Information security policy
This policy defines the strategic principles and objectives for information security at Deix. Its purpose is to protect corporate information assets to ensure business continuity, minimize risks, and maximize growth opportunities. It applies to all information, information systems, personnel, and third parties operating on behalf of the company, with a particular focus on software design and development activities and solutions for decision problems.
- ISO 27001:2022: Requirements for information security management systems.
- ISO 27002:2022: Guidelines for information security controls.
- Regulation (EU) 2016/679 (GDPR): Protection of natural persons with regard to the processing of personal data.
- Information Security: The preservation of Confidentiality, Integrity, and Availability of information.
- Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Integrity: The property of safeguarding the accuracy and completeness of information and processing methods.
- Availability: The property of being accessible and usable upon demand by an authorized entity.
- CEO/Top Management: Approves the information security policy, ensures the availability of necessary resources for its implementation, and oversees the effectiveness of the management system, ensuring compliance with regulations and proper risk management.
- Integrated Management System Manager (IMSM): Ensures the implementation, communication, and review of this policy. Oversees adherence to the ISO 27001 standard, coordinates the information security risk assessment, and ensures the maintenance of compliance with legal and contractual requirements.
- Employees / Collaborators / Third parties:
  - Understand and apply this policy and the principles and guidelines contained herein.
  - Immediately report any anomaly or violation of this policy.
Deix is committed to protecting its information assets to ensure business continuity, minimize risks, and maximize growth opportunities. The strategic information security objectives are aligned with the organization's context and business direction, with particular reference to the design and development of software and solutions for decision problems. The primary objectives of the Integrated Management System (IMS) are to ensure:
- Confidentiality: ensuring that information, including intellectual property, customer data, and personal data, is accessible only to authorized personnel. Protecting confidential data from unauthorized access is a fundamental objective.
- Integrity: safeguarding the accuracy and completeness of information and processing methods, protecting them from unauthorized or accidental modification.
- Availability: ensuring that information and associated resources are accessible and usable by authorized personnel when needed, to ensure operational continuity and the provision of services to customers.
Top Management approves and supports these objectives, ensuring the availability of necessary resources for their achievement. The definition, planning, and monitoring of specific and measurable objectives are managed in accordance with the "PRO Objectives and Planning for their Achievement" procedure.
All Deix personnel and third parties operating on behalf of the company are required to comply with the following fundamental principles for the protection of information assets.
- Policy Management and Review: This policy is the reference document for information security at Deix. Top Management is responsible for approving it. The Integrated Management System Manager (IMSM) must ensure that it is communicated to all personnel and relevant interested parties, and that it is reviewed at planned intervals or following significant changes.
- Shared Responsibility: Information security is the responsibility of all personnel. Every individual is required to protect the information they access in the performance of their duties. Specific roles and responsibilities are defined in the "POL Policy on Information Security Roles and Responsibilities" and integrated into the company job descriptions.
- Risk-Based Approach: Information security decisions and the implementation of controls are based on a continuous risk assessment process, aimed at identifying, analyzing, and treating threats to information assets.
- Compliance: Deix is committed to complying with all applicable legal, regulatory, and contractual requirements regarding information security and data protection. The Integrated Management System Manager (IMSM) oversees the maintenance of compliance.
- Acceptable Use of Resources: Corporate information and resources, including systems, software, and networks, must be used exclusively for authorized work purposes.
- Reporting Security Events: All personnel have the obligation to promptly report any observed or suspected information security event, as well as any potential vulnerability. The channels and methods for reporting are established in the "PRO Information Security Incident Management Procedure".
- Clear Desk and Clear Screen Principle: Personnel must adopt the "clear desk" and "clear screen" principle to reduce the risk of unauthorized access, loss, or damage to information during and outside working hours. This includes the secure storage of paper documents and removable storage media and the activation of automatic screen lock on unattended computing devices.
- Security of Off-Site Assets: The protection of information assets must also be ensured when they are used outside company premises, such as in the case of remote work. The same security policies and procedures apply to all assets, regardless of their location, as specified in the "POL Operational Security Policy".
This document is managed in a controlled format within the corporate document management system. It is reviewed at least annually and whenever significant organizational, technological, or regulatory changes occur that impact its content. Revisions are carried out by the Integrated Management System Manager (IMSM) and approved by Top Management.
- Code of Conduct
- POL Policy on Information Security Roles and Responsibilities
- POL Management System Policy
- POL Information Classification and Labeling Policy
- POL Operational Security Policy