INFORMATION SECURITY POLICY
- FIRST VERSION AUGUST 2018
INTRODUCTION
Goal
This information security policy (hereinafter, the "Policy") aims to establish the organizational, technical, physical and legal measures necessary for the protection of each and every one of the information components and those assets related to its creation, unauthorized access, processing, storage, use, transmission, elimination or destruction within ADBID LATINOAMERICA SAS (hereinafter, “Adbid”).
Scope
This Policy establishes the minimum Information Security requirements that must be met within Adbid, being an integral part of relationships with suppliers, customers, contractors, employees and other people who in some way or another enter Adbid facilities. or have access to Adbid information.
guiding principles
As responsible for the proper management of information, Adbid undertakes to guide and apply its actions in relation to Information Security, under the principles indicated below:
i) Principle of integrity: Adbid will ensure that the information and its processing methods are accurate and complete;
ii) Principle of availability: Adbid will ensure that authorized users have access to the information and its associated assets when required.
iii) Principle of security: Adbid will handle the information with reasonable technical, human and administrative measures according to its capacity in order to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;
iv) Principle of confidentiality: Adbid undertakes to guarantee that all persons involved in the use of information that are not of a public nature will be obliged to guarantee the confidentiality of the information, even after the relationship has ended;
v) Principle of access control: Adbid undertakes to give access to the information only to those authorized persons;
vi) Principle of non-repudiation: Adbid undertakes to guarantee the ability to prove the participation of users in accessing the information and its associated assets.
Glossary
The definitions established in this section will be used as a reference for the correct and appropriate interpretation of this Internal Manual and Adbid's Personal Data Protection and Treatment Policy. In this sense, it will be understood as:
i) Information Asset: Any combination of physical and logical assets, including but not limited to Adbid information, computer and data processing systems, communications links, access methods, email, internet access, remote access, devices mobile phones and/or any other type of software and hardware that participates in the life cycle of the information;
ii) Information Security: They are the set of preventive and government measures aimed at protecting confidentiality, integrity and availability;
iii) Confidential Information: Refers to the physical or digital information that is used by a group of Adbid employees in the execution of their work and that cannot be known by other officials, employees, contractors, suppliers, clients or third parties without authorization. expressed by the owner of the information.
USE OF INFORMATION ASSETS
All employees, contractors, consultants and third parties using Information Assets owned by Adbid or owned by Adbid customers are responsible for fully complying with and adhering to this Policy.
Use of the systems
The system used by Adbid (Software, Hardware and peripherals) as well as the information contained therein is owned by Adbid and its use is restricted solely for the purposes of duly complying with the corporate purpose of the company and its businesses. , therefore reserving Adbid the power to monitor the system at any time.
Any unauthorized use, modification, alteration or access to the system will result in disciplinary or legal action, as appropriate. Ed use of the system by employees, consultants, contractors implies acceptance of the Policy.
Use of institutional emails
Internet use
Any communication by email between Adbid and its clients or consultants must be done through the institutional email provided by Adbid. In this sense, the use of personal accounts to communicate with clients or consultants and to transmit any type of information related to the business is prohibited.
Adbid respects the principles of freedom of expression and privacy of information of its employees and therefore does not in any way restrict their privacy and the information they store, send or receive via institutional email. However, Adbid reserves the right to inspect and monitor assigned institutional email in order to comply with the standards, guiding principles, and terms and conditions set forth in this Policy.
Institutional emails will be active during the relationship of the employee or collaborator with Adbid, except in those cases where their cancellation and/or suspension is necessary.
Adbid has a disclaimer in each of the messages that are sent through an institutional email.
The institutional e-mail mailbox is personal and non-transferable and therefore the Security of the Information contained therein corresponds to the employee or collaborator. The employee or collaborator is solely responsible for the proper use of their institutional email and, in this sense, undertakes to:
i) Respect the confidentiality of the information contained in the emails of other employees or collaborators;
ii) Use the institutional email for the development and execution of the activities of their work within Adbid, always complying with the duty of confidentiality in the information stored, used or transmitted;
iii) Use the institutional email for the purposes of the organization;
iv) Act with respect for the good name of Adbid and of people, so it will not use institutional email for the purpose of intimidation, harassment, defamation, slander or hostilities of any kind;
v) Refrain from sending messages with unwanted content (spam) or with false information (hoax) that may be offensive or harmful to other employees or collaborators as well as customers;
vi) Refrain from sending messages that are contrary to the law and good customs;
vii) Periodically maintain your institutional email;
viii) Respect the privacy of the institutional emails of other employees or collaborators;
ix) Respect the information barriers that exist within Adbid created to prevent the exchange of communications that may generate or result in a conflict of interest (Chinese Wall);
In Adbid there is no limitation to the use of the Internet. However, the employee or collaborator will refrain at all times from:
i) Download programs that automatically make connections to sites that have pornographic content, as well as refrain from making use of the resources for the distribution or reproduction of this type of material;
Shared resources
For the proper execution of the tasks and activities of the business, Adbid and its employees and collaborators use shared folders among their work teams to achieve efficiency in the development of their activities.
