Proeza Information Security Management for Supplier Relationships Policy (PDF)

Summary

This document outlines Proeza's information security management policy for supplier relationships. It details guidelines for maintaining confidentiality, integrity, and availability of information systems for third-party service providers. The policy covers various aspects, including contract procedures, security requirements, and risk management.

Full Transcript

INFORMATION SECURITY MANAGEMENT FOR SUPPLIER RELATIONSHIPS POLICY
POL-GPZ-INS-IT-08
Issue date: January 2023
Version: 03
Last update: Jan-31-2023
Approved by: IT and Cybersecurity Committee
Area: Information Security
Information for internal use

1 OBJECTIVE

1.1 Establish the guidelines to follow to maintain an appropriate level of Information Security in the services contracted to third parties, so as to preserve the Confidentiality, Integrity and Availability of the information systems of the companies in Grupo Proeza, S.A.P.I de C.V. (Proeza).

2 SCOPE

2.1 Global: applies to all suppliers of IT services and technological platforms that maintain a relationship with Proeza companies.

3 GUIDELINES

GENERAL

3.1 All contracts with service suppliers related to Information Technology must be channeled through the IT Coordinators of the Proeza companies before they are contracted.

3.2 IT Coordinators must ensure that the products or services provided by suppliers comply with the Information Security controls based on corporate policies.

3.3 All economic proposals must be requested from the supplier by the Purchasing area; Purchasing is responsible for the commercial negotiation with suppliers in accordance with the internal policy of each company.

3.4 IT Coordinators must define the scope of the service and the technical or functional requirements that the service provider must meet, and must hold meetings with the Purchasing area.

3.5 All operations contracted with third parties that handle information from Proeza companies must have the appropriate contract or a non-disclosure agreement (NDA), which must cover the proper handling of the information as agreed by both parties. Said contract must be authorized and signed in accordance with the internal process of each company.

3.6 The Coordinators or project leaders are responsible for requesting the requisition and following up with the person in charge of generating it, who will hold its status, in accordance with the internal procedure of each company.

EVALUATION AND SELECTION OF IT SERVICE SUPPLIERS

3.7 For any evaluation or Proof of Concept (PoC) of products with third parties, the Coordinators or project leaders must:
▪ Classify the IT services provided by third parties based on the sensitivity of the information; such classification can range from requisition.
▪ Ensure that the Confidentiality Agreement (NDA) is signed prior to any exchange of information with third parties during the supplier selection or evaluation process, as applicable.
▪ Prior to the negotiation, involve the Information Security Specialist so that together they verify that the IT service provider complies with the appropriate Information Security controls that help minimize the impact of a possible security event.
▪ Adhere to the internal processes and procedures defined in each Proeza company.

3.8 The Coordinators or project leaders, together with the Purchasing area, must carry out a market analysis to verify client references for the service provider to be contracted, including its certifications.

RECRUITMENT OF IT SERVICE SUPPLIERS

3.9 During the contracting process, the Purchasing area must ensure that the selected supplier meets the following requirement for the provision of the service:
▪ A training plan for the personnel under its responsibility that provides services to Proeza companies is included in the service proposal.

3.10 Applies only to platforms and software managed from the service provider's infrastructure, which must have the following Information Security controls; the Project Coordinators and Leaders are responsible for ensuring compliance:
▪ Data backup.
▪ Response plan for information security incidents and risk management, including recovery and notification.
▪ Protection of information in transit and at rest through encryption mechanisms.
▪ Formal process for the authorization and secure deletion of information of the processing companies in case of termination of the service.
▪ Platform updates.
▪ Monitoring mechanisms necessary to supervise compliance with the information security requirements.
▪ Relevant contacts for information security issues.
▪ Ideally, certification against an international standard such as ISO 27002.

3.11 It must be established by contract that any impact on the Proeza companies related to any vulnerability of the service offered or of the contracted product, or to negligence, will be the responsibility of the Supplier, who must cover the compensation and repair of the damage caused, after negotiation with the Purchasing area.

3.12 The Information Security Specialists must define the pertinent Information Security requirements and agreements with the Service Suppliers according to the contracted service.

3.13 The agreements with the Service Suppliers must ensure a clear understanding of the obligations of both parties and must cover at least the following. The Coordinators or project leaders are responsible for ensuring these are included in the contract, with the support of the Purchasing area and accompanied by the Information Security Specialist.
▪ Description of the type of information to which the service provider will have access or that must be provided to it.
▪ Confidentiality clauses for the protection of the data that will be exchanged during the provision of the service, including, where applicable, personally identifiable information (PII), intellectual property rights and copyright.
▪ Service Level Agreements (SLA) necessary to guarantee the availability of the contracted or acquired service delivered by the provider.
▪ Termination clauses at the conclusion of the service agreement, including the return of technological assets or information, if applicable.

3.14 The process of evaluation and contracting of information technology services from suppliers will be in accordance with the internal policies and processes of each Proeza company.

