Policies and Security

Service Policy

Intosys’ Service Management goals should be planned and implemented using all necessary processes to deliver results in accordance with customer needs. These processes should be monitored and measured informing the Directorate General on its findings, undertaking the necessary actions to continually improve performance and behavior of each of the processes.


The Board of ITOSYS, establishes its commitment regarding the protection of your information —and your customers’ information— as an essential part for the provision of services, recognizing the importance of ensuring the guarantee of the information’s integrity, confidentiality, availability and security, to avoid destruction, modification, disclosure or unauthorized use of such information. This policy is an integral part of our Service Management System and Information Security in accordance with ISO/IEC 27001:2013, and is part of our Service Management and Information Security reviewing and continued-improvement processes. As essential part of this Information Security Policy, the following policies and guidelines are being developed to represent the vision and commitment of ITOSYS regarding the protection and assets of such information, and the technological infrastructure that supports it.


All ITOSYS’ information must be protected according to its confidentiality, value and criticality, so as to avoid —as much as possible— that any individual or entity can access, obtain, modify and disseminate such information fraudulently and/or illegally, regardless of the medium or location in which it is stored, processed by technological systems, or managed by staff or users. Therefore, the following guidelines are mandatory under the described scope. The security and integrity of individuals must be guaranteed according to legal and regulatory guidelines, to ensure their physical integrity during the execution of their processes and handling of information and technological infrastructure, inside and outside the company. ITOSYS’ information assets must be identified, classified, and prioritized according to their respective criticality to establish the neccesary controls and mechanisms for its protection.. All information generated, managed, operated or safeguarded by ITOSYS is wholly owned and under responsibility of the company, and its usage will be limited to facilitate services’ provision; therefore, unauthorized usage and dissemination of such information, usage and disposal of informaton assets and technological infrastructure for personal purposes, or unrelated purposes to its operation and function regarding their contractual relationship with ITOSYS. Controls must be established in order to guarantee that the information of ITOSYS —or the information of its customers— is protected using processes that ensure the confidentiality, integrity and availability of such information, and the infrastructure and systems that support it. All personnel that works for ITOSYS, directly or indirectly, all providers or business and/or service associates, and every entity that maintains a business relationship with ITOSYS, must underwrite a Confidentiality And Non-Disclosure Agreement (NDA), which must be essential part or appendant of the corresponding contractual document. The abstraction or disclosure of such information may constitute an unlawful criminal act for those who take such actions. Hereby is prohibited without any exception the reproduction of ITOSYS’ information, by any medium or method, without previous printed or digital authorization by Operations Management. It is the obligation of personnel and/or third-parties to return the confidential information to which they had access, and the provided or accessed assets of information in the moment that the contractual relationship ends, also establishing that despite such termination, the obligation of confidentiality and secrecy will remain in force for the period that was agreed by the parties. Compliance with this guideline is responsibility of the Operation Management department with support of the Organizational Development and Information Security Administrator. Once the validity of sensitive or valuable information belonging to ITOSYS, such information must be destroyed safely, in compliance with the procedures authorized by Operations Management. The necessary means to guarantee the continuity of business with ITOSYS must be established. Information security awareness and training must be provided to all ITOSYS’ personnel.