Cybersecurity policy
Autonomic SAS adheres to security policy guidelines by creating various controls to ensure the confidentiality, integrity, and availability of all data within the company.
Confidentiality:
- Role-based access control for data access:
  - Administrator: Access to all platform features except deleting information.
  - Operator (Recruiter, Salesperson, Telemarketer): Limited access to user information. This role cannot delete, export, or import information without authorization.
- Access controls for the company’s various applications. Only the administrator can access all applications and will decide who can access them.
- Access control for databases.
Integrity:
- Periodic updates of the data.
- Permission control for data modification.
Availability:
- Creating database backups.
- Use of SaaS technologies for data access.
Acceptable Use Policy:
Regulation of Use:
- Acceptable Use:
  - Perform assigned responsibilities using devices assigned by the organization.
  - Access organizational systems with assigned devices.
  - Use messaging and email applications for communication.
  - Participate in training programs and access educational resources provided by the company.
  - Use the browser authorized by the company for the execution of responsibilities.
  - Use professional platforms such as LinkedIn to develop networking and work-related activities.
  - Manage authorized applications (Google Workspace, Zoho, LinkedIn Suite, Canva and Apollo) on authorized business devices and work environments.
  - Use applications that enable organizational security.
  - Use secure authentication methods, such as strong passwords and two-factor authentication.
- Unacceptable Use:
  - Using corporate devices for personal activities that are not work-related.
  - Visiting websites with inappropriate, offensive, or illegal content.
  - Not using the organization’s default browser.
  - Using personal social networks during work hours on corporate devices.
  - Installing applications, programs, or software that have not been approved by the IT department and/or are not licensed.
  - Performing organizational responsibilities using unauthorized software.
  - Downloading and using games or entertainment applications that are not for work purposes.
  - Sharing passwords or login credentials with unauthorized persons.
  - Sharing equipment provided by the organization with unauthorized persons.
  - Disabling or attempting to circumvent security measures implemented on devices.
  - Disclosing confidential or sensitive information to unauthorized persons.
  - Allowing unauthorized persons access to organizational systems.
  - Storing corporate information on devices or services not approved by the company, such as personal computers.
  - Sending emails or messages with offensive, discriminatory or harassing content.
  - Using company-owned devices for any illegal activity, including downloading copyrighted content.
Privacy Policy:
Purpose: AUTONOMIC SAS will implement all actions within its reach to comply with the protection and processing of personal data for which it is responsible or in charge, especially to protect the rights to privacy, confidentiality, and good name, as well as the rights to know, update, and rectify the data of data subjects collected in its own databases or processed on behalf of third parties. Therefore, this manual applies both to the protection of personal data currently processed and any data that may be processed in the future, as well as to the processing of data of employees, clients, suppliers, and contractors.
Information Collected:
- Name
- Mobile phone number
- City – Location
- LinkedIn profile
- Employment information
- Salary information
- Academic information
Collection methods: Information is collected through forms that connect directly to AUTONOMIC SAS databases.
Purposes of Use: i) Maintain labor relations with its employees, draft employment contracts, link to the social security system, and pay salaries and social benefits. Likewise, keep staff constantly trained on different issues related to their activity, preparing them for the performance of their duties; ii) carry out the development of its corporate purpose; iii) make payment of its financial, labor, and contractual obligations; iv) provide information to clients and users regarding the services it provides in the development of its corporate purpose, for which it may send information electronically or make telephone or personal contact with the owners; v) present commercial proposals for the sale of products and services to individuals or legal entities; vi) process requests, complaints, or claims made by users or clients; vii) attend to the administrative requirements of district, departmental, or national entities; viii) respond to requests made by judges of the Republic, conciliators, arbitrators and other entities with judicial functions, arising from legal actions that are promoted by or against AUTONOMIC SAS, for which it has obtained the prior, informed and express consent of the data owners and those responsible for the processing of personal data, thus guaranteeing the rights to data protection.
Legal Basis for Processing: In the processing of personal data carried out by AUTONOMIC SAS, all the principles enshrined in Title II, Article 4 of the General Regime for the Protection of Personal Data, Law 1581 of 2012 and the regulations that develop and complement it, apply.
Sharing with third parties: CONFIDENTIALITY AND SECURITY OF DATABASES. AUTONOMIC SAS uses all human, technical, and technological resources at its disposal, making every effort to ensure the security and confidentiality of the personal data for which it is responsible or in charge. Regarding confidentiality, AUTONOMIC SAS undertakes to sign confidentiality agreements with third parties in the event that agreements are entered into to share personal data for the provision of value-added legal, commercial, and other services.
- Physical Security
Physical Controls: AUTONOMIC SAS defines the following controls for the protection of its physical assets:
- USB blocking for mobile and laptop devices. Data transfer is blocked.
- Blocking unauthorized software installation through physical media.
- Logging of all entries and exits, as well as unauthorized access attempts.
Disaster Protection:
- Insurance policy through the equipment leasing provider for the protection of electronic devices.
- Logical Security
Access control:
- Location-based access control: Access to corporate systems is only permitted within Colombia.
- Access control under approval: For access to organizational accounts, the organizational administrator or manager must review all login conditions to authorize entry.
- Role-segmented access control:
  - Administrator: Access to all platform features except deleting information.
  - Operator: Limited access to user information. This role cannot delete, export, or import information without authorization.
- Authentication and authorization:
  - A maximum of 3 concurrent sessions per user.
  - Access control under multi-factor authentication (MFA).
  - Passwords with a minimum of 15 characters.
  - Mixed passwords (alphanumeric, uppercase, lowercase, and special characters).
  - Password age with a maximum of 90 days. Control applied in Zoho One and Google Workspace.
  - Password history: the last 10 passwords may not be reused.
  - Open sessions time out after 4 hours of inactivity.
  - A maximum of 3 login attempts.
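The parameters in the authentication list above (15-character minimum, mixed character classes, 90-day maximum age, 10-password history, 3 login attempts, 3 concurrent sessions, 4-hour idle timeout) are enforced by Zoho One and Google Workspace in this policy. The following is an added example, not AUTONOMIC SAS code, showing how the same rules can be checked in a self-hosted system; it assumes PBKDF2-SHA256 password hashing with a per-account salt, and the account model, function names and constructed sample inputs are illustrative.

```python
"""Password and session policy checks modelled on the authentication
requirements above (added example; the constants mirror the policy)."""
from __future__ import annotations
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 15                   # minimum password length
MAX_AGE = timedelta(days=90)      # maximum password age
HISTORY_SIZE = 10                 # number of previous passwords that may not be reused
MAX_ATTEMPTS = 3                  # failed logins before the account locks
MAX_SESSIONS = 3                  # concurrent sessions per user
SESSION_IDLE = timedelta(hours=4) # idle time after which a session expires


def password_meets_complexity(pw: str) -> list[str]:
    """Return the list of complexity rules the password violates (empty = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 (assumed scheme); the per-account salt lets history entries be compared
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    changed_at: datetime = datetime.min
    history: list[bytes] = field(default_factory=list)  # last HISTORY_SIZE digests, current included
    failed_attempts: int = 0
    locked: bool = False
    sessions: list[datetime] = field(default_factory=list)  # last-activity time per open session


def set_password(acct: Account, pw: str, now: datetime) -> list[str]:
    """Apply complexity and reuse rules; returns violations, empty when the change was accepted."""
    problems = password_meets_complexity(pw)
    digest = _hash(pw, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history):
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    if problems:
        return problems
    acct.current = digest
    acct.changed_at = now
    acct.history = (acct.history + [digest])[-HISTORY_SIZE:]
    return []


def password_expired(acct: Account, now: datetime) -> bool:
    return now - acct.changed_at > MAX_AGE


def login(acct: Account, pw: str, now: datetime) -> str:
    """Returns 'ok', 'expired' (correct password past MAX_AGE), 'denied' or 'locked'."""
    if acct.locked:
        return "locked"
    if acct.current and hmac.compare_digest(_hash(pw, acct.salt), acct.current):
        acct.failed_attempts = 0
        return "expired" if password_expired(acct, now) else "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "denied"


def open_session(acct: Account, now: datetime) -> bool:
    """Drop sessions idle longer than SESSION_IDLE, then enforce the concurrent-session cap."""
    acct.sessions = [last for last in acct.sessions if now - last <= SESSION_IDLE]
    if len(acct.sessions) >= MAX_SESSIONS:
        return False
    acct.sessions.append(now)
    return True


if __name__ == "__main__":
    # Constructed walk-through: compliant password, reuse rejected, lockout after 3 failures.
    acct, t0 = Account("jdoe"), datetime(2024, 1, 1)
    print(set_password(acct, "Correct-Horse-Battery-9", t0))   # []
    print(set_password(acct, "Correct-Horse-Battery-9", t0))   # reuse violation
    print([login(acct, "wrong", t0) for _ in range(3)])         # denied, denied, locked
```

The history check compares digests rather than plaintext, which only works because every entry for an account is hashed with the same salt; a deployment that rotates the salt on each change would have to keep the old salts alongside the old digests.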
User and account management:
- User creation and management for Google Workspace is handled using Okta Verify technology, which functions as an identity management and MFA tool. The administrator must first create users in Google Workspace and then integrate them with Okta Verify to access security options.
- In the case of Zoho One, the administrator must access the dashboard and create the user, then grant them permission to the applications required by the role type.
Remote access control:
- For remote access, all users must use corporate credentials; only company-issued equipment is permitted.
- The only tool allowed for remote access is Zoho Assist.
- Information Security Controls
Classification of information:
- Public Information: The only information that may be publicly disclosed relates to vacancies for which recruitment is being conducted. Internal guidelines may restrict this information from being disclosed.
- Internal Information: Internal information includes all databases that store relevant company information: supplier database, shareholder database, board of directors and employee database, and talent database. This information may not be used in AUTONOMIC SAS media outlets, and may not be shared under any circumstances without prior approval from the data owner and the organizational manager.
Encryption:
- All data in Zoho One Suite applications is encrypted using AES (Advanced Encryption Standard), a symmetric cipher in which the same key is used to encrypt and decrypt.
- Data within Google Workspace tools is encrypted using the CLC method configured in the tool’s console.
Backup and Recovery: Our backup policy is distributed to the databases where the most relevant information is stored:
- Zoho One: Two major applications containing the organization’s talent and client data are backed up. Two monthly backups of all data are performed for both applications.
Data Retention and Deletion: The following controls were implemented for data retention and deletion:
- Only the Super Administrator profile can delete data from Zoho One databases. No other profile can perform this action.
- Only the super administrator will be able to import external data into the databases.
- Only the super administrator will be able to create integrations or connections via APIs.
- Developer roles within databases are only available to the super administrator.
- Network Security Controls
Firewalls: All Autonomic SAS domains are protected by Cloudflare technology through the following controls:
- DDoS protection.
- Security rules identified in OWASP.
- SSL/TLS Certificates.
- Access control.
- Traffic control.
- Bot Management.
- DNS Firewall
- Application Security Controls
Secure development: For application development, AUTONOMIC SAS relies on code storage technologies such as GitLab, which provides features that help ensure secure code, such as MFA for project members. Additionally, the list of people with access to the code is periodically reviewed to remove unauthorized users. All integrations with third-party applications are also protected through tokens that are rotated periodically.
Security Testing and Remediation: AUTONOMIC SAS does not have an active penetration testing plan since its operation mostly works under third-party applications.
- Security Incident Management
Incident Response Plan: In the event of cybersecurity incidents, AUTONOMIC SAS has defined a team of administrators who will be able to respond to incidents based on the Organizational Cybersecurity Policy. These administrators have all the necessary permissions within the organizational platforms to mitigate security breaches.
- Incident Response Team:
  - General manager
  - IT Project Manager
Incident Reporting: To report potential incidents or security breaches, a support channel has been created through the Zoho Desk application. Users can leave all the details of the incident based on a template that ensures all the relevant information is included. This template suggests providing the following information: Date and time, Description of the issue, Location, Name of the affected application, Possible actions taken, and Unusual activity observed.
Lessons learned: All lessons learned will be documented in this document to strengthen the Organizational Cybersecurity Policy. Once updated, a record must be kept of the person who made the change and the date.
- Training and Awareness
Training program: The team is trained on the organizational cybersecurity policy and, in turn, on good cybersecurity and computer security practices, as part of its training and development process.
- Review and Update
Review Procedure: This policy will be reviewed semiannually by the company’s general manager and the project leader. This is to validate potential structural changes for the evolution and improvement of organizational guidelines regarding the proper use of computer security practices and the protection of confidential data.
- Audit
Audits: To ensure proper implementation and sustainability of the current policy, random bimonthly audits are conducted.
Additionally, a due diligence process is conducted annually with a partner law firm to ensure the objectivity of the process. This process includes a cross-company audit of the company against national and international legal regulations. A report of findings is generated with an action plan to address any new developments.