Information security and privacy

The company defines an IT management methodology that guides how its various technology projects are managed and executed.

The main objective is to define the guidelines and directives that collaborators and third parties must follow in order to guarantee the availability, integrity and confidentiality of information.

Introduction to information security

The specific objectives are:

  • Minimize the risk of the company’s mission processes.
  • Comply with the principles of information security.
  • Maintain the trust of officials, contractors and third parties.
  • Implement the information security management system.
  • Protect information assets.
  • Establish the policies, procedures and instructions on information security and privacy.
  • Strengthen the culture of information security among employees, third parties and clients.
  • Guarantee business continuity in the event of incidents.

Aspects

Several aspects are evaluated to maintain control over the security and privacy of the different products:

  • Inventory of assets: the asset inventory is the first link in the chain of a security management system. An inventory of assets is defined as a list of all those resources (physical, software, documents, services, people, facilities, etc.) that have value for the organization and therefore need to be protected from potential risks.
  • Security Configuration – Determines how the security configuration of laptops, servers, and workstations is handled using a rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and configurations.
  • Vulnerability Assessment: Shows how the company continually acts on information to identify vulnerabilities, remediate problems, and minimize the window of opportunity for attackers.
  • Malware Protection – Describes how malicious software designed to attack systems, devices, or data, including viruses, Trojan horses, malware, worms, and other fast-moving and rapidly changing cyber threats, is controlled at a number of points such as end-user devices, email attachments, web pages, cloud services, user actions, and removable media.
  • Application Security: Shows how the security lifecycle of internally developed and purchased software is managed to prevent, detect, and correct security weaknesses.
  • Network Security – Explains how ALTO protects network access and isolates systems from untrusted networks.
  • Data Recovery – Tells how ALTO has established processes and leveraged tools to properly back up critical information and systems with a proven methodology for timely recovery.
  • Identity, Password, and Access Management – Explains how ALTO manages the lifecycle of system and end-user accounts to minimize opportunities for attackers to exploit them.
  • Audit Log – Reports how ALTO actively collects, manages, and analyzes audit logs of events that could help detect, understand, or recover from an attack.
  • Data Protection: Shows ALTO’s organizational approach to preventing data leakage and ensuring the privacy, confidentiality, and integrity of data that resides both inside and outside the organization, including at cloud providers that may store system data.
  • Penetration Test: Reports how ALTO performs network-based and/or application-based penetration tests to determine the overall strength/weakness of its defenses.
  • Facilities and physical security: Shows how ALTO implements physical security measures at all facilities to protect assets, including people, property, and application-related information.
  • Data deletion: shows how ALTO guarantees the deletion of data in case of customer request or in case of contract termination.
  • Boundary Defense – Determines how attacks against critical infrastructure networks are prevented by perimeter defense.
  • Incident response
  • Information Security Program
  • Skills and Training
  • Data Protection
  • Data transfer
  • Monitoring
  • Business continuity, DRP
  • Domain management

Documentation

Several documents are maintained to guarantee security across the different systems:

This information is in Spanish. If you require a translation, you must submit the request at the following link: https://soporte-ti.atlassian.net/servicedesk/customer/portal/14/group/83/create/868

  1. General Information Security Manual
  2. DRP – ALTO Group
  3. Business Continuity Plan – BCP
  4. Privacy Policy
  5. Retention and Destruction Procedure
  6. Information security policies
  7. Password policy
  8. Privacy Policy
  9. Control against malware
  10. ALTO Group Network Diagram
  11. Online SSL Certificate Checker
  12. Opinion Letter re Privacy Practices
  13. Data update flow

Questionnaires

Based on client needs, there is a basic questionnaire with frequently asked questions and answers about security. In addition, we keep a history of the questionnaires customized by client.

Security audits

Security audits are carried out periodically on the different products in order to detect and remediate possible vulnerabilities.

Availability audits

Audits are carried out periodically to detect and record outages of the different products.

This information is in Spanish. If you require a translation, you must submit the request at the following link: https://soporte-ti.atlassian.net/servicedesk/customer/portal/14/group/83/create/868

CLASSIFICATION: INTERNAL USE
Any printed or digital copy of the document is invalid. The user of the document must ensure that it is current before using it. This can be checked with the person responsible for the ISMS.