Scope
All VS&A collaborators are committed to preserving the confidentiality, integrity and availability of all information assets based on the best practices of the ISO 27001 Standard and the controls defined in the SoA VSA Applicability Statement approved on August 25, 2023. .
Information security requirements and any assets must be aligned with VS&A goals and objectives. Committing to implement a secure operational framework structured in accordance with the internationally recognized standard to implement and maintain an ISO/IEC 27001: 2022 Information Security Management System (ISMS).
When security management controls are required above the ISMS baseline, consideration should be given to reviewing the risks, which must be reported to VS&A as a measure of continuous improvement of the ISMS.
Strategic guidelines
The following information security guidelines are to ensure the continuity of VS&A dispatch and minimize the risk caused by threats, attackers and damage by preventing security incidents and reducing, mitigating or recovering from a potential impact on operations and services. services that have been agreed upon by contract with clients.
- Safeguard and protect VS&A customer information as well as commercially sensitive information in the organization’s custody. Ensuring the preservation of confidentiality, integrity and availability of data.
- Establish effective control measures to protect, in accordance with the provisions of the Registration Information Protection Manual (MAN-SGSI-005), VS&A information resources against theft, abuse, alteration, unauthorized publication, misuse or any form of harm or crime.
- Establish responsibility and notification of compliance with the information security guidelines applicable to VS&A through meetings with General Management.
- Encourage General Management, administration and VS&A staff to maintain an adequate level of awareness, knowledge and skill that allows them to maintain capabilities to minimize the occurrence and severity of security incidents.
- Ensure that VS&A can continue operations in accordance with the business continuity plan established by the organization.
Responsibilities
The General Management of VS&A is responsible for ensuring compliance with this policy, including the allocation of resources and responsibilities for the implementation and compliance of all policies, standards, guidelines, processes and procedures related to information security.
The General Directorate of the Office delegates authority to the ISMS Committee to supervise the control and effectiveness of the Information Security Management Systems (ISMS).
The Chief Information Security Officer (CISO) in charge of information security at VS&A is responsible for maintaining the ISMS and providing support/advice during its implementation.
The General Directorate has determined to assume the different lines of responsibility in order to coordinate information security efforts and align the activity to guarantee the continuous improvement and general effectiveness of the ISMS at a strategic and operational level.
General Management, collaborators, suppliers, project consultants and any other external party have and will be aware of their responsibilities to act based on the requirements of the VS&A ISMS. The consequences of violations of the security policy are described in the Internal Work Regulations (DOC-SGSI-001) of VS&A.
All employees, including vendors, will receive training from VS&A’s contracted information security services provider on information security awareness and training. Employees with roles and responsibilities that require high specialized knowledge will receive the same as necessary.
For new employees, training will be carried out in accordance with the provisions of the Personnel Hiring Policy (POL-SGSI-002).
Accordance
The ISMS is subject to continuous and systematic review and improvement by those responsible for Information Security.
The ISMS committee will be responsible for periodically reviewing the information security policies.
Foundation of the Security Policy
Each service in VS&A that uses the Internet as a basis for doing business poses risks for the information, systems and for the connections with which communication is maintained. Security policy is a set of rules that apply to VS&A activities and processes.
VS&A establishes as an information security policy the preservation of the confidentiality, integrity and availability of the information of all its collaborators, clients and suppliers in the services provided for the organization.
Security Policy Objectives
The objectives of the security policy at VS&A are described below, which focus on the following categories:
a) Protection of information or technological assets.
The resource protection scheme ensures that only authorized users will be able to access VS&A information or technology assets. The ability to secure all types of resources is one of the advantages of ISMS. First, the different categories of users who can access the organization’s technological environment will be exactly identified. Likewise, define the types of access authorization that will be managed and granted to the different groups of users and clients.
b) Authentication
It is the security or verification that the resource (person or system) located at the other end of the session is really who it says it is. The authentication levels used are compelling, maintaining the capabilities necessary to protect the environment against security risks such as spoofing, where the sender or recipient uses a false identity to access the system. Different security filters will be maintained such as passwords and usernames for authentication, digital certificates, additional authentication factors, etc. In accordance with the provisions of the Access Control Policy (POL-SGSI-015). When establishing communication with a public network such as the Internet, user authentication must take on new dimensions. An important difference between the Internet and an intranet is the ability to trust the identity of the user who logs in. Therefore, more secure authentication methods were implemented. Authenticated users will have different types of permissions, depending on their authorization level.
c) Authorization
Being an accounting and auditing services company, you must have the ability to know how, when and who is carrying out activities within the technological ecosystem. That is, the security must be guaranteed that the person or system located at the other end of the session has permission to carry out the request or operation that it is or wants to carry out. Authorization is the process of determining who or what can access system resources or perform certain activities on a system. Authorizations will be continually managed in the context of authentication by establishing registration, analysis and detection mechanisms.
d) Integrity
This part addresses the assurance that the incoming information is the same as that which has been sent, so security mechanisms and controls must guarantee the integrity of operations and that of clients at VS&A.
Data integrity: Data is protected from unauthorized changes or manipulations. Data integrity defends against security risks such as tampering, where someone intercepts and modifies the information without being authorized to do so.
In addition to protecting data stored on the network, additional security measures will be implemented to ensure the integrity of data when it enters the system from untrusted sources. When the data entered is related to a public network, security methods will be activated to perform these tasks:
- Protect data so that it cannot be manipulated or interpreted by encrypting it.
- Ensure that data transmission has not been modified or altered (data integrity).
- Demonstrate that transmission has occurred.
- For some clients it may be necessary to transmit information by specific means.
System integrity: Business systems and platforms must provide results consistent with expected performance. System integrity is the most monitored security component, because it is a fundamental part of VS&A services.
e) Non-repudiation
Proof that a transaction has occurred or that a message has been sent or received. The use of digital certificates and public key cryptography to sign transactions, messages and documents is the basis of non-repudiation. The sender and recipient both agree that the exchange is taking place. The digital signature of the data is sufficient proof.
f) Confidentiality
Consequently, VS&A must maintain security controls with clients’ FIEL, in accordance with the provisions of the FIEL Safeguarding Manual (MAN-SGSI-003), that confidential information remains private and is not visible to intruders. or attackers. Confidentiality is essential for the complete security of customer data. The encryption used in the software used by the company will be that specified by the manufacturer or with a virtual private network (VPN) connection to ensure confidentiality when transmitting data between several untrusted networks. The security policy should indicate what methods will be used to provide the confidentiality of information within the network and information leaving it.
g) Audit activities
The defined mechanism is to support the monitoring of security-related events to provide a log file of successful and unsuccessful (denied) accesses. Successful access logs indicate who is doing each task on the systems. Unsuccessful (denied) access logs indicate the possibility that someone is attempting unauthorized entry or that someone is having difficulty accessing the system.