INFORMATION SECURITY POLICY

    1. PURPOSE and OBJECTIVES

      The Information Security Policy of BAUFEST establishes a set of measures aimed at preserving the confidentiality, integrity, and availability of information — the three fundamental pillars of information security. Its purpose is to define the necessary requirements to protect information, equipment, and technology services that support the organization’s business processes, in compliance with best industry practices and applicable regulations, including ISO Standard 27001:2022.

      Baufest's Information Security objectives are to:

      • Protect the confidentiality of client information and intellectual property, ensuring that information is only accessible to authorized individuals.
      • Ensure data integrity by preserving the accuracy and completeness of information against unauthorized modifications.
      • Ensure the continuous availability of services and critical business applications so that systems and information are available when needed.
      • Comply with laws, regulations, and applicable standards regarding information security.

      These objectives help strengthen Baufest’s security posture and ensure compliance with the regulatory framework adopted by the organization.

    2. ROLES and RESPONSIBILITIES

      • Top Management:
        • Provide leadership and resources to implement and maintain the Information Security Management System (ISMS).
        • Promote awareness and communication of the Information Security Policy among Baufest employees.
        • Enforce compliance with the Policy, applicable legislation, and information security requirements.
        • Consider information security risks in decision-making processes.
      • Information Security Officer:
        • Oversee the implementation and enforcement of this policy.
        • Lead the coordination of ISMS activities.
        • Identify, assess, and mitigate information security risks within the organization.
      • Information Asset Owners:
        • Identify and protect information assets under their custody.
        • Ensure those assets have proper controls according to their classification and criticality.
      • End Users:
        • Comply with the information security policies and procedures established by Baufest.
        • Participate in security awareness and training activities.

  1. BAUFEST INFORMATION SECURITY POLICY

    The BAUFEST Management acknowledges that information is a key asset to the organization and therefore must be adequately protected. It promotes and commits to continuous improvement of the Information Security Management System and to meeting its requirements by establishing and maintaining an appropriate policy that provides a framework for setting information security objectives and controls aligned with the organization's business goals.

    This document is approved by BAUFEST Management, which commits to publishing, communicating, and enforcing it with all employees, as well as with third parties who interact regularly or occasionally and may have access to sensitive information.

    The Baufest Information Security Policy is based on the following strategic pillars:

    • Access Control: managing access to information and systems based on business and security requirements, granting access according to need-to-know principles and preventing unauthorized access through appropriate technical controls.
    • Risk Management: maintaining a controlled environment by minimizing risks to acceptable levels and implementing adequate security controls to mitigate them, prioritizing those with the greatest impact and likelihood.
    • Incident Management: minimizing the impact of incidents by enabling monitoring, timely response, and development of a knowledge base for detection, containment, and mitigation.
    • Hierarchical Structure and Roles: defining and maintaining a role structure through Security Groups that determines who can access, share, and manage different types of information.
    • Information Classification: defining general guidelines to ensure proper classification, handling, and control of information based on confidentiality, integrity, and availability.
    • Communications and Operations Management: ensuring proper operation of information processing facilities, application integrity, and communication confidentiality through established technical controls and procedures.
    • Physical and Environmental Security: ensuring effective physical protection measures for facilities and equipment, mitigating physical, logical, or environmental threats that could compromise information security.
    • Security Awareness and Commitment: informing employees and third parties about the content of this policy and the disciplinary processes for non-compliance, encouraging responsible use of the organization’s IT resources.
    • Business Continuity Management: developing disaster recovery and continuity plans to ensure the organization can continue to operate during and after a disruption.