Yalutec's Management, through the Information Security Committee (CSI), establishes, promotes and disseminates the following Policy and objectives for information security management at all levels of Yalutec.
The information generated and managed by Yalutec constitutes a key strategic asset to ensure business continuity. In this context, the Information Security Policy is aimed at protecting: the information, the means that allow this cycle and the people who access the information and/or manipulate it. The above, in order to guarantee its integrity, availability and confidentiality.

Management's Statement of Intent
Yalutec will protect information resources and the technology used for their processing from internal or external threats, whether deliberate or accidental, in order to ensure the preservation of the integrity, availability and confidentiality of information. In addition, it will guarantee the continuity of information systems, minimize risks of damage and ensure the efficient fulfillment of its strategic objectives.

Information Security Principles

• Promote an organizational culture oriented towards information security.
• Involve the highest authorities of Yalutec in the dissemination, consolidation and compliance of the policy.
• Implement the committed security measures, identifying the available resources and budget items.
• Maintain policies, regulations and procedures up to date to ensure their validity and level of effectiveness.
• Promote practices that ensure the continuity of Yalutec's functions.
• Comply with legal and regulatory requirements, Yalutec's own requirements and continuous improvement. 

Objectives of Information Security Management

General Objectives
Achieve adequate levels of integrity, confidentiality and availability for all relevant information, in order to ensure operational continuity of the processes and services developed by Yalutec by safeguarding the information assets associated with critical business processes and their support.

Specific Objectives

• Identify, classify and assign owners of information assets: Achieve a 100% identification and assignment of owners for critical information assets on a quarterly basis.
• Control, prevent and/or mitigate information security risks: Reduce the number of critical vulnerabilities identified in the risk assessment in a 60% in the next 12 months.
• Establish within a period of 12 months the 100% the implementation of the policies, regulations and procedures of the SGSI through training in the areas.
• Define, execute and maintain a Dissemination, Awareness and Training Plan: Conduct at least 3 ISMS information sessions with 90% participation, share newsletters per month, conduct a course on Information Security at Yaluniversity with the participation of the company's 90%.
• Compliance with ISMS OKRs: Achieve 90% compliance with established information security OKRs for the team within 12 months, demonstrating effective focus on strategic objectives.

Scope of the Information Security Policy

General Scope

• Yalutec's Information Security Policy is issued in compliance with current legal provisions, with the aim of properly managing information security.
• This policy must be known and complied with by all Yalutec staff (managers, employees, contractors), for which it will be communicated within Yalutec. It will be available as documented information, including for interested parties (when appropriate).
• This Policy applies to the entire scope of Yalutec, to its resources and to all internal and external processes linked to the entity through contracts or agreements with third parties.
• According to the above, the information generated and managed by Yalutec constitutes a key strategic asset to ensure business continuity, so Information Security is a tool to guarantee its integrity, availability and confidentiality.

Definition of Information Assets

These are all assets relevant to the production, emission, storage, processing, communication, visualization and recovery of valuable information for Yalutec, in which three levels are distinguished:

• The Information itself, regardless of its format (paper, digital, text, image, audio, video, etc.)
• The Equipment/Systems/Infrastructure that support this information
• People who treat and/or use this information, and who have knowledge of the institutional processes.

Definition of Information Security
Yalutec understands Information Security as the set of preventive and reactive measures of Yalutec, through the systems that allow safeguarding and protecting its information assets, seeking to maintain confidentiality, availability and integrity of the same and ensure the continuity of operations. In other words, it refers to the protection of information assets, which are essential for the success of our organization.

General Framework of Yalutec Security Policies

General Aspects

• The Information Security Policy has been prepared in accordance with the legislation in force in the country.
• Senior Management undertakes to take all actions within its power to enable operational continuity in order to address interruptions in institutional activities and protect critical processes from the effects of major failures or disasters in information systems and ensure their timely resumption.

Approval of the Policy

• The information security policy will be approved by Senior Management, clearly reflecting its commitment, support and interest in developing an information security culture at Yalutec.

Dissemination of Policy

• It will be the responsibility of the OSI to disseminate relevant security issues.
• Information security policies will be communicated to all Yalutec personnel and to third parties that provide services to Yalutec and to relevant external entities.
• To disseminate the content of information security policies within Yalutec, the dissemination media available to Yalutec must be used, as well as awareness-raising and training sessions carried out for this purpose.
• To this end, the actions and initiatives contained in a Dissemination, Awareness and Training Plan on information security will be defined, implemented and evaluated.

Policy Review

• The Information Security Policy will be reviewed annually in order to keep it up to date. Any necessary modifications will also be made based on possible changes that may affect its definition, such as: technological changes; impact of security incidents; structural changes in Yalutec; changes in legal conditions and/or requirements; or at the request of Management.
• The modification of this document is the responsibility of the Information Security Committee and will be approved by the Management.