SECURITY POLICIES

1. GENERAL INFORMATION

Information security has become increasingly important due to changing conditions and the availability of new technological platforms. The ability to interconnect through networks has opened new horizons for companies to improve their productivity and explore opportunities beyond national borders. This has, of course, brought with it new threats to information systems. These risks have led to the development of a guidelines document that provides guidance on the proper use of these technological capabilities, with recommendations for maximizing their benefits and preventing their misuse, which can cause serious problems for the assets, services, and operations of GTCloud SAS.

In this sense, the information security policies, defined on the basis of an analysis of the risks to which GTCloud is exposed, serve as an organizational tool to raise awareness among employees about the importance and sensitivity of the information and critical services that allow the company to grow and remain competitive. Given this situation, proposing our security policy requires a high level of commitment to the organization, the technical acumen to identify flaws and weaknesses in its application, and the consistency to renew and update the policy in step with the dynamic environment surrounding GTCLOUD.

2. SCOPE OF POLICIES

This security policy manual is developed in accordance with the risk and vulnerability analysis of GTCloud SAS's facilities. Therefore, the scope of these policies is subject to the company's requirements.

3. OBJECTIVES

Developing a security system means "planning, organizing, directing, and controlling the activities to maintain and guarantee the physical integrity of IT resources, as well as safeguarding the company's assets." The objectives to be achieved after implementing our security system are the following:

• Establish a security framework with complete clarity and transparency, under GTCloud's responsibility for risk management.
• Obtain the commitment of all company personnel to the security process, streamlining the application of controls in a dynamic and coordinated way.
• Improve the quality of security services.
• Make all employees stakeholders in the security system.

4. ANALYSIS OF THE REASONS PREVENTING THE IMPLEMENTATION OF COMPUTER SECURITY MEASURES

Although a large number of organizations channel their efforts into defining security guidelines and formalizing them in documents that guide their actions, very few achieve success. The first barrier they face is convincing senior executives of the need for and benefits of sound computer security policies. Other obstacles include technical jargon and the lack of a marketing strategy on the part of IT managers or security specialists, which leads senior management to think things like "more money for IT department gadgets." This situation has resulted in many companies with significant assets being exposed to serious security problems and unnecessary risks, which in many cases compromise sensitive information and, consequently, their corporate image.

Given this situation, those responsible for security must ensure that individuals understand the important security matters, are aware of their scope, and agree with the decisions made regarding them. For security policies to be accepted, they must be integrated into the business strategy, mission, and vision, so that decision-makers recognize their importance and their impact on the company's projections and profits. Finally, it is important to note that policies alone do not guarantee company security; they must respond to business interests and needs based on the business vision, leading to a collaborative effort among stakeholders to manage resources and to recognize that information security mechanisms facilitate the formalization and fulfillment of commitments made to the company.

5. RESPONSIBILITIES

It is the responsibility of the Information Security Supervisor to develop, review, and disseminate the Security Procedures, using the available communication channels (intranet, email, official website, internal magazines) among others. Likewise, it is the responsibility of each immediate supervisor to train their employees in matters related to the Security Procedures.

6. DEFINITION OF COMPUTER SECURITY POLICIES

In this section of the document, a proposal for security policies is presented as a resource to mitigate the risks to which GTCloud is exposed.

6.1 GENERAL PROVISIONS

Article 1
This regulation aims to standardize and contribute to the IT development of the different areas of the company GTCloud SAS (GTCLOUD).

Article 2
For the purposes of this instrument, the following terms shall be understood as follows:

Committee: the team made up of Management, area heads, and (occasionally) administrative personnel, convened for specific purposes such as:
• Acquisition of hardware and software
• Establishment of GTCLOUD company standards for both hardware and software
• Establishment of the technological architecture of the group
• Establishment of guidelines for bidding contests

IT Administration: made up of Management and area heads, who are responsible for:
• Ensuring the operation of the IT technology used in the different areas
• Preparing and following up on the Master IT Plan
• Defining short-, medium-, and long-term strategies and objectives
• Maintaining the technological architecture
• Controlling the quality of the service provided
• Keeping the inventory of IT resources updated
• Ensuring compliance with the established policies and procedures

Article 3
For the purposes of this document, IT Policies are understood as the set of mandatory rules that must be observed by the Systems Heads responsible for the existing hardware and software in GTCLOUD. The IT Administration is responsible for monitoring their strict observance within its competence, taking preventive and corrective measures to ensure compliance.

Article 4
IT Policies are the set of regulations and guidelines framed within the legal and administrative scope of GTCLOUD. These standards govern the acquisition and use of IT goods and services and must invariably be complied with by those bodies that intervene directly and/or indirectly in them.

Article 5
The governing body of GTCLOUD's IT systems is Management, and the competent body for the application of this regulation is the Committee.

Article 6
The Policies contained herein are to be observed in the acquisition and use of IT goods and services in GTCLOUD; non-compliance will result in administrative liability, subject to the provisions of the Administrative Responsibilities of Systems section.

Article 7
GTCLOUD must have a head or responsible person in charge of the administration of goods and services, who will monitor the correct application of the regulations established by the Committee and other applicable provisions.

6.2 GUIDELINES FOR THE ACQUISITION OF IT GOODS

Article 8
All acquisition of IT technology will be carried out through the Committee, which is composed of personnel from the IT Administration.

Article 9
The acquisition of IT goods in GTCLOUD will be subject to the guidelines established in this document.

Article 10
The IT Administration, when planning operations related to the acquisition of IT goods, will establish priorities and in its selection must take into account the technical study, price, quality, experience, technological development, standards, and capacity, understood as follows:

• Price: initial cost, maintenance cost, and consumables for the estimated period of use of the equipment.
• Quality: qualitative parameter that specifies the technical characteristics of IT resources.
• Experience: presence in the national and international market, service structure, reliability of the goods, and quality certificates available.
• Technological development: the degree of obsolescence must be analyzed, as well as the technological level with respect to the existing offer and permanence in the market.
• Standards: all acquisitions are based on standards, i.e., the corporate architecture established by the Committee. This architecture has a minimum permanence of two to five years.
• Capacity: it must be analyzed whether the good satisfies current demand with a margin of slack and growth capacity to support the workload of the area.

Article 11
For the acquisition of hardware, the following shall be observed:
• The equipment to be acquired must be within the current sales lists of manufacturers and/or distributors and within GTCLOUD standards.
• Complementary equipment must have a minimum warranty of one year and the corresponding technical service in the country.
• Equipment must be factory-integrated or assembled with components previously evaluated by the Committee.
• The brand of the equipment or components must have demonstrated presence and permanence in the national and international market, as well as local technical and spare parts assistance. Regarding microcomputers, in order to keep GTCLOUD's IT architecture updated, the Committee will periodically issue the minimum technical specifications for their acquisition.
• Storage devices, as well as input/output interfaces, must be in line with current cutting-edge technology, both in data transfer speed and in processing.
• Printers must adhere to the current hardware and software standards in the market and in GTCLOUD, verifying that supplies (ribbons, paper, etc.) are easily obtainable in the market and not subject to a single supplier.
• Together with the equipment, the complementary equipment needed for its correct operation must be acquired according to the manufacturers' specifications, and this acquisition must be reflected in the initial item cost.
• The acquired equipment should preferably come with technical assistance during its installation.
• Servers, communications equipment, media concentrators (hubs), and other equipment justified as critical to operations and/or of high cost must have a preventive and corrective maintenance program that includes the supply of spare parts after their warranty period expires.
• Personal computers, once their acquisition warranty expires, must at least have a corrective maintenance service program that includes the supply of spare parts.

Every IT goods acquisition project must be subject to the analysis, approval, and authorization of the Committee.

Article 12
In the acquisition of computing equipment, the current software must be included preloaded with its corresponding license, considering the provisions of the following article.

Article 13
For the acquisition of base and utility software, the Committee will periodically announce the trends in current cutting-edge technology, with the list of authorized products being the following:

Operating System Platforms
• MS-Windows

Databases
• Oracle

Programming Languages and Tools (the programming languages and tools used must be compatible with the listed platforms)
• PL/SQL
• JAVA
• ORACLE Forms
• ORACLE Reports
• ORACLE Designer
• ORACLE Workflow Builder
• PL/SQL Developer
• ORACLE JDeveloper
• Macromedia Dreamweaver
• Macromedia Fireworks
• Java Decompiler

Office Utilities
• Microsoft Office

Antivirus Programs
• Windows Defender

Email Manager
• Microsoft Outlook

Internet Browsers
• Internet Explorer
• Mozilla
• Chrome

File Compressors
• Winzip
• Winrar

In exceptional cases, only the latest released versions of the selected products will be acquired, except for specific situations that must be justified before the Committee. All software products acquired must have their respective use license, documentation, and warranty.

Article 14
All software products used from the date this regulation enters into force must have their respective use license; therefore, the regularization or removal of already installed products that lack proper licensing will be promoted.

Article 15
For the operation of network software when handling corporate data through information systems, the following must be taken into consideration:
• All institutional information must invariably be operated through the same type of database management system, in order to benefit from its integrity, security, and information recovery mechanisms in case of any failure.
• Access to information systems must have sufficient privileges or security levels to guarantee the total security of institutional information. Access security levels must be controlled by a single administrator and may be managed by software.
• Responsibilities must be delimited regarding who is authorized to consult and/or modify information in each case, taking the pertinent security measures.
• Data from information systems must be backed up according to the frequency of their updates, rotating backup devices and periodically storing historical backups. It is essential to keep an official log of the backups performed; likewise, backup CDs must be stored in a restricted-access place with sufficient environmental conditions to guarantee their preservation. Regarding information on personal computing equipment, the IT Unit recommends that users perform their own backups on the network or on alternate storage media.
• All information systems in operation must have their respective updated manuals: a technical manual describing the internal structure of the system, as well as the programs, catalogs, and files that compose it, and a user manual describing the system users and the procedures for its use.
• Information systems must keep a historical record of transactions on relevant data, including the user key and the date on which each was performed (Basic Audit and Control Standards).
• Periodic routines for auditing the integrity of data and computer programs must be implemented to guarantee their reliability.

Article 16
For the provision of the software development or construction service, the following shall be observed: every contracting project for the development or construction of software requires a feasibility study that establishes the profitability of the project, as well as the benefits to be obtained from it.

6.3 INSTALLATION OF COMPUTING EQUIPMENT

Article 17
The installation of computing equipment will be subject to the following guidelines:

• Equipment for internal use will be installed in appropriate places, away from dust and foot traffic.
• The IT Administration, as well as the operational areas, must have an updated diagram of the electrical and communications installations of the networked computing equipment.
• Electrical and communications installations will preferably be fixed or, failing that, protected from the passage of people or machines, and free from any electrical or magnetic interference.
• Installations will strictly adhere to the equipment requirements, taking care of the wiring specifications and the necessary protection circuits.
• Under no circumstances will improvised or overloaded installations be allowed.

Article 18
The supervision and control of the installations will be carried out within the deadlines and by the mechanisms established by the Committee.

6.4 IT GUIDELINES: INFORMATION

Article 19
The information stored on magnetic media must be inventoried, attaching its description and specifications, and classified into three categories:

• Historical information for audits.
• Information of interest to the Company.
• Information of exclusive interest to a particular area.

Article 20
The area heads responsible for the information contained in the departments under their charge will delimit the responsibilities of their subordinates and determine who is authorized to perform emergency operations with said information, taking the pertinent security measures.

Article 21
Three types of priority for information are established:
• Information vital for the operation of the area.
• Information necessary but not indispensable in the area.
• Occasional or eventual information.

Article 22
For information vital to the operation of the area, collaborative processes must be in place, as well as daily backup of the modifications made, rotating backup devices and storing historical backups weekly.

Article 23
Information necessary but not indispensable must be backed up at least once a week, rotating backup devices and storing historical backups monthly.

Article 24
The backup of occasional or eventual information is at the discretion of the area.

Article 25
Information of a historical nature stored on magnetic media will be documented as an area asset and duly safeguarded in its storage place. It is the obligation of the area manager to hand over this information properly to whoever succeeds them in the position.

Article 26
Information systems in operation, as well as those under development, must have their respective manuals: a user manual describing the operating procedures, and a technical manual describing the system's internal structure, programs, catalogs, and files.

Article 27
No collaborator in software projects and/or specific work may possess, for uses outside their responsibility, any confidential material or information from GTCLOUD, now or in the future.

6.5 OPERATION OF COMPUTING EQUIPMENT

Article 28
It is the obligation of the IT Administration to monitor that computing equipment is used under the conditions specified by the provider and according to the functions of the area to which it is assigned.

Article 29
Company collaborators, when using computing equipment, will refrain from consuming food, smoking, or performing acts that harm its operation or deteriorate the information stored on magnetic media, optical media, or latest-generation removable storage media.

Article 30
For the security of IT resources, security measures must be established at the following levels:

• Physical
• Operating system
• Software
• Communications
• Database
• Process
• Applications

Therefore, the following guidelines are established:

• Maintain access keys that allow use only by authorized personnel.
• Verify information from external sources to corroborate that it is free of any contaminant or agent harmful to the operation of the equipment.
• Maintain insurance policies for IT resources in operation.

Article 31
Under no circumstances will the use of devices foreign to the area's IT processes be authorized. Consequently, the entry and/or installation of personal hardware and software, i.e., hardware and software that is not GTCLOUD property, is prohibited, except in emergency cases authorized by Management.

6.6 IT CONTINGENCY PLAN

Article 32
The IT Administration will create for the departments an IT contingency plan that includes at least the following points:

• Continue the area's operation with alternate IT procedures.
• Keep information backups in a secure place, away from the location of the equipment.
• Keep support, on magnetic media or in documentary form, for the operations necessary to reconstruct damaged files.
• Have an operating instruction for detecting possible failures, so that any corrective action is performed with the minimum possible degradation of data.
• Keep a directory of internal personnel and external support personnel who can be called upon when any anomaly is detected.
• Execute tests of the plan's functionality.
• Maintain reviews of the plan in order to make the respective updates.

6.7 IT STRATEGIES

Article 33
GTCLOUD's IT strategy is consolidated in the Master IT Plan and is oriented towards the following points:

• Open systems platform (portable).
• Operation schemes under the multi-layer concept.
• Standardization of hardware, base software, utilities, and data structures.
• Exchange of experiences between departments.
• Management of joint projects with different areas.
• Permanent training program for company collaborators.

Article 34
For the preparation of IT projects and their budgeting, both the hardware and software needs of the requesting area and the availability of resources at GTCLOUD will be taken into account.

6.8 PHYSICAL ACCESS

Article 35
Only authorized personnel are allowed access to the facilities where GTCLOUD's confidential information is stored.

Article 36
External personnel may enter the facilities where confidential information is stored only under the supervision of authorized personnel, and only for a justified period of time.

6.9 USER IDENTIFIERS AND PASSWORDS

Article 37
All users with access to an information system or IT network will have a single access authorization composed of a user identifier and a password.

Article 38
No user will receive an access identifier to the Communications Network, IT Resources, or Applications until they formally accept the current Security Policy.

Article 39
Users will have authorized access only to those data and resources they need for the performance of their functions, according to the criteria established by the information manager.

Article 40
Passwords will have a minimum length of eight characters and will be composed of a combination of alphabetic, numeric, and special characters.

Article 41
Identifiers for temporary users will be configured for a short period of time. Once that period expires, they will be deactivated from the systems.

6.10 PERSONAL RESPONSIBILITIES

Article 42
Users are responsible for all activity related to the use of their authorized access.

Article 43
Users must not under any circumstances reveal their identifier and/or password to another person, nor keep it written down in view or within reach of third parties.

Article 44
Users must not use any other user's authorized access, even with the owner's authorization.

Article 45
If a user suspects that their authorized access (user identifier and password) is being used by another person, they must change their password and inform their immediate supervisor, who will report it to the network administration manager.

Article 46
The user must use a password of at least eight characters made up of a combination of alphabetic, numeric, and special characters.

Article 47
The password must not refer to any recognizable concept, object, or idea. Therefore, the use of significant dates, days of the week, months of the year, names of people, or phone numbers in passwords must be avoided.

Article 48
If the system does not request it automatically, the user must change the provisional password assigned to them the first time they make a valid access to the system.

Article 49
If the system does not request it automatically, the user must change their password at least once every 30 days. Otherwise, access may be denied, and they must contact their immediate supervisor to request a new password from the network administrator.

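The password and account-lifetime rules of Articles 40, 41 and 46 to 49 can be checked mechanically. The following Python is an added example written for this page, not GTCloud's own tooling; the English and Spanish month and weekday lists, the treatment of six or more consecutive digits or a separated date as a "significant date" or "phone number", and the ISO date strings are assumptions.

```python
"""Checks for the GTCloud password rules (Articles 40, 41, 46, 47 and 49).
Added example for this page; the detection heuristics are assumptions,
noted where they apply."""
import re
from datetime import date, timedelta

MIN_LENGTH = 8                 # Articles 40 and 46
MAX_PASSWORD_AGE_DAYS = 30     # Article 49
REQUIRED_CLASSES = {"alphabetic", "numeric", "special"}

# Article 47: no months, weekdays, dates, people's names or phone numbers.
# Assumption: English and Spanish names are checked; short names such as
# "may" will also reject words like "maybe", which errs on the strict side.
MONTHS = (
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
    "enero", "febrero", "marzo", "abril", "mayo", "junio", "julio", "agosto",
    "septiembre", "octubre", "noviembre", "diciembre",
)
WEEKDAYS = (
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
    "lunes", "martes", "miercoles", "jueves", "viernes", "sabado", "domingo",
)
# Assumption: six or more consecutive digits (DDMMYY, DDMMYYYY, phone numbers)
# or a separated date such as 12/05/1999 count as a "significant date" or
# "phone number" under Article 47.
DIGIT_RUN = re.compile(r"\d{6,}")
SEPARATED_DATE = re.compile(r"\d{1,4}[/.-]\d{1,2}[/.-]\d{1,4}")


def character_classes(password):
    """Return which of the three Article 40 character classes are present."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("alphabetic")
        elif ch.isdigit():
            classes.add("numeric")
        elif not ch.isspace():
            classes.add("special")
    return classes


def recognizable_terms(password, known_names=()):
    """Return the Article 47 terms found in the password (case-insensitive)."""
    lowered = password.lower()
    words = MONTHS + WEEKDAYS + tuple(n.lower() for n in known_names)
    found = [w for w in words if w in lowered]
    if DIGIT_RUN.search(password) or SEPARATED_DATE.search(password):
        found.append("date-or-phone-number")
    return found


def check_password(password, known_names=()):
    """Return a list of violations; an empty list means the password is acceptable.
    known_names lets the caller pass the user's own first and family names."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"Article 40: shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        violations.append("Article 40: missing " + ", ".join(sorted(missing)) + " characters")
    for term in recognizable_terms(password, known_names):
        violations.append(f"Article 47: contains recognizable term '{term}'")
    return violations


def _as_date(value):
    """Accept a date or an ISO 8601 string such as '2024-01-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_expired(last_changed, today):
    """Article 49: True once the password is older than 30 days, when access may be denied."""
    return _as_date(today) - _as_date(last_changed) > timedelta(days=MAX_PASSWORD_AGE_DAYS)


def temporary_account_active(expires_on, today):
    """Article 41: a temporary identifier stays active only up to its expiry date."""
    return _as_date(today) <= _as_date(expires_on)


if __name__ == "__main__":
    # Constructed sample inputs, not real GTCloud accounts.
    for candidate in ("Tr4ns#ferPolicy", "Marzo2024!", "abc123", "Pepe#3105551234"):
        print(candidate, "->", check_password(candidate, known_names=("Pepe",)) or "OK")
    print("expired:", password_expired("2024-01-01", "2024-02-01"))
    print("temp active:", temporary_account_active("2024-03-01", "2024-03-02"))
```
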
Article 50
Protect, to the best of their ability, the personal data to which they have access against unauthorized or accidental disclosure, modification, destruction, or misuse, regardless of the medium in which it is contained.

Article 51
Keep the strictest confidentiality indefinitely, and never disclose personal data contained in any type of medium to outside parties.

Article 52
Use the minimum number of listings containing personal data, and keep them in a secure place out of the reach of third parties.

Article 53
When in possession of personal data, it is understood that said possession is strictly temporary, and the media containing the data must be returned immediately after the completion of the tasks that originated their temporary use.

Article 54
Users may only create files containing personal data for temporary use, and only when necessary for the performance of their work. Such temporary files will never be located on the local disk units of the work computer and must be destroyed when they are no longer useful for the purpose for which they were created.

Article 55
Users must notify their immediate supervisor of any incident they detect that affects or may affect the security of personal data: loss of listings and/or disks, suspected misuse of authorized access by other people, data recovery.

Article 56
Users may only enter identification data and addresses or phone numbers of people in the contact lists of office tools (for example, in Outlook).

6.11 INFORMATION OUTPUT

Article 57
Any output of information (on IT media or by email) may only be carried out by authorized personnel and will require formal authorization from the manager of the area from which it originates.

Article 58
In addition, when especially protected data is output (such as personal data for which the Regulation requires high-level security measures), it must be encrypted or protected by some other mechanism that guarantees that the information cannot be read or manipulated during its transport.

6.12 APPROPRIATE USE OF RESOURCES

Article 57
IT Resources, Data, Software, the Corporate Network, and Electronic Communication Systems are available exclusively to fulfill the obligations and purpose of the operation for which they were designed and implemented. All personnel using said resources must know that they have no right to confidentiality in their use. The following is prohibited:

Article 58
The use of these resources for activities not related to the purpose of the business, or beyond their intended use.

Article 59
Activities, equipment, or applications that are not directly specified as part of the software or standards of GTCLOUD's own IT Resources.

Article 60
Introducing obscene, threatening, immoral, or offensive content into the Information Systems or the Corporate Network. The following is also prohibited:

Article 61
Voluntarily introducing programs, viruses, macros, applets, ActiveX controls, or any other logical device or sequence of characters that causes or is capable of causing any type of alteration or damage to IT Resources. Personnel hired by GTCLOUD will have the obligation to use antivirus programs and their updates to prevent the entry into the Systems of any element intended to destroy or corrupt IT data.

Article 62
Attempting to destroy, alter, disable, or in any other way damage data, programs, or electronic documents.

Article 63
Hosting personal data on the local disk units of work computers.

Article 64
Any file introduced into the corporate network or the user's workstation through automated media, the Internet, email, or any other means must comply with the requirements established in these standards and, in particular, those related to intellectual property and virus control.

6.13 SOFTWARE

Article 65
All personnel who access GTCLOUD's Information Systems must use only the versions of software provided and follow their usage standards.

Article 66
All personnel are prohibited from installing illegal copies of any program, including standardized ones.

Article 67
They are also prohibited from deleting any of the legally installed programs.

6.14 NETWORK RESOURCES

Strictly, no person shall:

Article 68
Connect to any of the Resources any type of communications equipment (e.g., a modem) that enables connection to the Corporate Network.

Article 69
Connect to the Corporate Network through means other than those defined.

Article 70
Attempt to obtain rights or access other than those assigned to them.

Article 71
Attempt to access restricted areas of the Information Systems or the Corporate Network.

Article 72
Attempt to distort or falsify the log records of the Information Systems.

Article 73
Attempt to decipher keys, systems, or encryption algorithms, or any other security element involved in telematic processes.

Article 74
Possess, develop, or execute programs that could interfere with the work of other Users, or damage or alter IT Resources.

6.15 INTERNET CONNECTIVITY

Article 75
Authorization for Internet access is granted exclusively for work activities. All GTCLOUD collaborators have the same responsibilities regarding Internet use.

Article 76
Access to the Internet is restricted exclusively to the network established for it, i.e., through the security system with an integrated firewall. It is not permitted to access the Internet by dialing an access service provider directly and using a browser or other Internet tools over a modem connection.

Article 77
The Internet is a work tool. All activities on the Internet must be related to the tasks and work activities performed.

Article 78
Only data transfers to or from the Internet in connection with work-related activities may take place.

Article 79
If a significant, confidential, or relevant data transmission must occur, it may only be transmitted in encrypted form.

6.16 UPDATES TO THE SECURITY POLICY

Article 80
Due to the evolution of technology and of security threats themselves, and to new legal provisions in the matter, GTCLOUD reserves the right to modify this Policy when necessary. Changes made to this Policy will be disclosed to all GTCLOUD collaborators.

Article 81
It is the responsibility of each GTCLOUD collaborator to read and know the most recent Security Policy.

6.17 TRANSITIONAL PROVISIONS

First Article
The provisions framed herein will enter into force from the day following their dissemination.

Second Article
The standards and policies subject to this document may be modified or adapted according to the needs that arise, by agreement of the Company's IT Technical Committee (CTI); once said modifications or adaptations are approved, their validity will be established.

Third Article
The provisions described herein will be detailed in the specific policy and procedure manuals.

Fourth Article
Collaborators' lack of knowledge of the standards described herein does not exempt them from the application of sanctions and/or penalties for non-compliance.

7. BENEFITS OF IMPLEMENTING COMPUTER SECURITY POLICIES

The benefits of a security system with clearly conceived and well-elaborated policies are immediate, as GTCLOUD will work on a reliable platform, which is reflected in the following points:
• Increase in productivity.
• Increase in personnel motivation.
• Commitment to the company's mission.
• Improvement of labor relations.
• Formation of competent teams.
• Improvement of the work climate for Human Resources.