All of ITOSYS’ information must be protected according to its confidentiality, value and criticality, so as to prevent, as far as possible, any individual or entity from fraudulently and/or illegally accessing, obtaining, modifying and disseminating such information, regardless of the medium or location in which it is stored, processed by technological systems, or managed by staff or users.
Therefore, the following guidelines are mandatory under the described scope.
The security and integrity of individuals must be guaranteed according to legal and regulatory guidelines, to ensure their physical integrity during the execution of their processes and handling of information and technological infrastructure, inside and outside the company.
ITOSYS’ information assets must be identified, classified, and prioritized according to their respective criticality to establish the necessary controls and mechanisms for their protection.
All information generated, managed, operated or safeguarded by ITOSYS is wholly owned by and under the responsibility of the company, and its usage will be limited to facilitating the provision of services; therefore, unauthorized usage and dissemination of such information, and the usage and disposal of information assets and technological infrastructure for personal purposes, or for purposes unrelated to their operation and function regarding the contractual relationship with ITOSYS, is prohibited.
Controls must be established in order to guarantee that the information of ITOSYS —or the information of its customers— is protected using processes that ensure the confidentiality, integrity and availability of such information, and the infrastructure and systems that support it.
All personnel who work for ITOSYS, directly or indirectly, all providers or business and/or service associates, and every entity that maintains a business relationship with ITOSYS, must sign a Confidentiality and Non-Disclosure Agreement (NDA), which must be an essential part of, or an appendix to, the corresponding contractual document. The abstraction or disclosure of such information may constitute an unlawful criminal act for those who take such actions.
The reproduction of ITOSYS’ information, by any medium or method, without prior printed or digital authorization from Operations Management is hereby prohibited without exception.
Personnel and/or third parties are obliged to return the confidential information to which they had access, and the information assets provided to or accessed by them, at the moment the contractual relationship ends; despite such termination, the obligation of confidentiality and secrecy will remain in force for the period agreed by the parties. Compliance with this guideline is the responsibility of the Operations Management department, with the support of the Organizational Development and Information Security Administrator.
Once the validity of sensitive or valuable information belonging to ITOSYS has expired, such information must be destroyed safely, in compliance with the procedures authorized by Operations Management.
The necessary means to guarantee the continuity of business with ITOSYS must be established.
Information security awareness and training must be provided to all ITOSYS’ personnel.