POLICY ON INFORMATION SECURITY AND PRIVACY


1. INFORMATION SECURITY

1.1. BACKGROUND

The evolution of technology and cyber threats has led to the creation and formalization of security policies to protect the confidentiality, integrity, and availability of information within organizations.

1.2. OBJECTIVES

To support its strategic direction, OpenAtlas S.A.S. aligns its information security policy with its information security objectives. These objectives are as follows:
▪ Minimize risk in the company’s mission-critical processes.
▪ Comply with information security principles.
▪ Maintain the trust of employees, contractors, and clients.
▪ Support technological innovation.
▪ Implement the information security management system (ISMS).
▪ Protect information assets.
▪ Establish policies, procedures, and guidelines regarding information security.
▪ Strengthen the information security culture among employees, third parties, trainees, interns, and clients of OpenAtlas S.A.S.
▪ Ensure business continuity in the event of security incidents.

1.3. SCOPE

This policy covers all information assets of OpenAtlas S.A.S., including data, systems, networks, devices, and any other resource that handles sensitive information. It applies to all employees, contractors, suppliers, and any other stakeholders with access to the organization’s information.

1.4. RESPONSIBILITIES

In the information security policy, responsibilities are clearly defined to ensure effective management.
● Leadership, support, promotion, and resource allocation are the responsibility of Top Management.
● Monitoring compliance, implementation, and maintenance of this policy is the responsibility of the Information Security Leader.
● Compliance with this policy is the responsibility of all personnel, including employees and contractors.

1.5. CHECKLIST

Below is a series of controls used to review compliance with this information security policy. Each control is assigned a complexity level, a scope, and a status to be recorded during the review.

Controls are classified into two complexity levels:
● Basic (B): the effort and resources required for implementation are manageable. These controls can be applied using features already integrated into common applications and basic security tools.
● Advanced (A): the effort and resources required for implementation are considerable. Programs with complex configurations are needed, and recovery mechanisms may be required.

Controls may have one of the following scopes:
● Processes (PRO): applies to management or administrative staff.
● Technology (TEC): applies to specialized technical staff.
● People (PER): applies to all personnel.

Level | Scope | Control | Status
B | PRO | Management Commitment – Top management must demonstrate its commitment to information security by ensuring the necessary resources are available and security objectives are met. |
B | PRO | Asset Management – Identification and classification of information assets, ensuring appropriate protection. |
B | PRO | Access Control – Definition of policies for information access, ensuring access only for authorized individuals. |
B | PRO | Information Protection – Implementation of measures to protect information against human-related risks. |
B | PRO | Security Incident Management – Establishment of procedures for identifying, reporting, and handling security incidents. |
B | PRO | Legal and Contractual Compliance – Ensuring the organization complies with applicable laws, regulations, and contractual requirements. |
B | PRO | Physical and Technological Resource Security – Protection of processing facilities and data networks that support critical processes. |
B | PRO | Business Continuity – Ensure continuity of critical business processes during security events. |
B | PRO | Training and Awareness – Ensure security training and awareness for employees, contractors, and third parties. |
B | PRO | Passwords – Establish, disseminate, and verify best practices for password usage. |
B | PRO | Policy Review and Creation – Policies must be reviewed and updated at least once a year to maintain effectiveness and relevance. |

1.6. KEY POINTS

Key points of this policy include:

1.6.1. Management Commitment
● Top management must demonstrate its commitment to information security by ensuring that necessary resources are allocated and security objectives are achieved.
● Evidence of resource allocation should be provided through the approved budget and the master ISMS plan.

1.6.2. Asset Management
● Identify and classify information assets to ensure appropriate protection.
● A detailed inventory of the company’s information assets should be maintained, clearly indicating the owner of each asset and the party responsible for its associated risk.

1.6.3. Access Control
● Define access policies to ensure that only authorized individuals can access sensitive data.
● Each asset owner must approve and assign access privileges to each person individually, and the approval must be documented.

1.6.4. Information Protection
● Implement measures to protect information from human-induced risks.
● Raise security awareness among all stakeholders, as people represent a critical point in security.

1.6.5. Security Incident Management
● Establish procedures for identifying, reporting, and handling security incidents.

1.6.6. Legal and Contractual Compliance
● Ensure that the organization meets all applicable laws, regulations, and contractual requirements.

1.6.7. Physical and Technological Resource Security
● Protect processing facilities, technological infrastructure, and data networks that support critical processes.

1.6.8. Business Continuity
● Ensure the availability of critical business processes and operational continuity, with recovery priorities based on the potential impact of security events.

1.6.9. Training and Awareness
● Ensure that all employees, contractors, and third parties understand the importance of information security and are trained to protect the organization’s information assets.

1.6.10. Passwords
● Establish, promote, and verify compliance with best practices for password usage, and, where adopted, for secure access under a zero trust architecture (ZTA).

1.6.11. Policy Review and Creation
● Policies should be reviewed, updated, and created according to the company’s needs. Each policy must be updated at least annually to ensure its effectiveness and alignment with changes in the organization’s environment.