Information Security Policy
JUMBONLINE Management understands its duty to guarantee information
security as an essential element for its stakeholders and therefore supports the
following objectives and principles:
• Ensure the quality and protection of information.
• Preserve confidentiality, integrity, availability, traceability, and authenticity of information, with the aim of ensuring compliance with legal, regulatory, and contractual requirements relating to information security.
• Adopt a commitment to continuous improvement as the security management framework, using ISO 27001 as a reference for establishing the information security management system.
• JUMBONLINE has implemented the complete set of security controls established in the ISO/IEC 27002:2022 standard, applying all 93 controls and thus ensuring the protection of information and systems.
• Information asset management: JUMBONLINE's information assets will be inventoried and categorized and will be assigned to a responsible party.
• Personnel Security: The necessary mechanisms will be implemented so that anyone who accesses or may access information assets is aware of their responsibilities, thereby reducing the risk of misuse and achieving full user awareness of information security.
• Physical security: Information assets will be located in secure areas, protected by physical access controls appropriate to their level of criticality. The systems and information assets contained in these areas will be adequately protected against physical or environmental threats.
• Security in communications and operations management: The necessary procedures will be established to ensure adequate management of ICT security, operation and updating. Information transmitted via communications networks will be adequately protected, taking into account its level of sensitivity and criticality, by means of mechanisms that guarantee its security.
• Access control: Access to information assets by users, processes, and other information systems will be limited through the implementation of identification, authentication, and authorization mechanisms in accordance with the criticality of each asset. In addition, system usage will be logged to ensure access traceability and audit its proper use, in accordance with the organization’s activity.
• Acquisition, development and maintenance of information systems: Information security aspects will be considered at all stages of the information systems life cycle, ensuring their security by default.
• Security incident management: Appropriate mechanisms will be implemented for the correct identification, recording and resolution of security incidents.
• Ensuring the continuous provision of processes and services: Appropriate mechanisms will be implemented to ensure the availability of information systems and maintain the continuity of their business processes, in accordance with the service level requirements of their users.
• Data protection: The appropriate technical and organizational measures will be adopted to address the risks generated by processing in order to comply with security and privacy legislation.
• Compliance: The necessary technical, organizational and procedural measures will be adopted to comply with current legal regulations on information security.