Introduction
This policy establishes the principles that ensure Sofis Solutions' information technology assets (people, processes, information, and technology) are adequately protected.
A policy is needed to provide a comprehensive framework for safeguarding the organization's information assets and for ensuring the confidentiality, integrity, and availability of its data.
Scope
This policy applies to:
All employees, contractors, consultants, temporary staff, interns, and any other individuals with a professional relationship with Sofis Solutions, including third-party personnel.
All locations where Sofis Solutions' information technology assets are housed or used.
All of Sofis Solutions' information technology assets.
Any information that is not specifically identified as belonging to third parties and that is transmitted or stored on Sofis Solutions’ information technology assets or those contracted by Sofis Solutions (including files, emails, and instant messages).
All devices connected to Sofis Solutions' networks or used to access its assets.
Audience
The entire Sofis Solutions team and other stakeholders.
Responsibilities
Sofis Solutions’ management is ultimately responsible for managing security risks and threats and oversees the strategy, funding, and resources for information security, with the support of managers and coordinators.
Management has the authority to:
Establish the strategy, governance, and oversight of information security.
Assign responsibilities for information security management.
Management is responsible for:
Leading the development of information security policies, standards, and guidelines.
Identifying and documenting information security controls and monitoring their effectiveness.
Managing information security risks and threats across Sofis Solutions as a whole.
Providing assistance and raising awareness on cybersecurity issues.
Managing information security incidents.
Providing support for privacy and compliance matters in accordance with the existing privacy policy.
Managers, supervisors, and service coordinators are responsible for managing information security risks and threats within their areas of responsibility.
Owners of information and IT assets are responsible for:
Assessing, reporting, and escalating the information security risks and threats, including those affecting availability, confidentiality, and integrity, associated with their information and IT assets.
Assessing and managing the information security risks and threats associated with their service providers.
Monitoring access to their IT assets.
Ensuring that the information security controls protecting their assets are managed.
Complying with the general requirements established or approved by the organization, as well as with relevant laws, regulations, and applicable policies.
Sofis Solutions employees are responsible for complying with the security policy.
Employees are responsible for monitoring and safeguarding data and information systems within their defined scope of control and ownership. They are required to comply with policies and standards related to risk and to immediately report any actual or potential information security incidents or threats through the established procedures.
Development
Information security refers to the preservation of the confidentiality, availability, and integrity of a company’s or a third party’s information.
An inventory of information assets and information technology must be maintained.
Information security risks and threats must be managed throughout the lifecycle of information technology assets.
Information technology assets must be secured in accordance with the risk they pose and with appropriate mitigation controls.
All access to IT assets must be approved on a need-to-know basis and reviewed periodically.
Information security incidents and anomalous activities must be monitored and analyzed in a timely and appropriate manner.
Information security incidents must be managed and mitigated in a timely and appropriate manner.
Business continuity and disaster recovery plans must be developed and tested.
Information and IT assets must be managed in accordance with applicable laws, regulations, and contracts.
Remote access is restricted to the operational needs of Sofis Solutions and must be supported by robust security configurations and encryption methods.
The information security policy serves as a framework for a documented, comprehensive program that includes policies, processes, and procedures related to the access, use, protection, and management of logical and physical assets.
Under this policy, information security objectives are established periodically within the ISMS (Information Security Management System), and their alignment with legal, regulatory, contractual, and business requirements, as well as with the organization’s specific objectives and strategy, is ensured.
Security incidents must be reported immediately to management.
Information security performance indicators must be reported to management at least once a year.
Information security risk indicators must be reported at least once a year to management and to the Coordinator of the Integrated Sustainable Management System.
This Policy establishes a commitment to the continuous improvement of the established Information Security Management System. This includes management based on the PDCA cycle, taking into account, among other tools: the management of risks and related threats, the implementation of controls and reviews, and the evaluation of the system’s effectiveness through periodic reviews, internal and external audits, and the improvement processes established at Sofis Solutions.
Violations of this policy will be considered grounds for disciplinary action, as provided for generally in the regulations of the jurisdiction applicable to each employee and specifically in the employment contract and the confidentiality agreement.
Any exception to this policy requires formal approval from management or a duly authorized representative.
If you have any questions or concerns regarding this information security policy or any content mentioned herein, please contact Sofis Security by email.