Information Security Policy

1.Objective

This policy sets out the directives and guidelines that must be followed to protect the information of Beedigital (hereinafter referred to as «the Organization») from a wide range of threats, in order to:

  • Guarantee the security of the operations carried out through the Information Systems.
  • Minimize the risk of damage.
  • Ensure the fulfillment of the objectives of the Organization.

The Organization is committed to making the principles of the Information Security Policy part of its culture, and to that end it has implemented an Information Security Management System (ISMS) based on an internationally recognized standard.
All personnel of the Organization, including employees, suppliers and management, must be aware of and comply with this policy.
This Policy will be developed through regulations, procedures, operating instructions, guides, manuals and any other organizational instruments considered useful for achieving its objectives.

2.Scope

The scope of the Information Security Policy coincides with the scope of the ISMS defined by the Organization and established in the internal document in which the context of the Organization is defined.
This document develops the requirements of ISO/IEC 27001:2022, section 5.2 «Policy».

3.Definitions and acronyms

For the purposes of a correct interpretation of this Policy, the following definitions are included:

  • Information: Data that has meaning, in any format. It refers to any communication or representation of knowledge.
  • Information System: A set of related and organized resources, both computerized and manual, for the processing of information according to defined procedures.

4.Policy Development

A framework is established for achieving the Organization's information security objectives. These objectives will be achieved through a series of organizational measures and concrete, clearly defined rules.
This Security Policy will be maintained, kept up to date and appropriate to the purposes of the Organization.
The principles that must be respected, based on the basic dimensions of security, are the following:

  • Confidentiality: property by which only those who are authorized can access the information managed by the Organization, once they have been identified, at the times and through the means provided for that purpose.
  • Integrity: property that guarantees the validity, accuracy and completeness of the information managed by the Organization, so that its content is that originally supplied by the parties concerned, free from any kind of manipulation, and can be modified only by those authorized to do so.
  • Availability: property of being accessible and usable within the agreed service intervals. The information managed by the Organization is accessible and usable by authorized and identified customers and users whenever required, and its persistence is guaranteed in the event of any foreseeable contingency.

In addition, since any Information Security Management System must comply with current legislation, the following principle will also be followed:

  • Legality: compliance with the laws, rules, regulations and other provisions to which the Organization is subject, particularly with regard to personal data protection.

4.1.Risk management

Information security management in the Organization is risk-based, in accordance with the international standard ISO/IEC 27001:2022.
It is articulated through a general process of risk assessment and treatment, covering any risk that could affect the security of the information of the services provided, and consists of:

  • Identifying threats that could exploit vulnerabilities in the Information Systems that support, or on which depends, the security of the information.
  • Analyzing the risk, based on the impact should the threat materialize and the likelihood of its occurrence.
  • Evaluating the risk against previously established and approved thresholds for broadly acceptable, tolerable and unacceptable risk.
  • Treating unacceptable risk through appropriate controls or safeguards.

This process is cyclical and must be carried out periodically, at least once a year. An owner will be assigned to each identified risk; several risks may be owned by the same person or committee.

4.2.Framework for setting information security objectives

Information security objectives are set taking into account the following inputs:

  • Reports from the ISMS Security Officer, approved by the Organization's Management.
  • Opportunities for improvement found during the operation of the ISMS.

Objectives must be measurable and achievable, and the planning for their achievement must therefore include:

  • What is going to be done.
  • The resources needed.
  • Who will be responsible.
  • The deadline for achieving it.
  • How the results will be evaluated.
  • Where applicable, the indicator associated with the objective.

Management, together with the ISMS Security Officer, is responsible for defining the Organization's information security objectives. These must be specific and consistent with the Organization's Information Security Policy, mission, vision and values.

4.3.Objectives of the ISMS

The Organization’s ISMS must ensure:

  • That policies, regulations, procedures and operational guides are developed to support the information security policy.
  • That the information that must be protected is identified.
  • That risk management is established and maintained in line with the requirements of the ISMS policy and the Organization’s strategy.
  • That a methodology is established for the assessment and treatment of risk.
  • That criteria are established with which to measure the level of compliance with the ISMS.
  • That the level of compliance with the ISMS is reviewed.
  • That non-conformities are corrected through the implementation of corrective actions.
  • That staff receive training and awareness on information security.
  • That all personnel are informed of their obligation to comply with the information security policy.
  • That the resources necessary to manage the ISMS are allocated.
  • That all legal, regulatory and contractual requirements are identified and complied with.
  • That the information security implications of business requirements are identified and analyzed.
  • That the degree of maturity of the information security management system itself is measured.
  • That continuous improvement of the ISMS is carried out.

4.4.Organization and responsibilities

  • The General Management of the Organization is responsible for approving this policy.
  • The Information Security Management Committee is responsible for reviewing this policy.
  • The ISMS Security Officer is responsible for maintaining this policy.

This policy must be reviewed regularly, together with the rest of the Corporate Policies, according to the agreed review scheme, and whenever relevant changes occur, in order to ensure that it remains aligned with the company’s strategy.

4.5.Policy Enforcement

The Organization has developed this document, which contains the General Information Security Policy, has had it approved by the General Management, and has made it known to all company personnel and relevant external stakeholders.

4.6.Training and awareness

The ISMS Security Officer must ensure that all personnel involved in the ISMS are aware of this policy, its objectives and its processes, through its dissemination, training actions and awareness-raising actions.
The ISMS Security Officer must also guarantee the distribution of the documents that apply to each level, according to the different roles defined in the company.

4.7.Audit

The General Management of the Organization must guarantee and verify, through internal and external audits, the degree of compliance with the guidelines of this Policy and that they are correctly implemented and operated. It also assumes responsibility for ensuring that any corrective measures determined by those audits are carried out, in order to maintain continuous improvement.

4.8.Validity and Updating

This policy is effective from the time of publication and is reviewed at least once a year.
The purpose of the periodic reviews is to adapt the policy to changes in the context of the Organization, paying attention to external and internal issues and analyzing the information security incidents that have occurred and the non-conformities found in the ISMS. All of this is reconciled with the results of the different risk assessment processes.
When the Policy is reviewed, all the regulations and other documents that develop it will also be reviewed, following a periodic update process triggered by relevant changes that may occur: company growth and organizational changes, changes in infrastructure, development of new services, among others.
As a result, a list of objectives and actions to be undertaken and executed during the following year will be drawn up to guarantee information security and the proper use of the resources that support and process it in the Organization.