SECURITY

Policy

1.  ORGANIZATIONAND IMPLEMENTATION OF THE SECURITY PROCESS (ART.13)

Information is a critical andvaluable asset for ALPINE SECURITY S.L. (hereinafter, ALPINE SECURITY) as it isessential for the development of its activity. ALPINE SECURITY strives tomanage this information accurately, comprehensively and to ensure its availability.

Information security refers toprotecting information against a wide range of threats, with the aim ofensuring business continuity, minimizing risks, and maximizing the return oninvestments and opportunities.

Therefore, the importance ofimplementing security measures that safeguard information from both internaland external threats is recognized. These threats can include human error,malicious actions (such as fraud, embezzlement, sabotage, or privacy breaches),technical errors, and force majeure events, such as natural disasters.

The management of ALPINESECURITY is responsible for establishing security policies. The adoption ofthese directives by the Company will minimize the possible risks it faces inthe development of its commercial activities.

2.  SCOPE

This Information SecurityPolicy is applicable to all those individuals who have or may access ALPINESECURITY's information, either directly or through information systems, duringthe performance of their functions.

Accordingly,the scope of this Information Security Policy includes:

All ALPINE SECURITY employees,regardless of their status as permanent or temporary employees, as well as anyperson external to ALPINE SECURITY who has access to the information managed orowned by the organization.

All information and information systems owned or managed byALPINE SECURITY.

3.  REGULATORYFRAMEWORK

The regulatory framework inthe field of information security in which ALPINE SECURITY carries out itsactivity, essentially, is the following:

•      Organic Law 3/2018, of 5 December, on theProtection of Personal Data and guarantee of digital rights.  

•      RD 311/2022, of 3 May, which regulates theNational Security Scheme in the field of Electronic Administration.  

•       ENS.Article 12. Organization and implementation of the security process.

•      REGULATION (EU) 2016/679 OF THE EUROPEANPARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of naturalpersons with regard to the processing of personal data and on the free movementof such data (General Data Protection Regulation), applicable to the fully orpartially automated processing of personal data,  as well as the non-automated processing ofpersonal data contained in or intended to be included in a file.

•       Law34/2002, of 11 July, on Electronic Commerce Information Services, LSSICE.

•       ICTSecurity Guide CCN-STIC 805 ENS. Information Security Policy.

•       ICTSecurity Guide CCN-STIC 801 ENS. Responsibilities and functions.

•       Theapplicable collective agreement, corresponding to "Consultancy companies,and market and public opinion studies".

•      Law 34/2002, of 11 July, on Information SocietyServices and Electronic Commerce (LSSI-CE).

•       UNE-EN-ISO 9001, UNE-ISO-IEC_27001,  

4.  OBJECTIVES

The purpose of this Information Security Policy is toestablish guidelines for the formulation of security regulations, in order tosafeguard and guarantee the fundamental principles of information security:confidentiality, integrity, availability and traceability.

In the preparation of thisdocument and the achievement of the established objectives, the following keyaspects have been considered:

•      The Company's information and informationsystems are critical assets that require protection and assurance of theiravailability.

•      ALPINE SECURITY information must be protected inaccordance with legal requirements, its value, its degree of criticality andits level of sensitivity.

•      The responsibility for protecting these assetslies with all employees and external collaborators who have access to theinformation.

•       Thesecurity measures applied to the information must be established consideringits classification, which will determine its level of confidentiality,integrity, availability and traceability. These measures should be determinedthrough continuous risk assessment.

5.  DECLARATIONOF PRINCIPLES

The principlesthat underpin the Information Security Regulations are the following:

•      Information is protected throughout its lifecycle, from its creation or reception, through its processing, communication,transport, storage, dissemination to third parties and eventual destruction.

•      ALPINE SECURITY is responsible for protectinginformation against unauthorized access, improper disclosure or loss.

•      Each employee has the responsibility and duty toadequately protect the information in accordance with the established securityregulations.

•       Allpersonnel, including external personnel or third parties who have access to ATinformation, are subject to ALPINE SECURITY's security regulations.

6.  INFORMATIONSECURITY POLICY CONSIDERATIONS.

•       TheInformation Security Policy has been approved by the Management of ALPINESECURITY.

•       Boththe content of this policy and the Information Security Regulations aremandatory for all ALPINE SECURITY personnel, including external contractors.

