Information Security Policy

INFORMATION SECURITY POLICY

GRUPO PRIMAFRIO considers information an essential asset for the activities it conducts and, therefore this information must be protected. It is for this reason that the guidelines and basic principles of information security are established through this policy, understanding therefore all those factors associated with the protection of the same, such as the systems that process and store it, the support infrastructure that provides service, the facilities where they are located and the people who carry out a treatment of them, with respect to any threat that may affect the integrity, availability and/or confidentiality of the information.

Information Security Objectives

To promote information security in all areas of the organization, GRUPO PRIMAFRIO establishes the following general aims:

• Establish and keep an efficient and effective Information Security Management System, aligned with current legislation and international standards of security.
• Minimize the risks to which the organization and information assets are exposed, to which it is responsible, up to acceptable risk levels.
• Comply, and enforce, in relations with third parties, with the requirements and obligations of security by the legal, regulatory, and contractual framework proved.
• Promote safety through training and awareness processes, ensuring that the employees of the organization have the necessary skills.
• Guarantee the protection of information and the continuity of the critical processes of the organization in the provision of services to our clients.

To achieve these aims, GRUPO PRIMAFRIO will promote initiatives adapted and updated, within a framework of continuous improvement, to the legal, strategic, and contractual needs of the organization, the expectations of the interested parties, and the results of the assessment and treatment of the risk in terms of information security.

Likewise, the Directorate undertakes to promote theses initiatives, granting the necessary resources and conducting the due follow-up for their achievement.

Regulatory framework

GRUPO PRIMAFRIO gets a firm commitment to the legal frameworks that regulate the activity of the organization about information security, both, nationally and internationally.

The security document system of GRUPO PRIMAFRIO will develop this policy, being this accessible and mandatory for all members of the organization and third parties with access or potential access to information, who supplies services to it, to the extent that their work requires it.

Organization and Security Management

The maintenance and management of information security requires the establishment of a committed and capable organization structure, through the definition of activities and responsibilities in the field of information security management.

To form this structure, the Management of GRUPO PRIMAFRIO, as the ultimate responsible for information, appoints and Information Security Committee responsible for aligning all the strategic activities of the organization in terms of internal security. Its main activities will deal with the protection of assets of the organization, the management and acceptance of risks, and the supervision and approval of the documentary body that develops the security processes that emanate from this policy.

Likewise, this committee will oversee promoting security in the organization, dealing with any deviation and exception that occurs, encouraging the participation of all users, and proposing the assignment of roles and responsibilities in the matter.

The Security Officer will lead the Security Committee, as a representative of the Information Security Committee, guarantor that the management of information security is per the applicable requirements and to inform the Management about the aspects that concern the security on the information.

Safety Principles

As much management as the maintenance of the information security of GRUPO PRIMAFRIO, is based on the following basic principles, which make up the core of the strategies for correct decision-making in terms of information security:

• We understand security as an integral process where all the technical, human, material and organizational elements related to the protection of information intervene.
• For the proper development of the Management System, we promote the training and awareness of the people involved, by their functions and responsibilities in information security.
• Risks analysis and management is an essential part of the security process, and this security process must be kept permanently updated, to have a controlled environment, minimizing risks to acceptable levels.
• To reduce the probability of occurrence and the effects of the materialization of threats on the security of the system, we contemplate measures aimed at their prevention, detection, and correction.
• The protection strategy is based on multiple lines of defense, consisting of measures of an organizational, physical, and logical nature, set up in a framework of continuous improvement where they these lines of defense are evaluated and updated periodically to adapt their effectiveness.
• We promote security as a differentiated function, separating coordination and supervision attribution from the operation of the information system.

D. José Esteban (CEO)