Document No: PL-SSI-01
Version: 12
Date: 31/03/2023
Written by: Information Security
| | Revised | Approved |
|---|---|---|
| Name | | |
| Position | Risks and Information Security Manager | President & CEO |
| Date | 31/03/2023 | 31/03/2023 |
| Date | Version | Author | Description |
|---|---|---|---|
| 11/03/2021 | 09 | Risk & Information Security Administrator | |
| 02/09/2021 | 10 | Risk & Information Security Administrator | |
| 30/03/2022 | 11 | Risk & Information Security Administrator | |
| 31/03/2023 | 12 | Risk & Information Security Administrator | |
The Information Security Policy of Sophos Solutions is the result of senior management's commitment to provide a guideline for the safe and adequate management of the company's strategy for the Information Security Management System. Through the establishment of mechanisms and strategies, the system seeks to protect the information assets of the company and its customers, ensuring that appropriate controls are implemented to treat the threats, risks and vulnerabilities that affect them and minimizing, as far as possible, their materialization and impact.
This Information Security Management System is integrated with the management of Risk, Cybersecurity, Infrastructure and Business Continuity in order to comply with the regulatory frameworks established in Colombia and within the organization, as well as with the policies, procedures and controls established for this purpose.
By implementing the ISO/IEC 27001:2013 standard, Sophos Solutions S.A.S. adopts, establishes, operates, verifies and improves the Information Security Management System for its Software Development Factory processes, including Project Planning and Management, Requirements Identification, Analysis and Design, Construction, Testing, Implementation, Support and Consulting.
Sophos Solutions S.A.S. is a Colombian multinational with offices in Bogotá D.C. and Medellín that provides consulting services, core banking implementation and software factory services to all types of organizations, especially companies in the financial and stock market sector.
Sophos Solutions S.A.S., understanding the importance of protecting the confidentiality, integrity and availability of each of the information assets and IT services it offers to the financial and stock market industry, as well as to the Fintech industry as a digital innovation leader, is committed to establishing, implementing, adopting, operating and improving the Information Security Management System as a cross-cutting tool to identify, analyze, contain and remedy the identified security risks, sustaining the continuous improvement of the system in line with the company's regulatory and strategic requirements.
Therefore, the Information Security Policy applies to internal stakeholders of Sophos Solutions S.A.S. in accordance with the scope determined for the Management System.
Other policies that result from the implementation of the ISMS and its continuous improvement process will be adopted and enforced by all identified stakeholders.
At Sophos Solutions, those responsible for the implementation, management, dissemination and training of the activities related to the Information Security Management System – ISMS are the Senior Management, the Information Security Committee, the Information Security Area and the processes involved in the scope of the system. Roles and responsibilities are therefore determined in accordance with these responsibilities:
The Risk & Information Security Manager is designated as the person responsible for the company's Information Security Management System and will be responsible for:
The Risk & Information Security Manager is also designated as Special Authority over the Information Security Management System by the Chief Technology Innovation Officer – CTIO, according to the communication issued on March 16, 2023 and shared with the Information Security Committee on March 31, 2023:
It is the Risk & Information Security Manager's obligation to evidence, through logs and time traces, each decision, change or adjustment made and executed before exercising the granted authority, and to communicate it directly and immediately to the CTIO. This evidence must be validated and verified by the Internal Audit Office and the other control bodies that exist in Sophos Solutions.
The powers granted here must be reviewed annually in the Management Review session (Sophos Pitch), or sooner if the CTIO – Chief Technology Innovation Officer or the Security Committee deems it necessary.
The Senior Management is the highest governing body of the company; it is therefore responsible for ensuring the implementation and continuous improvement of the Information Security Management System – ISMS through the fulfillment of the following activities:
The Information Security Committee consists of:
The Information Security Committee shall be responsible for:
Explanatory notes:
In keeping with the continuous improvement of the Information Security Management System, the Information Security Policy shall be reviewed every 6 months from the last change made, or earlier when modifications or new guidelines warrant it.
Updates to the Security Policy shall be communicated to and validated by the Information Security Committee.
Updates to the Security Policy should be approved by the Senior Management.
“Sophos Solutions S.A.S. reserves the right to modify this document according to changes that arise within the company.”