•       Compliancewith the Information Security Policy is essential to protect ALPINE SECURITY'slegal rights. Any individual who breaches this policy will be subject to suchdisciplinary and legal action as ALPINE SECURITY Management deems appropriate.

•       TheInformation Security Policy is a dynamic document that must be updated andmodified as necessary.

•       TheManagement of ALPINE SECURITY undertakes to promote the necessary actions sothat both the internal staff of ALPINE SECURITY and the external personnel andthird parties are aware of and apply all the aspects included in this policy.

7.  INFORMATIONSECURITY REGULATIONS.

In order to achieve theobjectives and principles set out in this policy, a series of regulations havebeen created that establish the general rules of information security and areorganized into specific domains.

These regulations serve as thebasis for the development of concrete security measures, which are formalizedthrough the implementation of procedures.

The regulations have beendefined following the CIS Critical Security Controls (CIS Controls) standard,which provides an internationally recognized framework of reference forsecurity. CIS Controls reflect the combined knowledge of experts from all partsof the ecosystem (enterprises, governments, individuals), across all roles(threat responders and analysts, technologists, IT operators and advocates,vulnerability discoverers, tool makers, solution providers, users,policymakers, auditors, etc.), and across many sectors (government,  Energy, Defense, Finance, Transportation,Academia, Consulting, Security, IT, etc.), which have come together to create,adopt, and support CIS Controls. CIS controls are grouped according to thefollowing domains:

7.1.                   CIS01 - Inventory and Control of BusinessAssets.  

Control for actively managing all company assets,including end-user devices, network devices, non-computing/Internet of Things(IoT) devices, and servers, in both physical and virtual infrastructure, aswell as remote and cloud environments. This will allow for an accurateinventory of all assets that need to be monitored and protected within thecompany. In addition, it will help identify and remove unauthorized orunmanaged assets.

7.2.                   CIS02 - Software Asset Inventory and Control

Control for the management of all software (operatingsystems and applications) in the company's network by carrying out inventories,monitoring and correction. Only authorized software must be allowed to installand run, while unauthorized or unmanaged software that is found must beprevented from installing and/or running. This control will ensure that onlyapproved software is used and reduce the risks associated with the use ofunauthorized or potentially malicious software.

7.3.                   CIS03 - Data Protection

Control for the development of processes and technicalcontrols to securely identify, classify, handle, retain and delete data.

7.4.                   CIS04 - Secure Configuration of EnterpriseAssets and Software

Control to establish andmaintain secure configuration of enterprise assets (User devices, includinglaptops and mobiles; network devices; non-computing/IoT devices; and servers)and software (Operating Systems and Applications).

7.5.                   CIS05 - Account Management  

Control to define processes and tools for assigning andmanaging the authorization of user account credentials, including administratoraccounts, as well as service accounts, for enterprise assets and software.  

7.6.                   CIS06 - Access Control Management  

Control to define processes and tools for creating,assigning, managing, and revoking credentials and access privileges for user,administrator, and service accounts for enterprise assets and software.  

7.7.                   CIS07 - Continuous Vulnerability Management  

Control to develop a plan to assess and continuously trackvulnerabilities across all assets within the company's infrastructure, in orderto remediate and reduce the window of opportunity for attackers. Monitor publicand private industry sources for new information on threats andvulnerabilities.  

7.8.                   CIS08 - Audit Log Management

Define procedures for collecting, alerting, reviewing, andretaining event audit logs that could help detect, understand, or recover froman attack.  

7.9.                   CIS09 - Email and Web Browser Protection  

Control for improved protection and threat detection ofemail and web vectors, as these are opportunities for attackers to manipulatehuman behavior through their compromise.

7.10.             CIS10 - Malware Defenses  

Control to prevent or controlthe installation, propagation, and execution of malicious applications, code,or scripts on enterprise assets.  

7.11.             CIS11 - Data Recovery  

Control to establish and maintain data recovery practicessufficient to restore in-scope business assets to a pre-incident state oftrust.  

7.12.             CIS12 - Network Infrastructure Management  

Control to actively establish, deploy, and manage (track,report, remediate) network devices, in order to prevent attackers fromexploiting vulnerable network services and access points  

7.13.             CIS13 - Network Monitoring and Defense  

Control to operate processes and tools to establish andmaintain comprehensive network monitoring and defense against security threatsacross the enterprise's network infrastructure and user base.

