Information Security Policy

Objective

The objective of this Policy is to establish the guidelines and necessary measures to ensure proper governance of Information Security.

Scope

All Information Systems owned by the organization and those of third parties through which UVE is responsible for their governance in matters of Information Security. The Information System includes, in addition to the information itself, all assets that support it (facilities, infrastructure, hardware, software, personnel, etc.)

UVE’s Mission

The main mission of UVE is the achievement of the expectations and requirements of interested parties (Clients, Shareholders, Users, etc.), including legal, contractual and/or internal requirements related to Information Security.

Guiding Principles

• Security by default: If there is no explicit authorization, the system opts for the most secure state, denying any access or functionality.
• Security by design: Consider Information Security in all life cycles of the Information System, starting from the design phase.
• Segregation of duties: Separate the execution of process tasks in two to avoid fraud. Generally applies to development and production; execution and supervision.
• Need to know: Only users who need to access information or perform an action should have access.
• Defense in depth: Implement multiple layers of security, one within another.

Objectives

• Comply with the Information Security requirements of interested parties, such as legislation, regulation, contracts, and other internal requirements.
• Protect information, applying the guiding principles and safeguarding its dimensions:
  • Confidentiality: No disclosure to unauthorized individuals and/or entities.
  • Integrity: No unauthorized modification.
  • Availability: Access to information as expected.
• Continuously improve the ISMS.

Measures

UVE is committed to achieving the objectives, and for that purpose establishes and implements the necessary technical and organizational measures. Among these measures are, but are not limited to:

• Defining and assigning roles, responsibilities, and training in Information Security for each user of the Information System, especially for personnel responsible for implementing and maintaining the ISMS and the measures defined by it.
• Training staff in Information Security through the necessary awareness and education.
• Managing (identifying, assessing, analyzing, evaluating, reporting, approving, and treating) Information Security risks.
• Managing (defining, identifying, recording, reporting, analyzing, resolving, and applying the lessons learned) Information Security events and incidents.
• Managing nonconformities, breaches, exceptions to internal regulations and requirements, and expectations of interested parties.
• Monitoring the Information System and auditing the ISMS to detect risks, incidents, threats, nonconformities, breaches, and opportunities for improvement.
• Ensuring that UVE employees are informed and comply with the security and acceptable use policies of UVE Group clients.
• Ensuring compliance with the objectives within the supply chain or among suppliers.
• Establishing physical and logical protection measures when required.
• Periodically reviewing the documentary framework to verify alignment with requirements.

Review

Periodically, and when there are relevant changes, UVE Management will review this Policy to ensure it is aligned with:

• The business strategy, mission, vision, and values.
• The current context (external and internal factors, expectations and requirements of interested parties, risks, and threats).
• The requirements and expectations of interested parties.