
Approval of the Information Security Policy of the General Secretariat of the Presidency

The General Secretariat of the Presidency approved its Information Security Policy.

October 26, 2022

Through Resolution No. 549/2022, the General Secretariat of the Presidency, complying with Administrative Decision No. 641/2021, approved its Information Security Policy, which will be mandatory within the Secretariat.

The policy includes 14 guidelines with different measures, among others:

  • Security Policy and information security regulations, promoting the drafting of the Policy for the Acceptable Use of Information Technology Resources.
  • Organizational policy, appointing the Head of the Information Security Directorate as Information Security Officer.
  • Human Resources Policy, stating the possibility of sanctioning those breaching the security policies, regulations, and procedures in force.
  • Asset management policy, implementing an updated inventory of information, physical and human resources assets, under the responsibility of asset owners.
  • Access control policy, regulating the management of users and access permissions to the Secretariat’s information and technological resources, whereby only those with express permission will be allowed access.
  • Cryptography policy, establishing the use of cryptography to ensure the security of information and communications both inside and outside the Secretariat.
  • Physical and environmental policy, adopting measures for physical and environmental control of the Secretariat's facilities.
  • Operations security policy, establishing measures to control and ensure the security of operations, such as defining different environments in software development processes, protecting technological systems against all types of threats to their security, keeping back-up copies, and periodically assessing vulnerabilities, among others.
  • Communications management policy, restricting the use of the Internet and work e-mail to prevent misuse.
  • Systems acquisition, development, and maintenance policy, including security requirements for all computer system acquisitions and software development projects.
  • Supplier policy, monitoring supplier contracts to ensure they comply with the agreed security requirements.
  • Security Incident Management Policy, introducing responsibilities and procedures to manage security incidents, including the obligation to notify the National Cybersecurity Directorate of a security incident within 48 hours of noticing it.
  • Continuity management policy, developing contingency plans to ensure the continuity of the Secretariat's processes.
  • Compliance policy, promoting training on intellectual property, personal data protection, digital signature, electronic crimes, and all information regarding the internal security regulatory framework, as well as compliance reviews and audits of information systems, technological infrastructure, and existing processes.

Finally, the annual review of the policy will be carried out by the Directorate of Information Security within the General Directorate of Information Technology and Telecommunications in the Secretariat.