7.14.              CIS14 - Security Awareness and Skills Training

Control to establish and maintain a security awarenessprogram to influence workforce behavior so that they are security-conscious andproperly trained to reduce cybersecurity risks to the company

7.15.             CIS15 - Service Provider Management

Control to develop a process to evaluate service providersthat hold sensitive data or are responsible for a company's critical ITplatforms or processes, to ensure that these providers protect those platformsand data appropriately

7.16.             CIS16 - Application Software Security

Control to manage the securitylifecycle of software developed, hosted, or acquired internally to prevent,detect, and fix security weaknesses before they can impact the business.

7.17.             CIS17 - Incident Response Management  

Control to establish a program to develop and maintain anincident response capability (e.g., policies, plans, procedures, defined roles,training, and communications) to quickly prepare, detect, and respond to anattack.  

7.18.             CIS18 - Penetration Testing  

Controlto test the effectiveness and resilience of enterprise assets by identifyingand exploiting weaknesses in controls (people, processes, and technology) andsimulating an attacker's goals and actions.

8.  SAFETYFEATURES

ALPINE SECURITYhas appointed a Security COMMITTEE with its Roles and Responsibilities.  

The establishment of thiscommittee, as well as the designation of the different roles are recorded inthe Committee's Articles of Constitution: AS_Actaof the Constitution Committee of Seguridad_v1 and in the Minutes ofthe  Constitution.

Appointments:AS_Roles and Functions of ENS_v1 Managers The ENS Information Security Committee is made up of:  

•       SecurityManager  

•       SystemsManager

•       InformationController  

•       ServiceManager

•       DataProtection Officer (DPO)

•       Internal Auditor

And this Security Committeewill have Alternates for each of the Heads of the Security Committee, that is,5 alternates.

Clear responsible parties must be identified to ensurecompliance and be known by all members of the organization. Theresponsibilities of each person in charge will be detailed in theorganisation's security policy.

Appointments are establishedby the organization's management and are reviewed every 2 years or when aposition becomes vacant. Differences in criteria that could lead to a conflictwill be dealt with within the Security Committee and the criteria of theExecutive Directorate will prevail in all cases.

The differentroles along with their respective roles and responsibilities:

•       Thefunctions of the Information Officershall be:

o   Acceptthe residual risks with respect to the information, calculated in the riskanalysis.

o   Althoughthe formal approval of the levels corresponds to the person responsible for theInformation, a proposal can be obtained from the person responsible forSecurity and it is advisable that the opinion of the System Manager is heard.

o   Determinethe requirements of the information processed.

o   Ensurethe security of information in its different aspects: physical protection,protection of services and respect for privacy.

o   Beaware of policy changes (laws, regulations or sectoral practices) that affectthe Organization

o   Adoptthe necessary technical and organisational measures to guarantee the securityof personal data and prevent their alteration, loss, processing or unauthorisedaccess, taking into account the state of technology, the nature of the datastored and the risks to which they are exposed, whether they come from humanaction or from the physical or natural environment

•       TheService Manager will have the followingfunctions:

o   Determinethe security requirements of the services provided to the Clients. o Reviewand approve the security levels of the services.

o   Includesafety specifications in the life cycle of services and systems, accompanied bythe corresponding control procedures.

o   Itwill assess the consequences of a negative impact on the security of services,which will be carried out taking into account its impact on the organisation'sability to achieve its objectives, the protection of its assets, the fulfilmentof its service obligations, respect for the law and the rights of Clients.

o   Assumeownership of the risks on the services.

•       TheSystems Manager will have the followingfunctions:

o   Develop,operate and maintain the System throughout its life cycle, its specifications,installation and verification of its correct operation.

o   Definethe topology and management policy of the System, establishing the criteria foruse and the services available in it.

o   Definethe policy for connecting or disconnecting new computers and users in theSystem.

o   Implementand control the specific security measures of the System and ensure that theseare properly integrated within the general security framework.

o   Determinethe authorized hardware and software configuration to be used in the System.

o   Approveany substantial modification of the configuration of any element of the System.

o   Carryout the risk analysis and management process in the System.

o   Determinethe category of the system and determine the security measures to be appliedPrepare and approve the security documentation of the System.

o   Investigatesecurity incidents that affect the System, and, where appropriate, report it tothe Security Manager.

o   Establishcontingency and emergency plans, carrying out frequent exercises for staff tobecome familiar with.