SECURITY RISK MANAGEMENT WITH IT SERVICE SUPPLIERS

3.15 All personnel who contract IT services must, at their discretion, request that the IT Service Supplier provide an updated risk analysis of the infrastructure or service provided to Proeza companies.

RESPONSIBILITIES

3.16 The IT Coordinators of each Proeza company are responsible for requesting the following from service suppliers:
▪ A semi-annual report on the effectiveness of information security controls and, if applicable, an action plan for timely correction according to the results of the report.
▪ A change management process in accordance with best practices that ensures advance notification to the company in question and the possibility for the company to accept or reject the changes.
▪ Delivery of the service in accordance with the provisions of the service contract.
▪ Monitoring of compliance with the SLA performance levels of the service agreed by contract.

3.17 IT Coordinators must request that the Purchasing area include in the negotiation a training plan for the personnel who will oversee the platform contracted to Service Suppliers, indicating the type of training required.

3.18 If the platform is managed through the service provider, the Purchasing area must consider including by contract the continuous training of the service provider's personnel, covering, among other topics, a response plan for information security incidents and risk management.

3.19 Information Security Specialists are responsible for:
▪ Carrying out a random review of at least 10% of supplier service contracts to validate their compliance with information security controls.
▪ Identifying information security risks and vulnerabilities in relationships with suppliers.

POLICY VIOLATIONS

3.20 Any violation of or non-compliance with this policy will be referred to the Proeza Cybersecurity Expertise Center (EC), which will involve the Labor area if required and will jointly define the disciplinary processes to be followed.

4 REVIEW AND APPROVAL

Table columns: Version; Issue Date; Elaborated by; Reviewed by; Internal Control; Authorized by.
Entries:
Israel Leal Magaña, Metalsa Internal Control Co.
Hernan Macias, Cybersecurity and IT Center of Expertise (EC) Co.
Carlos Guillen, Digitization and Cybersecurity
Ana Santacruz Zano, IT Coordinator
Jan-31-2023, 1
Ma. Reyes Mora, IT Security & Compliance Sp.
Antonio Medina, Astrum IT Coordinator
Edna Melissa Garza Cantu, Global Procurement Process Development Coordinator, Metalsa
Signatures

5 RELATED DOCUMENTS

5.1 POL-GPZ-INS-IT-14 Information Classification and Management

References:
- ISO 27002:2022 5.19 Information Security in Supplier Relationships
- ISO 27002:2022 5.20 Addressing Information Security Within Supplier Agreements
- ISO 27002:2022 5.22 Monitoring, Review & Change Management of Supplier Services

6 ANNEXES

7 RECORD OF CHANGES

Version 3, January 2023: Policy creation in accordance with the ISO27002:2022 reference framework.

Consent record (timestamps)
Israel Leal Magana ([email protected]) created the document from IP address 189.218.6.200, Feb 02, 2023, 09:33:08 CST
Israel Leal Magana ([email protected]) signed the document from IP address 189.218.6.200, Feb 02, 2023, 09:33:08 CST
Signature request sent to Ma Reyes Mora ([email protected]), Feb 02, 2023, 09:39:30 CST
Signature request sent to Carlos Guillen ([email protected]), Feb 02, 2023, 09:39:30 CST
Signature request sent to Ana Santacruz ([email protected]), Feb 02, 2023, 09:39:30 CST
Signature request sent to Antonio Medina ([email protected]), Feb 02, 2023, 09:39:30 CST
Signature request sent to Edna Garza ([email protected]), Feb 02, 2023, 09:39:30 CST
Signature request sent to Hernan Macias ([email protected]), Feb 02, 2023, 09:39:30 CST
Ma Reyes Mora ([email protected]) signed the document from IP address 187.161.242.171, Feb 02, 2023, 10:01:36 CST
Carlos Guillen ([email protected]) signed the document from IP address 38.65.147.81, Feb 02, 2023, 10:07:27 CST
Hernan Macias ([email protected]) signed the document from IP address 189.159.164.246, Feb 02, 2023, 16:05:25 CST
Ana Santacruz ([email protected]) signed the document from IP address 207.248.244.98, Feb 03, 2023, 09:59:48 CST
Antonio Medina ([email protected]) signed the document from IP address 187.192.27.170, Feb 09, 2023, 16:20:17 CST
Edna Garza ([email protected]) signed the document from IP address 201.173.64.222, Feb 09, 2023, 23:45:15 CST
Document certified by Advantage Security, S de RL de CV as a Certification Service Provider authorized by the Secretaría de Economía in compliance with NOM 151, Feb 09, 2023, 23:45:16 CST
Document encrypted and integrated into a private blockchain for guaranteed document integrity at: https://app.weetrust.mx/validation, Feb 09, 2023, 23:45:16 CST
DOCUMENT ID: NjNkYmQ3NzkxMTg5MDMwMDM0N2UzZWMw
