INFORMATION SECURITY POLICY

By virtue of BONDS AND CREDIT LTDA's strong commitment to the proper handling of public, private, and sensitive data—ensuring not only the safeguarding and security of information but also the exercise of Habeas Data—the company establishes this Policy applicable to information security within the organization.

1. OBJECTIVE

This Policy sets forth the general guidelines for Information Security within BONDS AND CREDIT LTDA, with the goal of providing the necessary security conditions to prevent the alteration, loss, consultation, unauthorized or fraudulent use, or access to the information processed by BONDS AND CREDIT LTDA.

2. SCOPE

This Information Security Policy shall be applied in all administrative, managerial, logistical, and control aspects established by the company. It must be followed by executives, employees, contractors, third-party service providers, employees of third-party suppliers bound by contractual terms, and in general all individuals who have any kind of relationship involving the handling of information at BONDS AND CREDIT LTDA.

3. SPECIFIC POLICIES FOR THE PROCESSING OF PERSONAL DATA

1. ACTIVITY LOGGING AND MONITORING

Purpose: To log events and generate evidence.

Policy

Regular and careful reviews will be conducted of event logs that record user activities, exceptions, failures, and information security events.

Information logs will be protected against tampering and unauthorized access. System and network administrator activities will be logged.

These logs will be protected and regularly reviewed.

All relevant IT system clocks will be synchronized to a single time reference source.

2. PHYSICAL AND ENVIRONMENTAL SECURITY

Purpose: To prevent unauthorized physical access, damage, or interference to the organization’s information and processing facilities.

Policy

Computing equipment must be located and protected to reduce environmental threats and risks of unauthorized access. Equipment must be protected against power failures and other interruptions caused by utility service failures. Cabling that carries data, power, and telecommunications or information support services must be protected against interception, interference, or damage. Computing equipment must be properly maintained to ensure its continuous availability and integrity.

Equipment, information, or software may not be removed from company premises without prior authorization. Security must be applied to assets taken off-site, considering the different risks of working outside the organization’s facilities.

All equipment containing storage media must be checked to ensure that sensitive data and licensed software are securely removed or overwritten before disposal or reuse.

Users must ensure that unattended equipment is adequately protected.

Workstations must be clear of papers and removable storage, and computer screens must be locked when unattended.

Where appropriate, papers and information media must be stored in secure cabinets, especially outside of regular working hours.

3. ACCESS CONTROL REQUIREMENTS

Purpose: To limit access to information and information processing facilities.

Policy

Workers must ensure that the following security measures are met:

  • Access to secure areas where confidential and restricted information is processed or stored is limited only to authorized individuals.
  • Secure areas require access control mechanisms such as cards, keys, or locks.
  • The person in charge of a secure area must ensure that no cameras, video equipment, or mobile phones with cameras are brought in unless expressly authorized.
  • Physical access to devices such as wireless access points, network gateways, and terminals located in secure areas is restricted.

4. ACCESS TO EMPLOYEE SENSITIVE DATA

Purpose: To ensure that sensitive employee data—such as health, religious beliefs, politics, sexuality, development plans, recognition, and legal and extra-legal benefits—can only be accessed by competent and relevant personnel according to their roles, in line with the principle of Restricted Access.

Policy

The purposes for which sensitive data are processed by the company are limited and specified in the corresponding consents granted by the data subject.

In general, the processing of sensitive data will be limited to General Management and the Administrative and Financial department, based on the specific purposes authorized by the data subject.

The company will define, within job function manuals, the specific roles that may access sensitive data, without violating the restricted access policy.

Likewise, the previously identified restricted access security mechanisms apply to personal data.

5. INFORMATION SECURITY IN HUMAN RESOURCES

The processing of personal data before, during, and after employment will follow these rules:

  • BONDS AND CREDIT LTDA will inform applicants about the data processing rules during the selection process, including any data obtained in the process.
  • The processing of applicant data will be limited to what is specified in the authorization provided by the applicant.
  • The company will conduct security checks before hiring new staff.
  • The company will delete résumés of candidates who are no longer under consideration.
  • Upon hiring, the selected candidate will sign an employment contract, confidentiality agreement, and, if applicable, be assigned a user profile aligned with their role to access personal information as needed.
  • The company will store employee data in a folder labeled with the person’s name. Only the Administrative and Financial department will have access, to manage the employment relationship.
  • If third-party services are contracted to process employee data, data may be transferred to a third party (Processor), under strict compliance with data transmission guidelines.
  • Upon contract termination, the company will sign a confidentiality agreement with the former employee and request the return of any assigned credentials and profiles.
  • After the employment relationship ends, the company will store personal data in a general archive, applying appropriate security measures based on the sensitivity of the data.

6. CONFIDENTIALITY WITH THIRD PARTIES

Purpose: To establish confidentiality requirements in relationships with vendors, contractors, and third parties in general.

Policy

In contractual, commercial, and labor relations, third parties must accept the confidentiality agreements defined by the organization. These agreements must establish a commitment to safeguard information, ensure proper use, prevent unauthorized access, and maintain confidentiality. The agreement must also specify which information is protected and for how long.

These agreements must be part of the contracts signed between the organization and third parties or signed independently. Accepting the confidentiality terms is a requirement for granting third-party access to protected information.

7. SELECTION OF DATA PROCESSORS FOR PERSONAL DATA TRANSMISSION

Purpose: To ensure that when personal data transmissions occur, the chosen processor meets the standards of data protection laws.

Policy

Whenever BONDS AND CREDIT LTDA transmits personal data as the data controller, the following must be followed:

  • Define the scope of data processing the processor will be allowed to perform.
  • Evaluate the processor’s competence and capability.
  • Review the processor’s personal data processing policy.
  • Verify that the processor’s security measures comply with BONDS AND CREDIT LTDA’s standards.
  • Sign a data transmission contract.
  • Conduct audits to evaluate the level of data protection during the contract execution.

8. INFORMATION SECURITY REVIEWS

Purpose: To ensure that information security is implemented and applied according to company policies and procedures.

Policy

Information systems are regularly reviewed through audits to ensure compliance with the organization's information security policies and standards.

4. INCIDENT RESPONSE PROCESS

Whenever an information security incident occurs at BONDS AND CREDIT LTDA, the following procedure must be followed:

  1. Incident Reporting: The first person aware of the incident must immediately notify the Administrative and Financial department and the person responsible for information security. A detailed report must be submitted as soon as possible.
  2. Notification to the SIC: Every security incident must be reported to the Superintendence of Industry and Commerce, specifically to the National Database Registry (RNBD). It is the duty of the Administrative and Financial department to report incidents once notified.
  3. Information Security Committee Meeting: The Administrative and Financial department must convene an extraordinary meeting with Management or the company's highest governing body, as appropriate.
    1. Issuance of Technical Report: After evaluating the case, a technical report must be issued detailing all contingencies.
    2. Identification of Failures: Based on the technical report, the failure that caused the incident must be fully identified.
    3. Corrective Measures: The committee must take the necessary actions to prevent future incidents.

5. POLICY MODIFICATION

BONDS AND CREDIT LTDA reserves the right to modify this Information Security Policy at any time and will promptly notify all relevant individuals involved in handling company information to ensure proper implementation.

6. EFFECTIVE DATE

This Policy is effective as of January 16, 2024.
