Information Security Manual

This manual presents the information security policies and procedures of a credit union. It describes objectives such as protecting the organization's information and ensuring the availability and confidentiality of systems and data. It includes policies on risk management, classification and storage of information, logical and physical access control, software licensing, backups, monitoring and incident management.

INFORMATION SECURITY MANUAL

ASSOCIATION OF SAVINGS AND CREDITS

INFORMATION TECHNOLOGY SECURITY MANUAL
Code: MAN-SGSI-V01
Version 1
Approval date:
Macroprocess: Information Technology Management
Process type: Support
Responsible:

QUALITY MANAGEMENT
CHANGE CONTROL

Change control record (columns): Date | Change detail | Responsible official | Responsible area

Cooperative Reserved Use


Page 2 of 38

Content

1. Introduction ........ 6
2. Scope ........ 7
3. Goals ........ 7
3.1. General objective ........ 7
3.2. Specific objectives ........ 8
4. Definitions ........ 8
5. Regulatory Context ........ 10
6. Risk Management Policies ........ 11
6.1. Information Security Policy ........ 11
6.2. Risk Management Policy ........ 12
6.3. Security Policy in Contracts and Agreements with Third Parties ........ 13
6.4. Information Classification ........ 13
6.4.1. Inventoried Information ........ 14
6.4.2. Destruction of Information ........ 14
6.4.3. Configuration of computer equipment ........ 14
6.5. Physical Security Policy in Facilities ........ 15
6.5.1. Access control ........ 15
6.5.2. Planned Maintenance ........ 16
6.5.3. Computer equipment ........ 16
6.6. Access Control Policy ........ 16
6.6.1. User Creation ........ 17
6.6.2. Disabling Users ........ 17
6.6.3. Logical Access Controls ........ 17
6.6.4. User Registration ........ 18
6.6.5. Profile Management ........ 18
6.6.6. Unattended Equipment ........ 18
6.6.7. Use of Email ........ 18
6.6.8. Monitoring and Audit ........ 18
6.6.9. Password Administration and Use ........ 19
6.6.10. Policies for Good Use of User Passwords ........ 19
6.7. Institutional Software Licensing Policy ........ 20
6.8. Security Policy in Operations ........ 21
6.8.1. Operating procedures ........ 21
6.8.2. Change Control in Operations ........ 21
6.8.3. Separation of Development, Testing and Production Resources ........ 22
6.8.4. System Planning and Acceptance ........ 22
6.8.5. Protection Against Malicious Software ........ 23
6.8.6. Information Backups ........ 23
6.8.7. Server Management ........ 24
6.8.8. Network Security Management ........ 25
6.8.9. Remote access ........ 27
6.8.10. Wi-Fi networks ........ 27
6.8.11. Monitoring ........ 27
6.9. Incident Management Policy ........ 27
6.10. Physical Security Policies ........ 28
6.11. Media Handling and Security ........ 30
a. Removable Media ........ 30
b. Written and voice communications ........ 30
c. Destruction of information ........ 30
6.12. Information and Software Exchange ........ 30
- Business Use of Email ........ 30
- Transmission by email ........ 31
6.13. Monitoring of Communications ........ 31
6.14. Internet ........ 31
6.15. File Transfer ........ 31
6.16. Systems Operations ........ 31
6.17. Software Development and ........ 32
6.18. Network Connectivity ........ 32
6.19. Incident response ........ 32
7. Structure, Roles and Responsibilities for Information Security ........ 32
7.1. Structure ........ 32
7.2. Management Responsibilities ........ 33
7.2.1. Senior Management ........ 33
7.2.2. Information Security Committee ........ 33
7.2.3. Information Security Manager ........ 34
7.2.4. Internal audit ........ 34
7.2.5. Cooperative Staff ........ 34
7.3. Security in the use of electronic transfers ........ 35
7.4. Service level agreements (SLAs) ........ 36
8. General provisions ........ 36


THE BOARD OF DIRECTORS OF THE SAVINGS AND CREDIT COOPERATIVE xxxx

CONSIDERING

That the Organic Law of the Popular and Solidarity Economy and the Popular and Solidarity
Financial Sector, in its Art. 38 on the Board of Directors, states: "It is the governing and
policy-setting body of the Cooperative...";

That, to give effect to the provisions of the Organic Law of the Popular and Solidarity Economy
and the Popular and Solidarity Financial Sector and its respective Regulations, it is necessary
to issue control standards in accordance with the operational needs and organizational
structure, for the proper development of the Cooperative;

That it is necessary to regulate the INFORMATION SECURITY MANUAL, in a transparent and
effective manner for the benefit of the members of the entity, under the current regulations,
structure and operation of the Cooperative;

RESOLVES:

TO ISSUE THE INFORMATION SECURITY MANUAL

1. Introduction

Information has become a substantial asset of organizations, since when it is complete,
accurate and up to date, it is essential to their decision making. The importance of information
is based on the theory of organization, which defines an organization as a system made up of
people, material resources and information.

However, as these systems consult, store and generate information, they put its integrity at
risk, and these risks come not only from outside but also from inside the Cooperative. The
constant threats to any organization's information can cause considerable losses that must be
prevented and mitigated. Consequently, information security is not just a matter of having
usernames and passwords; it requires regulations and a range of privacy and data protection
policies that impose obligations on the organization.

For all of the Cooperative's business units, information is an essential asset. It is crucial that
all sensitive information is kept confidential, accurate and available in a manner appropriate
to meet business needs. It will be the responsibility of each individual to adequately protect
the information they handle during the performance of their activities.


The Information Security Management System (ISMS) consists essentially of a set of policies to
define, build, develop and maintain the security of equipment, based on hardware, software
resources and document management. An ISMS built to the requirements of the ISO 27001
standard and its derivations constitutes the basis for information security management; this
standard defines an ISMS that guarantees knowledge, ownership, management and reduction of
the organization's information security risks in a documented, systematic, structured,
repeatable and efficient way, adapted to changes in risks, environment and technologies.

Each employee of the Cooperative will, consequently, be aware of the responsibility of
securing the information under their charge and will act to preserve it.

This Policy will regulate the behavior that must be observed and complied with by all officials
(regular, outsourced, temporary, interns, etc.) of the Cooperative, to achieve information
security. The third parties involved (suppliers, clients, etc.) will be included in the
requirements of this Policy on a voluntary or contractual basis.

2. Scope

For the xxxx Savings and Credit Cooperative, the ISMS covers the management of information
both in digital media and in the physical form generated in each of the institutional
processes. Responsibility for information management does not fall solely on the
Cooperative's Information Security Manager; it is up to each official to safeguard and ensure
the care of the institutional information assets under their protection and custody.

This Policy provides a framework for all standard processes and their security mechanisms. It
defines security objectives, classifies information, and sets out the responsibilities and
fundamental principles for securing it in accordance with business objectives. When the policy
is affected by national and/or international laws and/or regulations, it must be updated in
order to comply with the requirements of the Cooperative.

3. Goals

3.1. General objective


Establish the standards and guidelines for the Information Security Management System, so
as to satisfy the needs of the Cooperative and safeguard the information, through the
determination of processes focused on information security that lead to maintaining the
confidentiality, availability and integrity of its information assets, thus ensuring the continuity
of operations and minimizing the risk of losses that require allocating computer, human and
economic resources to recover the information.

3.2. Specific objectives

- Define a common language on information security within the Cooperative.
- Specify the requirements within the national and international legal framework to
establish, implement, maintain and continually improve an information security
management system.
- Define information security policies, addressing each point within this approach, that
help maintain the integrity, accuracy, availability and protection of data.
- Establish and determine the structure, roles and responsibilities that each actor must
fulfill within the administration of information security.
- Apply a methodology for analyzing the risks to which the information is exposed.
- Determine the requirements for the assessment and treatment of information security
risks.
- Ensure that the software (information systems) is adequate and secure, since most of the
Cooperative's information assets will be generated and managed there.
- Have an information technology contingency plan related to security administration to
maintain operation in the event of an incident.
- Define procedures that make it easy to see how to apply information security policies.
- Create a culture of information security within the institution that engages the
Cooperative's officials and thus ensures adequate use of information.

4. Definitions

- Activity: The set of tasks executed by the controlled entities.
- Business continuity management: A permanent process that guarantees the continuity of
the Cooperative's operations, through the effective maintenance of the business continuity
plan.
- Information management: The process by which information is captured, processed, stored
and transmitted by any means.
- Computer application: The procedures programmed through some technological tool, which
allow the administration of information and timely decision-making.


- Database: A system formed by a set of data stored on disks or any other magnetic medium
that allows direct access to them, structured in a reliable and homogeneous manner,
organized independently and accessible in real time.
- Automated Teller Machines (ATM): Computer-connected machines of a controlled entity that
allow the client to carry out certain transactions.
- Electronic channels: All the ways or forms through which clients and/or users can carry
out transactions with controlled entities, through the use of electronic or technological
elements or devices, whether or not using cards. The main electronic channels are:
automated teller machines (ATM), point-of-sale devices (POS and PIN Pad), audio response
systems (IVR), electronic banking, mobile banking, and other similar electronic
mechanisms.
- Data processing center: The infrastructure that hosts the technology resources that
support the processing, storage and transmission of information.
- Cloud computing: The provision of computer services accessible through the Internet;
these can be infrastructure, platform and/or software.
- Reliability: The attribute that the information is appropriate for the administration of
the entity, the execution of transactions and the fulfillment of its obligations.
- Confidentiality: The attribute that only authorized personnel access pre-established
information.
- Compliance: The observance of laws, regulations and contractual agreements to which the
processes of the controlled entities are subject.
- Data: Any form of electronic, optical, magnetic, printed or other media record, capable of
being captured, stored, processed and distributed.
- Availability: The attribute that authorized users have access to information whenever
they require it, through the means that satisfy their needs.
- Information: Any form of electronic, optical, magnetic or other media record, previously
processed from data, that can be stored, distributed and used for analysis, studies,
decision making, execution of a transaction or delivery.
- Critical information: Information considered essential for business continuity and for
proper decision making.
- Information security incident: An event associated with possible failures in information
security, or a situation that is likely to compromise business operations and threaten the
security of information.
- Facilities: The infrastructure that hosts the physical resources related to information
technology.
- Input: The set of materials, data or information that serves as input to a process.
- Integrity: The attribute of maintaining the completeness and accuracy of the information
and processing methods.
- Electronic media: Elements of technology that have digital, magnetic, wireless, optical,
electromagnetic or other similar characteristics.


- Audit trail: It is the record of logical data of the actions or events that occurred in the
application systems, databases, operating systems and other technological elements, with
the purpose of maintaining historical information for control, supervision and audit
purposes;
- Contingency plan: It is the set of alternative procedures for the normal functioning of
critical processes and those defined by the entity that allow their operation, in order to
minimize the operational and financial impact that any specific unexpected event may
cause. The contingency plan is executed at the time the event occurs.
- Business continuity plan: It is the set of processes and procedures aimed at maintaining
the operation of the entity in the event of unexpected events.
- Information technology disaster recovery plan: It is a recovery process that covers
critical data, hardware and software, so that an entity can begin its operations again in the
event of a fortuitous event or force majeure.
- Technological platform: Set of interconnected equipment, applications and systems
intended to offer products and services through the use of available technological
resources to partners, clients and/or users.
- Owner of the information: This is the person in charge of taking care of the integrity,
confidentiality and availability of the information; must have the authority to specify and
require the security measures necessary to fulfill its responsibilities;
- Recovery Point Objective (RPO): It is the maximum acceptable amount of data loss
measured over time;
- Operational risk: It is the possibility of losses occurring for the entity, due to failures or
insufficiencies originating in processes, people, information technology and external
events. Operational risk does not include those caused by the political, economic and
social environment, systemic, strategic and reputational risk.
- Information security: These are the mechanisms that guarantee the confidentiality,
integrity and availability of information and resources related to it.
- Logical security: These are the protection mechanisms in the use of software, data,
processes and programs, which allow authorized user access to information;
- Information technology: It is the set of tools and methods used to carry out information
management. It includes hardware, software, operating systems, database management
systems, networks and communications, among others;
- Electronic transfer of information: It is the way to send, receive or transfer
electronically data, information, files, messages, among others;
- Recovery time objective (RTO): It is the period of time elapsed after an incident, to
resume an activity or recover resources before the controlled entity generates significant
losses.

5. Regulatory Context


All provisions established for the information security management system have been
prepared considering the following legal and normative references:

- International standards:
  - ISO/IEC 27000 and its derivations. The Information Security Management System
  (ISMS) based on the ISO 27001 standard. Key aspects and relationship with the ISO 22301
  and ISO/IEC 20000 standards.
  - PCI DSS 3.2. Data Security Standard, Security Assessment Requirements and
  Procedures.
  - OWASP 2017. Application Security Verification Standard 3.0.1.
  - NIST 800-53r4. Security and Privacy Controls for Federal Information Systems and
  Organizations.
- Superintendency of Popular and Solidarity Economy: RESOLUTION No. SEPS-IGT-IR-IGJ-
2018-0279, Control Standard for the Management of Operational Risk and Legal Risk.

6. Risk Management Policies

The Savings and Credit Cooperative values its information and, from this point of view,
establishes the policies that will govern the information security system, which supports
adequate risk management.

The policies cover all aspects needed to guarantee adequate administration of the information
generated in the Cooperative, since that information and all computer resources demand
priority and very particular attention to help mitigate the risks to which they are exposed,
given their nature.

With the definition of computer security policies and standards, the aim is to establish a
culture of quality, operating in a reliable manner within the institution.

6.1. Information Security Policy

This policy contains the guidelines necessary to safeguard institutional information and the
technological resources related to its management and use.

- Define a management framework to initiate and control the implementation of information
security, as well as the distribution of functions and responsibilities.
- Manage computer assets so that they receive an appropriate level of protection.
- Ensure, at a reasonable level, that all means of processing and/or storing information
have physical and logical protection measures that prevent access and/or improper use by
unauthorized personnel, and that allow the continuity of operations.


- Ensure the correct and safe operation of information processing and communications
facilities.
- Ensure, at a reasonable level, that information and manual and automatic processing
capacity are available to authorized users when necessary, considering the continuity of
the technological operation that supports the institutional processes.
- Ensure that data and/or transactions comply with the corresponding authorization levels
for their use and disclosure.
- Register and unequivocally identify system users.
- Avoid cases of identity theft through technological resources.
- Maintain audit records of the events that occurred, as well as of the person responsible
for their execution.
- Maintain reasonable operating levels in strategic systems and infrastructure.
- Identify risks in the technological environment that could prevent the Cooperative from
achieving its objectives.
- The Cooperative will define a periodic information backup procedure, in accordance with
business continuity requirements, that includes the frequency of verification, the
conditions of preservation and elimination, and safe transportation to an alternate site
which must not be exposed to the same risks as the main site and must maintain the
physical and environmental conditions necessary for the backups' preservation and
subsequent recovery.
- Transfers of information backups between storage centers must be carried out with
adequate security controls (seals, exit and entry logs, authorized personnel, among other
aspects) that minimize risk on the way to the remote location, which must not be exposed
to the risks of the main site. The information must be protected for a period of no less
than that indicated by current regulations, under the conditions and in the formats
established for the case by the control entities.

There are highly privileged or sensitive functions within the Organization, which will be
separated from other similar functions, to minimize the risk of abuse of privilege and to
maximize the ability of those who have the responsibility to control the functions of others.

Respecting the principle of segregation of functions, some roles will be performed by different
officials or profiles, such as: administration of access control to operating systems, business
applications, normal use of systems and applications, auditing and security administration.

6.2. Risk Management Policy

- All members of the Cooperative, officers and employees are obliged to inform the Head of
Information Security of the existence of weaknesses or threats that may affect the
interests of the entity regarding information management.


- The Information Security Manager, with the support of the Risk Unit, has the obligation to
detect and suggest controls to mitigate the identified risks based on an action plan
approved by the Information Technology Committee.
- If there are critical risks or those that significantly affect the Cooperative's processes, the
action plan to mitigate the critical event must be approved by the Information Technology
Committee.
- The critical risks that will be reported to the Risk Unit and Information Technology
Committee must present indicators such as cost, value and return on investment, in order
to facilitate decision-making for management levels.
- Risk appetite will not be quantitatively defined in economic terms. The risk appetite limits
will depend on each activity, function or project and all risks that affect the Institutional
operation or the fulfillment of the main objectives of the Institution or a project must be
mitigated.
- Any general guidelines or changes in risk mitigation prioritization must be approved by
the Information Technology Committee and the Risk Unit.
- In the service portfolio, a report of the most important risks identified must be presented
to the Committee or direct managers, promoters of the projects.

6.3. Security Policy in Contracts and Agreements with Third Parties

Contracts or agreements made with third parties must take into account:

- Compliance with the Cooperative's Information Security Policy.
- Review and monitoring of the effectiveness of, and compliance with, the agreements.
- Monitoring and measuring supplier performance.
- Identification and mitigation of supplier risks.
- Definition of roles, responsibilities and expectations for third-party services.
- Protection of the Institution's assets, including:
  - Procedures to protect the assets of the Institution, covering physical assets,
  information and software.
  - Controls to ensure the recovery or destruction of information and assets upon
  termination of the contract or agreement, or during its term.
- Meeting the business requirement for expected and acceptable service levels.
- Access control agreements that contemplate:
  - Allowed access methods, and control of the use of unique identifiers.
  - Authorization processes and user access profiles.


  - Requirement to maintain an up-to-date list of the individuals authorized to use the
    services to be implemented, and their rights and privileges with respect to such use.
- Clear and detailed change management processes.
- Controls to ensure protection against malicious software.
- Confidentiality agreements in contracts.

6.4. Information Classification

The Cooperative defines the confidentiality of its information based on the concepts of the ISO
27001 standard, which indicates that determining the level of confidentiality is the
responsibility of the owner of the information, since the owner is the appropriate person to
define who should have access to it. This task must be carried out jointly with the person
responsible for information security. Information will be classified under the following terms:

- PUBLIC: Information that may be known and used by anyone without authorization, even by
  persons who are not employees of the Cooperative.
- SECRET: Information that may only be known and used by a group of employees who need it to
  do their work, and whose unauthorized disclosure or use could cause significant losses to
  the Cooperative.
- CONFIDENTIAL: Information that may only be known and used by a very small group of
  employees, usually the senior management of the Cooperative, and whose unauthorized
  disclosure or use could cause serious losses.
- CRITICAL: Information essential to the operation of the Cooperative.
- SENSITIVE: Information that should only be known by authorized persons within the
  Cooperative.

Note that CRITICAL describes the availability requirement of the information rather than its
confidentiality, so it can be applied together with one of the other labels.

6.4.1. Inventoried Information.

- The Administrative Assistant must keep an inventory of the technological assets owned by
  the Cooperative.
- All information technology and communications equipment must be labeled for
  identification and inventory control. This labeling is carried out by the person
  responsible for Fixed Assets.
- The Administrative Assistant must periodically check and update the equipment inventory
  whenever equipment is moved or newly acquired.
- The Systems Area must identify the information processed by the computer systems and
  classify it, then inventory this information and keep the inventory up to date.

- Likewise, each official must provide the Security Unit with an inventory of the information
  they handle, whether physical or digital, and its level of confidentiality.
- The Information Security Manager is responsible for communicating the format officials must
  use to fill out the inventory of the information they manage.

6.4.2. Destruction of Information.

The Systems Area must establish procedures for the movement and technical decommissioning of
the equipment in its charge. Technical decommissioning must include the erasure of any storage
media in the equipment, so that no institutional information leaves with it.

The destruction of documentation is the responsibility of the Information Security Manager and
will be carried out with a document shredder. Each destruction must be supported by a
destruction certificate.

6.4.3. Configuration of computer equipment.

The basic configuration of a computer must include:

- Installation of the operating system.
- Installation of audio, video and network drivers.
- Antivirus installation and update.
- Basic software installation: Microsoft Office, Adobe Professional, WinZip, WinRAR.
- TCP/IP activation.
- Computer name and domain configuration.
- Time zone configuration (Bogotá-Lima-Quito, UTC-5).
- Proxy configuration if necessary.

6.5. Physical Security Policy in Facilities.

The following guidelines are intended to maintain adequate physical protection of the
equipment and of the media used to process, transmit and store information.

- The systems infrastructure area must have a standard for the Server Area, taking into
  account:
  - An adequate air conditioning system for the proper functioning of the equipment.
  - Smoke detection systems.
  - Protection against unauthorized access.
  - An access system based on security keys.
  - Network and electrical wiring (for example, organization and labeling).

  - Electrical system (for example, redundant power, UPS (uninterruptible power supply)
    units, generators, etc.).
  - Fire extinguishers suitable for electrical equipment. Dry chemical powder should be
    avoided in the server room because it is corrosive to electronics; clean-agent or CO2
    extinguishers are the usual choice.
- All servers of the Institution must be located in the server area, in the location
  designated for this purpose. If an administrator does not place a server in that location,
  the administrator must present the reasons and justification in writing to the Information
  Security Officer.
- Periodic reviews must be carried out, at least once a year, of the condition and
  organization of the network cabling.

6.5.1. Access control.

- The Head of the Systems Department must establish the work team responsible for ensuring
  the good condition, operation and presentation of the server room.
- The Head of Systems and the Head of Information Security must prepare a list of the
  personnel authorized to enter the server room (Restricted Information Technology Area)
  and the Systems Department. The list must be limited strictly to people who, because of
  their duties, have to enter on a daily basis, and is maintained by those responsible for
  the Systems Area, the Server Area and the Head of Information Security.
- New requests for access to the Systems Department and the server area must be evaluated
  by the Information Security Manager.
- The Head of the Systems Area must give each authorized person an individual access code
  that allows entry only to the Systems Area and that is recorded in the access control log.
  Entry to the server area is strictly prohibited for all staff except administrators.
- The Head of the Systems Area and the Head of Information Security must implement controls
  to ensure that access to the Systems Area and the server area is in fact carried out only
  by authorized personnel, for example through the access record log.
- Systems Department personnel must always carry their identification card when carrying
  out software or equipment maintenance in the different facilities and offices of the
  Institution.
- Visits to the Systems Department and the server area must be accompanied by at least one
  person from the Systems Area.

6.5.2. Planned Maintenance.

The Administrators of the Server Area must arrange periodic maintenance of:

- UPS units
- Server room air conditioning
- Facility electrical generator
- Servers
- Surveillance cameras
- Electrical installations

Workstations and equipment considered vital to the Institution must be connected to a UPS and
to the generator.

6.5.3. Computer equipment.

- Formal guidelines and procedures for moving equipment must be followed.
- For the acquisition of computer equipment, the procedures established for that purpose
  must be followed.
- Movements of computer equipment must be reported to the Systems Area and to the
  Information Security Manager, in addition to being authorized by the immediate supervisor.
- Surveillance personnel must record the exit order for any equipment taken outside the
  facilities of the Cooperative's offices.
- Portable equipment used by Cooperative staff must be the property of the Cooperative;
  equipment owned by the employee may not be used.
- Staff may not take sensitive Cooperative information outside the institution on removable
  media unless explicitly authorized by management.

6.6. Access Control Policy.

These policies protect institutional information by regulating access to computer systems and
assigning profiles, accounts, passwords and screen savers.

- The Head of Information Security, Processes and Human Talent, together with the immediate
  supervisor of each position, are responsible for creating formal processes for managing
  users of computer systems, which must consider the following:
  - The role is defined by the function a user fulfills within a system.
  - The profile is defined by the position held by the official, and is the detailed
    description of the transactions that user may perform in a system.
- Computer systems must be configured so that the user session expires after 10 minutes of
  inactivity, or 5 minutes in the teller (cash) area. This is mandatory for systems defined
  as critical and for system administration users.

- User accounts and passwords are personal and non-transferable; therefore, operations that
  put the interests of the institution at risk are the sole responsibility of the user or
  official who holds the account.

6.6.1. User Creation.

Each user and official is responsible for the access control mechanisms provided to them, that
is, the user login ID and password needed to access the different computer systems and the
technological infrastructure, and must keep them confidential.

6.6.2. Disabling Users.

The Information Security Manager, in coordination with Human Talent, is responsible for
disabling user accounts when an employee leaves the institution, goes on vacation or is granted
leave, and for carrying out the procedures needed to keep such absences under control.

6.6.3. Logical Access Controls.

- All users of information services are responsible for the username and password they
  receive to use and access resources.
- All users must authenticate through the access control mechanisms provided by the
  Information Technology Department before they can use the Cooperative's technological
  infrastructure.
- Users must not give external personnel information about the access control mechanisms
  for facilities and the technological infrastructure unless they have the approval of the
  owner of the information and the Information Technology Department and the authorization
  of their immediate supervisor.
- Each user who accesses the technological infrastructure must have a unique, personal user
  identifier (ID). The use of the same ID by several users is therefore not allowed.
- Users and officials are responsible for all activities carried out with their user
  identifier (ID). Users must not disclose their ID or allow others to use it, and must not
  use the IDs of other users.

6.6.4. User Registration.

- The Information Security Manager, together with the service owner, must define the
authorization flow for access and the level of privileges in the systems.
- The granting of user roles and profiles must be defined according to the principle of least
privilege.

- All staff are assigned a unique username and password to access the computer systems
  permitted by their profile. Any exception must be authorized by the corresponding Head
  Office and the Information Security Manager.
- The administrators of each service must keep their user records up to date, together with
  a log of logical accesses. Automated options and reports must be available to produce the
  lists of user accounts and privileges in the systems whenever needed.

6.6.5. Profile Management.

- All personnel must be associated with a role/profile in the computer systems according to
  the activities they perform.
- Server and service administrators are responsible for correctly managing access accounts
  and granting profiles according to the specified authorizations.
- Any change in the roles and responsibilities of users must be notified to the Information
  Security Manager.
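
The user-disabling, least-privilege and unique-ID rules of 6.6.2 to 6.6.5 can be checked
mechanically by reconciling the Human Talent roster against each system's account export. The
following is an added example, not code from the Cooperative or from this manual; the profile
table, privilege names, roster and account export are constructed sample data.

```python
"""Reconciliation of the HR roster against a system's account export.

Added example (not the Cooperative's own tooling). It produces the findings that
the user-disabling, least-privilege and unique-ID rules call for:
  * enabled accounts whose owner has left, is absent, or is unknown to HR
  * accounts holding privileges outside the profile approved for the position
  * one user ID shared by more than one person
The roster, account export and profile table below are constructed sample data;
the privilege names and positions are assumptions.
"""
from dataclasses import dataclass

# Approved profile table: position -> privileges permitted for that profile (assumed).
PROFILES = {
    "teller": {"core.read", "core.deposit", "core.withdraw"},
    "credit_analyst": {"core.read", "loans.review"},
    "sysadmin": {"core.read", "admin.users", "admin.servers"},
}


@dataclass(frozen=True)
class Person:
    employee_id: str
    position: str
    status: str  # "active", "vacation", "leave" or "departed"


@dataclass(frozen=True)
class Account:
    user_id: str
    employee_id: str
    enabled: bool
    privileges: frozenset


def reconcile(roster, accounts):
    """Return a sorted list of (finding, user_id, detail) tuples."""
    people = {p.employee_id: p for p in roster}
    findings = []
    owners = {}
    for acct in accounts:
        person = people.get(acct.employee_id)
        # 6.6.2: absent or departed owners must have their accounts disabled;
        # an account HR cannot match to anyone is treated the same way.
        if acct.enabled and (person is None or person.status != "active"):
            reason = "unknown_owner" if person is None else person.status
            findings.append(("must_disable", acct.user_id, reason))
        # 6.6.4 / 6.6.5: privileges must not exceed the approved profile.
        if person is not None:
            excess = acct.privileges - PROFILES.get(person.position, frozenset())
            if excess:
                findings.append(("excess_privilege", acct.user_id, ",".join(sorted(excess))))
        owners.setdefault(acct.user_id, set()).add(acct.employee_id)
    # 6.6.3: a user ID may belong to exactly one person.
    for user_id, emps in owners.items():
        if len(emps) > 1:
            findings.append(("shared_id", user_id, ",".join(sorted(emps))))
    return sorted(findings)


# Constructed sample data.
SAMPLE_ROSTER = [
    Person("E001", "teller", "active"),
    Person("E002", "credit_analyst", "vacation"),
    Person("E003", "sysadmin", "departed"),
    Person("E004", "teller", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("jperez", "E001", True, frozenset({"core.read", "core.deposit", "core.withdraw"})),
    Account("mlopez", "E002", True, frozenset({"core.read", "loans.review"})),
    Account("rgomez", "E003", True, frozenset({"admin.users", "admin.servers"})),
    Account("caja01", "E001", True, frozenset({"core.read"})),
    Account("caja01", "E004", True, frozenset({"core.read", "admin.users"})),
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS):
        print(*finding)
```

Run against real exports, every "must_disable" finding is a ticket for the Information Security
Manager and Human Talent, and every "shared_id" finding is a violation of 6.6.3 regardless of how
the account is used.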

6.6.6. Unattended Equipment.

- Users must keep their computer equipment protected with access controls such as passwords
  and screen savers, installed and authorized beforehand by the Information Technology
  Department, and must lock the equipment whenever it is unattended.
- When users leave their workspace they must lock their operating system session, so that on
  return they must authenticate with their username and password before continuing their
  work; in this way the information is safeguarded.

6.6.7. Use of Email.

- Users must use institutional email only for work communication.
- Users are not authorized to subscribe to commercial or entertainment newsletters using
  institutional email; the only permitted subscriptions are those clearly relevant to their
  work.

6.6.8. Monitoring and Audit.

- IT services will be audited by the Audit, Risk and Security area.
- Audit logs kept for review must be rotated off the production systems quarterly so that
  they do not affect the performance of the services. Rotated logs must be archived to
  protected storage rather than deleted: they are the evidence used in incident
  investigation and in the audits above, and must be kept for as long as the applicable
  retention requirements demand.

6.6.9. Password Administration and Use.

- Passwords are assigned individually; the use of shared passwords is prohibited.
- When a user forgets, locks or loses their password, they must ask the Information Security
  Manager to provide a new password, where applicable, or to unlock the existing one.
- A standard for creating secure passwords must be applied for user access to the different
  systems.
- Access keys to the systems must be protected by cryptographic controls (stored only as
  salted hashes computed with a password-hashing function, never in clear text or under
  reversible encryption).
- Systems must be configured in accordance with the new regulations so that they require the
  user to change their password on first entry to the system.
- A user management system must be used that:
  - Locks the user in the application after 3 failed attempts.
  - Requires the password to be changed at least every 30 days, except in the virtual
    banking system, where it must be changed every 3 months.
  - Verifies the strength of passwords against the standard established by the Information
    Security Manager.
- The password must be changed immediately when it is suspected or detected that it has been
  seen by a third party.
- All staff, including Systems Area personnel, must protect their daily work equipment with
  a secure access password when they are not working on it.
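
As an added illustration of the password controls listed above, and not the Cooperative's user
management system, the following Python account record enforces lockout after 3 failed
attempts, forced change on first entry, 30-day rotation (90 days for the virtual banking
system) and cryptographic protection of the stored credential. The strength rule in
`password_ok` is an assumption, since the manual leaves that standard to the Information
Security Manager.

```python
"""Account record that enforces the password rules of this section.

Added example, not the Cooperative's user management system. Passwords are
stored only as salted scrypt hashes (hashlib, standard library), so the stored
credential cannot be read back. The strength rule (12 or more characters, at
least three character classes, not equal to the user ID) is an assumption: the
manual leaves the standard to the Information Security Manager.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3
ROTATION = {"default": timedelta(days=30), "virtual_banking": timedelta(days=90)}


def password_ok(user_id: str, pw: str) -> bool:
    """Assumed strength standard; replace with the one the ISM publishes."""
    if len(pw) < 12 or pw.lower() == user_id.lower():
        return False
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def _hash(pw: str, salt: bytes) -> bytes:
    # 16 MiB memory cost; maxmem is raised above OpenSSL's 32 MiB default for headroom.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


class Account:
    def __init__(self, user_id, initial_pw, system="default", now=None):
        self.user_id = user_id
        self.system = system
        self.failed = 0
        self.locked = False
        self.must_change = True  # system-generated password: change on first entry
        self._store(initial_pw, now or datetime.now())

    def _store(self, pw, now):
        self.salt = os.urandom(16)
        self.digest = _hash(pw, self.salt)
        self.changed_at = now

    def _matches(self, pw):
        return hmac.compare_digest(_hash(pw, self.salt), self.digest)

    def login(self, pw, now):
        """'ok', 'ok_change_required', 'expired', 'bad_password' or 'locked'."""
        if self.locked:
            return "locked"
        if not self._matches(pw):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed = 0
        if self.must_change:
            return "ok_change_required"
        if now - self.changed_at >= ROTATION[self.system]:
            return "expired"
        return "ok"

    def change_password(self, old_pw, new_pw, now):
        if self.locked or not self._matches(old_pw) or not password_ok(self.user_id, new_pw):
            return False
        self._store(new_pw, now)
        self.must_change = False
        return True

    def admin_reset(self, temp_pw, now):
        """Information Security Manager issues a new temporary password and unlocks."""
        self._store(temp_pw, now)
        self.failed = 0
        self.locked = False
        self.must_change = True


def demo():
    """Walk one account through the lifecycle; returns the sequence of results."""
    t0 = datetime(2024, 1, 1)
    acct = Account("jperez", "Temp-Pass-1234", now=t0)
    results = [acct.login("Temp-Pass-1234", t0)]                           # change required
    results.append(acct.change_password("Temp-Pass-1234", "short", t0))    # too weak
    results.append(acct.change_password("Temp-Pass-1234", "Caja#Segura2024", t0))
    results.append(acct.login("Caja#Segura2024", t0))
    results.append(acct.login("Caja#Segura2024", t0 + timedelta(days=30)))  # rotation due
    results += [acct.login("wrong", t0) for _ in range(3)]                 # third locks
    results.append(acct.login("Caja#Segura2024", t0))                      # still locked
    acct.admin_reset("Temp-Pass-5678", t0)
    results.append(acct.login("Temp-Pass-5678", t0))
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout counter is reset only by a successful login or by the Information Security Manager's
reset, which is the unlock path 6.6.9 describes; the temporary password issued on reset is itself
flagged for mandatory change, so the reset cannot become a permanent credential.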

6.6.10. Policies for Good Use of User Passwords.

- Receive the key generated by the system from the Information Security Unit.
- Replace the system-generated password with a personal one on first entry to the system.
- Carefully safeguard the access code to the system and to any other system for which login
  privileges have been assigned.
- It is the duty of each user not to hand over or disclose their personal access code to
  computer systems.
- Passwords must not be kept in legible form on any printed medium or left where unauthorized
  persons can discover them.
- Regardless of the circumstances, passwords must never be shared or revealed. A user who
  provides their password is responsible for all actions taken with it.

- Any user who suspects that their password is known to another person must change it
  immediately.
- Users must not store passwords in any program or system that offers that facility.

6.7. Institutional Software Licensing Policy.

- The offices, departments, units and positions, with the help of the Systems Area, must
  identify the software profiles needed to support the operation of the Institution.
- The Systems Area will implement a base software standard for users, consisting of the
  platform (operating system) and the basic programs needed to carry out general tasks.
- If software needs to be installed on the Institution's equipment, the end user or
  custodian must request the installation from the Systems Area, with prior authorization
  from a superior.
- The acquisition of software is subject to the internal purchasing policies.
- The applicant for the acquisition, renewal or change of software is responsible for
  managing the corresponding purchase.
- If a computer of the Institution holds software that is unlicensed, not regularized or
  outside the profile approved by the Systems Unit, final responsibility falls on the
  custodian of the equipment.
- The Systems Area will only provide legally acquired software to meet user needs. The use
  of programs obtained from other sources may threaten the security of the Institution's
  information and is strictly prohibited.
- The Systems Area will carry out permanent reviews of each computer assigned to the
  Cooperative's officials to verify that there is no software or application unrelated to
  the work of the Institution. Any such software found on a computer will be removed from it
  and reported to the Information Security Manager for registration and follow-up, and to
  Human Talent for the application of the established sanctions.
- The Systems Area is not authorized to install software acquired by the Cooperative on
  equipment that does not belong to the institution's Fixed Assets inventory.
- The Systems Area will review the software installed on institutional equipment and, if
  non-regularized software is detected, will inform the authorities of the non-compliance.
- The Systems Area is responsible for notifying the leaders of each area, with due advance
  notice, of the expiration of inventoried licenses.
- The Systems Area is in charge of configuring Internet access for users; the only profiles
  with full access are:
  - General Management
  - Agency Head

  - Server Administrators
  - Head of the area
- Other officials must have access only to the pages they need for their duties.
- The Systems Area is responsible for verifying that no official visits unauthorized pages
  or social networks, since these are considered high-risk channels for information
  leakage. If unauthorized access is found, the Information Security Manager must be
  informed so that the corresponding procedure for sanctioning the official can proceed.
- The Systems Department is not responsible for support or training on specialized and/or
  non-core software.
- The Institution's computer equipment must have installed only the software regulated for
  it by its office, department, unit or position and by the Systems Area, based on its
  profile.
- All computer equipment assigned to the Cooperative's employees must be used by the end
  user or custodian in compliance with licensing regulations and policies.
- The Cooperative is not responsible under any circumstances for unlicensed or
  non-regularized software installed on institutional equipment; the existence of such
  software on institutional equipment constitutes a violation of this policy.

6.8. Security Policy in Operations.

6.8.1. Operating procedures.

- The procedures will specify instructions for the detailed execution of each task,
  including:
  - Network and server monitoring.
  - Administration of security equipment (firewall, etc.).
  - Server management.
  - Administration of computer services.
  - Registration and cancellation of user accounts in all systems.
  - Access verification.
  - Backups.
  - Maintenance of computer and network equipment.
  - Management of security incidents.
  - Recovery of information.
- Secure configuration standards must be established for the different base platforms, such
  as servers (Windows and/or Linux), network communication equipment and databases.

6.8.2. Change Control in Operations.

- Changes in the operational and communication environments must be controlled. All changes
  must be evaluated from technical and security perspectives.
- The Information Security Manager will verify that changes in operational and
  communication components do not affect the information or its security.
- Each leader is responsible for evaluating the operational impact of planned changes on
  their area and for verifying their correct implementation.
- Change control procedures must consider the following:
  - Identification and recording of significant changes.
  - Evaluation of the possible impact.
  - Risk assessment.
  - Formal approval of proposed changes.
  - Planning of the change process.
  - Testing of the new scenario.
  - Back-out plan in case the change fails (a backup is taken before any change, see
    6.8.6).
  - Communication of changes to all those involved.

6.8.3. Separation of Development, Testing and Production Resources.

- The development, test and production environments will preferably be physically separated
  whenever possible, and the rules for transferring software from development to production
  will be defined and documented. The following controls will be taken into account:
  - Run development and production software in different environments, equipment or
    directories.
  - Separate development and testing activities into different environments.
  - Prevent access to compilers, editors and other system utilities in the production
    environment when they are not essential to its operation.
  - Use independent authentication and authorization systems, and separate access profiles,
    for the different environments.
  - Prohibit users from sharing passwords across these systems. The system interfaces must
    clearly identify which instance a connection is being made to.
  - Define information owners for each of the existing processing environments.
- Development staff will not have access to the production environment. Where such access is
  strictly necessary, an emergency procedure will be established for its authorization,
  documentation and logging.
- Every service must be tested and its operation verified in a testing environment.
- Services being tested for operation must also pass security tests.

6.8.4. System Planning and Acceptance.

- The Systems Department will monitor the capacity needs of the services in production and
  project new needs, in order to guarantee adequate processing and storage capacity. It will
  take into account new service requirements and current trends in the processing of the
  Cooperative's information over the stipulated useful life of each component.
- Leaders will report detected needs to the relevant superiors so that potential
  bottlenecks, which could threaten security or continuity of processing, can be identified
  and avoided and appropriate corrective action planned.
- The Systems Department must specify the acceptance criteria for any new system or
  technological service to be implemented in the Cooperative, considering the following
  points based on COBIT:
  - Verify the impact on the performance and capacity requirements of the IT equipment.
  - Ensure recovery from errors.
  - Guarantee implementation in accordance with the established security standards.
  - Ensure that the new implementation does not negatively affect existing systems.
  - Consider the effect of the new implementation on security.
  - Regression and integration testing.
  - Validation tests against requirements.
  - Scalability.
  - Approval of key points based on acceptance criteria agreed between the parties.

6.8.5. Protection Against Malicious Software.

- The Systems, Audit, Risk and Security areas must define and implement controls that
  provide permanently updated anti-malware software on all electronic channels, protecting
  the installed software, detecting in time any attempt to alter its code, configuration
  and/or functionality, and raising the corresponding alarms so that the electronic channel
  is blocked, deactivated and reviewed promptly by Systems Area personnel.
- The Audit, Risk and Security team will develop appropriate procedures to raise user
  awareness of security and access control to the systems.
- These controls must consider the following actions:
  - Prohibit the use of software not authorized by the Institution.
  - Install and periodically update virus detection and repair software, examining
    computers and computer media as a precautionary and routine measure.
  - Keep systems up to date with the latest available security updates.

  - Periodically review the software and data content of the processing equipment that
    supports critical processes of the Institution, formally investigating the presence of
    unapproved files or unauthorized modifications.
  - Before use, check for viruses in files on electronic media of uncertain origin or in
    files received through untrusted networks.
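
Detecting alteration of installed software's code or configuration, and the behavioral baseline
of servers that 6.8.7 calls for, both rest on a file-integrity baseline: a signed record of what
each file looked like when it was approved, compared against the live system at every review.
The following is an added example, not part of this manual or of any anti-malware product the
Cooperative uses; the directory tree and the tampering are constructed.

```python
"""File-integrity baseline and comparison for a server (added example).

Records a SHA-256 digest and permission bits for every regular file under a
root, then compares a later snapshot against that record and reports what was
added, removed or modified. It is the check behind "detect any alteration in
its code or configuration" and the server baseline of 6.8.7; it is not the
Cooperative's anti-malware product. The sample tree is built in a temporary
directory.
"""
import hashlib
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map of relative path -> {sha256, mode} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _digest(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, root) -> dict:
    """Differences between a stored baseline and the tree as it is now."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "app.conf").write_text("listen=443\n")
        baseline = build_baseline(root)
        # Simulated tampering: binary replaced, config removed, script dropped.
        (root / "bin" / "app").write_bytes(b"trojanized binary")
        (root / "app.conf").unlink()
        (root / "bin" / "dropper.sh").write_text("#!/bin/sh\n")
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline off the server it describes (on the monitoring host, or on read-only media
signed by the administrator): an intruder with administrative rights on the server can otherwise
rewrite the baseline along with the files. Re-baseline only through change control, so that every
"modified" entry at review time maps either to an approved change or to an incident.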

6.8.6. Information Backups.

- The administrators of the services and their alternates must maintain up-to-date policies
  and manuals for backup administration and for the configuration and management of the
  software installed on servers and end-user equipment. These documents must specify:
  - Creation date.
  - Document version.
  - Changes made.
  - Identification of the person who prepared them.
  - Approval.
- The IT infrastructure must provide service administrators with a backup system on reliable
  magnetic media.
- Service administrators must back up code, data, databases and configurations before
  applying any change.
- There must be an alternate location for the physical storage of backups, outside the
  Cooperative's facilities.
- The alternate backup location must have the infrastructure, security and environmental
  measures needed to keep the backup copies adequately organized and classified.
- The administrator must prioritize information according to its level of importance and its
  rate of change in order to determine the backup frequency.
- A backup copy that is used intensively must be replaced periodically, before the magnetic
  medium containing it deteriorates.
- When backup media must be discarded, they must be securely destroyed to prevent copying or
  recovery of the stored information.
- Administrators of the services and their alternates must verify that the storage media are
  working before performing the backup.
- Backup copies must be kept in restricted-access cabinets.
- The main administrator and their alternate must carry out periodic restore tests to verify
  the validity and usability of the backups.
- All backed-up information will be classified and labeled. The storage medium must record:
  file name, version, application or system to which the information belongs, backup date,
  person who made the backup, and physical storage location.

- Service administrators must keep a record of the backed-up information so that it can be
  located easily.
- Policies and procedures for the administration and generation of information backups must
  be maintained.
- All backups made must be stored in a safe place.
- Automated configurations will be established so that users save all their information on
  network drives, which facilitates backup copies.
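
The labelling, record-keeping and periodic restore tests above can be tied together in one small
backup routine. The following is an added example, not the Cooperative's backup system: the
system name, version, operator and storage location values are constructed, and the restore test
is done into scratch space rather than onto a live server.

```python
"""Labelled backup with manifest and restore test (added example).

Not the Cooperative's backup tooling. It packs a source directory into a
tar.gz, writes a manifest carrying the labels the manual requires (file name,
version, system, backup date, operator, storage location) plus a SHA-256 per
file, and then proves the copy is usable by extracting it to a scratch
directory and comparing digests, which is the periodic "validity and
functionality" test above. Source data and media damage are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(source, dest_dir, system, version, operator, location):
    """Create <dest_dir>/<system>-<version>-<stamp>.tar.gz and its manifest."""
    source, dest_dir = Path(source), Path(dest_dir)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"{system}-{version}-{stamp}.tar.gz"
    files = {p.relative_to(source).as_posix(): _sha256(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest = {
        "file_name": archive.name, "version": version, "system": system,
        "backup_date": stamp, "operator": operator, "location": location,
        "archive_sha256": _sha256(archive), "files": files,
    }
    (dest_dir / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def verify_backup(archive, manifest):
    """Restore test: returns (ok, problems). Restores into scratch space only."""
    archive = Path(archive)
    if _sha256(archive) != manifest["archive_sha256"]:
        return False, ["archive digest mismatch"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal
            except TypeError:  # Python before the filter argument existed
                tar.extractall(scratch)
        for rel, digest in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif _sha256(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return not problems, problems


def demo():
    """Back up a constructed tree, verify it, damage the medium, verify again."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        Path(src, "db").mkdir()
        Path(src, "db", "core.sql").write_text("-- constructed sample dump\n")
        Path(src, "app.conf").write_text("listen=443\n")
        archive, manifest = make_backup(src, dst, "core-banking", "v01",
                                        "jperez", "offsite-vault-A")
        ok, _ = verify_backup(archive, manifest)
        # Simulated media deterioration: the last byte of the archive is flipped.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        damaged_ok, problems = verify_backup(archive, manifest)
        return ok, damaged_ok, problems


if __name__ == "__main__":
    print(demo())
```

The manifest is the record 6.8.6 asks administrators to keep; store it with the off-site copy and
in the backup register, not only next to the archive. The `filter="data"` argument to
`extractall` makes the restore refuse archive members that would land outside the restore
directory, which matters when a backup of unknown provenance is being tested.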

6.8.7. Server Management.

- The person responsible for the Systems Area must assign a main administrator and an
  alternate administrator for each server.
- Administrators are responsible for preparing the administration and configuration manual
  for their services, and for requesting and documenting the permissions needed for the
  operation of the service.
- When a new service is put into production, the administrator is responsible for requesting
  a vulnerability report on the equipment from the Audit, Risk and Security area.
- The Audit, Risk and Security area must perform a vulnerability scan of the servers and
  deliver the respective report to each responsible official.
- The official and their alternate must respond to this report with a report of the security
  holes fixed.
- A baseline of the behavior of servers and communication equipment must be established for
  monitoring.
- All communication equipment must be monitored by the network administrator to verify
  whether the system is up or down.
- All computers and servers must be monitored by the network administrator. At a minimum,
  disk, processor and memory must be monitored.
- Monitoring reports must be sent to the service administrator every month, or whenever an
  abnormal situation occurs in the service.
- The network administrator, together with the administrator of each server, must plan a
  purge of network permissions, for both intranet and Internet, for the servers they manage
  every 6 months.
- The server administrator must report the presence of malicious code not detected by the
  Cooperative's antivirus. As stated above, this must be reported to the antivirus provider
  and an action plan drawn up.
- Internal servers may not be accessed from an external network such as the Internet. If
  such access is strictly necessary, it must be done through a secure mechanism such as a
  virtual private network or a dedicated channel.
- The administrator must periodically review the audit logs of their server.

- When administrators change, the new administrator must be trained and given the
  administration and configuration manuals. In addition, the new administrator must change
  the passwords of the administration users, delete the previous administrator's personal
  users and purge permissions.
- All of the preceding points in this section must also be implemented on test servers.

6.8.8. Network Security Management.

- The IT infrastructure area must establish standards for labeling and structured cabling of
voice and data.
- The infrastructure area must establish configuration standards for network devices
(firewall, router, switch) with the security levels defined for each service.
- The systems area must configure the new computer equipment under the established
standard.
- The use of modems on computers that also have a connection to the local network (LAN)
is not permitted unless duly authorized. All data communications must be carried out
through the Institution's LAN, with the administrator's authorization, in order to prevent
intrusions.
- Every workstation must be associated with a LAN network depending on its functions.
- If an end user needs to access external services that are restricted (such as FTP, VPNs,
remote desktop, etc.), they must make the request by email to the Information Security
Manager with a copy to the Head of Systems. The Information Security Manager, together
with the systems personnel, will analyze the request, validate the need for it and assign
the permission.
- The Information Security Manager must review the documentation of assigned Public IPs
and their associated permissions every three months.

6.8.9. Remote access.

- Remote access to computer systems for internal use must be duly authorized by the
system administrator and the Information Security Manager.
- Remote access to the servers from the external network must be allowed only to
authorized personnel, and only when a force majeure event requires it.
- Secure protocols must be used for remote access to servers.
- Remote external connections must be authorized by the Information Security Manager.

6.8.10. Wi-Fi networks.

- The keys of protected wireless networks will be changed at the request of a
representative of the department to which the network belongs.
- The wireless network administrator must change the network access codes every 3
months and inform each department.
- Perform periodic physical inspections and employ network management tools to
routinely review the network for the presence of unauthorized access points.

6.8.11. Monitoring.

- The network administrator must monitor active network equipment and Internet links
and data channels.
- Monitoring must be enabled 24 hours a day, every day, for links, active equipment and
servers.
- The network administrator must evaluate the capacity of the links every six months, with
the administrators of the applications involved.
- The network administrator must immediately contact the service provider when there is a
loss of link.

6.9. Incident Management Policy.

- Any event that is directly related to the Cooperative's systems and services has been
classified as an incident according to the following categories:
  - Viruses of all kinds
  - Attacks
  - Harassment
  - Social engineering
  - Identity fraud
  - Vulnerability detection
  - Exploitation of known vulnerabilities
  - Attempts to access a system
  - Policy violation
  - Unauthorized access
  - Information theft
  - Deletion of information
  - Information alteration
- All personnel must know the procedures for reporting incidents, events and information
security vulnerabilities that may have an impact on the security of the systems they
manage.
- All staff must report any computer security incident or event.
- Server administrators must report computer security incidents and events directly to the
Audit, Risk, Security and Systems area.
- The Risk, Information Security and Systems area must make staff aware of the contacts
they can contact to report computer security incidents.
- It is the responsibility of the Risk and Information Security area to make the Institution's
staff aware of the existence of the computer security incident response team, which is
formed within the systems area.
- Computer security incidents can be reported by the following means: Email, in person or
using the HelpDesk.
- Once the incident report has been received in the security and systems area, an
acknowledgment of receipt is sent to the user stating that the report was received and will
be attended to in the shortest possible time.
- Incident and vulnerability reports and executive reports are confidential.
- Statistics of incidents and vulnerabilities addressed by the Systems area must be sent
monthly to the Information Security Manager.
- The Risk area must prepare and publish statistical data on security incidents that occur on
a quarterly basis.
- For no reason should illegal methods be used to resolve an incident.
- It is important to take into account legal advice for the actions to be taken in incidents
related to: identity theft, access to confidential information and incidents related to social
engineering.
- All information related to reported incidents must be handled with total confidentiality;
the information is classified in accordance with the Information Asset Management Policy.
- Evidence collection mechanisms must be taken into account during the incident response
process, since the evidence gathered will be a necessary resource in the event of legal
proceedings.

6.10. Physical Security Policies.

All physical areas of the business must have the level of security in accordance with the value
of the information that is processed and managed in them. Confidential and restricted
information must be kept in places with restricted access when it is not used.

- Physical Security of Restricted Access areas: There must be strict controls for entry to the
Central Archive, the Call Center, data centers, wiring centers and other areas that contain
critical information assets. There must be a record of the personnel who enter.
- Backup for energy supply: The customer service areas, computer center, wiring centers,
critical information processing centers and in general those essential for the operation of
the Cooperative's business must have a backup energy supply with a minimum autonomy
of 8 hours.
- Visitor access to restricted access areas: For restricted areas, only formally authorized
entity personnel will be able to access them based on the activities they carry out. In the
event that collaborators from other areas and/or entities external to the entity require
entry, they must obtain the corresponding authorization and always be accompanied by
an authorized official.
- Civil Works in restricted access areas: All structural changes within restricted access
places such as storage of Information Technology resources must be supported by a risk
analysis in order to evaluate, before the execution of the works, the possible consequences
on physical and information security.
- Smoking and consuming food are prohibited in restricted access areas that contain critical
Information Technology resources of the entity.
- Any information system or computer equipment that is decommissioned or reused must
have a secure erasure process. The secure erase process will consist of the destruction of
the information that resides on the computer; the validation of the process and the testing
of the process, ensuring that no data is left on the equipment.

6.11. Media Handling and Security

a. Removable Media
- When removable media (disk, tape, CD, etc.) are used to store or transport information,
they will be appropriately labeled to indicate the level of sensitivity of their content
(Confidential, Strictly Confidential, etc.).
- Information with a confidential classification level or higher will be stored in encrypted
form.
- The removable media will be maintained, physically, respecting the level of protection in
accordance with the security classification of the information stored there.

b. Written and voice communications
- All information in physical, written or printed format will be classified according to its
security requirements. This information includes paper records and communications
(email, documents).
- When written information is transferred and stored, the security classification of the
information will be clearly indicated.
- All fax communications will be made taking the necessary measures to ensure that the
transmission so made reaches only the correct recipient.
- Strictly confidential classification information will not be transmitted via conventional
telephone or fax.

c. Destruction of information
- The elimination of physical media containing information requires treatment in
accordance with its security classification level.
- In the case of confidential and strictly confidential information, the medium will be
physically destroyed or duly erased if it is intended to be reused.

6.12. Information and Software Exchange

- Email Business Use

- The Cooperative's email systems will be primarily used for business purposes.
- Personal use will be permitted to the extent that it:
  - does not consume significant resources,
  - does not hinder any business activity.

- Employees are prohibited from using any non-Cooperative email system to send or
receive information related to the Cooperative's business.
- The use of unapproved instant messaging systems is not permitted.

- All messages sent
  - The Cooperative will comply with current legal regulations and the Institution's
    standards regarding its content.
  - Email messages, including attachments, will be classified in accordance with this
    Policy, based on the sensitivity of the information contained, and will be
    protected according to that classification.

- Transmission by email
- Confidential or strictly confidential information will not be sent by email, unless it is
encrypted according to the Cooperative's standards.

6.13. Monitoring of Communications

- The Cooperative reserves the right to monitor any electronic traffic as part of its normal
operational activities, within the framework of current legislation.

6.14. Internet

- Cooperative officials may access the Internet if their business functions warrant it.
- Personal use of the Internet will be permitted within reasonable limits and provided that
the web sites accessed are not illegal or inappropriate for a well-controlled work
environment.
- The Internet will not be used to violate intellectual property rights of any kind.
- Access to resources other than Internet pages is reserved for authorized users.
- The Cooperative reserves the right to block access to Internet sites considered
inappropriate.
- Downloading electronic files from the Internet – by end users – is not permitted.
- Attempting to breach or violate any computer system or networks on the Internet is
strictly prohibited.

6.15. File Transfer

- Information classified as confidential will not be sent via any file transfer mechanism
unless it is encrypted according to the Cooperative's standards.

6.16. Systems Operations

- The software will be put into production in a controlled manner. For all systems in
production, a complete version and change control will be maintained.
- Key tasks and responsibilities in the production environment will be segregated to ensure
due opposition of interests and minimize abuse of privileged functions.
- The continuity of the systems operation will be ensured through an adequate Contingency
Plan.
- The effectiveness of the security mechanisms designed in the systems will be controlled
through formal security testing, before being put into production and verified regularly.
- Whenever relevant security incidents occur, they will be investigated and resolved. The
Information Security Manager will document what happened and take measures to avoid
similar situations.
- All third-party software will be obtained from trusted sources and used strictly in
accordance with the license terms. The intellectual property rights of the Software will be
respected and observed in all cases.

6.17. Software Development and

- The development and maintenance of the software used in La Cooperativa will follow the
current policies, rules, procedures and standards.
- The security requirements and design will be compatible and integrated with the existing
security design for networks and systems.
- Development, QA and production environments will be segregated. Software developers
will not have access to production systems and information under normal circumstances.
The exception to this point must be requested exclusively by the Process Owner in
exceptional circumstances and for a specific period of time. It will be mandatory to
maintain a log of this type of requirements for at least a period equal to one year.
- Employees involved in software development must be trained in the security aspects
related to the evaluation, installation and maintenance of systems.

6.18. Network Connectivity

- The Cooperative's networks will be protected against unauthorized access.
- All Cooperative networks will be classified as trusted or untrusted according to the
level of security they have.
- All communications between internal and external networks (eg Internet) or between
network areas with variable security classification, will be safeguarded through security
devices.
- The different network segments used in La Cooperativa will be under control and will be
able to operate with a variety of security mechanisms. By their nature, when these
networks are connected, the security of the resulting entire network drops to the level of
the most insecure network segment.
- Appropriate security mechanisms will be applied at the point of connection when
connecting to a third-party network, a public network or an untrusted internal network
segment.

6.19. Incident response

- There will be a “Specialized Incident Response Team” that will act in situations or events
where the security of information is or may be compromised.
- The team must have the ability to detect intrusions, perform tracking and identification
tasks and forensic analysis on computer systems in which security incidents have
occurred.

7. Structure, Roles and Responsibilities for Information Security

7.1. Structure

The Cooperative has defined its organizational structure and within it we will identify the
areas involved in the information security system.

7.2. Management Responsibilities

7.2.1. Senior Management

The senior management of the Cooperative must commit to the implementation,
establishment, operation, monitoring, maintenance, review and improvement of the
Information Security Management System. With this concept, the board of directors and
general management must provide openness and support for information security
management and their responsibilities include the following:

- Approve an information security policy.
- Guarantee compliance with plans and objectives of the Information Security Management
System.
- Inform all employees of the Cooperative about the importance of achieving information
security objectives and complying with the security policy.
- Designate the resources necessary to carry out the ISMS.
- Determine risk acceptance criteria and their corresponding levels.
- Establish the ISMS within the annual strategic planning.
- Ensure all internal audits are performed.
- Carry out periodic reviews of the ISMS.

7.2.2. Information Security Committee.

The functions and responsibilities of the Committee within the context of information security
are:

- Implement Management guidelines.
- Assign the different roles and functions in terms of security.
- Present the policies, standards and responsibilities regarding information security to
Management for approval.
- Validate the risk map and the proposed mitigation actions.
- Validate the Security Plan and present it to Senior Management for approval.
- Supervise the development and maintenance of the Business Continuity Plan.
- Ensure compliance with current legislation and regulations.
- Promote employee awareness and training in information security.
- Approve and periodically review the information security dashboard and the evolution of
the ISMS.

7.2.3. Information Security Manager

The Information Security Manager is the most important individual figure in the development
of information security, since this role provides information security services in the institution
through the planning, coordination and administration of the different processes that
guarantee information security, and also creates a culture of information security.

His responsibilities are:

- Plan, develop, control and manage policies, procedures and actions in order to improve
information security within its fundamental pillars of confidentiality, integrity and
availability
- Provide mechanisms that guarantee logical and physical information security
- Provide permanent and close advice to the different areas of the organization on issues
related to security and lead to correct compliance with the defined security standards.
- Protection of intellectual property
- Assign profiles by users according to the position
- Develop necessary policies to protect the information generated in the technological
environment of applications and services
- Comply with and enforce the policies, procedures and actions determined by all users.
- Security Profile Verification
- Ensure business continuity
- Participate in Audits related to computer security
- Research, regarding issues concerning information security (ISO, COBIT)
- Identification, management and administration of the Information Technology Risk Map
- Preparation of action plans to mitigate identified risks that contain identifiers such as cost,
time, return on investment.

7.2.4. Internal audit

Internal Audit staff is responsible for monitoring compliance with internally defined
standards and guides. The periodic evaluation of the information security controls defined by
the Cooperative must be included in the annual audit plan. Internal audit must collaborate
with the computer security area in the identification of threats and vulnerabilities related to
the information security of the Cooperative.

7.2.5. Cooperative Staff

Cooperative staff comprises all employees of the Cooperative who handle information of any
type and who use the company's information systems to carry out their professional activity.
This staff has the following standards and responsibilities:

- Respect and follow the rules and procedures defined in the Cooperative's security policy.
- Maintain the confidentiality of the information they handle.
- Make good use of the organization's assets.
- Respect current legislation and regulations.
- Notify the security manager of security anomalies or incidents, as well as suspicious
situations.
- Do not access data by taking advantage of their privileges without authorization from the
head of the IT Department or the security manager.
- Do not reveal any possible weakness in system security to third parties without prior
authorization from the head of the IT Department or the security manager.

7.3. Security in the use of electronic transfers

- Have a technological platform that allows strong encryption.
- Have authorization privileges and authentication measures, with logical access controls
that consider at least two of three factors ("something that is known, something that is
possessed, or something that is"), one of which must be dynamic, changing each time a
transaction is made, and another of which must be a one-time password (OTP, One Time
Password). Entities may implement, among others, biometric controls for access to the
internet environment.
- Protect the integrity and privacy of the records and information of partners, clients or
users;
- Recognize the validity of the transfers made;
- Set limits for each authorized transfer;
- Make it impossible for the transfer value to exceed the available balance or the limit
established for a period of time;
- Allow the balance of the client, partner or user's account to be consulted, validated,
credited or debited in real time;
- Allow the partner or client to obtain reports for the reconciliation of their movements
carried out through any electronic terminal, informing the maximum time frame to which
the consultation can be accessed; and,
- Generate proof of the transaction with the details necessary for reconciliation.
- The systems used for electronic transfers must generate files that support the detailed
background of each operation, so that they can be used in certification or audit processes.
- The electronic transfer systems implemented by entities must have security profiles that
guarantee that the authorized person holds the usage privileges, as well as non-repudiation
of the transactions carried out.
- Electronic transfer systems must allow, at any time and in real time, the blocking of the
use of the system when unusual events are detected or when fraudulent situations are
noticed or after a maximum number of three failed access attempts. Secure procedures
must be established to lift the block, for which the corresponding notifications must be
provided to the partner, client or user.
- The continuity of operations of the systems used for electronic transfers must cover
fortuitous events or force majeure, considering the use of backup equipment through
contingency procedures, in such a way that it does not interrupt the normal functioning of
the systems.
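The controls listed in section 7.3 (a dynamic factor that changes with every transaction, a one-time password, a limit per authorized transfer, no transfer beyond the available balance or the limit set for a period, blocking after a maximum of three failed access attempts with notification to the member, a secure unblock procedure, and a detailed record of each operation for reconciliation and audit) can be expressed as a small authorization routine. The Python below is an added example, not the Cooperative's system; the account figures, the period limit, the six-digit OTP format and the named approver in the unblock procedure are constructed assumptions.

```python
"""Electronic transfer authorization modelled on the controls in section 7.3.

Added example, not the Cooperative's code. Account figures, the period limit,
the six-digit OTP format and the unblock approver are constructed assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 3  # the manual: block after a maximum of three failed access attempts


@dataclass
class Account:
    owner: str
    balance: int               # minor currency units
    per_transfer_limit: int    # limit for each authorized transfer
    period_limit: int          # assumed: total allowed within the period
    period_used: int = 0
    failed_attempts: int = 0
    blocked: bool = False
    pending_otp: Optional[str] = None
    notifications: List[str] = field(default_factory=list)
    journal: List[dict] = field(default_factory=list)


def issue_otp(acct: Account) -> str:
    """Issue the one-time password for the next transaction (the dynamic factor)."""
    acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_otp


def _record(acct: Account, outcome: str, amount: int, dest: str, detail: str) -> None:
    """Journal every operation, accepted or not, for reconciliation and audit."""
    acct.journal.append({"owner": acct.owner, "outcome": outcome, "amount": amount,
                         "destination": dest, "detail": detail,
                         "balance_after": acct.balance})


def transfer(acct: Account, otp: str, amount: int, dest: str) -> str:
    """Authorize one transfer and return the outcome; checks run in the order shown."""
    if acct.blocked:
        _record(acct, "rejected", amount, dest, "account blocked")
        return "rejected: account blocked"
    # The OTP is valid for exactly one transaction; a replay finds no pending OTP.
    if acct.pending_otp is None or not hmac.compare_digest(
            acct.pending_otp.encode(), otp.encode()):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.blocked = True
            acct.notifications.append("account blocked after repeated failed access attempts")
        _record(acct, "rejected", amount, dest, "invalid OTP")
        return "rejected: invalid OTP"
    acct.pending_otp = None      # consumed even if a later check rejects the amount
    acct.failed_attempts = 0
    if amount <= 0 or amount > acct.per_transfer_limit:
        _record(acct, "rejected", amount, dest, "exceeds per-transfer limit")
        return "rejected: exceeds per-transfer limit"
    if amount > acct.balance:
        _record(acct, "rejected", amount, dest, "insufficient balance")
        return "rejected: insufficient balance"
    if acct.period_used + amount > acct.period_limit:
        _record(acct, "rejected", amount, dest, "exceeds period limit")
        return "rejected: exceeds period limit"
    acct.balance -= amount
    acct.period_used += amount
    _record(acct, "accepted", amount, dest, "ok")
    return "accepted"


def unblock(acct: Account, approved_by: str) -> None:
    """Assumed secure unblock procedure: a named approver, and the owner is notified."""
    acct.blocked = False
    acct.failed_attempts = 0
    acct.pending_otp = None
    acct.notifications.append(f"account unblocked, approved by {approved_by}")


def scenario() -> dict:
    """Walk one constructed account through every control and return what happened."""
    acct = Account(owner="member-0001", balance=1000, per_transfer_limit=500, period_limit=990)
    outcomes = []
    otp = issue_otp(acct)
    outcomes.append(transfer(acct, otp, 300, "dest-A"))              # accepted
    outcomes.append(transfer(acct, otp, 100, "dest-A"))              # replayed OTP
    outcomes.append(transfer(acct, issue_otp(acct), 600, "dest-B"))  # over per-transfer limit
    outcomes.append(transfer(acct, issue_otp(acct), 500, "dest-B"))  # accepted
    outcomes.append(transfer(acct, issue_otp(acct), 300, "dest-C"))  # insufficient balance
    outcomes.append(transfer(acct, issue_otp(acct), 150, "dest-C"))  # accepted
    outcomes.append(transfer(acct, issue_otp(acct), 50, "dest-C"))   # over period limit
    for _ in range(MAX_FAILED_ATTEMPTS):                             # no OTP issued: three failures
        outcomes.append(transfer(acct, "000000", 10, "dest-D"))
    blocked = acct.blocked
    outcomes.append(transfer(acct, "000000", 10, "dest-D"))          # rejected while blocked
    unblock(acct, "information-security-manager")
    outcomes.append(transfer(acct, issue_otp(acct), 20, "dest-E"))   # accepted again
    return {"outcomes": outcomes, "final_balance": acct.balance, "blocked": blocked,
            "notifications": acct.notifications, "journal": acct.journal}
```

Every call to `transfer` writes a journal entry whether or not it is accepted, so rejected attempts (including the ones that trigger the block) are available to the certification and audit processes the section requires; the OTP comparison is constant-time and the code is discarded after a single use, so a captured code cannot be replayed for a second transaction.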

7.4. Service level agreements (SLAs)

The Cooperative must have:

- Information Technology is responsible for negotiating Service Level Agreements and
ensuring that they are met.
- Act as the main interface between the client and the IT services provided to the
Cooperative, for the definition, negotiation, agreement, monitoring, reporting and review
of service levels.
- Be responsible for maintaining the Service Catalog, ensuring that all information in
the Service Catalog is accurate, correct and up-to-date.
- Monitor the effectiveness of the Service Catalog and make recommendations for
improvement.
- Produce management reports based on the results of the rhythms obtained within the
technological services obtained.

8. General provisions

- All doubts or matters not provided for in these regulations will be known and resolved in
the sole and final instance by the General Manager and the Board of Directors.
- Manuals and internal resolutions that oppose this manual are repealed.

This manual will come into force once the Board of Directors approves it.
Given in …

President of the Council of Administration
Secretary of the Council of Administration

This manual of the xxxx Savings and Credit Cooperative was debated and approved by the
Board of Directors, the

Secretary of the Council of Administration
