Information security policy
The purpose of this document is to set out an appropriate information security policies framework for AIA group to ensure the Information Security principles become part of its organizational culture. This Information Security Management System, based on the ISO /IEC 27001 standards, outlines the guidelines that must be followed to protect information from a wide range of threats to:
Guarantee the operations security through Information Systems.
Minimize damages risks.
Ensure compliance with the objectives of the Organization.
And to guarantee AIA´s customers and users access of information with the security and level of service required, avoid serious information loss or alteration as well as unauthorized access.
This Policy will be developed in compliance with regulations, procedures, operating instructions, guidelines, manuals, and all organizational instruments regarded as useful to achieve the objectives and will be maintained, updated, and fitted for the purposes of the organization.
This document will be subject to review, approval, distribution, derogation, and destruction as established by the person in charge of the Management System.
This policy affects all the staff of AIA group, and those involved in information management, including collaborators, suppliers, who must be aware of and comply with it.
3. OBJECTIVES OF THE INFORMATION SECURITY POLICY
An information security policy framework is set to achieve the information security objectives of AIA based on standard security dimensions:
Confidentiality: property by which access to information is only permitted for the information managed by AIA group, which is authorized to do so, subject to prior identification check at the time of accessing and by the means enabled.
Integrity: property that guarantees the validity, accuracy and completeness of the information managed by AIA group. Its content is provided by those involved and no manipulation is allowed. Only authorized people can do it.
Availability: Property must be accessible and usable at agreed intervals. The information managed by AIA group must be accessible and usable by authorized and identified clients and users. Its own persistence is guaranteed against any foreseen contingencies.
Additionally, since any Information Security Management System must comply with current legislation, the following principle shall be observed:
- Legality: refers to compliance with the laws, rules, regulations, or provisions to which AIA group is subject, especially in terms of personal data protection.
AIA Group pursues the monitoring and management of the following Information Security objectives:
Safeguard the Organization’s assets within the scope of information security and business continuity, through the implementation of controls and safeguards. This will allow to reduce the impact or probability of threats, while reducing their effect on the company’s activity.
Mitigate the adverse effects of security incidents.
Establish information classification mechanisms that would enable to adequately protect each asset based on its criticality.
Define the roles and responsibilities of security and continuity requirements to guarantee the correct management of the ISMS system.
Prepare a documentary body attached to this Policy that guarantees the correct governance of the ISMS system.
Clearly define the actions associated with breaches of the Security Policy.
Evaluate the assets risks within the scope of security/business continuity, which should enable the correct definition and application of controls and safeguards to protect them, as well as the need to ensure the continuity of the activity of the company in contingency circumstances.
Verify the proper functioning of safeguards, controls, and contingency plans by conducting independent internal audits.
Conduct training programs to educate and raise awareness among employees regarding Information Security and Business Continuity.
Evaluate and enforce current legislation on Information Security management system of AIA group.
Defend assets against internal or external attacks so that security events do not become security incidents or outage events.
Supervise the operation of information security controls and safeguards, as well as contingency plans defined in response to identified risk scenarios.
Continuous improvement of ISMS system implemented for Information Security and Business Continuity management.
To achieve all the objectives described above, Management is committed to allocate the necessary resources and active supervision of the ISMS system.
4. SAFETY REQUIREMENTS COMMITMENTS
4.1 RISK MANAGEMENT
Information Security Management in AIA is risk-based in compliance with the International Standard ISO/IEC 27001
It is based on a general process of assessment and risk treatment, which can potentially affect the information security of the services provided, consisting of:
Identify the threats that will take advantage of vulnerabilities in the Information Systems that support, or on which the information security depends.
Analyze risk, based on the consequence of materializing the threat and the probability of occurrence.
Assess risk, based on a previously established and approved level of broadly acceptable, tolerable, and unacceptable risk.
Managing unacceptable risk, through appropriate controls or safeguards.
This process is cyclical, periodically reviewed, at least once a year. Specific employees will be responsible for each identified risk, and multiple responsibilities may fall on the same person or committee.
4.2 ROLES AND RESPONSIBILITIES
Information security is set according to roles and committees involved in its scope:
The GIS Security Manager.
Responsible for specific areas of the company.
In terms of Personal Data, the responsibility will be centralized in the Security Manager, although he may assign the role of “Data Protection Officer” (GDPR nomenclature) to another person, who may be an external professional hired.
The company’s Security Committee is also established, led by the CEO and made up of the Security Manager and all the heads of the different areas into which the company is divided.
4.3 TRAINING AND AWARENESS
AIA group establishes training and awareness plans for the staff in relation to Information Security, which will be reviewed annually and include the AIA´s proposal, as well as the employees´ demands.
The Security Manager verifies that there is a plan for internal and external audits, which are carried out periodically at least once a year.
5. CONTINUOUS IMPROVEMENT OF THE INFORMATION SECURITY MANAGEMENT SYSTEM
Management of AIA group guarantees and verifies compliance with the guidelines of this Policy and that these are correctly operated and implemented, taking responsibility for corrective measures that may be determined for continuous improvement.
6. POLICY DISCLOSURE
The System Security Manager guarantees that personnel involved in AIA are aware of this policy, its objectives, and processes by its dissemination, training, and awareness actions.
Likewise, it also guarantees the distribution of the documents that apply to each level, according to the separate roles defined in the company and the external interested parties, clients, and suppliers.
Failure to comply with the Information Security Policy and other regulations and procedures, will result in the application of sanctions, according to the magnitude and characteristics of the non-compliance aspect and in accordance with current legislation.
8. VALIDITY AND PERFORMANCE
This policy will be effective from the moment of its publication and will be reviewed at least once a year.
The objective of periodic reviews is to adapt it to organizational changes, with attention to external and internal issues, analyzing the information security incidents that have occurred and the non-conformities found in the Information Security System. All this, harmonized with the results of the different risk assessment processes.
When reviewing the Policy, all the Standards and other documents that develop it will also be reviewed, following a periodic update process subject to relevant changes that may occur: company growth and organizational changes, changes in infrastructure, development of new services, among others.