PSRH, hereinafter «the Organization» or «the business,» is an entity whose mission is to provide excellence in the optimal and efficient resolution of complex and high-impact problems for the clients it represents, both nationally and internationally.
It follows that the core activity of the Organization is the collection and processing of highly sensitive client information, as well as information from complementary external sources, with the aim of providing comprehensive advice in these matters and meeting the expectations and requirements of its clients, both in terms of service level and of professionalism during the process.
In this way, PSRH declares that its most valuable assets are its corporate image and reputation, which primarily rest on the fundamental principle of confidentiality of the information handled with each of its clients, thereby forming a healthy and trust-based relationship with each of them.
As a consequence, the Organization recognizes that information is also a highly relevant asset, categorizing it as a critical and valuable element for fulfilling its mission. Proper management of this information is an essential catalyst for preserving its prestige, trust, and professionalism, which contribute to the Organization’s image.
For this reason, PSRH will establish a comprehensive, organization-wide process for building information security and cybersecurity. This process will operate through the implementation of an Information Security and Cybersecurity Management System, hereinafter referred to as the ISCMS, which will ensure the compliance and operation of mechanisms focused on the identification, protection, detection, response, and recovery from possible incidents that could negatively affect key areas such as the transparency, reputation, image, and operation of PSRH.
In this context, through its ISCMS, PSRH will continuously strengthen and improve its control environment, ensuring the implementation of effective measures and improvements that, in a consistent manner, will raise the Organization’s maturity level in information security and cybersecurity. In this way, the goal is to maintain the value of the information over time, preserving aspects such as confidentiality, integrity, availability, authenticity, and privacy of institutional information assets that are relevant or critical to the operation and prestige of the Organization.
Finally, based on all that has been outlined above, it is part of PSRH’s institutional declaration to consider the process of building information security and cybersecurity directly as a strategic catalyst for achieving the business objectives.
The objective of this policy is to formalize PSRH’s institutional declaration regarding information security and cybersecurity, thereby outlining the general guidelines that the Organization must follow for the implementation, maintenance, and improvement of the information security and cybersecurity building process at the organizational level, considering processes, technology, and the people involved.
This document represents the institutional declaration that establishes the Information Security and Cybersecurity Management System (ISCMS), as well as the general guidelines supporting the process of building information security and cybersecurity at PSRH. As a result, this document applies to all other documents derived from this policy, as well as any control measures aimed at preserving the confidentiality, availability, integrity, authenticity, and privacy of information assets.
In addition to the above, this policy must be applied by all individuals who are part of PSRH, whether they are in operational or administrative areas, employees or third parties, who, due to the fulfillment of their responsibilities, have partial or full access to the Organization’s information.
Thus, in accordance with the provisions of NCh ISO 27001:2012, this document applies to the following controls:
Information Security Officer: This role will be responsible for ensuring the application of and compliance with the provisions outlined in this policy, as well as for conducting the reviews and modifications necessary to maintain its coherence and suitability in relation to the business and its constant changes.
Information Security Committee: This will be the body where all changes and modifications to this policy will be approved and formalized.
Users: These roles will be responsible for internalizing and executing the guidelines set forth in this policy, as well as reporting any non-compliance or potential risks that may violate what is stated in this document.
Regarding Confidentiality
PSRH must verify the implementation of necessary controls to safeguard information assets from unauthorized access, accidental disclosures, espionage, and other similar actions, whether accidental or deliberate.
Regarding Integrity
PSRH must verify the implementation of necessary controls to protect information assets from any degradation caused by internal or external agents, environmental factors, or manipulation that could affect their accuracy and completeness.
Regarding Availability
PSRH must verify the implementation of necessary controls to protect information assets from any partial or total disruption, ensuring that they remain accessible and usable by authorized users, so as not to affect operational continuity.
Regarding Authenticity
PSRH must verify the implementation of necessary controls to safeguard information assets, ensuring they do not lose their validity and usability. This includes ensuring non-repudiation, i.e., the ability to prove that a user or application is truly who they claim to be.
