Get to know our security policies and information handling
The following Information Security Policy is established for TRIARIO GROUP, hereinafter referred to as the GROUP, as the organizational framework for the appropriate use of its resources. It seeks to protect and safeguard information by defining guidelines that ensure proper control and minimize the associated risks.
Its objective is to establish norms that protect against potential risks of damage, loss and misuse of the entity's information, equipment and other IT resources, which change and evolve constantly with technological advances and the entity's requirements.
This policy applies to all users who:
- Have any type of contact with these assets.
- Are in charge of the entity's information assets and must complete a confidentiality agreement committing them to compliance with the security policies described herein.
The GROUP does not operate a network of its own; to access each client's network it adopts and complies with that client's security policies.
4.1 Senior Management
- Ensure the establishment of objectives and plans to guarantee Information Security.
- Define roles and responsibilities for information security.
- Communicate to the organization the importance of achieving information security objectives and complying with the security policy.
- Allocate all necessary resources to carry out plans to ensure Information Security.
- Decide on all risk acceptance criteria and their corresponding levels.
- Ensure that all internal audits are conducted.
- Conduct periodic reviews of the results obtained when executing plans to ensure Information Security.
- Approve initiatives to increase information security.
- Maintain the confidentiality of application and system passwords.
- Report suspected information security breaches.
- Ensure appropriate information input into systems.
- Adhere to GROUP security policies.
- Use GROUP information only for authorized purposes.
- If the client uses GROUP infrastructure or information, they must accept the terms and conditions of the GROUP's security policies.
- Must maintain an updated asset registry that identifies assets used for service provision.
- Must notify the GROUP of the disposal of assets used for service provision. If such assets contain other GROUP property (hardware, software, or other assets), they must be returned to the GROUP before disposal so the GROUP can withdraw its assets.
- Whenever an asset has contained sensitive information, disposal must guarantee the secure deletion of such information, applying secure deletion functions or physically destroying the asset so that the contained information cannot be recovered.
- All assets used for service provision must have a responsible party who ensures that such assets incorporate the minimum security measures established by the GROUP.
- Must establish a backup policy that ensures the safeguarding of any data or information relevant to the service provided, on a weekly basis.
4.5 Information Security Officer
- Establish and document the organization's responsibilities regarding information security.
- Maintain the organization's information security policy and standards.
- Identify GROUP security objectives and standards (virus prevention, use of monitoring tools, etc.).
- Define methodologies and processes related to information security.
- Communicate basic information security aspects to GROUP employees. This includes an awareness program to communicate basic information security aspects and GROUP policies.
- Develop controls for the technologies used by the organization. This includes monitoring vulnerabilities documented by suppliers.
- Monitor compliance with the GROUP's security policy.
- Control and investigate security incidents or breaches.
- Conduct periodic vulnerability assessments of the systems comprising the GROUP's data network.
- Evaluate security aspects of technology products, systems, or applications used in the GROUP.
- Manage an information asset classification program, including identifying application and data owners.
- Manage access to key GROUP applications.
- Control security aspects of information exchange with external entities.
5. Internal Policies and Procedures
5.1 IT Assets and Resources
- Employees must comply with usage instructions dictated by the GROUP.
- IT resources must be used solely for work purposes.
- Employees must comply with the license terms of GROUP applications and must sign a confidentiality agreement before being granted access to restricted-use information.
- Users are assigned limited profiles in applications to control their access based on their role.
- Employees are responsible for their accesses and IT resources and must not allow others to perform tasks under their identity.
- Any damage to IT resources due to user negligence or third-party negligence with the user's consent is the user's responsibility.
- The GROUP may:
  - Restrict or revoke the privileges of any user.
  - Inspect, copy or remove any data, program or other resource that is contrary to the GROUP's objectives.
  - Take any action necessary to manage and protect its information systems, even without the user's knowledge.
- When there is a need to share any resource, it must be done with authorization from the team leader/manager.
- A user may be monitored with prior authorization from the GROUP director.
- It is strictly prohibited to access information systems without privileges and in any way damage or alter the operation of such systems.
- Users must not read, modify, copy, or delete information belonging to another user without their authorization.
- Unless they have written approval or it is part of their job function, users must not exploit security flaws in information systems, nor use them to damage the systems or the information they contain.
- Any security incident must be reported in writing to the IT leader's email address.
- Only technical system area employees are authorized to change the operating system configuration of users' workstations.
- Licenses must be safeguarded and controlled by the Systems area. This area must perform software license audits at least once a year, generating the respective evidence.
- Users are prohibited from installing software and hardware on GROUP computers.
- Repair or removal of any part or element in computing equipment or other IT resources can only be performed by systems employees authorized by the GROUP.
5.2 Confidentiality Agreements
- Every user must sign a confidentiality agreement and an information systems security agreement, which may be tied to the employment contract.
- Participation in GROUP client projects must also involve the signing of confidentiality agreements by users.
5.3 Application User Management
- Each user is assigned a password for accessing information systems, which must be personal, confidential, and non-transferable.
- Each user must ensure that their passwords are not seen or learned by others.
- Each user must use different passwords for each resource they access.
- All employees must change their passwords when prompted by the information system.
- All passwords must have a minimum length of TWELVE (12) characters and include a combination of numbers, uppercase letters, lowercase letters and symbols or special characters; they must not be proper names or dictionary words.
- Passwords must not consist of a fixed combination of characters plus a variable but predictable part, such as a date or year.
- The user must not generate a password identical or substantially similar to one previously used.
- No password should be saved in readable form in "batch" files, scripts, macros, terminal function keys, text files, on computers, or in other locations where unauthorized persons may discover or use them.
- Any password must be changed immediately if its confidentiality is suspected or known to be compromised.
- Revealing the password to other employees or third parties is not allowed.
- No user should attempt to obtain passwords from other users.
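As an added illustration that is not part of the GROUP's policy or its systems, the following Python function checks a candidate password against the rules of this section: minimum length, character classes, dictionary words (with common letter-for-symbol substitutions undone first), predictable parts such as years, dates and digit runs, and similarity to previously used passwords. The word list, the 0.75 similarity threshold and the substitution table are assumptions chosen for the example.

```python
import difflib
import re
import string

# Constructed stand-in for a real dictionary / proper-name list (assumption for this example).
DICTIONARY = frozenset({
    "password", "welcome", "company", "summer", "winter", "secret", "carlos", "maria",
})

MIN_LENGTH = 12              # policy: twelve characters minimum
SIMILARITY_THRESHOLD = 0.75  # "substantially similar" cut-off; chosen here, not fixed by the policy

# Common letter-for-symbol substitutions, undone before the dictionary check so that
# "P@ssw0rd" is still recognised as "password" (assumed table).
_LEET = str.maketrans("013457@$!", "oieastasi")

# "Variable but predictable" fragments: a year, a short numeric date, a ddmmyyyy-style digit run.
_PREDICTABLE = (
    re.compile(r"(?:19|20)\d{2}"),
    re.compile(r"\d{1,2}[/.-]\d{1,2}"),
    re.compile(r"\d{6,8}"),
)


def _composition_missing(pw):
    """Return the character classes the policy requires that `pw` lacks."""
    missing = []
    if not any(c.isdigit() for c in pw):
        missing.append("digit")
    if not any(c.isupper() for c in pw):
        missing.append("uppercase letter")
    if not any(c.islower() for c in pw):
        missing.append("lowercase letter")
    if not any(c in string.punctuation for c in pw):
        missing.append("symbol")
    return missing


def _is_dictionary_word(pw):
    """True when the longest alphabetic run of `pw` (after undoing leet-speak) is a listed word."""
    runs = re.findall(r"[a-z]+", pw.lower().translate(_LEET))
    return bool(runs) and max(runs, key=len) in DICTIONARY


def _has_sequential_digits(pw, run=4):
    """True when `pw` contains `run` consecutive ascending or descending digits (1234, 9876)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if window.isdigit():
            steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def _has_predictable_part(pw):
    return any(p.search(pw) for p in _PREDICTABLE) or _has_sequential_digits(pw)


def _too_similar(pw, previous):
    """Identical, one contained in the other, or above the difflib similarity threshold."""
    for old in previous:
        if pw == old or old in pw or pw in old:
            return True
        if difflib.SequenceMatcher(None, pw, old).ratio() >= SIMILARITY_THRESHOLD:
            return True
    return False


def check_password(candidate, previous=()):
    """Return the list of policy rules `candidate` breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = _composition_missing(candidate)
    if missing:
        problems.append("missing " + ", ".join(missing))
    if _is_dictionary_word(candidate):
        problems.append("based on a dictionary word or name")
    if _has_predictable_part(candidate):
        problems.append("contains a predictable part (date, year or digit run)")
    if _too_similar(candidate, previous):
        problems.append("identical or too similar to a previous password")
    return problems


if __name__ == "__main__":
    history = ["Summer-House!2"]  # constructed previous password for the example
    for pw in ["Welcome2024!!", "Summer-House!1", "Abc123!", "k9#Rm!vQ2pLx@7"]:
        print(f"{pw!r}: {check_password(pw, history) or 'OK'}")
```

The similarity check deliberately catches the common habit of incrementing a trailing digit ("Summer-House!1" after "Summer-House!2"), which a plain equality check would miss; in a real deployment the previous passwords would be compared as hashes or through the identity provider's own history feature rather than kept in clear text.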
5.4 Asset Delivery and Return
- When a user begins their employment with the GROUP, they must complete the inventory delivery document.
- When a user ends their employment, or under any other circumstances stops using the personal computer or technological resource provided on a permanent basis, a validation of what was delivered by the user against what is registered in the inventory discharge form must be performed.
- The employee will be responsible for damages or harm caused to hardware equipment due to their negligence.
- Every system or application must have separate development and production environments, and production data must not be used for testing.
- Any change or update to an information system in production must first be evaluated in a test environment to confirm correct functionality and compatibility with the base tools.
- Any changes and/or updates to information systems in production must have the respective documentation.
- No password may be embedded in the code of software developed or modified by the GROUP or its suppliers, so that passwords can be changed regularly without modifying the code.
- A logging system or activity record must be implemented for each system so that actions and information can be monitored.
- Information in production must be modified only through the privileged processes of the application that manages it, so that it cannot be altered through channels that have not been established.
- During application development, the developer must implement input validation to prevent the injection of commands that could compromise system security.
- System and application logs must not be accessible to unauthorized personnel, that is, anyone outside internal audit, IT security, system administration or database administration.
- For developments in HubSpot and WordPress, the guidelines outlined in the security document must be followed.
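As an added example that is not part of the GROUP's own tooling, the following Python script applies the rule above (no passwords embedded in developed code) together with the rule in 5.3 that no password may be stored in readable form in batch files, scripts or macros: it scans a set of files for credential literals and reports the file and line. The sample files, their contents and the three detection patterns are constructed for the example; a real run would walk the repository instead of the in-memory mapping.

```python
import re

# Each rule: (name, compiled pattern). Matching is case-insensitive; a line is reported once.
RULES = (
    # KEYWORD = "literal"  /  keyword: 'literal'   (source code, config files, macros)
    ("quoted credential literal",
     re.compile(r"\w*(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']([^\"']{4,})[\"']", re.I)),
    # set VAR=value / export VAR=value in batch or shell scripts, unless the value is itself a
    # variable reference such as %DB_PASSWORD% or $DB_PASSWORD
    ("script environment assignment",
     re.compile(r"^\s*(?:set|export)\s+\w*(pass|secret|token|key)\w*=(?![$%])(\S+)", re.I)),
    # scheme://user:password@host  (connection strings)
    ("credentials embedded in URL",
     re.compile(r"[a-z][a-z0-9+.-]*://([^/\s:@]+):([^@\s]+)@", re.I)),
)

# Constructed sample files for the example; the secrets in them are made up.
SAMPLE_FILES = {
    "config.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "Hunter2!Hunter2"\n',
    "backup.sh": "export PGPASSWORD=Wint3r2024\npg_dump -h db.internal app > backup.sql\n",
    "deploy.bat": "set DBPASS=%DB_PASSWORD%\n",
    "notes.txt": "mysql://app:S3cretPw@db.internal/app\n",
    "settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}


def scan_text(name, text):
    """Return (file, line number, rule name) for every line of `text` that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule_name))
                break  # one report per line is enough
    return findings


def scan_files(files):
    """Scan a {filename: contents} mapping; in practice the mapping would come from the repository."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for name, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {rule}")
```

The two clean files show the compliant pattern: deploy.bat and settings.py reference the credential through an environment variable, so the value lives outside the code and can be rotated without a code change. Running a check like this in the Git pre-commit hook or the CI pipeline turns the policy statement into an enforced control.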
5.6 Backup and Recovery
- A backup schedule for information systems should be established with a frequency defined for each project or system.
- When developing or updating an existing application, partial or complete backup of the source code must be performed.
- All developments must be uploaded to and managed with Git, with daily commits.
- Backups must cover both the source code repository and the database holding its metadata and other meta-information.
- Backups must be verified periodically by performing a test restore.
5.7 Mobile Devices
- Do not download or store GROUP information on mobile devices.
- Install and configure antivirus software.
- Configure the screen lock to activate after at most 2 minutes of inactivity.
- Configure remote data wipe option on mobile devices to delete data remotely if required.
- Mobile device encryption is mandatory.
- In case of loss or theft of a mobile device that connects to or stores GROUP information, the loss must be reported to the employee's immediate manager or to personnel management.
5.8 Supplier Management
- All agreements related to the handling of GROUP information or IT resources by third parties must include a special clause involving confidentiality and reserved rights.
- The GROUP may audit the controls used for information management and specifically how information will be protected.
- Business partners, suppliers, clients and other associates of the GROUP's business must be aware of their responsibilities regarding IT security; these responsibilities must be reflected in their contracts with the GROUP and verified by management. The person responsible for managing these third parties must supervise them throughout their participation in the projects involved.
5.9 Google and AWS (Amazon Web Services) Infrastructure
- The GROUP, its employees, and suppliers accept and comply with the security policies of each of these technology service provider companies.
- Procedures will be established to ensure the security of the infrastructure the GROUP uses on these providers.
5.10 Remote Work
- Employees must review their home environment for security weaknesses before connecting work devices to it.
- Employees must have access to chat, video, and conferencing systems to communicate with other employees.
- Connect only to secure, controlled networks to which persons outside the employee's household or work environment have no access.
- When leaving the computer or mobile device unattended, lock it to prevent access by unauthorized persons.
- Documents related to the GROUP that are downloaded must be uploaded to the entity's cloud and subsequently deleted from the device.
Efforts will be made to mitigate, eliminate, or manage risks associated with GROUP information and information assets.
5.12 Compliance and Sanctions
Every employee must comply with this policy; in case of non-compliance, the GROUP will take corrective measures and sanctions relevant to each case.