SECURITY POLICIES
1. GENERAL
Computer security has grown enormously in importance, driven by changing conditions and newly available technological platforms. The possibility of interconnecting through networks has opened new horizons for companies to improve their productivity and explore beyond national borders, which has logically brought with it new threats to information systems. These risks have led to the development of a document of guidelines for the proper use of these technological capabilities, with recommendations to obtain the maximum benefit from these advantages and to avoid misuse that could cause serious harm to the goods, services and operations of the company GTCloud SAS. In this sense, the IT security policies, defined on the basis of an analysis of the risks to which GTCLOUD is exposed, emerge as an organizational tool to make the organization's collaborators aware of the importance and sensitivity of the information and critical services that allow the company to grow and remain competitive. Proposing our security policy therefore requires a strong commitment from the organization, technical acuity to identify flaws and weaknesses in its application, and perseverance to renew and update the policy in step with the dynamic environment that surrounds GTCLOUD.
2. SCOPE OF THE POLICIES
This security policy manual has been prepared on the basis of an analysis of the risks and vulnerabilities present in the GTCloud SAS premises; therefore, the scope of these policies is limited to the company.
3. OBJECTIVES
Developing a security system means "planning, organizing, directing and controlling activities to maintain and guarantee the physical integrity of computing resources, as well as safeguarding company assets." The objectives to be achieved after implementing our security system are the following:
• Establish a security scheme, with full clarity and transparency, under the responsibility of GTCLOUD in risk management.
• Commit all company personnel to the security process, speeding up the application of controls with dynamism and harmony.
• Improve the quality of the security service provided.
• Make all employees auditors of the security system.
4. ANALYSIS OF THE REASONS THAT PREVENT THE APPLICATION OF COMPUTER SECURITY POLICIES
Although a large number of organizations channel their efforts into defining security guidelines and setting them down in documents that guide their actions, very few succeed, since the first barrier they face is convincing senior executives of the need for, and benefits of, good computer security policies. Other obstacles are IT technicalities and the lack of a marketing strategy on the part of IT Managers or security specialists, which lead senior managers to thoughts such as "more money for toys for the IT Department." This situation has left many companies with very important assets exposed to serious security problems and unnecessary risks, which in many cases compromise sensitive information and therefore their corporate image. Faced with this situation, security managers must confirm that people understand the important security issues, know their scope, and agree with the decisions made on those issues. If the security policies are to be accepted, they must be integrated into the business strategies, mission and vision, so that decision makers recognize their importance and their impact on the company's projections and profits. Finally, it is important to point out that policies by themselves are no guarantee of the company's security: they must respond to business interests and needs based on the business vision, leading to a joint effort by all actors to manage its resources, and to recognition of the computer security mechanisms as factors that facilitate the formalization and materialization of the commitments acquired with the company.
5. RESPONSIBILITIES
It is the responsibility of the Computer Security supervisor to develop, review and disseminate the Security Procedures, using the available means of dissemination (intranet, email, official website, internal magazines). Likewise, it is the responsibility of each immediate supervisor to train their employees in the Security Procedures.
6. DEFINITION OF COMPUTER SECURITY POLICIES
This section of the document presents a security policy proposal, as a resource to mitigate the risks to which GTCloud is exposed.
6.1 GENERAL PROVISIONS
Article 1
The purpose of this regulation is to standardize and contribute to the IT development of the different areas of the company GTCloud SAS (GTCLOUD).
Article 2
For the purposes of this instrument, the following terms shall be understood as:
Committee: the team made up of Management, area heads and (occasionally) administrative staff, convened for specific purposes such as:
• Hardware and software acquisitions
• Establishment of GTCLOUD Company standards for both hardware and software
• Establishment of the group's technological architecture.
• Establishment of guidelines for bidding contests
IT Administration: made up of Management and the area heads, who are responsible for:
• Ensure the operation of the information technology used in the different areas.
• Prepare and monitor the Computer Master Plan
• Define strategies and objectives in the short, medium and long term
• Maintain the technological architecture
• Control the quality of the service provided
• Maintain the updated Inventory of computer resources
• Ensure compliance with the established Policies and Procedures.
Article 3
For the purposes of this document, IT Policies are understood to be the set of mandatory rules that must be observed by the Heads of Systems responsible for the hardware and software existing in GTCLOUD. It is the responsibility of the Information Technology Administration, within the scope of its competence, to monitor their strict observance, taking preventive and corrective measures so that they are fulfilled.
Article 4
The IT Policies are the set of regulations and guidelines framed within the legal and administrative sphere of GTCLOUD. These rules govern the acquisition and use of IT Goods and Services and must be observed invariably by all parties that intervene directly or indirectly in them.
Article 5
The governing body of the GTCLOUD IT systems is the Management, and the competent body for the application of this regulation is the Committee.
Article 6
The Policies contained herein must be observed in the acquisition and use of IT goods and services in GTCLOUD; non-compliance will generate administrative liability, subject to the provisions of the Systems Administrative Responsibilities section.
Article 7
GTCLOUD must have a head or person in charge, responsible for the administration of the Goods and Services, who will oversee the correct application of the regulations established by the Committee and other applicable provisions.
6.2 GUIDELINES FOR THE ACQUISITION OF COMPUTER ASSETS
Article 8
All computer technology acquisition will be made through the Committee, which is made up of the personnel of the Information Technology Administration.
Article 9
The acquisition of IT Assets in GTCLOUD will be subject to the guidelines established in this document.
Article 10
The Information Technology Administration, when planning operations related to the acquisition of computer assets, will establish priorities and in its selection must take into account: technical study, price, quality, experience, technological development, standards and capacity, understood as follows:
• Price: initial cost, plus the cost of maintenance and consumables for the estimated period of use of the equipment.
• Quality: qualitative parameter that specifies the technical characteristics of the computer resources.
• Experience: presence in the national and international market, service structure, reliability of the goods and the quality certificates available.
• Technological Development: its degree of obsolescence, its technological level with respect to the existing offer and its permanence in the market must be analyzed.
• Standards: all procurement is based on standards, that is, the business group architecture established by the Committee. This architecture has a minimum permanence of two to five years.
• Capacity: it must be analyzed whether it satisfies current demand with a margin of slack and growth capacity to support the workload of the area.
Article 11
For the acquisition of Hardware the following will be observed:
• The equipment to be purchased must be within the current sales lists of its manufacturers and/or distributors and within the standards of GTCLOUD.
• Complementary equipment must have a minimum guarantee of one year and must have the corresponding technical service in the country.
• They must be factory-integrated equipment or assembled with components previously evaluated by the Committee.
• The brand of the equipment or components must have a proven presence and permanence in the national and international market, as well as local technical and spare parts assistance. In the case of microcomputers, in order to keep the GTCLOUD IT architecture updated, the Committee will periodically issue the minimum technical specifications for their acquisition.
• The storage devices, as well as the input / output interfaces, must be in accordance with current state-of-the-art technology, both in data transfer speed and in processing.
• Printers must adhere to the Hardware and Software standards in force in the market and in GTCLOUD, confirming that the supplies (ribbons, paper, etc.) are easily available in the market and are not subject to a single supplier.
• Together with the equipment, the complementary equipment needed for its correct operation in accordance with the manufacturers' specifications must be acquired, and this acquisition must be reflected in the cost of the initial item.
• Equipment purchased should preferably include technical assistance during its installation.
• Servers, communications equipment, media concentrators (hubs) and other equipment justified as being of critical operation and/or high cost must have a preventive and corrective maintenance program that includes the supply of spare parts once their warranty period expires.
• Personal computers, once their purchase warranty expires, must have at least a corrective maintenance service program that includes the supply of spare parts.
Any project for the acquisition of computer assets must be subject to the analysis, approval and authorization of the Committee.
Article 12
In the acquisition of Computer Equipment, the current Software preloaded with its corresponding license must be included, considering the provisions of the following article.
Article 13
For the acquisition of basic software and utilities, the Committee will periodically announce the trends in current cutting-edge technology; the list of authorized products is the following:
Operating System Platforms
• MS-Windows
Databases
• Oracle
Languages and programming tools (the languages and programming tools used must be compatible with the listed platforms)
• PL/SQL
• JAVA
• ORACLE Forms
• ORACLE Reports
• ORACLE Designer
• ORACLE Workflow Builder
• PL/SQL Developer
• ORACLE JDeveloper
• Macromedia Dreamweaver
• Macromedia Fireworks
• Java Decompiler
Office Utilities
• Microsoft Office
Antivirus programs
• Windows Defender
Email manager
• Microsoft Outlook
Internet browsers
• Internet Explorer
• Mozilla
• Chrome
File compressors
• WinZip
• WinRAR
Only the latest released versions of the selected products will be purchased, except in specific situations that must be justified before the Committee. All software products acquired must have their respective use license, documentation and guarantee.
Article 14
All software products used from the date this ordinance enters into force must have their respective use license; therefore, the regularization or removal of already installed products that lack due licensing will be promoted.
Article 15
For the operation of network software, where business data is handled through information systems, the following must be taken into consideration:
• All institutional information must invariably be operated through the same type of database management system to benefit from the integrity, security and information recovery mechanisms in the event of any failure.
• Access to information systems must be governed by access privileges or security levels sufficient to guarantee the total security of institutional information. The access security levels must be controlled by a single administrator and must be manageable through software.
• Responsibilities should be defined as to who is authorized to consult and / or modify the information in each case, taking the relevant security measures.
• The information systems data must be backed up according to the frequency with which it is updated, rotating the backup devices and periodically saving historical backups. It is essential to keep an official log of the backups made; likewise, backup CDs must be kept in a restricted-access place with environmental conditions sufficient to guarantee their preservation. Regarding the information on personal computers, the Information Technology Unit recommends that users make their own backups on the network or on alternative storage media.
• All information systems in operation must have their respective updated manuals: a technical manual that describes the internal structure of the system, as well as the programs, catalogs and files that comprise it, and a user manual that describes the users of the system and the procedures for its use.
• Information systems must consider the historical record of transactions on relevant data, as well as the user's password and the date it was carried out (Basic Audit and Control Standards).
• Periodic auditing routines of data integrity and computer programs must be implemented to guarantee their reliability.
Article 16
For the provision of application software development or construction services, the following will be observed: any software development or construction contracting project requires a feasibility study to establish the profitability of the project, as well as the benefits that will be obtained from it.
6.3 INSTALLATIONS OF THE COMPUTER EQUIPMENT
Article 17
The installation of the computer equipment will be subject to the following guidelines:
• The equipment for internal use will be installed in suitable places, away from dust and human traffic.
• The Information Technology Administration, as well as the operational areas, must have an updated sketch of the electrical and communications facilities of the networked computer equipment.
• The electrical and communications installations will preferably be fixed or, failing that, protected from the passage of people or machines, and free from any electrical or magnetic interference.
• The facilities will strictly adhere to the requirements of the equipment, taking care of the specifications of the wiring and the necessary protection circuits.
• In no case will improvised or overloaded installations be allowed.
Article 18
The supervision and control of the facilities will be carried out within the deadlines and through the mechanisms established by the Committee.
6.4 GUIDELINES IN COMPUTING: INFORMATION
Article 19
Information stored on magnetic media must be inventoried, attaching its description and specifications, classifying it into three categories:
• Historical information for audits.
• Information of interest to the Company
• Information of exclusive interest to a particular area.
Article 20
The heads of area responsible for the information held in the departments under their charge will define the responsibilities of their subordinates and determine who is authorized to carry out urgent operations with said information, taking the relevant security measures.
Article 21
Three types of priority are established for information:
• Information vital to the operation of the area;
• Information necessary, but not essential in the area.
• Occasional or incidental information.
Article 22
In the case of information vital to the operation of the area, collaborative processes must be in place, together with daily backup of the modifications made, rotating backup devices and saving historical backups weekly.
Article 23
Necessary but not essential information must be backed up at least once a week, rotating the backup devices and saving historical backups monthly.
Article 24
Backing up occasional or incidental information is at the discretion of the area.
Article 25
Historical information stored on magnetic media will be documented as assets of the area and duly protected in its storage place. The person in charge of the area is obliged to hand over the information properly to whoever succeeds them in the position.
Article 26
Information systems in operation, as well as those under development, must have their respective manuals: a user manual that describes the operating procedures, and a technical manual that describes the internal structure, programs, catalogs and files.
Article 27
No collaborator in software projects and/or specific works shall possess, for uses not proper to their responsibility, any material or confidential information of GTCLOUD, now or in the future.
6.5. OPERATION OF COMPUTER EQUIPMENT
Article 28
It is the obligation of the Information Technology Administration to ensure that the computer equipment is used under the conditions specified by the provider and in accordance with the functions of the area to which it is assigned.
Article 29
When using the computer equipment, the company's collaborators will refrain from consuming food, smoking or performing acts that impair its operation or deteriorate the information stored on magnetic, optical, or removable storage media of the latest generation.
Article 30
For the security of computer resources, safeguards must be established:
• Physical
• Operating system
• Software
• Communications
• Database
• Process
• Applications
Therefore, the following guidelines are established:
• Maintain passwords that allow use only by authorized personnel.
• Verify the information that comes from external sources in order to corroborate that it is free of any contaminating or harmful agent for the operation of the equipment.
• Maintain insurance policies for computer resources in Operation.
Article 31
In no case will the use of devices unrelated to the area's IT processes be authorized. Consequently, the entry and/or installation of personal hardware and software, that is, hardware and software not owned by GTCLOUD, is prohibited, except in emergency cases authorized by Management.
6.6 COMPUTER CONTINGENCY PLAN
Article 32
The Information Technology Administration will create a computer contingency plan for the departments that includes at least the following points:
• Continue the operation of the area with alternate computerized procedures.
• Keep the backups of information in a safe place, outside the place where the equipment is located.
• Have the support by magnetic means or in documentary form, of the operations necessary to reconstruct the damaged files.
• Have operating instructions for the detection of possible failures, so that any corrective action is carried out with the minimum possible degradation of the data.
• Have a directory of internal staff and external support staff, which can be called upon when any anomaly is detected.
• Run tests of the plan's functionality.
• Maintain reviews of the plan in order to carry out the respective updates.
6.7 IT STRATEGIES
Article 33
GTCLOUD's IT strategy is consolidated in the IT Master Plan and is oriented towards the following points:
• Open Systems Platform (Portables).
• Operation diagrams under the multilayer concept.
• Standardization of hardware, base software, utilities and data structures
• Exchange of experiences between Departments.
• Management of joint projects with the different areas.
• Permanent training program for company employees.
Article 34
For the preparation of computer projects and for their budgeting, both the hardware and software needs of the requesting area, as well as the availability of resources that GTCLOUD has, will be taken into account.
6.8 PHYSICAL ACCESS
Article 35
Only authorized personnel are allowed access to the facilities where GTCLOUD's confidential information is stored.
Article 36
External personnel may enter the premises where confidential information is stored only under the supervision of authorized personnel, and only for a justified period of time.
6.9 USER IDENTIFIERS AND PASSWORDS
Article 37
All users with access to an information system or a computer network will have a single access authorization consisting of a user identifier and password.
Article 38
No user will receive an identifier for access to the Communications Network, Computer Resources or Applications until they formally accept the current Security Policy.
Article 39
Users will have authorized access only to those data and resources that they require for the development of their functions, in accordance with the criteria established by the person responsible for the information.
Article 40
The minimum length of passwords will be equal to or greater than eight characters, and will be made up of a combination of alphabetic, numeric and special characters.
Article 41
The identifiers for temporary users will be configured for a short period of time. Once this period has expired, they will be deactivated from the systems.
6.10 PERSONAL RESPONSIBILITIES
Article 42
Users are responsible for all activity related to the use of their authorized access.
Article 43
Users should not reveal under any circumstances their identifier and / or password to another person or keep it in writing in view, or within the reach of third parties.
Article 44
Users must not use any authorized access from another user, even if they have the owner's authorization.
Article 45
If a user suspects that his authorized access (user identifier and password) is being used by another person, he must proceed to change his password and inform his immediate boss, who will report to the person responsible for the administration of the network.
Article 46
The User must use a password composed of a minimum of eight characters made up of a combination of alphabetic, numeric and special characters.
Article 47
The password must not refer to any recognizable concept, object or idea; therefore, users should avoid using significant dates, days of the week, months of the year, people's names and telephone numbers in passwords.
Article 48
In case the system does not request it automatically, the user must change the provisional password assigned the first time they make a valid access to the system.
Article 49
In the event that the system does not request it automatically, the user must change their password at least once every 30 days. Otherwise, access may be denied and the immediate manager must be contacted to request a new password from the network administrator.
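One way to turn the password rules of Articles 40, 46, 47 and 49 into an automated check, as an added example that is not part of the GTCLOUD policy or its tooling. The month/weekday deny-list and the date and telephone-number patterns are this example's own reading of Article 47; people's names are not covered here.

```python
"""Automated check for the password rules in Articles 40, 46, 47 and 49.

Added example for this policy document; it is not GTCLOUD's own tooling.
The month/weekday deny-list and the date and telephone patterns are this
example's reading of Article 47 ("recognizable concept"); people's names
are not covered here and would need a separate list.
"""
import re
from datetime import date, timedelta

MIN_LENGTH = 8      # Articles 40 and 46: at least eight characters
MAX_AGE_DAYS = 30   # Article 49: change at least once every 30 days

# Article 47 names days of the week and months of the year explicitly;
# the last two entries are constructed extras for this example.
RECOGNIZABLE_TERMS = (
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "monday", "tuesday", "wednesday", "thursday", "friday",
    "saturday", "sunday",
    "gtcloud", "password",
)

# Article 47 also names significant dates and telephone numbers. Assumed
# shapes: a date as DDMMYYYY or YYYYMMDD with optional -/. separators,
# and a telephone number as a run of seven or more digits.
DATE_RE = re.compile(
    r"\d{2}[-/.]?\d{2}[-/.]?\d{4}|\d{4}[-/.]?\d{2}[-/.]?\d{2}"
)
PHONE_RE = re.compile(r"\d{7,}")


def check_composition(password: str) -> list[str]:
    """Return the Article 40/46/47 rules the password violates.

    An empty list means the password is acceptable under those articles.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters (Art. 40/46)")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character (Art. 40/46)")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character (Art. 40/46)")
    # Anything that is neither a letter nor a digit counts as "special".
    if not any(not c.isalnum() for c in password):
        problems.append("no special character (Art. 40/46)")

    lowered = password.lower()
    for term in RECOGNIZABLE_TERMS:
        if term in lowered:
            problems.append(f"contains recognizable word '{term}' (Art. 47)")
    if DATE_RE.search(password):
        problems.append("contains a date (Art. 47)")
    if PHONE_RE.search(password):
        problems.append("contains a telephone-number-like digit run (Art. 47)")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Article 49: a password not changed within the last 30 days has expired."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate(password: str, last_changed: date, today: date) -> dict:
    """Combine the composition and age checks into one report."""
    return {
        "problems": check_composition(password),
        "expired": password_expired(last_changed, today),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = ["Tr0ub4dor&3", "password1!", "Friday25!", "15/08/2024x!", "Abc!"]
    for pw in samples:
        print(pw, "->", check_composition(pw) or "OK")
    print("expired after 31 days:",
          password_expired(date(2024, 1, 1), date(2024, 2, 1)))
```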
Article 50
Users must protect, as far as possible, the personal data to which they have access against unauthorized or accidental disclosure, modification, destruction or misuse, whatever the medium on which the data is held.
Article 51
Users must maintain the strictest confidentiality indefinitely; personal data held on any type of medium must not be taken outside the company.
Article 52
Users must keep the smallest possible number of lists containing personal data, and keep them in a safe place out of the reach of third parties.
Article 53
When users come into possession of personal data, such possession is understood to be strictly temporary, and they must return the media containing the data immediately after completing the tasks for which the data was temporarily used.
Article 54
Users may only create files containing personal data for temporary use and always necessary for the performance of their work. These temporary files will never be located on local drives on the job computer and must be destroyed when they are no longer useful for the purpose for which they were created.
Article 55
Users must notify their immediate manager of any incident that they detect that affects or may affect the security of personal data: loss of lists and / or diskettes, suspicions of improper use of authorized access by other people, data recovery.
Article 56
Users will only enter identification data and the addresses or telephone numbers of people in the contact directories of the office tools (for example, in Outlook).
6.11 OUTPUT OF INFORMATION
Article 57
All information output (on computer media or by email) may only be carried out by authorized personnel and the formal authorization of the person in charge of the area from which it comes will be necessary.
Article 58
In addition, when specially protected data is output (such as personal data for which the Regulation requires high-level security measures), it must be encrypted or protected by any other mechanism that guarantees that the information cannot be read or tampered with during transport.
6.12 PROPER USE OF RESOURCES
Article 57
The Computer Resources, Data, Software, Corporate Network and Electronic Communication Systems are available exclusively to fulfill the obligations and purpose of the operation for which they were designed and implemented. All personnel who use these resources must know that they have no right to confidentiality in their use. The following is prohibited:
Article 58
Using these resources for activities not related to the purpose of the business, or using them excessively.
Article 59
Activities, equipment or applications that are not directly specified as part of the Software or the GTCLOUD Computing Resources Standards.
Article 60
Introducing obscene, threatening, immoral or offensive content into the Information Systems or the Corporate Network.
Article 61
Voluntarily introducing programs, viruses, macros, applets, ActiveX controls or any other logical device or sequence of characters that cause or are likely to cause any type of alteration or damage to the Computer Resources. Personnel hired by GTCLOUD are obliged to use antivirus programs and keep them updated, to prevent the entry into the Systems of any element intended to destroy or corrupt computer data.
Article 62
Attempting to destroy, alter, disable or in any other way damage data, programs or electronic documents.
Article 63
Storing personal data on the local disk drives of work computers.
Article 64
Any file introduced onto the corporate network or the user's workstation through automated media, the Internet, email or any other means must meet the requirements established in these standards and, especially, those relating to intellectual property and virus control.
6.13 SOFTWARE
Article 65
All personnel who access the GTCLOUD Information Systems must use only the software versions provided, following their rules of use.
Article 66
All personnel are prohibited from installing illegal copies of any program, including standardized ones.
Article 67
Personnel are also prohibited from deleting any of the legally installed programs.
6.14 NETWORK RESOURCES
No person may:
Article 68
Connect to any of the Resources any type of communications equipment (e.g. a modem) that enables connection to the Corporate Network.
Article 69
Connect to the Corporate Network through other means than those defined.
Article 70
Attempt to obtain rights or access other than those assigned to them.
Article 71
Attempt to access restricted areas of the Information Systems or the Corporate Network.
Article 72
Attempt to distort or falsify the log records of the Information Systems.
Article 73
Attempt to decipher the encryption keys, systems or algorithms, or any other security element involved in the telematic processes.
Article 74
Possess, develop or execute programs that could interfere with the work of other Users, or damage or alter the Computer Resources.
6.15 INTERNET CONNECTIVITY
Article 75
Internet access authorization is granted exclusively for work activities. All GTCLOUD collaborators have the same responsibilities regarding the use of the Internet.
Article 76
Access to the Internet is permitted exclusively through the Network established for this purpose, that is, through the security system with the firewall incorporated in it. Accessing the Internet by dialing an access service provider directly and using a browser, or using other Internet tools over a modem connection, is not permitted.
Article 77
Internet is a work tool. All activities on the Internet must be related to tasks and activities of the work performed.
Article 78
Data may be transferred from or to the Internet only in connection with the activities of the work performed.
Article 79
Important, confidential or relevant data may only be transmitted in encrypted form.
6.16 UPDATES TO THE SECURITY POLICY
Article 80
Due to the evolution of technology and security threats, and to new legal contributions on the matter, GTCLOUD reserves the right to modify this Policy when necessary. Changes made to this Policy will be disclosed to all GTCLOUD collaborators.
Article 81
It is the responsibility of each of the GTCLOUD collaborators to read and know the most recent Security Policy.
6.17 TRANSITIONAL PROVISIONS
First article
The provisions set out here will take effect on the day after their publication.
Second article
The rules and policies that are the object of this document may be modified or adapted according to the needs that arise, by agreement of the GTCLOUD Company's IT Technical Committee (CTI); once said modifications or adjustments are approved, their validity will be established.
Third article
The provisions described here will be detailed in the specific policies and procedures manuals.
Fourth article
Ignorance of the rules described here on the part of collaborators does not exempt them from the sanctions and/or penalties for non-compliance with them.
7. BENEFITS OF IMPLEMENTING COMPUTER SECURITY POLICIES
The benefits of a security system with well-developed, clearly conceived policies are immediate, as GTCLOUD will work on a reliable platform, which is reflected in the following points:
• Productivity increase.
• Increased staff motivation.
• Commitment to the mission of the company.
• Improvement of labor relations.
• Helps build competent teams.
• Improvement of work climates for Human Resources.