Data Protection Authority Approves Its Own Information Security Policy

The Policy seeks to protect the Authority's information resources against internal and external threats, and to ensure their confidentiality, integrity, availability, legality, and trustworthiness.

December 19, 2023
Within the framework of Administrative Decision 641/2021, the Data Protection Authority approved, through Resolution 211/23, its Information Security Policy, which seeks to strengthen the security of the information it receives, produces, and manages. It was drafted with the assistance of the Office of Information Technology and Innovation, taking into account the Minimum Information Security Requirements for Agencies of the Federal Public Sector (established in the above-mentioned administrative decision), and it applies to all of the Authority's internal areas.

The Policy sets the necessary guidelines and measures to ensure the Authority's data and resources are protected and to prevent and mitigate information security risks. It also includes detailed information on general aspects, organization, asset classification, human resources security, physical and environmental security, access management, and security incident management.

The Policy also describes how the responsibilities and functions of the different levels of the Authority's internal structure are established and creates an Information Security Control Committee in charge of monitoring, reviewing, disclosing, and promoting changes regarding information security. Further, it includes provisions on the implementation of confidentiality commitments, third-party access to information, and information exchange with external groups or third parties.

Like any other information security policy, it classifies information assets, defining them as “all elements that have or process information relevant to the agency, or whose loss or degradation could in some way affect the continuity of services, including software, physical assets, physical facilities, services, and intangible assets.” The heads of each area act as owners of the information related to their functions and are responsible for classifying information by its degree of sensitivity and criticality, considering confidentiality, integrity, criticality, and availability.

Regarding human resources, the Policy applies to all members of the Authority. The goal is to mitigate risks related to human mistakes, wrongdoing, inappropriate use of facilities and resources, and unauthorized handling of information.

The Policy also covers physical and environmental security and access management, creating a reference framework to protect physical access to the places where critical computer equipment and infrastructure are kept. It also seeks to avoid and reduce environmental risks and to manage the permissions and credentials used to access systems, databases, and information services. This commonly involves the systems and information security teams, as it requires complying with an access control policy, user registration procedures, and permissions management, among other measures.

The management of security incidents involves distributing roles and responsibilities and creating a specific section for reporting events and vulnerabilities and communicating anomalies. This section aims at regulating the actions to be taken upon detection. Incident management is the responsibility of the information security area, which must consider the types of potential incidents, the communication channels, the definition of contingency plans, and the recording of audit trails and evidence, among other matters.

The software development and IT security areas will oversee the control of the acquisition, development, and maintenance of systems. These areas must establish the security requirements prior to developing and/or implementing the systems, including the requirements for data input to and output from the system, together with the cryptographic techniques that ensure the confidentiality and integrity of the information. The Policy also has specific sections on managing operations and on ensuring the continuity of services in those processes where information systems fail.

Finally, the Policy dedicates an entire section to compliance with the regulations governing access to, availability of, and protection of the information stored and processed within the scope of the Authority. It establishes the obligation to comply with them, the periodic review of information security policies, and the determination of retention periods for stored information and the collection of evidence, among other matters.