Information Security Policy

The reliability and security of network and information systems is of strategic importance for the Company (IS S.A.), so that it can achieve its short- and long-term objectives, ensure data confidentiality for customers receiving its services and, at the same time, contribute to the orderly functioning of economic and social activities at national level.

Acknowledging the importance of information and systems in carrying out its operational functions, the Company has made the attainment of a high level of Information Security a key priority and implements relevant Policies and Procedures with a view to:

• maintaining the confidentiality, integrity and availability of its information, systems and services in the face of intentional or unintentional threats;
• protecting the data of customers that have put their trust in the Company and are receiving its services;
• safeguarding its own interests, as well as the interests of those doing business with it;
• ensuring the proper and uninterrupted functioning of the network systems and information that support the provision of its core services;
• ensuring Business Continuity in the face of cyber-attacks;
• preventing cyber-security incidents that may damage or disrupt its systems, impede the conduct of economic activity, cause significant financial loss and undermine user trust;
• making sure that Information Security incidents and breaches that may jeopardize its business functions are dealt with immediately and effectively;
• ensuring full compliance with current legal and regulatory requirements relating to the security and continuity of its core services and the protection of the data it processes;
• making sure that the level of Information Security is improved at all times.

To that end, IS S.A.:

• has defined a governance scheme and organizational structures aimed at addressing Information Security issues;
• has drawn up a network system and information risk management strategy, carries out information security risk assessments at regular intervals, and implements appropriate, adequate and proportional technical and organizational measures to address those risks;
• has implemented a framework to evaluate and constantly enhance the effectiveness of the Information Security Procedures through periodic measurement and review of specific performance indicators against defined objectives;
• makes sure that all employees and other third parties involved are kept up-to-date on, and aware of, matters relating to Information Security and to the continuity of its core services;
• has adopted a system for classifying information on the basis of how critical and valuable each piece of information is;
• has defined the actions necessary to protect information, in accordance with the relevant classification level, when processing, storing, transferring and destroying information;
• has implemented technical measures to control access to information and systems, archive data, prevent viruses and external intrusions, prevent and address unexpected incidents, and attain a high level of availability of its core services and critical infrastructure;
• has identified methods for the early detection of Information Security incidents and occurrences, and implements measures to mitigate their impact;
• has described how to ensure safe continuation and restoration of its operational functions at an acceptable and predetermined level in cases of system failures, disasters or crises.

The Information Security Officer (ISO) supervises and coordinates the implementation of Information Security Policies and Procedures through the use of internationally recognized standards and practices, and acts as a point of contact with the competent bodies. He/she is responsible for taking initiatives as appropriate to eliminate all those factors that may jeopardize the confidentiality, integrity and availability of Company information and systems.

All employees and partners with access to Company information, systems and infrastructure are aware of, and have accepted, the obligations to comply with the Company’s Information Security Rules.

IS S.A. Management and staff are committed to uninterruptedly monitoring and complying with the regulatory and legislative framework and to continuously implementing and streamlining the Information Security Policies, Procedures and Measures.