Information Security Policies

Introduction

Information is a valuable asset for Axiacore, enabling effective decision-making and operations. Axiacore is committed to ensuring:

  • Availability of information
  • Security of information
  • Integrity of information
  • Confidentiality of information
  • Authentication of information

By implementing these policies, Axiacore demonstrates its commitment to managing and using information responsibly.

Objectives

  • Inform end-users of the guidelines they must follow for the proper use of information.
  • Define the policies and guidelines that the company must follow regarding:

    • Information backup
    • Security
    • Business continuity
    • Use of information

Scope

Axiacore's information security policies apply globally across all operations and are mandatory for every team member, regardless of contractual status or job responsibilities.

Document review and update

This document will be reviewed annually by the technology direction, following the change control process.

User responsibility policy

Guidelines for responsible, secure, and efficient use of technological resources:

  • Ethical and Legal Use: Users commit to using the organization's technological resources ethically and legally, respecting intellectual property rights and avoiding any illegal or harmful activities.
  • Access Credential Security: Each user is responsible for maintaining the security of their access credentials by not sharing passwords and promptly reporting any suspicious activity to the technology direction.
  • Security Awareness and Training: Users will participate in cybersecurity awareness and training programs provided by the organization, improving their understanding of threats and secure practices.
  • Incident and Problem Reporting: Users must report any problems, malfunctions, or security incidents they detect, enabling a rapid and effective response from the technology direction.
  • Data Backup and Recovery: Users are responsible for regularly backing up their critical data and collaborating with established procedures to ensure efficient recovery in case of information loss.
  • Support Collaboration: Users will cooperate with the technical support team, providing accurate and detailed information about problems or assistance requests to facilitate prompt resolution.

User administration policy

Guidelines for managing user accounts, including creation, modification, deactivation, and removal:

User creation

The technology direction is responsible for developing and maintaining standardized procedures for user creation, defining roles, privileges, and security requirements.

  • All user creation requests require prior authorization and identity validation to ensure changes are made only by authorized personnel.
  • Identity verification measures will be implemented to ensure the legitimacy of users during the account creation process, minimizing impersonation risks.
  • New user creation must follow the onboarding procedure.
  • Username structure will follow the 'first_name.last_name' convention, with the option to change in case of homonymy.
  • Password security policies will include complexity requirements, expiration periods, and measures to prevent weak passwords.
  • Initial passwords must be assigned, and users will be required to change them upon first successful login.
  • Users must configure multi-factor authentication (MFA) when logging in for the first time.
  • Users are responsible for maintaining the confidentiality of their credentials.
  • Access to applications (email, GitHub, Sentry, Linear, Slack, etc.) will be granted based on the user's role.
  • Personnel responsible for user creations will receive regular training on policies and procedures to ensure proper understanding and application.

User modification

The technology direction has defined a procedure to ensure secure and efficient modifications to user profiles, maintaining information integrity, consistent access management, and compliance with security standards.

  • All user modifications require prior authorization and identity validation to ensure changes are made only by authorized personnel.
  • For modifications to existing users, the same procedure must be followed, indicating the relevant changes.
  • Personnel responsible for user modifications will receive regular training on policies and procedures to ensure proper understanding and application.

User deactivation

Clear and secure procedures are established for user deactivation when an account is compromised, ensuring information security and compliance with standards.

  • Criteria are defined to determine when a user will be considered inactive, which may include inactivity periods, changes in employment status, and disciplinary actions.
  • All user deactivations require prior authorization and identity validation to ensure actions are taken only by authorized personnel.
  • Relevant departments will be promptly and clearly notified of user deactivations.

User removal

Secure and efficient procedures are established and maintained for the removal of user accounts, with the purpose of preserving information.

The criterion for user removal is when the employment relationship concludes:

  • All user removals require prior authorization and identity validation to ensure actions are taken only by authorized personnel.
  • Relevant departments will be promptly and clearly notified of user removals.
  • Secure removal of the user's access and privileges will be guaranteed to prevent potential security breaches.
  • The corresponding department must return the user's assigned technology tools to the technology direction.
  • Backup of the user's Google Workspace data (Drive, email) may be required before removal.

