Information Security Policy
Purpose
Information is one of the most critical assets of Global Exchange, which is why it is essential to establish appropriate measures wherever information is stored, transmitted or processed. The purpose of Global Exchange's Information Security Policy is to ensure the confidentiality, integrity and availability of data, and to comply with the legal obligations and information security best practices applicable to the development of its activities.
Objective
The main objective of this policy is to define the necessary measures to guarantee the integrity, availability and confidentiality of the information managed by the Global Exchange Group.
This policy is elaborated and put into practice through standards, guidelines, manuals, plans and procedures, which will be updated whenever necessary to meet new requirements arising from technological and business developments.
This Information Security Policy has been drafted with reference to the main information security frameworks, regulations and standards, both national and international, notably:
- ISO/IEC 27001
- ISO 22301 (business continuity management)
- ISO 31000 (risk management)
- Spanish National Security Framework (Esquema Nacional de Seguridad, ENS)
- Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554)
- National and international legislation on Cybersecurity
- National and international legislation on Data Protection (GDPR, LOPDGDD)
- National and international legislation on Intellectual Property
- Legislation on Information Society and Electronic Commerce
- Legislation on Security in Networks and Information Systems
Principles
Global Exchange's information security policy will be developed, in general, according to the following principles:
- Principle of confidentiality: information technology assets shall be accessible only to those users, bodies, entities or processes expressly authorised to access them, in accordance with the applicable obligations of professional secrecy and confidentiality.
- Principle of integrity and quality: the maintenance of the integrity and quality of the information, as well as its processing, must be guaranteed, establishing mechanisms to ensure that the processes of creation, processing, storage and distribution of information contribute to preserving its accuracy and correctness.
- Principle of availability and continuity: a high level of availability in ICT assets will be guaranteed and the necessary plans and measures will be provided to ensure service continuity and recovery in the event of serious contingencies.
- Principle of traceability: measures will be implemented to ensure that at all times it can be determined who did what and when in order to have the capacity to analyze detected security incidents.
- Principle of risk management: a continuous process of risk analysis and treatment should be articulated as a basic mechanism on which the security management of ICT assets must rest.
- Principle of awareness and training: initiatives will be put in place so that users know their duties and obligations regarding the secure handling of information. Likewise, specific information security training will be promoted for all those who require it.
- Principle of prevention: specific plans and lines of work will be developed aimed at preventing fraud, non-compliance or incidents related to information security.
- Principle of continuous improvement: the degree of effectiveness of the implemented information security controls will be reviewed, in order to adapt them to the constant evolution of risks and the technological environment of Global Exchange.
- Principle of least privilege: each user, process or component shall be granted only the access rights to the information and resources that are strictly necessary for its legitimate purpose, and no more.
- Need-to-know principle: access to information or systems shall be restricted to those persons who need it to perform their functions, so that authorisation to a system does not by itself imply access to all the information it holds.
- Zero Trust principle: following the "never trust, always verify" model, no user, device or network location is trusted by default, even inside the corporate network; every access request shall be authenticated and authorised before it is granted.