Information Security Policy

  1. MANAGEMENT COMMITMENT

The senior management of TNO GROUP S.A. DE C.V. is committed to implementing an ISMS to establish a framework of trust in the services offered to our clients and suppliers, adhering to the guidelines of the ISO-IEC-27001:2013 standard, and providing the necessary human and financial resources.

  • Promote continuous improvement in information security across all relevant organizational operations.
  • Ensure compliance with the requirements of authorities, clients, and stakeholders in information security matters.
  • Oversee adherence to internal Information Security Policies and related policies or guidelines.

  2. GENERAL INFORMATION SECURITY POLICY

Information security at TNO GROUP S.A. DE C.V. is a fundamental part of the business to deliver trust to our clients and users regarding the IT systems we operate. Data, based on our information classification, is managed using the highest standards and best practices available in the market, serving as the foundation for our organizational growth and sustainability.

Information security at TNO GROUP S.A. DE C.V. is achievable thanks to the senior management's commitment to promoting a culture of continuous improvement and facilitating the necessary resources and tools.

Senior management recognizes and addresses the importance and benefits of complying not only with ISO 27001 requirements and best security practices but also with other relevant legal, contractual, and governmental obligations within the organization’s context.

At TNO GROUP S.A. DE C.V., our information security policies and procedures are communicated to employees, where applicable. Whenever possible, and based on the defined ISMS Communication Plan, our key stakeholders will be informed of our guidelines and best practices.


  3. INFORMATION SECURITY POLICY

3.1 ISMS Objective

The senior management of TNO GROUP S.A. DE C.V., understanding the importance of proper information management, is committed to implementing an Information Security Management System (ISMS) to establish a framework of trust in delivering its services to clients and suppliers, all within the bounds of applicable laws and in alignment with the entity's mission and vision.

This document aims to establish the internal policies, practices, and guidelines applicable to the Information Security Management System (hereinafter ISMS) for TNO GROUP S.A. DE C.V.


3.2 General Statement

The organization will implement, maintain, and continuously improve an Information Security Management System based on the ISO-27001:2013 standard. This system will ensure appropriate controls to mitigate information security risks, thereby protecting the confidentiality, integrity, and availability of information across all internal services and business units.


3.3 Dissemination

All documents, policies, procedures, relevant records, and activities related to the ISMS will be disseminated among all organization employees and other stakeholders (clients, suppliers, board of directors) based on their level of involvement in the system.


3.4 Risks to Consider

  • We apply proactive risk management to identify, evaluate, and address risks related to information security.
  • The organization will systematically manage identified moderate, high, and critical information security risks.

3.5 Responsibilities

The Information Security Committee is responsible for:

  • The organization's information security.
  • Defining strategic information security objectives.
  • Managing and administering information security processes.
  • Supplementary policies and guidelines related to this policy.
  • Developing strategies and concepts for information security.

Senior management is responsible for:

  • Reviewing and approving information security objectives, strategies, and policies at the organization level.

Employees are responsible for:

  • Complying with information security guidelines and any related regulations.
  • Reporting any identified information security risks or incidents.

Suppliers are responsible for:

  • Complying with this policy and any related regulations.

3.6 Service Management Systems

All service management systems in the organization’s business units or internal departments will align with this policy.


  4. INFORMATION SECURITY OBJECTIVES

We are committed to maintaining compliance with all applicable laws and regulations regarding information security. The organization plans, establishes, and issues information security objectives relevant to specific functions and levels.

4.1 Standards and Laws:

  • Comply with data protection laws.
  • Achieve and maintain ISO 27001:2013 certification.

4.2 Roles and Permissions:

  • Effectively manage user identity, roles, and permissions in critical applications and development environments.
  • Ensure sensitive information, both internal and from our clients, is handled confidentially.

4.3 Availability:

  • Ensure service level compliance regarding availability.
  • Minimize critical availability incidents to the greatest extent possible.

4.4 Dissemination:

  • Effectively disseminate information security policies and basic concepts.

  5. INFORMATION SECURITY ORGANIZATION STRUCTURE

5.1 ISMS Scope: This document applies to processes and controls relevant to the Information Security Management System, as defined by the organization’s established scope.

5.2 Roles and Responsibilities: Detailed roles and responsibilities within the ISMS are outlined in document POL-SI-V2 “Role and Responsibility Description.”

5.3 Information Security Objectives: Our objectives include ensuring and maintaining the confidentiality, integrity, and availability of corporate information, as well as establishing an effective incident response plan.

5.4 Awareness and Training: We foster a culture of security by continuously raising awareness and training our personnel in information security topics.

5.5 Information Security Contact Point: For inquiries or reports related to information security, please contact us at: seguridad@tecnetone.com