User permissions

Guidelines for assigning and managing permissions:

Principle of Least Privilege

  • Before assigning permissions, the specific needs of each user will be validated, ensuring that the granted access is relevant to their functions and responsibilities.
  • The assignment of permissions will follow the principle of least privilege, ensuring that users only have access to the resources and data necessary to perform their responsibilities.
  • All user creation requests require prior authorization and identity validation to ensure changes are made only by authorized personnel.

Periodic Review and Adjustment

  • The technology direction will regularly review user permissions to identify and address any excessive, unnecessary, or outdated access rights.
  • When a user's role or responsibilities change, their permissions will be promptly reviewed and adjusted to align with the new requirements.
  • User access rights will be revoked or modified when an individual's employment is terminated or their relationship with the organization changes.

Application Access

This section establishes guidelines for managing user access to applications, with the goal of safeguarding the confidentiality, integrity, and availability of information. It is supported by compliance with regulations and security standards, creating an efficient and secure access environment in which users hold the minimum privileges necessary to carry out their responsibilities, mitigating security risks.

User Roles and Access

User:

  • This user does not have administrative responsibilities.
  • Accesses and utilizes shared resources and folders to which they have authorized access, facilitating collaboration and file sharing with other users.
  • Accesses and uses Google Workspace applications online, such as Docs, Sheets, Slides, and Gmail, for creating, editing, and collaborating on documents, spreadsheets, presentations, and email.
  • Uses Google Drive to store and share files securely, enabling secure access to documents from any location and facilitating collaboration with other corporate domain users.
  • Uses Gmail to manage email, calendars, and contacts, as well as Slack for team communication and collaboration, participating in virtual meetings and chats.

Developer:

  • Inherits the permissions of a standard user.
  • Utilizes GitHub for managing the repositories to which they have access.

Designer:

  • Inherits the permissions of a standard user.
  • Uses Figma for design project management.

Administrator:

  • Inherits the permissions of a standard user.
  • Has additional administrative responsibilities.

Backup Policy

Establish a framework for planning, implementing, and managing backup procedures that ensure the integrity, availability, and efficient recovery of the organization's critical data.

  • Design, implement, and maintain a centralized and efficient backup system.
  • Regularly schedule and supervise backups.
  • Conduct periodic restoration tests to ensure the effectiveness of the backup system.
  • All servers, databases, and important systems will have scheduled backups according to defined frequency and retention.
  • Use a combination of full and incremental backups based on the needs of each system and storage efficiency.
  • Backup data will be stored in a secure system off the main site.
  • Establish a retention policy to manage long-term storage and comply with requirements.
  • Control and limit access to backup data to ensure security.
  • Conduct periodic restoration tests to verify the integrity of the backups.
  • Perform regular audits to assess and improve the effectiveness of the backup policy.
  • Maintain detailed records of all activities related to backups, including dates, responsible parties, and results of restoration tests.
  • Establish clear consequences for non-compliance with backup policies, ranging from warnings to disciplinary actions depending on the severity.

Database and Server Backups

Establish processes and procedures for backing up data stored on the organization's servers to ensure the integrity, availability, and efficient recovery of information. The backup process is governed by the following guidelines:

Type of Backup

Full Backup: A full backup is a complete copy of all selected data from a server at a specific time. According to the internal classification of the servers, the full backup structure is as follows:

  • Server: Conducted on Mondays from 7 to 9 am.
  • Application: Conducted daily at 8 am.

Frequency

Daily and weekly backups are scheduled.

Retention

Retention defines the duration for which backups are kept before being deleted or overwritten. Backup retention is crucial to ensure the availability of historical data and to comply with legal or regulatory requirements. According to the internal classification of the servers, the retention structure is as follows:

  • Server: Retained for 30 days.
  • Application: Retained for 30 days.

