Introduction
The purpose of this Information Security Management System (ISMS) Security and Privacy Policy is to establish the management guidelines that Jumbonline has implemented to ensure that access to, use of, and custody of information assets are carried out in accordance with the business requirements established by Jumbonline. These guidelines are established with respect to the integrity, availability, and confidentiality of information, respecting the current legal framework and faithfully complying with the security guidelines, procedures, and regulations that are established.
Scope
The ISMS Information Security and Privacy Policy is applicable to those persons who have access to resources identified as "information assets" of the company, within the scope established for the security management system. These protection requirements affect all information in electronic or paper format and the information systems owned or managed by Jumbonline.
Principles
The formulation of the ISMS Information Security and Privacy Policy is based on the following key protection principles:
Effectiveness: Ensure that all information used is necessary and useful for the processes that produce and disseminate data.
Efficiency: Ensure that the processing of information is carried out through an optimal use of human and material resources.
Integrity: Ensure that all the information necessary and sufficient for the operation of services and processes is processed, completely and without unauthorized alteration, in each of the computer systems.
Accuracy: Ensure that all information is free of errors and/or irregularities of any kind.
Availability: Ensure that information and its manual and automatic processing capacity are safeguarded and recovered when necessary, in such a way that the progress of services is not significantly interrupted.
Legality: Ensure that all information and the physical media that contain, process, and/or transport it comply with the current legal regulations in each area.
Confidentiality: Ensure that all information is protected against unauthorized use, accidental disclosure, breach of privacy, and other similar actions resulting from access by unauthorized third parties.
Privacy: Ensure security regarding the collection, use, retention, disclosure, and disposal of personal information.
Authorization: Ensure that all access to data and/or transactions that use them comply with the appropriate levels of authorization for their use and disclosure.
Physical protection: Ensure that all information processing and/or storage media have physical protection measures that prevent access and/or misuse by unauthorized personnel.
Responsibility: Ensure that interested parties are aware of, and responsible for, safeguarding the security of information systems and the actions that can be taken to strengthen it.
Objectives of the ISMS
The objectives of the ISMS regarding the established scope are:
Embed the value of Information Security and Privacy throughout the Organization.
Contribute, on the part of each and every person at Jumbonline, to the protection of Information Security and Privacy.
Define the commitment to continuous improvement as a security management framework, using the ISO 27001 standard as a reference to establish the information security management system and the ISO 27002 standard as a set of best practices for information security management.
Guarantee Jumbonline's commitment, regarding the processing of personal data and those of a particularly sensitive nature, to comply with the principles of privacy and data protection legislation.
Protect Jumbonline's information against all threats, whether internal or external, deliberate or accidental, in order to ensure the continuity of the service offered to customers.
Establish an information security and privacy plan that integrates activities to prevent and minimize the risk of security incidents based on the risk management criteria established by Jumbonline.
Assume responsibility for awareness and training in information security as a means to ensure compliance with this policy.
Extend our commitment to information security to customers and stakeholders.
Policies, rules, and procedures
All employees and collaborators of Jumbonline actively participate in the culture of prevention and protection of assets derived from the ISMS. To do this, they must act in accordance with this policy and with those security rules and procedures prepared and communicated by the entity.
Roles and responsibilities of the ISMS
Ensuring that the objectives proposed in this security and privacy policy are implemented and met requires assigning and delimiting responsibilities, and therefore establishing certain functions responsible for the general aspects of information security management. To this end, Jumbonline has documented the roles and responsibilities regarding information security.
Likewise, Jumbonline has established an Information Security Committee, the highest body responsible for information security at Jumbonline. Its functions are to identify objectives and strategies related to information security, as well as to direct and control security-related processes, among other matters.
Risk management
All information assets within the scope of the ISMS are subject to a risk analysis with the aim of evaluating the threats and risks to which they are exposed.
The Information Security Officer will be responsible for conducting the risk analysis, as well as identifying deficiencies and weaknesses and bringing them to the attention of the Information Security Committee.
The Information Security Committee will promote the availability of resources to meet the security needs of the different systems, driving investments that cut across the organization.
Continuous improvement
Information security management is a process that is subject to constant updating. Changes in the organization, in threats, in technologies, and in legislation are examples of why systems need continuous improvement. For this reason, it is necessary to implement a permanent process that will involve, among other actions:
a) Review of the Information Security Policy.
b) Review of processes, services, and information and their categorization.
c) Execution of the risk analysis on an annual basis.
d) Conducting internal or, where appropriate, external audits.
e) Review of security measures.
f) Review and updating of rules and procedures.
Internal audit
The internal audit of the ISMS at Jumbonline will aim to verify:
Whether the requirements of the international standard, as well as the legislation and other regulations applicable to the ISMS, are met.
Whether the identified security objectives are met.
Whether controls have been effectively implemented and maintained.
Whether the expected results are being achieved.
Statement of authority on the Policy
The Information Security Committee has the authority to verify compliance with this Security and Privacy Policy, the responsibility to enforce the general guidelines and corresponding actions contained herein, and the independence to propose the corrective and preventive actions necessary to comply with the objectives of the risk treatment plan and the continuous improvement of information security.
It is the responsibility of all persons and departments involved in the processes or services included in the scope to comply with this Security and Privacy Policy. To achieve this purpose, the involvement and participation of all Jumbonline employees is necessary.
The participation of suppliers and third parties may also be required in the application of security measures determined as minimum requirements.
The Security Committee is responsible for this Security and Privacy Policy, and must review this document at least annually to assess the validity of this text or the need to update it based on new risks that have arisen or new needs to ensure information security.
If misuse is detected that threatens the security of the company or breaches this Security Policy, the company may, in compliance with current data protection regulations, adopt appropriate corrective measures or disciplinary sanctions, and may proceed to record the content of the affected equipment, always respecting Article 18 of the Workers' Statute.