Introduction
The purpose of this Information Security and Privacy Policy, within the Information Security Management System (ISMS), is to establish the management guidelines implemented by Jumbo Tours to ensure that the access, use, and custody of information assets are carried out in accordance with the business requirements established by Jumbo Tours. These guidelines are set with respect to the integrity, availability, and confidentiality of the information, respecting the current legal framework and faithfully complying with the established regulations.
Scope of Application
The ISMS Information Security and Privacy Policy is applicable to those who have access to the resources that have been identified as “information assets” of the company, within the established scope of the security management system. These protection requirements affect all information on electronic or paper support and the information systems owned by Jumbo Tours or managed for it.
Principles
The formulation of the ISMS Information Security and Privacy Policy is based on the following key protection principles:
- Effectiveness: Guarantee that all information used is necessary and useful for the development and dissemination of data.
- Efficiency: Ensure that the processing of information is carried out through optimal use of human and material resources.
- Integrity: Ensure that all necessary and sufficient information for the operation of services and processes is processed in each of the computer systems.
- Accuracy: Ensure that all information is free from errors and/or irregularities of any kind.
- Availability: Guarantee that the information and the capacity for its manual and automatic processing are safeguarded and eventually recovered when necessary, in such a way that the operation of the services is not significantly interrupted.
- Legality: Ensure that all information and the physical means that contain, process, and/or transport it comply with the current legal regulations in each area.
- Confidentiality: Guarantee that all information is protected from unauthorized use, accidental disclosures, privacy violations, and other similar actions of unauthorized third-party access.
- Privacy: Ensure security in relation to the collection, use, conservation, disclosure, and elimination of personal information.
- Authorization: Guarantee that all accesses to data and/or transactions that use them comply with the corresponding authorization levels for their use and disclosure.
- Physical Protection: Guarantee that all means of processing and/or conservation of information have physical protection measures that prevent improper access and/or use by unauthorized personnel.
- Responsibility: Guarantee that interested parties are aware of and responsible for safeguarding the security of information systems and for the actions that may be undertaken to reinforce it.
Objectives of the ISMS
The objectives of the ISMS regarding the established scope are:
- Implement the value of Information Security and Privacy throughout the Organization.
- Have every single person at Jumbo Tours contribute to the protection of Information Security and Privacy.
- Define the commitment to continuous improvement as the security management framework, using the ISO 27001 standard as a reference for establishing the information security management system and the ISO 27002 standard as a set of good practices for information security management.
- Guarantee Jumbo Tours’ commitment to the treatment of personal data and especially sensitive data, complying with the principles of privacy and data protection legislation.
- Protect Jumbo Tours’ information from all threats, whether internal or external, deliberate or accidental, with the aim of guaranteeing the continuity of the service offered to customers.
- Establish an information security and privacy plan that integrates prevention and risk minimization activities for security incidents based on the risk management criteria established by Jumbo Tours.
- Assume responsibility for awareness and training in information security as a means to ensure compliance with this policy.
- Extend our commitment to information security to customers and interested parties.
Policies, Rules, and Procedures
All employees and collaborators of Jumbo Tours actively participate in the culture of prevention and asset protection derived from the ISMS. They must therefore act in accordance with this policy and with the security rules and procedures developed and communicated by the entity.
ISMS Roles and Responsibilities
The assignment and delimitation of responsibilities to ensure that the objectives proposed in this security and privacy policy are implemented and met require the establishment of certain roles responsible for the general aspects of information security management.
Jumbo Tours defines and communicates the necessary responsibilities to guarantee information security and compliance with the established objectives.
Risk Management
All information assets within the scope of the ISMS are subject to a risk analysis with the aim of evaluating the threats and risks to which they are exposed.
The risk management process includes activities such as system categorization, risk analysis, and the application of controls or security measures proportional to the level of risk.
Continuous Improvement
Information security management is a process subject to permanent updating. Changes in the organization, threats, technologies, and/or legislation are examples of situations in which continuous improvement of systems is necessary. Therefore, Jumbo Tours continuously reviews and improves policies, processes, and security measures to guarantee their effectiveness and adequacy.
Audits
Jumbo Tours performs audits, internal and external, in order to verify:
- Whether the requirements of the international standard are met, as well as the legislation and other regulations applicable to the ISMS.
- Whether the identified security objectives are met.
- Whether controls have been effectively implemented and maintained.
- Whether the expected results are being achieved.
Statement of Authority over the Policy
It is the responsibility of all people and departments involved in the processes or services included in the scope to strictly comply with this Security and Privacy Policy. To achieve this purpose, the involvement and participation of all Jumbo Tours employees are necessary.
It may also require the participation of suppliers and third parties in the application of security measures that are determined as minimum essential requirements.
The Policy will be periodically reviewed to ensure its validity and adequacy to the risks and needs of the company.