•       TheSecurity Officer will have the followingfunctions:

o   Theperson responsible for Security is the person designated by the Management ofthe Organization.

o   Determinedecisions to meet information and service security requirements. o Workto achieve total security of the company's data, as well as its privacy. o Supervise,control and manage access to the company's information and its workers.

o   Developa set of response measures for information-related security incidents,including disaster recovery.

o   Ensurecompliance with regulations related to information security.

o   Inthe case of outsourced services, the ultimate responsibility always lies withthe organisation receiving the services, even though the immediateresponsibility may correspond (via contract) to the organisation providing theservice.

o   Maintainthe security of the information handled and the services provided by the  information systems in their area ofresponsibility, in accordance with the provisions of the organization'sInformation Security Policy.

o   Promotetraining and awareness in information security.

o   Guaranteethe proper use of computer equipment within their area of responsibility.

o   Superviseand coordinate the team in charge of carrying out the response measures in caseof security breaches.

o   POC(Information Security Contact Person) Will be responsible for security with theCustomers, in which ALPINE SECURITY provides services.

o   Carryout security operations to fight fraud and information theft.

o   Designthe Training Plan, within the scope of the ENS, for ALPINE SECURITY people whoprovide services in Public Administration projects.

•      The DPOshall have the functions or Inform and advise the controller or processor and theemployees dealing with the processing of their obligations under thisRegulation and other data protection provisions of the Union or of the MemberStates.

o   Tomonitor compliance with the provisions of this Regulation, other dataprotection provisions of the Union or of the Member States and the policies ofthe controller or processor on the protection of personal data, including theassignment of responsibilities, awareness raising and training of personnelinvolved in processing operations;  andthe corresponding audits.

o   Providesuch advice as requested on the data protection impact assessment and monitorits implementation in accordance with Article 35.

o   Cooperatewith the supervisory authority.

o   Toact as the supervisory authority's contact point for matters relating toprocessing, including the prior consultation referred to in Article 36, and tocarry out consultations, where appropriate, on any other matter.

o   Itshall perform its functions paying due attention to the risks associated withthe processing operations, taking into account the nature, scope, context andpurposes of the processing.

•      The Internal Auditorshall have the following functions:

o   The Internal InformationSecurity Auditor is appointed by the Organization's Management.

o   It is responsible for evaluatingand ensuring compliance with the security requirements of the information andservices provided.

o   Conduct regular audits to assesscompliance with information security regulations and policies.

o   Determine the effectiveness ofthe security measures implemented and their alignment with applicable standardsand regulations.

o   Review and audit compliance withthe National Security Scheme (ENS) and other relevant regulations

o   Identify and assess risksassociated with information security and propose mitigation measures.

o   Conduct periodic risk analysisand keep risk reports up to date.

o   Review and update informationsecurity policies and procedures to ensure their relevance and effectiveness.

o   It must be ensured that safetypolicies are communicated and understood by all staff.

o   Prepare audit reports andpresent the findings and recommendations to the Management.

o   To be the point of contact interms of information security for both Management and internal and externalteams.

9.  REPORTS

The security administratorreports to the System Manager or the Security Officer, depending on theirfunctional dependency:  

•      System security incidents or configuration,update, or remediation actions.

•      The System Manager informs the InformationManager of functional incidents related to the information for which he or sheis responsible.

•      The System Manager informs the Service Managerof functional incidents related to the service for which he or she isresponsible.

•       TheSystem Manager reports to the Security Manager:

•       securityactions, in particular with regard to system architecture decisions  

•       Consolidatedsummary of security incidents.

10.       RISKANALYSIS AND MANAGEMENT (ART. 14)

A risk analysis will becarried out, assessing the threats and risks to which they are exposed. Thisanalysis will be the basis for determining the security measures to be adopted,in addition to the minimums established as provided for in articles 7 and 14 ofthe BOE, it will be repeated:

•       Regularly,at least once a year.

•       Whenthe information handled changes.

•       Whenthe services provided change.

•       Whena serious security incident occurs.

•       Whenserious vulnerabilities are reported.

•       Whenthere is a security incident related to the LOPDGDD regulations

•       Whenthere is a security breach related to the processed information of a useraccording to the LOPDGDD regulations.  

The risk assessment criteria will be specified in the riskand security incident assessment methodology to be developed by theorganisation, based on standards, recognised best practices and legalnorms.  

