
Information Security Delivery - Scenario 7

The document presents a case study about the company Datalatina, dedicated to the security of information systems. It is proposed to define a security policy for Datalatina following a given structure, including objectives, scope, responsible parties, principles and metrics. Additionally, it is requested to propose an implementation plan with objectives, scope, roles, procedures and controls to support the policy.

Security of the information

ACTIVITY IN CONTEXT SECURITY POLICY FROM PAPER TO ACTION

QUINTERO VELASQUEZ LUIS OSWALDO 1811024524

TUTOR: ALEXANDRA PEÑA DAZA

GRANCOLOMBIAN POLYTECHNIC

FACULTY OF ENGINEERING, DESIGN AND INNOVATION

VIRTUAL MODALITY
2021

CASE STUDY

Datalatina is a Latin American firm dedicated to assurance, risk management, quality and
security of information systems. The staff of consultants and teachers of this firm have the main
international certifications associated with the scope of their tasks, which have been issued by
prestigious academic organizations, such as ISACA, PMI, DRI, among others. This, added to the
vast experience generated through more than 30 years of commitment to the client, makes
Datalatina a leading company in the solutions it offers. Datalatina's three business lines are:
solutions, software and training. Solutions line: provides consulting and training on good
corporate governance, with references such as COSO and IT governance with COBIT;
comprehensive risk and audit management; money laundering and terrorist financing risk
management; information security management; business continuity management, taking as
reference the ISO 22301 standard; ethical hacking; compliance and legislation; and customized
solutions. Software line: Datalatina uses Meycor software; has developed applications for IT
governance with Cobit, ISO 27001 information security and corporate risk management aligned
with the ISO 3100 Standard. Training line: is an ISACA authorized center for training and
certification in ISA, CISM, CGEIT, CRISC, CISSP and DRI.

Datalatina is ISO/IEC 27001 certified, which ensures quality in terms of security according to that
standard. It has important clients worldwide and, in addition, works through representatives in
different countries.

Based on the information above, perform the following activities:

1. Define the security policy for Datalatina, according to the structure seen in Scenario 5.

1.1 Policy Summary

Information is currently a very important asset for companies and people; for this reason it must
be protected regardless of how it is transmitted, stored and shared, which is why information
security measures are implemented.

1.2 Introduction

Datalatina, in accordance with its mission, vision and business strategy, decides to implement an
ISMS that seeks to maintain the confidentiality, integrity and availability of both the company's
information and that of its clients, taking as premises risk management and the commitment of
collaborators to the maintenance and continuous improvement of processes.

Datalatina adopts the Information Security Policy as a framework for the creation and
development of measures, norms, standards, procedures and controls that regulate the proper
use of information, providing a safe environment for its treatment and complying with the
contractual, regulatory and legal security requirements in force.

1.3 Objectives

• Evaluate and consider the vulnerabilities and threats to information security for each of
the assets that the company considers essential and/or important for its work and
business continuity.

• Ensure the confidentiality of the processes and guidelines proposed by the company, as well as
of customer information.

• Ensure the integrity and availability of the company's assets that are used in operations and
shared with its clients.

1.4 Scope

This policy is applicable to Datalatina's solutions, software and training business lines, ensuring
the three key pillars of Information Security, as well as to its officials (managers, consultants
and teachers), suppliers, contractors and anyone who, in the exercise of their duties, has access
to the information assets of the company and/or its clients.

1.5 Responsible parties

• The senior management team is responsible for ensuring that the information security
policy is managed within the organization, as well as for establishing the priorities for
securing the assets managed in the company.

• Collaborators must adhere to the parameters set out in the information security policy
implemented in the company, avoiding unauthorized disclosure of material, protecting the
company and client information to which they are given access in their work areas, and
reporting failures of the policy and violations that occur in their work environment.

• The security officer will be in charge of providing appropriate advice for the continuous
improvement of the information security policy, as well as for making available the reports
that must be produced on an ongoing basis.

• Clients must not distribute any confidential information of the company except with the
company's authorization, and must comply with the policies managed by the company, so that
the availability, integrity and confidentiality of the information each of them interacts with
can be maintained.

1.6 Principles

• All employees, suppliers and customers must report security violations.

• The respective sanctions will be taken for any person who violates the proposed and
implemented security policy.

• Any risk that does not affect business continuity and is within the margin accepted by
the company will be accepted.

• Defined monitoring will be carried out to verify the implementation of the security
policy.

• Each area in charge of the assets will be ready to respond to the materialization of a risk.

• Information security reports and records must be available.

• New risks that may arise during the implementation of information security must be
evaluated continuously, updating the policies so that the policy objectives continue to be
met.

1.7 Key results

• Better management of the company's and clients' information is evident, enabling its
services to be delivered better.

• Continuous controls and improvements are carried out in the risk assessment for each of
the assets, preserving availability, integrity and confidentiality.

• Effectiveness is evident in controlling incidents, keeping them within acceptable margins.

• Approval and peace of mind from customers for the security that will be implemented in the
company's business lines.

1.8 Related policies

• Mobile Device Policy
• Telecommuting Policy
• Access Control Policy
• Policy on the use of cryptographic controls and key management
• Clean Desk and Clear Screen Policy
• Secure Areas Policy
• Backup Policy
• Information Transfer Policy
• Secure Development Policy
• Security policy for contractors and/or suppliers
• Privacy and personal data policy

2. Propose a policy development and implementation plan that contains the following:

a. ISMS Objectives
b. High-level definition of the scope and reference framework for the ISMS
c. Procedures and controls that support the policy
d. Definition of roles and responsibilities
e. High-level indication of the scope and boundaries at the physical, ICT and organizational level.

a. ISMS objectives.

ISMS objectives, with the name and formula of the indicator that measures each one:

1. Objective: Identify, control, prevent and/or mitigate information security risks, in order to
   avoid incidents that may affect reputation and applicable legal and regulatory requirements.
   Indicator: Effectiveness in the execution of risk mitigation plans.
   Formula: # of risk plans executed in the quarter / # of plans proposed in the quarter.

2. Objective: Establish and implement policies, regulations and procedures that allow
   safeguarding and protecting the information of Datalatina and its clients.
   Indicator: Effectiveness in the management of security incidents.
   Formula: # of incidents closed on the proposed date / # of incidents selected by the end of
   the quarter.

3. Objective: Develop awareness and training activities that allow disseminating the guidelines,
   policies and good practices associated with information security.
   Indicator: Compliance of the training program.
   Formula: # of trainings carried out / # of trainings scheduled.

4. Objective: Evaluate, maintain and improve the Information Security Management System
   (ISMS), in order to achieve efficiency, continuous improvement and compliance with the
   requirements of current regulations or laws.
   Indicator: Degree of compliance in ISMS management.
   Formula: # of penalized controls / # of evaluated controls.
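As an added worked example (not part of the original assignment), the following Python module computes the four indicators above for one quarter from operational records. The record types, the constructed sample data and the choice to report an empty denominator as "not applicable" are assumptions of the example; the formulas are the ones stated in the table.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


def _ratio(numerator: int, denominator: int) -> Optional[float]:
    """Numerator / denominator rounded to 4 places, or None when the
    denominator is 0 (nothing planned: 'not applicable', not 0% or 100%)."""
    if denominator == 0:
        return None
    return round(numerator / denominator, 4)


def in_quarter(d: date, year: int, quarter: int) -> bool:
    """True if d falls inside calendar quarter 1..4 of the given year."""
    first_month = 3 * (quarter - 1) + 1
    return d.year == year and first_month <= d.month < first_month + 3


@dataclass
class RiskPlan:                  # constructed record type for indicator 1
    proposed: date               # date the mitigation plan was proposed
    executed: Optional[date]     # date it was fully executed, None if pending


@dataclass
class Incident:                  # constructed record type for indicator 2
    selected: date               # date the incident was selected/opened
    due: date                    # proposed closing date
    closed: Optional[date]       # actual closing date, None if still open


@dataclass
class ControlReview:             # constructed record type for indicator 4
    control_id: str              # e.g. an ISO/IEC 27001 Annex A control
    penalized: bool              # True if the evaluation raised a finding


def risk_plan_effectiveness(plans, year, quarter):
    """Indicator 1: # of risk plans executed in the quarter /
    # of plans proposed in the quarter. Taken literally, a plan proposed
    earlier but executed this quarter still counts in the numerator, so the
    value can exceed 1.0 when a backlog is cleared."""
    proposed = sum(1 for p in plans if in_quarter(p.proposed, year, quarter))
    executed = sum(1 for p in plans
                   if p.executed is not None and in_quarter(p.executed, year, quarter))
    return _ratio(executed, proposed)


def incident_effectiveness(incidents, year, quarter):
    """Indicator 2: # of incidents closed on the proposed date (closed <= due) /
    # of incidents selected by the end of the quarter."""
    selected = [i for i in incidents if in_quarter(i.selected, year, quarter)]
    on_time = sum(1 for i in selected if i.closed is not None and i.closed <= i.due)
    return _ratio(on_time, len(selected))


def training_compliance(done: int, scheduled: int):
    """Indicator 3: # of trainings carried out / # of trainings scheduled."""
    return _ratio(done, scheduled)


def isms_compliance_degree(reviews):
    """Indicator 4 as stated in the table: # of penalized controls /
    # of evaluated controls. It measures non-compliance, so lower is better."""
    penalized = sum(1 for r in reviews if r.penalized)
    return _ratio(penalized, len(reviews))


# Constructed sample data for Q2 2021 (not real Datalatina records).
SAMPLE_PLANS = [
    RiskPlan(date(2021, 4, 5), date(2021, 5, 20)),   # proposed Q2, executed Q2
    RiskPlan(date(2021, 4, 12), None),               # proposed Q2, pending
    RiskPlan(date(2021, 5, 3), date(2021, 7, 2)),    # proposed Q2, executed Q3
    RiskPlan(date(2021, 2, 1), date(2021, 6, 1)),    # proposed Q1, executed Q2
]
SAMPLE_INCIDENTS = [
    Incident(date(2021, 4, 10), date(2021, 4, 15), date(2021, 4, 14)),  # on time
    Incident(date(2021, 5, 2), date(2021, 5, 9), date(2021, 5, 12)),    # late
    Incident(date(2021, 6, 20), date(2021, 6, 30), None),               # still open
    Incident(date(2021, 3, 28), date(2021, 4, 2), date(2021, 4, 1)),    # Q1, excluded
]
SAMPLE_REVIEWS = [
    ControlReview("A.8.1.1", True), ControlReview("A.9.2.1", False),
    ControlReview("A.12.3.1", True), ControlReview("A.16.1.1", False),
]


def quarterly_report(year=2021, quarter=2, trainings=(7, 8)):
    """Collect the four indicators for one quarter into a dictionary."""
    return {
        "risk_plan_effectiveness": risk_plan_effectiveness(SAMPLE_PLANS, year, quarter),
        "incident_effectiveness": incident_effectiveness(SAMPLE_INCIDENTS, year, quarter),
        "training_compliance": training_compliance(*trainings),
        "isms_compliance_degree": isms_compliance_degree(SAMPLE_REVIEWS),
    }


if __name__ == "__main__":
    for name, value in quarterly_report().items():
        print(name, "n/a" if value is None else f"{value:.2%}")
```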

b. High-level definition of the scope and reference framework for the ISMS

This policy is applicable to Datalatina's solutions, software and training business lines, ensuring
the three key pillars of Information Security, as well as to its officials (managers, consultants and
teachers), suppliers, contractors and anyone who, in the exercise of their duties, has access to the
information assets of the company and/or its clients.

For the construction of Datalatina's Information Security Management System, the following has
been taken as a reference:

o COLOMBIAN TECHNICAL STANDARD NTC-ISO/IEC 27001:2013. 2013-12-11. Information
technology. Security Techniques. Information Security Management Systems. Requirements,
and its Annex A.
o COLOMBIAN TECHNICAL STANDARD NTC-ISO/IEC 31000:2009. Risk Management, Principles
and Guidelines.
o COLOMBIAN TECHNICAL STANDARD NTC-ISO/IEC 9001:2015. Quality Management System.
o List of legal and contractual requirements. See Normogram.
o Information Security Model, MinTIC Guides 4, 7, 8 and 21.

c. Procedures and controls that support the policy.


Procedures and the aim of each one:

1. Risk Evaluation and Treatment Methodology: Carry out risk management activities for the
   different processes and information assets, aimed at protecting the company from possible
   adverse events, in such a way that the probability of occurrence of the event and its impact
   are reduced based on the evaluation, treatment and control of risk.

2. Information Asset Management Methodology: Establish the guidelines and criteria under which
   the identification and classification of assets associated with information and information
   processing facilities in the company must be carried out.

3. Normogram: Control and monitor the laws, regulations and other contracts that must be
   strictly complied with by the organization.

4. Incident Management Procedure: Establish guidelines for the management of Information
   Security incidents, in order to guarantee the ideal treatment of information and efficient
   recovery in the event of an Information Security incident in the company.

5. Procedure for working in secure areas: Achieve a physical work environment in accordance
   with the requirements of Confidentiality, Integrity and Availability of the company's
   information assets, in accordance with what is required by the Information Security
   Management System.

6. Information Classification and Labeling Procedure: Present the levels, criteria, forms and
   guidelines that must be used by the Owners/Leaders responsible for the company's
   information to classify, label and process the information, ensuring its confidentiality,
   integrity and availability.

7. Information Transfer Procedure: Establish activities and responsibilities for the secure
   exchange of information, seeking to ensure that the means by which these exchanges are
   carried out have optimal security levels, preventing the integrity and confidentiality of the
   information from being violated.

8. Infrastructure Monitoring Procedure: Design a procedure for monitoring the infrastructure
   that allows it to be managed efficiently and, at the same time, provides a real-time view and
   generates reports on the status of the company's network nodes and servers.

9. Destruction and secure erasure procedure: Establish the criteria and guidelines to carry out
   the secure deletion and/or destruction of information contained in digital and/or physical
   media.

10. Removable media management and media disposal: Describe the activities to follow for the
    management of removable media, in order to guarantee the confidentiality, integrity and
    availability of the information, in accordance with the classification levels established by
    the company.

11. Information Backup Procedure: Establish guidelines that guarantee the protection of the
    company's critical and non-critical information, maintaining easy-to-recover backup copies
    for when they are necessary.

12. Procedure for the construction and principles of secure systems: Create, control and sustain
    separate environments at the physical and logical level for the development and
    implementation of software applications (development, testing and production
    environments), whose main objective is that the software development cycle is independent
    between environments, preventing them from putting the integrity of the information at
    risk; also confirming that internal or external developers have limited and controlled access
    to the data and files found in the production environment.

13. User Management Procedure: Respond to requests for the creation, modification or
    withdrawal of user accounts for the availability and use of technological resources such as
    files, directories, applications, among others.

14. Password Management Procedure: Determine the guidelines for storing the company's
    critical passwords, thus guaranteeing the confidentiality and availability of this information.

15. Change Management Procedure: Control changes in the company's processes, facilities and
    information processing systems that may affect information security.

16. Information Security Continuity Procedure: Establish strategies that ensure the continuity
    of the company's business and that also cover emergency response, disaster recovery and
    impact mitigation in the event of partial or total interruption of the organization's critical
    services.

17. Management of technical vulnerabilities: Present the result of the vulnerability analysis of
    the external scenario, in order to indicate measures and activities that achieve the
    mitigation of the identified findings and increase the security of the systems and/or
    devices.

d. Definition of roles and responsibilities

Information Security Authorities

• Strategic Direction Process

The Strategic Management Process, headed by the Manager, actively supports information
security within the organization, defining the guidelines and directives under which the ISMS
must operate. Among its responsibilities are:

• Maintain within the staff, an employee who responds to the role of ISMS Leader,
who will be in charge of managing everything related to information security in the
organization.
• Establish the ISMS guidelines and policies, ensuring their integration with the other
processes of the organization and the Strategic Plan.
• Ensure compliance with information security policies, committing to ensure that
employees and contractors, under their charge, and interested parties know and
apply the established security controls.
• Assign the responsibilities associated with information security to other areas and
processes.
• Ensure that the internal audit program is executed, at least once a year, and that
corresponding improvements are made.
• Define the level of risk tolerance.
• Allocate the necessary resources for the effectiveness of the ISMS.

• Information Security Committee

To establish, implement, operate, supervise, review, maintain and improve the ISMS, the
Committee must include the following actions within its functions:

• Evaluate the performance of the ISMS on a semi-annual basis.


• Evaluate and approve the information security strategies and policies required by the
organization in accordance with its dynamics and conditions.
• Establish institutional guidelines for the application of information security
protection mechanisms.
• Evaluate and approve basic and specific information security policies, guaranteeing
their dissemination and application in the organization.
• Participate in decisions about information security architectures and solutions and their
continuity.
• Evaluate and approve Continuity Plans for the security of information that, in the
event of a critical situation, may be partially or totally threatened.
• Support the identification of the organization's critical processes, as well as analyze
and propose technological solutions that it requires.
• Generate and support socialization, awareness and knowledge transfer plans on
issues related to the ISMS.

Roles of the information security organization

The role design groups areas according to how people organize themselves to achieve better
information security results. Each person understands their role in supporting the process, as
well as their responsibilities towards other team members, in order to achieve common
objectives, encouraging the development of skills in an environment of continuous learning.

• Information Security Officer

Serves as Leader of the Information Security Management System and is responsible for
planning, developing, controlling and managing the implementation and correct functioning of
the Information security model in line with the objectives and needs of DATALATINA and under
the guidelines of the Management Committee. It is also responsible for applying and
maintaining security standards in the computer resources under its responsibility, in accordance
with the DATALATINA information security model and under the authorization of the person
responsible for the corresponding information.

In effect, the Information Security Officer fulfils the role of ISMS Leader; this role is placed at a
high level to ensure compliance with security policies, and therefore reports directly to General
Management.

[Organization chart: Management Committee (Director) → ISMS Leader (Executes) → ISMS
Operator (Executes)]

• The ISMS Operator

The Information Security Management System Operator is responsible for executing the
operational administration procedures of the security elements and for handling the security
incidents and vulnerabilities that occur in DATALATINA's information resources. Their function
must be aligned with the operations management process, and in this company the role is
assigned to the IT Engineer.

It is also responsible for executing operational procedures for identification, authentication and
access control in order to protect information assets, as well as updating systems in accordance
with the DATALATINA information security model.

Among the responsibilities and functions of the ISMS Leader and Operator, in light of the PDCA
(PHVA) cycle, are:

Responsibilities of the ISMS Leader and the ISMS Operator (a responsibility marked as shared
applies to both roles; the PHVA phase column of the original table is not recoverable):

1. ISMS Leader: Plan, design and implement the organization's ISMS, its policies, guidelines
   and controls in accordance with the guidelines of the Management Committee, legal
   requirements and the good practices of technical standards.
   ISMS Operator: -

2. Shared: Develop all Information Security and IT security coordination activities of the
   organization.

3. ISMS Leader: Set appropriate rules and controls, and lead the establishment of policies and
   procedures related to Information Security and IT Security.
   ISMS Operator: Implement appropriate standards and controls, and ensure that the policies,
   applications and procedures related to Information Security and IT Security are executed as
   planned in each process of the organization.

4. Shared: Safeguard the organization's information assets, intellectual property and
   regulatory compliance.

5. Shared: Carry out, together with the Process Leaders, the identification, assessment and
   classification of information assets.

6. ISMS Leader: Establish, review, approve and keep updated, together with the Primary
   Committee, the Information Security Policy and the general responsibilities regarding
   Information Security.
   ISMS Operator: Ensure the assurance and appropriation of the Policy within each process.

7. ISMS Leader: Design and execute awareness and sensitization plans for employees,
   contractors and third parties regarding the information security culture throughout the
   organization.
   ISMS Operator: Support the awareness and sensitization plans for employees, contractors
   and third parties regarding the information security culture throughout the organization.

8. ISMS Leader: Formulate, define and update the policies, norms, procedures and standards
   defined in the ISMS.
   ISMS Operator: Execute the update of the policies, norms, procedures and standards defined
   in the ISMS.

9. Shared: Keep the analysis, assessment and treatment of risk on the organization's
   information assets updated.

10. ISMS Leader: Carry out, together with the process leaders, the evaluation and treatment of
    risk on the organization's information assets.

11. ISMS Leader: Evaluate, support and approve technical concepts regarding new technological
    solutions or platforms.
    ISMS Operator: Issue technical concepts regarding new technological solutions or platforms.

12. ISMS Leader: Advise processes in the application of the methodology for maintaining
    contingency and continuity plans for information security.
    ISMS Operator: Support processes in the execution of contingency and continuity tests for
    information security.

13. ISMS Leader: Evaluate, select and implement tools that facilitate the work of managing the
    ISMS.
    ISMS Operator: Feed the tools adopted to manage the ISMS.

14. ISMS Leader: Provide guidelines to control access to the organization's information by
    external and internal personnel, maintaining the fundamental pillars of information
    security.
    ISMS Operator: Establish access controls to the organization's information for external and
    internal personnel, maintaining the fundamental pillars of information security.

15. ISMS Leader: Ensure compliance with information security requirements at the levels of
    operation, development and implementation of information systems and computer
    communications systems.
    ISMS Operator: Support or supervise work plans (change control) that impact information
    security.

16. ISMS Leader: Coordinate the actions necessary to identify, control, reduce and evaluate
    information security incidents.
    ISMS Operator: Follow up on the reporting of information security events and incidents;
    investigate, record, collect evidence and document the lessons learned from the incidents.

17. ISMS Leader: Evaluate and prepare status reports on information security and the
    effectiveness of security controls, in order to perform the periodic review of the system
    status and accompany the Organization in its evaluation, ensuring that the ISMS remains in
    accordance with the needs of the Organization and that improvements are identified.
    ISMS Operator: Ensure that vulnerability remediation plans are fully executed and
    developed. Report on the status of the activities under their charge.

18. Shared: Propose, design and promote the continuous improvement of the information
    security controls and tools necessary to strengthen information security in the organization
    and the appropriate treatment of the information security incidents detected.

19. Shared: Monitor the execution of action plans related to information security.

• The person responsible for the information

The person responsible for the Information is defined as any employee, contractor or third party in
charge of clearly identifying the value of the information, knowing the risks to which it could be
exposed and ensuring that the necessary mechanisms are provided so that these risks are mitigated
to acceptable levels, considering the cost-benefit ratio for their area.

Information security responsibilities in other areas

o IT Management

1. Must apply the necessary controls that guarantee the availability, confidentiality and
integrity of the information of technological information assets and computer resources.
2. Must prevent unauthorized disclosure, modification, removal or destruction of information
stored on peripheral devices.
3. Must carry out the survey, update and maintenance of technology information assets.
4. Must authorize the creation or modification of DATALATINA access accounts or resources.
5. Must make and maintain backup copies of the information in digital media.
6. Must ensure that antivirus software providing protection against malicious code is installed
on all computing resources.
7. Must authorize the use of software licensed by DATALATINA.
8. IT personnel are the only ones authorized to make modifications or updates to technological
elements and resources, such as opening, adding, disconnecting, removing, reviewing
and/or repairing their components.
9. Must establish an authorization procedure and controls to protect access to data networks
and network resources.
10. Must establish a procedure that ensures the deactivation or blocking of access privileges on
technological resources, network services and information systems when the employee or
user has been separated from or has terminated their contract with DATALATINA.
11. Must establish a procedure that ensures the management of normal and emergency changes
at the level of infrastructure, applications and technological services.
12. Must establish a change committee, which will be in charge of evaluating, approving or
denying the implementation of changes.
13. Must periodically plan activities that involve audits of the systems in production, and must
guarantee that the documents, devices and media used for audits of the Information Systems
are protected and guarded from unauthorized access.
14. Must document the results of the information systems audits.
15. Must ensure that a backup copy of the asset's information is made prior to its return and
before executing the secure erase procedure.

o Legal Advisor

1. Indicate to the ISMS Leader the statutory, regulatory, and contractual requirements relevant
to Datalatina's approach to information security.

o Human Talent Management

2. Must verify the background of all candidates in accordance with relevant laws, regulations
and ethics; the verification must be proportionate to the requirements of the business, the
classification of the information to be accessed, and the perceived risks.
3. Must ensure that users who have access to confidential information sign a confidentiality,
copyright and/or data protection agreement, as applicable.
4. Must determine the necessary competencies of employees who perform work that affects
information security performance.
5. Must ensure that employees are competent, based on the required education, training or
experience.
6. Must evaluate employees in relation to information security performance, encourage the
taking of actions to acquire and/or strengthen the necessary competencies, and evaluate the
effectiveness of the actions taken.
7. Must file and safeguard employment histories, retaining appropriate documented
information as evidence of competency.
8. Must lead induction, re-induction, training and awareness programs focused on
strengthening awareness in relation to information security.
9. Must lead the activities required for the termination of contracts, ensuring the relevant
information security aspects.
10. Must establish confidentiality or non-disclosure agreements to be applied to all
DATALATINA personnel.
11. Must identify, regularly review and document requirements for confidentiality or non-
disclosure agreements that reflect VALID CCOLOMBIA's needs for the protection of
information.
12. Must detail the activities for which employees can be monitored, in order not to violate the
right to privacy or the rights of the employee.
13. Must guarantee that all employees accept and sign the confidentiality agreements
determined by DATALATINA, which express the obligation to protect the information from
being revealed.
14. In conjunction with General Management, must apply the disciplinary procedure when cases
of non-compliance with or violation of the information security policies are evident.
15. Employees must return all DATALATINA assets in their possession upon termination of their
employment, contract or agreement.

e. High-level indication of the scope and boundaries at the physical, ICT and organizational
level.

This policy will cover each piece of software created by the company that was considered when
evaluating the information assets, as well as license control of the "Meycor" software, to
which the related policy processes, such as the access policy, will be applied. In addition, the
reporting established and agreed with senior management will be carried out to control the
infractions that arise and to define an improvement plan. Availability for the treatment of
information assets and their effects will be a priority, so that they do not interfere with
business continuity and do not generate reproach from clients for non-compliance. For this
reason, constant monitoring will be carried out on each high-priority hardware element, such
as servers, cloud services, repositories and others, regardless of whether it is contracted from
a third party.

Employees, senior managers and clients will be governed by what is contemplated in the policy.
If, once it has been approved and implemented, modifications are necessary, these must be
presented, analyzed and evaluated for implementation in the form of an annex, with due
diligence, within the awareness plan or within the improvement and maintenance of the policy,
which will be carried out annually.

3. Define an awareness plan for the implementation of the security policy.

Sensitization and training of Datalatina staff is considered a fundamental part of the
implementation of the Information Security Management System, since studies show that one of
the main sources of information loss is human error*, which is why it is necessary to work with
collaborators on prevention topics such as information protection, incident identification,
risk-based thinking, etc.
[Chart: Main factors that cause a loss of information. Categories: hardware problems, human
error, software problems, natural catastrophes; the largest bar is labelled 49%. Source:
Recovery Labs]