted in the Information Security Management System - ISMS.
The purpose of this document is to describe the General Policy of the Information Security Management System - ISMS, in accordance with the international framework NTC ISO 27001 and other national and international provisions regarding the principles of information security (integrity, confidentiality and availability).
The application of the Policy must seek to protect the information assets of Aranda Software against any threat that affects the three pillars of information security.
Since organizations face both persistent and new threats arising from technological change and the conditions of their environment, information security must remain in constant evolution, and the Information Security Management System must adapt accordingly.
By virtue of the above, policies require permanent review, updating, approval and adaptation in order to achieve the purpose of continuous improvement.
Aranda Software, aware of the importance of information security and considering it a fundamental factor that must be incorporated into its processes and institutional mission, is committed to preserving the confidentiality, integrity and availability of information through the implementation and continuous improvement of the Information Security Management System (ISMS): monitoring the fulfillment of its objectives; implementing strategies, controls and guidelines that allow it to adequately manage its information security assets, risks and incidents; and allocating the resources necessary to ensure compliance with the legal requirements and organizational and contractual obligations that apply to the handling and/or processing of information.
It promotes among its collaborators and other related persons the formation of an information security culture, which allows the effective adoption of the controls and good security practices designed within the organization.
- Reduce the probability of materialization of information security risks that may compromise the confidentiality, integrity and availability of information, by means of adequate risk management.
- Raise employee awareness of the importance of protecting information assets, through training on information security-related topics, so that compliance with policies, procedures and other guidelines designed within the framework of the ISMS can be evidenced.
- Ensure timely attention to information security incidents, implementing an effective procedure for their identification, reporting and treatment.
- Address in a timely manner the corrective actions and observations arising from follow-ups, internal and external audits and planned reviews.
- Provide the financial, human and infrastructure resources required to maintain the Information Security Management System - ISMS and ensure adequate treatment of risks in Aranda Software.
All employees and, in general, all stakeholders identified in the Information Security Management System of Aranda Software must fully comply with this policy.
Failure to comply with this policy and the provisions contained herein may lead to disciplinary actions, investigations and/or legal actions, in accordance with the internal procedures of Aranda Software and other guidelines applicable to the organization.
NTC ISO 27001:2022
- ISMS Objectives
- ISMS Scope