Information Systems Security Policy

For InLOG and for the people and companies that depend on its services, information is one of its most valuable assets and a critical good without which it could not develop its activity. InLOG bases the quality of its management to a large extent on the use of this information in an accurate, complete and timely manner.

Therefore, it recognizes the great importance of security measures to ensure that the information is not affected by threats such as errors, fraud, embezzlement, sabotage, extortion, industrial espionage, privacy violations, service interruptions and natural disasters. InLOG’s management recognizes its responsibility to develop security guidelines to minimize the potential risks to which it is exposed in order to achieve its strategic business objectives. The objective of this Information Systems Security Policy is to define the main guidelines that lead to the formulation of Information Systems Security procedures, in order to safeguard the information as mentioned in the previous paragraph. The formulation of the Corporate Information Systems Security Policy is based on the following key pillars to achieve the protection of InLOG’s information:

– InLOG’s information and Information Systems are critical assets that must be protected to ensure their operation.

– InLOG information must be protected according to its susceptibility, value and criticality.

– All employees and third party collaborators of InLOG have a responsibility to protect the information entrusted to them.

– The protection of information enables InLOG’s business development; protection measures must be developed in accordance with a risk assessment.

To determine what protection measures are necessary, the confidentiality, integrity and availability of the information must be ensured and the information must be classified as Confidential, Internal Use or Public.

The information security principles around which Information Systems security measures are built are as follows:

– Information must be protected throughout its life cycle, from its creation or receipt to its processing, communication, transport, storage, dissemination to third parties and eventual destruction.

– InLOG will protect the information from unauthorized disclosure or manipulation or loss.

– Third parties that may access InLOG’s proprietary information must be subject to the control of the defined information security standards.

– Each employee has an obligation and duty to adequately protect information in accordance with InLOG’s classifications and standards.

The Corporate Information Systems Security Policy shall apply to all InLOG employees, whether or not they are employees, including anyone outside InLOG who has access to the information managed or owned by InLOG. The policy shall also apply to all digital information and Information Systems owned or managed for InLOG.

The Corporate Information Systems Security Policy contemplates the classification of information sensitivity levels in order to guarantee the confidentiality, integrity and availability control commitments of the information in an optimal way. This policy advocates the classification of information according to security levels as follows:

– Confidentiality: This includes the most sensitive information for InLOG, which requires strong measures to protect it from unauthorized disclosure (confidentiality) and/or unauthorized modifications (integrity).

– Internal Use: Applies to less sensitive information, which is intended to be internal to InLOG and, although its unauthorized dissemination is against this policy, it is not expected to have a serious negative impact.

– Public: That applies to information that has been explicitly approved by InLOG’s management to be shown to the public.

The requirements of this Corporate Security Policy are as follows:

– InLOG’s Corporate Information Systems Policy is approved by InLOG’s Management.

– Its contents are mandatory for all InLOG personnel and subcontracted third parties.

– The proposed corrective measures are binding on those responsible for implementing them.

– The implementation of and compliance with the Corporate Information Systems Security Policy must be verified and checked at the previously established intervals.

– The Corporate Information Systems Security Policy is a living document that is updated and modified through the procedure established therein. Likewise, the Policy must be known by all members of the InLOG organization.

The policies and procedures developed by InLOG are aimed at safeguarding information from unauthorized third parties. The confidentiality commitment is determined by the classification that InLOG makes distinguishing between levels of information: confidential, internal use and public.

This Security policy includes the policies/procedures that are part of InLOG’s Manual on Information Security and Privacy Policies (MPSPI), namely: Mobility Device Use Policy, Access Control Policy, Cryptographic Controls Use Policy, Clean Desktop and Clean Screen Policy, Communications Security Policies, Secure Software Development Policy, and Supplier Information Security Policy.

InLOG will provide the necessary means to disseminate to all its employees and subcontracted personnel the procedures designed to promote a culture of control. In this sense, it is considered a strategic objective of InLOG to maintain a high level of awareness of the importance of the security function. Consequently, InLOG considers all the rules created for this purpose as binding for all employees and subcontracted personnel, so that strict compliance with them must be observed.