At a minimum, all risks thatmay seriously impede the provision of services or the fulfilment of theorganisation's mission must be addressed. Special priority will be given torisks that imply a cessation in the provision of services, or that have an impacton said information processed during the service.  

The risk assessment criteriawill be specified in the risk assessment methodology to be developed by theorganisation, based on recognised standards and good practices. At a minimum,all risks that may seriously impede the provision of services or the fulfilmentof the organisation's mission must be addressed. Special priority will be givento risks that imply a cessation in the provision of ALPINE SECURITY services toClients.

The owner of a hazard must beinformed of the risks affecting their property and the residual risk to whichit is subjected. When an information system goes into operation, the residualrisks must have been formally accepted by its respective owner.

11.       PERSONNELMANAGEMENT (ART. 15)

Personnel, own or external,related to the information systems subject to the provisions of this RoyalDecree 311/2022, must be trained and informed of their duties, obligations andresponsibilities in terms of security.

Theiractions must be supervised to verify that the established procedures arefollowed, and they will apply the approved safety standards and operatingprocedures in the performance of their duties.

12.       PROFESSIONALISM(ART. 16)

The security of theinformation systems will be attended to, reviewed and audited by qualified,dedicated and trained personnel in all phases of their life cycle: planning,design, acquisition, deployment, operation, maintenance, incident managementand decommissioning.

The entities within the scope of application of this royaldecree will require, in an objective and non-discriminatory manner, that theorganisations that provide them with security services have qualifiedprofessionals and with suitable levels of management and maturity in theservices provided.

ALPINE SECURITY will determinethe training and experience requirements necessary for the personnel to carryout their job.

13.                  AUTHORISATION AND CONTROL OF ACCESS (ART. 17)

Controlled access to theinformation systems included in the scope of application of this Royal Decreemust be limited to duly authorised users, processes, devices or otherinformation systems, and exclusively to the permitted functions.

The access privileges of aresource (person) to the ALPINE SECURITY information system are restricted bydefault to the minimum necessary for the performance of its functions.

The ALPINE SECURITYinformation system will always be configured in such a way as to prevent aresource (person) from accidentally accessing resources with rights other thanthose authorized.

14.      PROTECTION OF INSTALLATIONS (ART. 18)

The information systems andtheir communications infrastructure associated with ALPINE SECURITY must remainin controlled areas and have adequate and proportional access mechanisms basedon the risk analysis, without prejudice to the provisions of Law 8/2011, of 28April, which establishes measures for the protection of criticalinfrastructures and Royal Decree 704/2011. of 20 May, approving the Regulation on the protection of criticalinfrastructures.

15.                  PROCUREMENT OF SECURITY PRODUCTS AND CONTRACTINGOF SECURITY SERVICES (ART. 19)

In the acquisition of securityproducts or contracting of information and communication technology securityservices that are to be used in the information systems within the scope ofapplication of this Royal Decree, the following shall be used, in proportion tothe category of the system and the level of security determined,  those that have certified the securityfunctionality related to the object of their acquisition.

The Certification Body of theNational Scheme for the Evaluation and Certification of Information TechnologySecurity of the National Cryptologic Centre (hereinafter, CCN), constitutedunder the provisions of Article 2.2.c) of Royal Decree 421/2004, of 12 March,which regulates the National Cryptologic Centre, taking into account thenational and international evaluation criteria and methodologies recognised bythis body and depending on the use of the specific product or service withinits competences, will determine the following aspects:

a)       Thefunctional security and assurance requirements of the certification.

b)      Otheradditional security certifications that are required by regulations.

c)       Exceptionally,the criteria to be followed in cases where there are no certified products orservices.

For the contracting ofsecurity services, the provisions of the previous sections and the provisionsof Article 16 shall be followed.

16.       MINIMUMPRIVILEGE (ART. 20)

Information systems must bedesigned and configured granting the minimum privileges necessary for theircorrect performance, which implies incorporating the following aspects:

a)      The system will provide the essentialfunctionality for the organization to achieve its competence or contractualobjectives.

b)     The functions of operation, administration andregistration of activity will be the minimum necessary, and it will be ensuredthat they are only carried out by authorised persons, from authorised sites orequipment.

c)      Functions that are unnecessary or inappropriatefor the purpose pursued will be eliminated or deactivated by means of theconfiguration control. The ordinary use of the system must be simple and safe,so that unsafe use requires a conscious act on the part of the user.

d)      Securityconfiguration guides will be applied for the different technologies, adapted tothe categorization of the system, in order to eliminate or deactivate thefunctions that are unnecessary or inadequate.

