UNIQFINANCIAL S.A.
Information Security Policy
- Purpose
The purpose of this Information Security Policy is to protect the confidentiality, integrity, and availability of information assets managed by UNIQFINANCIAL S.A. This policy establishes guidelines for safeguarding the company’s information resources against unauthorized access, disclosure, alteration, and destruction.
- Scope
This policy applies to all employees, contractors, consultants, temporary staff, and other workers at UNIQFINANCIAL S.A., including all personnel affiliated with third parties. It covers all information assets owned, leased, or managed by UNIQFINANCIAL S.A., including but not limited to data, systems, networks, and physical devices.
- Information Security Objectives
UNIQFINANCIAL S.A. is committed to the following objectives:
- Confidentiality: Ensuring that sensitive information is accessible only to those authorized to have access.
- Integrity: Protecting the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorized users have access to information and associated assets when required.
- Information Classification
Information at UNIQFINANCIAL S.A. is classified into the following categories:
- Public: Information that may be disclosed to the public without any restrictions.
- Internal: Information intended for use within UNIQFINANCIAL S.A. that is not intended for public disclosure.
- Confidential: Sensitive information that, if disclosed, could have adverse consequences for UNIQFINANCIAL S.A. or its clients. Access is restricted to authorized personnel.
- Highly Confidential: Critical information that requires the highest level of protection due to its sensitivity or regulatory requirements. Access is tightly controlled and monitored.
- Roles and Responsibilities
- Information Security Officer (ISO): The ISO is responsible for overseeing the implementation of this policy, conducting regular security assessments, and ensuring compliance with relevant laws and regulations.
- Employees and Contractors: All personnel are responsible for adhering to this policy and reporting any security incidents or potential risks to the ISO.
- IT Department: Responsible for implementing technical controls to protect information assets, such as firewalls, encryption, and access controls.
- Access Control
- User Access Management: Access to information systems and data is granted on a need-to-know basis, with the principle of least privilege applied. Access rights must be reviewed periodically.
- Authentication: Strong passwords, multi-factor authentication, and secure login procedures must be used to prevent unauthorized access.
- Physical Security: Physical access to sensitive areas and information systems must be restricted to authorized personnel only.
- Data Protection
- Data Encryption: Confidential and highly confidential data must be encrypted both in transit and at rest using industry-standard encryption protocols.
- Data Backup: Regular backups of critical data must be performed, stored securely, and tested periodically for data integrity and recoverability.
- Data Retention: Information must be retained only for as long as necessary to fulfill business or legal requirements. Secure disposal methods must be used to permanently delete sensitive information when no longer needed.
- Incident Management
- Incident Reporting: All employees and contractors must report any information security incidents or suspected breaches immediately to the ISO.
- Incident Response: The ISO, in collaboration with the IT department, will lead the incident response process, including containment, eradication, and recovery efforts. All incidents must be documented and reviewed to improve future responses.
- Training and Awareness
- Security Awareness Training: All employees and contractors must receive regular training on information security best practices, including recognizing phishing attacks, securing mobile devices, and handling sensitive data.
- Policy Acknowledgment: All personnel must acknowledge receipt and understanding of this policy and agree to comply with it.
- Compliance
UNIQFINANCIAL S.A. is committed to complying with all applicable laws, regulations, and contractual obligations related to information security, including but not limited to data protection regulations (e.g., GDPR), financial regulations, and industry standards.
- Monitoring and Review
- Monitoring: Continuous monitoring of information systems and network activities must be conducted to detect unauthorized access or suspicious activities.
- Policy Review: This policy will be reviewed at least annually, or more frequently if required, to ensure its relevance and effectiveness. Updates will be made as necessary to address new risks, regulatory changes, or technological advancements.
- Violations and Disciplinary Actions
Any violation of this policy may result in disciplinary action, up to and including termination of employment or contract. Legal actions may also be pursued where applicable.