Records

  • Maintain a detailed record of all activities related to backups, including dates, responsible parties, and backup status.
  • Conduct periodic audits to assess and improve the effectiveness of the backup policy.
  • Keep detailed records of all backup operations, including dates, types of data backed up, and results of recovery tests.

Restore Policy

Establish guidelines and procedures for the safe and efficient execution of data restoration processes in case of loss, damage, or disaster, ensuring the rapid recovery and availability of critical information.

Server and Database Restores

Establish processes and procedures for restoring backups of data stored on the organization's servers to ensure the integrity, availability, and efficient recovery of information. The restore process is governed by the following guidelines:

  • Server restoration can only be performed by personnel authorized by the technology direction or those expressly designated in emergency situations.
  • Data restoration will require explicit authorization from the technology direction.
  • Specific procedures are established for the rapid restoration of critical data, minimizing downtime in emergency situations.
  • Periodic recovery tests are conducted to ensure the effectiveness of backup procedures and data integrity.
  • Detailed records of all backup operations must be kept, including dates, types of data backed up, and results of recovery tests.

Type of Restore

  • Full: This is performed when 100% of the server (operating system, applications, information, configuration) needs to be restored.
  • Granular: This is performed when a specific file or files need to be restored without the need to restore 100% of the server.

Hardening Policy

The objective of this policy is to establish the standards and procedures for carrying out the hardening process of the organization's information systems; this is essential to mitigate security risks, protect data integrity and confidentiality, and ensure system availability.

This policy applies to all information and technology systems used by the organization, including servers, workstations, network devices, and any other device connected to the corporate network.

Policy and Procedure Development

The Technology direction is responsible for developing and maintaining clear and up-to-date policies and procedures for the hardening process of systems; these policies and procedures must follow industry best practices and comply with relevant security standards.

  • Provide adequate guidance and resources to carry out the hardening process effectively.
  • Conduct an initial vulnerability analysis to identify possible weak points in the systems.

Hardening Implementation

The Technology direction must ensure the effective implementation of the hardening process on all systems under its responsibility. This includes configuring security parameters, updating patches, removing unnecessary services, and other measures to reduce the attack surface.

System administrators are responsible for implementing hardening according to the standards established by the Technology direction.

External Advisors

  • Collaborate with system administrators to identify potential vulnerabilities and threats that may affect security.
  • Provide specialized advice on best hardening practices and support in assessing security risks.

Monitoring

Continuous monitoring of the systems must be carried out to detect possible security breaches and ensure that hardening measures remain effective.

Additional security controls should be implemented as necessary to address new threats or vulnerabilities.

Evaluation and Audit

The Technology direction must conduct regular evaluations of the systems to ensure that established hardening standards are maintained.

Periodic audits must be performed to verify compliance with hardening policies and procedures.

Training and Awareness

The organization is responsible for providing training and awareness on the importance of system hardening to relevant personnel. This includes training technical staff on best security practices and raising awareness among non-technical staff about the risks associated with the lack of hardening.

Incident Management

The technology direction must actively participate in managing incidents related to system security, including those that could have been prevented through an adequate hardening process. Corrective and preventive measures must be taken to mitigate future risks.

Change Control and Maintenance Window Policy

The technology direction will ensure effective management of change controls by considering all aspects that will affect the service to minimize risks, interruptions, and rollbacks.

Planning

  • A detailed plan will be developed for the implementation of the change, including effective communication to affected teams and stakeholders.
  • Plan and coordinate change controls and maintenance windows in advance, considering their impact on systems and services.
  • Strategically plan maintenance windows, considering operational needs and business requirements.
  • Prioritize change controls based on their criticality and minimize the simultaneous implementation of changes that may affect system stability.
  • Conduct risk assessments before implementing the change and/or executing the window.
  • Users will be notified via email five days before, one day before, and on the day the activity is executed.
  • Clearly communicate the dates and details of change controls and maintenance windows to all stakeholders.

