The Organization's Information Security Policy:
- Protects the confidentiality of customer and employee information to ensure the privacy of personal information.
- Implements the infrastructure and controls necessary to protect the integrity of information and guarantee its continuous availability.
- Ensures that authorization follows the principle of separation of duties across the design, development, testing, and implementation processes, and establishes an approval mechanism for critical operations.
- Ensures the physical and logical separation of Development, Testing, and Production environments.
- Ensures that the principle of minimum necessary authorization (least privilege) is applied when granting user authorizations, and that granted authorizations are reviewed regularly.
- Establishes network security against threats that may come from external networks.
- Establishes a layered security architecture and ensures its continuous monitoring.
- Ensures that security measures such as encryption and masking are taken when transmitting and storing sensitive payment data and personal information.
- Ensures the reliability of the encryption keys used.
- Establishes an information security organization to manage and coordinate information security activities.
- Creates an inventory of information assets, determines ownership, and manages risks to information assets.
- Performs information security incident management activities, including detecting and reporting information security incidents and preventing their recurrence.
- Implements an adequate awareness program for all personnel and ensures the participation of all employees in meeting information security requirements.
- Takes the necessary physical and environmental security measures to ensure the security of information in areas where information is processed.
- Determines and implements security requirements for the acquisition, development, and maintenance of information systems.
- Ensures that employees comply with defined information security policies, processes, and legal and regulatory requirements by obtaining their written commitment.
- Performs business continuity activities to prevent interruptions in business activities and ensure continuous access to information.
- Implements the necessary security controls in all relevant areas to control access to information and prevent unauthorized access.
- Applies the necessary security controls in the operation of information systems activities and defines the roles and responsibilities for this purpose.
- Commits to the continuous improvement of the information security management system as an organization.