Information security policy

The Privacy and Information Security Policy sets out the guidelines and principles established by CEDIA to guarantee the protection of information, as well as compliance with the defined security objectives; thus ensuring the confidentiality, integrity and availability of information systems.

CEDIA is committed to complying with Ecuadorian regulations on the protection of personal data and recognizes the importance of safeguarding the privacy and security of the information of its members, suppliers, and collaborators. In this context, this policy constitutes the framework for the Information Security Management System based on the ISO 27001 standard and the Organic Law on the Protection of Personal Data, as well as the guidelines of the Data Governance Program. The program's set of objectives and planned activities aims to institutionally improve CEDIA's data management.

CEDIA's management recognizes the vital importance of information security and compliance with personal data protection regulations in the workplace; therefore, it assumes and establishes the following commitments in relation to the Information Security Management System and Information Privacy:

  • Establish information security objectives aligned with the corporate strategy, ensuring consistent and proactive management of security-related risks.
  • Integrate security and privacy requirements into all organizational processes, ensuring that they are an essential component in every activity.
  • Allocate and guarantee the physical, human, economic and technological resources necessary to maintain a robust and effective information security management system.
  • Communicate the importance of effective information security and privacy management, ensuring that all members of the organization understand their role and responsibility in protecting confidential and restricted information.
  • Regularly evaluate the performance of the information security management system and take steps to improve and optimize the expected results.
  • To provide direction and support to all employees to foster a culture of information security and protection of personal data, in which each individual contributes to the effectiveness of the ISMS.
  • Promote the continuous improvement of the information security management system through the constant review of processes, policies, and practices.
  • To guarantee the protection of the privacy of data and personal information, complying with applicable privacy regulations and standards.
  • Support relevant roles and areas of responsibility to demonstrate leadership in protecting information privacy.
  • Provide regular training to all CEDIA staff regarding security management, information privacy, and personal data protection, so that they are aligned with best practices and regulatory requirements.
  • Ensure that CEDIA staff comply with all policies, procedures, and instructions related to information security and data privacy.
  • To provide the necessary means to implement processes and projects that contribute to compliance with regulations on the protection of personal data.
  • Promote a secure work environment where information security and privacy are key priorities.

Through the implementation of this policy, we seek to safeguard the confidentiality, integrity, and availability of information systems, as well as respect and protect data privacy. We are committed to continuous improvement and compliance with relevant security and privacy regulations and standards.

1.1.1. On Security:

  • Increase the Information Security competence of employees.
  • To properly manage information security risks.
  • Improve response to Information Security Incidents.
  • Ensure that appropriate levels of integrity, confidentiality, and availability are met.
  • Ensure the continuity of CEDIA's critical services by implementing a Business Continuity Plan.
  • Measure the level of stakeholder satisfaction regarding information security.

1.1.2. Privacy and Protection of Personal Data:

  • Ensure the confidentiality, integrity, and availability of information.
  • Comply with current and applicable legal requirements.
  • To create a culture of privacy through ongoing training and awareness-raising for all employees regarding the protection of personal data.
  • To meet the expectations and needs regarding the protection of personal data of collaborators, members, suppliers and other interested parties.
  • Properly manage all incidents that occur in accordance with the current internal instruments, which are aligned with industry best practices.
  • Inform all employees about their roles and responsibilities regarding the protection of personal data, and also communicate that this policy is mandatory.
  • Permanently implement the continuous improvement plan for personal data protection within the organization.
  • To establish the principles and rules for compliance with the Data Governance program and the Information Security Management System, in strict compliance with current regulations on Personal Data Protection, with the firm will to respect the right to data protection of all natural persons subject to processing at CEDIA, as well as their right to honor and privacy.
  • To raise awareness of personal data protection regulations among all employees, since respecting the precepts included in the regulations is the responsibility of all members of CEDIA. 
  • Maintain over time the regulatory compliance procedures that have been implemented in the organization. 
  • Disseminate the security standards, measures and safeguards that affect CEDIA staff in the performance of their duties involving personal data.

To ensure the proper functioning of the ISMS and to meet the established objectives and requirements, CEDIA's management has appointed an ISMS Manager, a Personal Data Protection Officer and an Information Security Committee that will ensure compliance with the guidelines set out in this policy.

The Privacy and Information Security Policy, as well as the Information Security Management System processes and the Internal Personal Data Protection Program, are subject to periodic reviews at planned intervals or when significant changes occur. These reviews are conducted to ensure that the policy and processes remain appropriate, effective, and efficient on an ongoing basis. These reviews are scheduled annually as part of the internal audit process for the ISMS and compliance with personal data protection regulations.

Furthermore, monitoring procedures have been implemented to provide essential information on the proper functioning of the ISMS. These monitoring procedures allow for continuous evaluation and effective oversight of the effectiveness of our information security measures. In this process, management plays a crucial role by leading the ISMS review; through in-depth analysis, potential areas for improvement and deficiencies in the ISMS are identified to implement enhancements and ensure its optimal functionality.

The Privacy and Information Security Policy is communicated internally through the corporate intranet and in the annual staff training plan. A copy of this policy is also available to external stakeholders of CEDIA through the corporate website.

This communication strategy ensures that both employees and external stakeholders can clearly access and understand our privacy and information security commitments. We are committed to transparent and responsible disclosure of our policy, demonstrating our strong commitment to information security and privacy in all aspects of our operations.