17.       INTEGRITY AND UPDATING OF THE SYSTEM (ART. 21)

The inclusion of any physicalor logical element in the updated catalogue of system assets, or itsmodification, will require formal authorisation from the ALPINE SECURITYSecurity Manager.

Permanent evaluation andmonitoring will allow the security status of the systems to be adapted inaccordance with configuration deficiencies, identified vulnerabilities andupdates that affect them, as well as the early detection of any incident thattakes place on them. The responsibility will be borne by the ALPINE SECURITYsecurity officer.

18.       PROTECTION OF INFORMATION STORED AND IN TRANSIT(ART. 22)

In the organisation andimplementation of security, special attention will be paid to informationstored or in transit through portable or mobile equipment or devices,peripheral devices, information carriers and communications over open networks,which must be specially analysed to achieve adequate protection.

Procedures will be applied toensure the long-term recovery and preservation of electronic documents producedby the information systems within the scope of application of this RoyalDecree, where required.

Any information on non-electronic support that has been adirect cause or consequence of the electronic information referred to in thisRoyal Decree must be protected with the same degree of security as the latter.To this end, the measures that correspond to the nature of the medium will beapplied, in accordance with the applicable regulations.

19.       PREVENTION        BEFORE OTHER         SYSTEMS      INTERCONNECTED INFORMATION (ART. 23)

The perimeter of theinformation system will be protected, especially if it is connected to publicnetworks, as defined in Law 9/2014, of 9 May, General Telecommunications,reinforcing the tasks of prevention, detection and response to securityincidents.

20.       ACTIVITY LOGGING AND DETECTION OF HARMFUL CODE(ART. 24)

In order to satisfy the purposeof this Royal Decree, with full guarantees of the right to honour, personal andfamily privacy and the self-image of those affected, and in accordance with theregulations on the protection of personal data, public service or employment,and other applicable provisions, the activities of the users will berecorded,  

retaining the informationstrictly necessary to monitor, analyze, investigate and document improper orunauthorized activities, allowing the identification of the person acting atall times.

In order to preserve thesecurity of information systems, guaranteeing and in accordance with theprovisions of the General Data Protection Regulation and respect for theprinciples of purpose limitation, data minimisation and limitation of thestorage period set out therein, the subjects included in Article 2 may,  To the extent strictly necessary andproportionate, analyze incoming or outgoing communications, and solely forinformation security purposes, so that it is possible to prevent unauthorizedaccess to networks and information systems, stop denial-of-service attacks,prevent malicious distribution of harmful code as well as other damage to suchnetworks and information systems.

In order to correct or, where appropriate, demandresponsibility, each user who accesses the information system must be uniquelyidentified, so that it is known, at all times, who receives access rights, whattype they are, and who has carried out a certain activity.

21.       SECURITYINCIDENTS (ART. 25)

The entity owning theinformation systems within the scope of this Royal Decree shall have securityincident management procedures in accordance with the provisions of Article 33,the corresponding Technical Security Instruction and, in the case of an essentialservice operator or a digital service provider, in accordance with the provisions of the annex to Royal Decree 43/2021,of 26 January, which implements Royal Decree-Law 12/2018, of 7 September, onthe security of networks and information systems.

Likewise, detectionmechanisms, classification criteria, analysis and resolution procedures will beavailable, as well as channels of communication to interested parties and theregistration of actions. This register will be used for the continuous improvementof the security of the system.

22.      CONTINUITY OF ACTIVITY (ART. 26)

The systems shall have backupsand the necessary mechanisms shall be put in place to ensure the continuity ofoperations in the event of loss of the usual means.

23.       CONTINUOUS IMPROVEMENT OF THE SECURITY PROCESS(ART. 27)

The comprehensive securityprocess implemented must be continuously updated and improved. To this end, thecriteria and methods recognized in national and international practiceregarding the management of information technology security will be applied.

24.       EXPECTEDRESULTS

The expectedresults of the Security Policy are as follows:

•      Continuous improvement of safety management. Theorganization will have better security resources in the form of knowledge,procedures, and tools.

•      Consolidation of trust in the Company bycustomers and suppliers, accompanied by an improvement in the public image.

•      Reduction of costs derived from securityincidents, through the progressive implementation of security controls.

•       Ensuringcompliance with legal and ethical requirements.