Ángel Vélez

CEO

Revised: 1/8/2017

Last update: 1/8/2017

For InLOG and for the people and companies that depend on its services, information is one of its most valuable assets and a critical good without which it could not develop its activity. InLOG bases the quality of its management to a large extent on the use of this information in an accurate, complete and timely manner.

Therefore, it recognizes the great importance of security measures to ensure that the information is not affected by threats such as errors, fraud, embezzlement, sabotage, extortion, industrial espionage, privacy violations, service interruptions and natural disasters. InLOG’s management recognizes its responsibility to develop security guidelines to minimize the potential risks to which it is exposed in order to achieve its strategic business objectives. The objective of this Information Systems Security Policy is to define the main guidelines that lead to the formulation of Information Systems Security procedures, in order to safeguard the information as mentioned in the previous paragraph. The formulation of the Corporate Information Systems Security Policy is based on the following key pillars to achieve the protection of InLOG’s information:

– InLOG’s information and Information Systems are critical assets that must be protected to ensure their operation.

– InLOG information must be protected according to its susceptibility, value and criticality.

– All employees and third party collaborators of InLOG have a responsibility to protect the information entrusted to them.

– The protection of information enables InLOG’s business development; protection measures must be developed in accordance with a risk assessment.

To determine what protection measures are necessary, the confidentiality, integrity and availability of the information must be ensured and the information must be classified as Confidential, Internal Use or Public.

The information security principles around which Information Systems security measures are built are as follows:

– Information must be protected throughout its life cycle, from its creation or receipt to its processing, communication, transport, storage, dissemination to third parties and eventual destruction.

– InLOG will protect the information from unauthorized disclosure or manipulation or loss.

– Third parties that may access InLOG’s proprietary information must be subject to the control of the defined information security standards.

– Each employee has an obligation and duty to adequately protect information in accordance with InLOG’s classifications and standards.

The Corporate Information Systems Security Policy shall apply to all InLOG employees, whether or not they are employees, including anyone outside InLOG who has access to the information managed or owned by InLOG. The policy shall also apply to all digital information and Information Systems owned or managed for InLOG.

The Corporate Information Systems Security Policy contemplates the classification of information sensitivity levels in order to guarantee the confidentiality, integrity and availability control commitments of the information in an optimal way. This policy advocates the classification of information according to security levels as follows:

– Confidentiality: This includes the most sensitive information for InLOG, which requires strong measures to protect it from unauthorized disclosure (confidentiality) and/or unauthorized modifications (integrity).

– Internal Use: Applies to less sensitive information, which is intended to be internal to InLOG and, although its unauthorized dissemination is against this policy, it is not expected to have a serious negative impact.

– Public: That applies to information that has been explicitly approved by InLOG’s management to be shown to the public.

The requirements of this Corporate Security Policy are as follows:

– InLOG’s Corporate Information Systems Policy is approved by InLOG’s Management.

– Its contents are mandatory for all InLOG personnel and subcontracted third parties.

– The proposed corrective measures are binding on those responsible for implementing them.

– The implementation of and compliance with the Corporate Information Systems Security Policy must be verified and checked at the previously established intervals.

– The Corporate Information Systems Security Policy is a living document that is updated and modified through the procedure established therein. Likewise, the Policy must be known by all members of the InLOG organization.

The policies and procedures developed by InLOG are aimed at safeguarding information from unauthorized third parties. The confidentiality commitment is determined by the classification that InLOG makes distinguishing between levels of information: confidential, internal use and public.

This Security policy includes the policies/procedures that are part of InLOG’s Manual on Information Security and Privacy Policies (MPSPI), namely: Mobility Device Use Policy, Access Control Policy, Cryptographic Controls Use Policy, Clean Desktop and Clean Screen Policy, Communications Security Policies, Secure Software Development Policy, and Supplier Information Security Policy.

InLOG will provide the necessary means to disseminate to all its employees and subcontracted personnel the procedures designed to promote a culture of control. In this sense, it is considered a strategic objective of InLOG to maintain a high level of awareness of the importance of the security function. Consequently, InLOG considers all the rules created for this purpose as binding for all employees and subcontracted personnel, so that strict compliance with them must be observed.

Ángel Vélez
CEO

Revised: 1/8/2017
Last update: 1/8/2017