Regarding Privacy
PSRH must ensure the implementation of necessary controls to protect information assets and maintain their privacy characteristics, in compliance with constitutional guarantees, establishing requirements for the handling and use of information in accordance with current legislation. Therefore, the Organization must not only address regulatory requirements regarding personal information but also develop mechanisms and strategies to ensure its proper management, including aspects such as its collection, use, processing, storage, and disclosure.
Given the characteristics of the institution described above, PSRH understands that its core activity is the handling of sensitive information that is highly relevant to the interests of its clients. Any incident involving this information directly harms the trust these clients place in the Organization, and, consequently, affects its image and reputation. Therefore, it is declared that the management of information assets that flow through its processes must be structured and secure throughout their entire lifecycle, with the following general stages being highlighted:
Thus, PSRH recognizes that any breach of the security of information assets, at any of the stages described above, could result in the Organization being called into question, both at the image and reputational level, from the standpoint of the client's trust in the Organization, and at the operational level, from the standpoint of the service of excellence that must be maintained toward those it represents, given the high criticality of the matters they handle. In light of the above, and in order to ensure compliance with what is established in the institutional declaration of this document, PSRH justifies the establishment of an ISCMS.
To comply with what is stipulated in this policy, PSRH, through its Information Security and Cybersecurity Management System (ISCMS), must implement and continuously improve over time the processes, procedures, and mechanisms that make up its information security and cybersecurity control environment, whose main objective is to reduce the business's level of exposure to risks of this type. This implementation must be carried out, first, in a manner consistent with the levels of risk the Organization presents and, second, in a manner coherent with the Organization's level of maturity in these matters and its evolution over time. Efforts must be focused on a first implementation of hygienic and baseline controls, in order to generate the fundamental capabilities that represent the foundations for subsequently optimizing PSRH's efforts and resources when implementing control mechanisms that require these fundamental capabilities for their efficient implementation and that aim directly at organizational resilience. In general terms, and from a high-level perspective, the control processes that the Organization must consider as part of its control environment are the following:
These correspond to control processes that, although not necessarily related to information security, are of utmost importance in the process of building security, as they represent the foundations upon which more mature organizational control processes can be constructed. These processes focus on identifying the critical components for the organization, among which the following should be considered at a minimum:
These correspond to control processes that represent a higher level of organizational maturity in these areas and focus directly on protective measures for the organization’s critical components, as well as the detection of potential incidents or failures in the aforementioned protections. Some of the key topics to consider at a minimum for these types of processes are:
PSRH recognizes that an essential part of executing the process of building security is the people who make up and are part of the organization. Therefore, it is declared that topics related to awareness, training, education, and culture in these areas are of utmost importance for the business objectives related to information security and cybersecurity.
Thus, the Organization must establish processes, mechanisms, and measures to promote awareness and training in these areas, with the goal of progressively changing the institutional culture and raising the levels of awareness in information security and cybersecurity.
To comply with the provisions in this policy, PSRH must implement governance to manage information security and cybersecurity within the institution and ensure the growth in maturity of corporate security. This governance should be based on the determination and assignment of clearly defined roles for these purposes. Therefore, the Organization will incorporate the functions and responsibilities that each role assumes within the organization into the job profiles, to ensure proper management of information security within the institution.
In addition to the above, PSRH will have a functional structure for the ISCMS, which will include at least the following:
The responsibilities and functions of this structure will be formally described in a document outlining the creation and appointment of the functional structure for the ISCMS.
The General Information Security and Cybersecurity Policy must be evaluated by the Information Security Committee, or the designated body within the organization responsible for monitoring and managing these topics, at least once a year and/or when a significant change or incident occurs that impacts the policy. The purpose of this evaluation is to review and assess its content and direction, ensuring the continuous adequacy, efficiency, and effectiveness of the Information Security and Cybersecurity Management System.
Changes to the General Information Security Policy will be approved by PSRH’s Information Security Committee.
The General Information Security and Cybersecurity Policy of PSRH must be communicated through the official communication channels of the Organization to its staff and anyone who has access to its information assets.
Additionally, access to the policy must be ensured for all collaborators within the organization through its document management system.
Failure to comply with the provisions of this policy will be considered a serious breach of the employment contract obligations and will entitle the employer to terminate the employment relationship without any compensation. The employee will not be able to use as a defense the fact that they have not been previously sanctioned for a similar incident.