The folders are only shared between the members of the work teams and therefore have restricted access to employees or collaborators who, although they are part of the organization, are not part of the specific work team that develops work for a certain client or for the client. development of certain activities.
cloud resources
To achieve greater interaction and efficiency in the organization's activities, Adbid uses cloud computing technologies (Google Drive).
BARRIERS IN INFORMATION (CHINESE WALL)
Under the understanding that within the organization there are different teams that advise different clients who, to a certain extent, have the same or similar interests in the market and to avoid the generation of conflicts of interest, Adbid has decided to implement measures to avoid the transmission of information between different teams in the organization.
In this sense, each member of a work team within Adbid only has access to the information related to their accounts through the use of their institutional email, so they have prohibited access to resources managed by teams other than the one they do. part.
Potential conflicts of interest
There will be a potential conflict of interest within Adbid when there is one of the following events:
i) Interaction between work teams: Interaction between work teams that have clients and manage accounts that have the same or similar interests in the market is not allowed and therefore corresponds to the Digital Accounts Directors of each work team. work prevent the flow of insider information between the members of their teams and other areas;
ii) Changes in work teams: If for any reason an employee or collaborator who is a member of a work team moves to another work team where a client and an account with the same or similar interests in the market are handled the client and account managed by said employee or collaborator in his previous work team, he will not be able to use the privileged information that he has eventually received in his previous activities to take advantage;
iii) Interaction between senior executives and work teams: In the interaction between senior executives of the organization and work teams, senior executives will refrain from influencing and/or disclosing privileged information that may go against the interests of each client. and your accounts. Therefore, senior executives will not discuss their strategies with other employees or collaborators of the organization with whom there may be a potential conflict of interest.
Crossing information barriers
There will be crossing of information barriers within Adbid when the following events occur:
i) Crossing the wall: This information barrier crossing event occurs when an employee or collaborator who does not belong to a certain work team needs, for some reason, to have access to the privileged information of another work team;
ii) Over the wall: This information barrier crossing event occurs when a senior executive, who is above the information barrier, has access to privileged information;
Procedure for crossing information barriers
If an employee or collaborator who is a member of a work team and for reasons solely related to Adbid's business, needs to share privileged information about his work team, his clients and his accounts or access privileged information from another work team, his clients and your accounts, for this, in addition to objectively considering whether the benefits of crossing the wall are greater than the consequences of crossing it, you must follow the following procedure:
8
i) Send a request to the Adbid CSO, in which you must specify: a) the reasons why the wall must be crossed; b) the employees or collaborators who will cross the wall and; c) the privileged information to be analyzed and its specific destination;
ii) If it is information that, in the opinion of the CSO, is privileged and may affect the interests of its clients, it will inform the client to whom their information will be disclosed and will request their authorization, explaining the reasons for said information and the use that it will give it;
iii) Once the authorization of the client is obtained, in the cases in which it is necessary, the CSO will inform the applicant that he wishes to cross the wall, the approval or not of his request. If approved, the applicant will receive only the requested information with the restrictions that both the client and the CSO deem necessary and will be limited to those activities explicitly described in the application.
Environment Security
All employees and collaborators must have a unique personal identification to use the organization's resources. Only in exceptional circumstances will the creation of a shared user be authorized, this in cases where the creation of a work team is needed for a certain task and the creation of said shared user is necessary to avoid crossing information barriers.
Access control
Employees and collaborators, in the exercise of their activities, will keep their workplaces clean at all times.
If an employee or collaborator is absent from his workplace, he must lock his computer to reduce the risk of unauthorized access to information. However, computers will automatically lock after five (5) minutes of inactivity.