Types of Changes

  • Normal
  • Emergency

Execution

  • Conduct tests before implementing changes.
  • Backups of information and/or configuration must be performed before any activity.
  • Create a maintenance window on status.axiacore.com.
  • Supervise and/or execute change control activities during maintenance windows, following best practices and established procedures.
  • Validate the correct execution.

Completion

  • After each change implementation, a post-implementation review will be conducted to assess success, identify improvement opportunities, and adjust processes as necessary.
  • Once the window is completed, report its success or failure to leaders and involved personnel.
  • Remove the maintenance window on status.axiacore.com.

Update Policy

The technology direction will ensure the timely and secure implementation of software and system updates to maintain the integrity, security, and efficiency of the organization's technological infrastructure.

Evaluation

  • Regularly evaluate the availability of updates for operating systems, applications, and hardware used in the organization.

Planning and Scheduling

  • Plan the implementation of updates during times of low impact on operations.
  • Develop an update schedule that minimizes disruption to normal operations and ensures efficient implementation during periods of low activity.
  • Prioritize updates based on their criticality and urgency, focusing first on addressing critical security vulnerabilities.
  • Plan updates within a maximum of 30 days.

Implementation

  • Conduct tests before implementing updates to ensure system compatibility and stability.
  • Proactively plan and coordinate the implementation of updates, considering potential impacts on operations and security.

Completion

  • Validate the correct execution of updates during and after their implementation.

Business Continuity Policy

Establish guidelines and procedures to ensure the continuity of the organization's essential operations in crisis or disaster situations, minimizing the impact on services and protecting critical assets.

Leadership

  • The Technology Department will take strategic leadership in planning and executing initiatives to ensure business continuity concerning servers, technological services, and communications.
  • Actively participate in identifying and evaluating technological risks that may affect operational continuity.
  • Develop and implement specific business continuity plans for critical functions and technological systems.
  • Collaborate with other departments to integrate technological continuity strategies into the overall business continuity plan.

Prioritization of Critical Operations

  • Identify and prioritize critical operations that must remain functional during interruption situations.

Risk Assessment

  • The Technology Department will conduct regular assessments of technological risks and vulnerabilities that may affect business continuity.
  • Identify and document potential threats that could impact the technological infrastructure and critical systems.
  • Perform an impact assessment for each identified critical operation. Evaluate the potential impact of its interruption in terms of security, reputation, compliance, and financial loss.

Development of Continuity Plans

  • Develop mitigation strategies to protect the integrity and availability of critical systems.
  • Draft, implement, and update business continuity plans that address critical technological aspects.
  • Design redundant strategies that maximize the availability of technological infrastructures and minimize the disruption of critical services.
  • Establish partnerships and agreements with technological service providers to support operational continuity.
  • Develop a crisis communication plan that includes procedures for informing staff, clients, and stakeholders about the operational status and actions taken to ensure business continuity.
  • Establish detailed protocols for the rapid recovery of key operations and critical processes.
  • Develop and maintain documented business continuity plans, specifying roles, responsibilities, necessary resources, and detailed recovery steps.
  • Collaborate with suppliers, partners, and other key parties to ensure the continuity of services and the supply chain.

Testing

  • Conduct tests and simulation exercises to evaluate the effectiveness of continuity plans, identify areas for improvement, and ensure staff preparedness.

Data Backup and Recovery

  • Establish robust procedures for the backup and recovery of critical data in case of loss or corruption.
  • Ensure off-site backups and conduct regular recovery tests to verify the effectiveness of the procedures.

Updates and Improvement

  • Regularly update business continuity plans in response to technological changes, risk assessments, and lessons learned.
  • Promote a culture of continuous improvement by reviewing and adjusting procedures based on lessons learned from previous events.

Post-Event Evaluations

  • Conduct evaluations after real events or drills to identify areas for improvement and optimization.
  • Implement corrective measures and adjust plans as necessary to strengthen technological resilience.

Training

  • Provide training to employees on the plans and procedures that constitute business continuity.
  • Foster awareness of the importance of business continuity at all levels of the organization.