Information Security and Privacy Policies

This document has been created by Microsyslabs S.A.S. (hereinafter MICROSYSLABS or the Company), following the guidelines established by the Ministry of ICT in Colombia in its Guide No. 2 – Elaboration of the General Information Policy. That guide is based on best practices and international industry standards, and this document therefore addresses the needs of our clients for a clear statement of the guidelines the Company follows regarding Information Security.

This document is intended as a basic guideline for the management of information during the normal execution of business activities. It therefore sets out not only the directives but also the position and commitment of the Company’s top management to maintaining the confidentiality, integrity, and availability of information assets belonging to the Company and to the suppliers and clients who have shared them with MICROSYSLABS. This protection is a prerequisite for the use of the technological solutions contracted from the Company and for the development of business relationships.

Information Assets: It corresponds to any complete unit of data or information that has been identified as existing in the company, either because it has been created within it or has been received from third parties and is part of the management processes that the Company must carry out in its daily activities. Assets are the resources of the Information Security System necessary for the Company to function and achieve the objectives set by top management. Any component (human, technological, software, documentary, or infrastructure) that supports one or more business processes of the Company and, therefore, must be protected.

Threat: A potential cause of an unwanted incident that can exploit a weakness (vulnerability) in information assets and negatively impact the organization. Threats may originate outside the organization or within it (policy 5.6 addresses threats from internal personnel). There is no single classification of threats; what matters is to consider all of them when identifying them.

Antivirus: It is a type of software used to prevent, search for, detect, and remove malware from a computer. Once installed, most antivirus software runs automatically in the background to provide real-time protection against malicious attacks. Additionally, they help protect files and hardware from malware execution, such as worms, trojans, and spyware.

Authentication: The process of verifying the identity of a user or technological resource/system when it attempts to access a processing resource or information system.

Authenticity: The property that guarantees that the identity of a subject or resource is as declared.

Chain of Custody: A detailed record of evidence treatment during the security incident response process, including who, how, and when it was transported, stored, and analyzed to prevent alterations or modifications that compromise it.

Information Characteristics: The main characteristics are confidentiality, availability, and integrity.

CCTV: It stands for “closed circuit television,” which consists of one or more surveillance cameras connected to one or more video monitors or televisions that display the images transmitted by the cameras.

Computer Center: A specific area designated by the company to house the computing equipment used for its IT processes. These devices are connected to each other through a data network. The computer center must comply with certain industry standards to ensure basic conditions of security, availability, and continuity, including physical access controls, fire-resistant wall, floor, and ceiling materials, main and alternate power supply, and adequate environmental conditions, among others.

Cable Centers: They are rooms within the company where communication devices are installed, and electrical and/or data cables that cover the company’s premises arrive. Like computer centers, cable centers must meet requirements for physical access control, materials used in walls, floors, and ceilings, power supply, and temperature and humidity conditions.

Cybersecurity: Set of elements, measures, and equipment designed to control the IT security of an entity or virtual space.

Encryption: It is the transformation of data through the use of cryptography to produce unintelligible (encrypted) data and ensure its confidentiality. Encryption is a very useful technique to prevent information leakage, unauthorized monitoring, and unauthorized access to information repositories.

Social Engineering: In the field of IT security, it is the practice of obtaining confidential information through the manipulation of legitimate users by gaining their trust, often with the aim of obtaining information, access, or privileges in information systems that allow them to carry out acts that harm or expose the individual or organization to risks and/or abuses.

IDS: Intrusion Detection System.

IPS: Intrusion Prevention System.

Impact: Consequences produced by a security incident on the organization.

Information Security Incident: An unwanted or unexpected event or series of events related to information security that has a significant probability of compromising business operations and threatening information security.

Integrity: The property of safeguarding the accuracy and completeness of assets.

Logs: Records of information systems that allow verifying the tasks or activities performed by a particular user or system.

Malware: A general term for any type of malicious software designed to infiltrate a device without the user’s knowledge. There are many types of malware, each with different objectives. However, all variants share two defining features: they operate covertly and they actively work against the interests of the person, entity, or device being attacked.

Removable Media: Any removable hardware component used for information storage. Removable media includes tapes, removable hard drives, CDs, DVDs, and USB storage devices, among others.

Best Practice: A specific security rule or technique that is accepted across the industry as the most effective approach to a given security implementation. Best practices are established to ensure that the security requirements of systems and information are addressed correctly.

Phishing: A type of crime classified as a scam. It uses techniques like social engineering, posing as a trusted person or company in an apparent electronic communication, with the goal of fraudulently acquiring confidential information.

Business Continuity Plan: A plan aimed at ensuring the continuity of the organization’s operational functions in case of an unexpected event that jeopardizes them.

Risk Treatment Plan: A management document that defines actions to reduce, prevent, transfer, or accept unacceptable information security risks and implement the necessary controls to protect it.

Policy: A high-level statement that describes the Company’s position on a specific topic.

Security Policy: A document that establishes the management’s commitment and the organization’s approach to information security.

Clear Desk Policy: It instructs employees, customers, suppliers, and other collaborators to leave their desks free of any information susceptible to misuse at the end of their workday.

Procedure: Procedures specifically define how

MICROSYSLABS’ management, understanding the importance of proper information management, is committed to implementing an Information Security Management System (ISMS) to establish a framework of trust in carrying out its duties with third parties (clients, employees, partners, suppliers, or others) who may be interested in the business activities, all in strict compliance with the laws in Colombia and in line with the Company’s mission and vision resulting from organizational planning and strategy review exercises carried out by the Company.

For MICROSYSLABS, information protection seeks to reduce the impact generated on its assets by systematically identifying risks in order to maintain an exposure level that allows for safeguarding the integrity, confidentiality, and availability of this information, in line with the needs of different identified stakeholders. Accordingly, this policy applies to the Company as defined within its scope, including its employees, apprentices, trainees, suppliers, partners, third parties, and the general public, considering that the principles governing the development of actions or decision-making around an Information Security Management System (ISMS) will be determined by the following premises:

  • Minimize risk in the development of the Company’s most critical functions, including (but not limited to) project management, information technology management, physical and financial resource management, and human resources management.
  • Comply with information security principles based on best practices.
  • Comply with administrative function principles.
  • Comply with the national and international legislative framework where the organization chooses to have a presence.
  • Maintain the trust of its customers, partners, and employees.
  • Support technological innovation.
  • Protect information assets.
  • Establish policies, procedures, and instructions related to information security, following best practices.
  • Strengthen the culture of information security among employees, third parties, apprentices, trainees, and customers of the Company.
  • Continuously improve information security management.
  • Ensure business continuity in the face of incidents.
  • Review and adjust policies at least once a year or whenever required by a change.

Scope/Applicability

This policy applies to the entire Company, its employees, contractors, partners, and third parties related to MICROSYSLABS.

Compliance Level

All individuals covered by the scope and applicability must comply with 100% of the policy.

Non-compliance with the Information Security policy will result in legal and disciplinary consequences as applicable to the Company’s regulations, including those established in the norms governing national and territorial government regarding Information Security.

Exceptions to this policy may be granted, subject to approval by the General Management or the Security and Continuity Steering Committee.

Below are the 13 specific security policies that support MICROSYSLABS’ ISMS:

5.1. MICROSYSLABS has decided to define, implement, operate, and continuously improve an Information Security Management System (ISMS), supported by clear guidelines aligned with business needs, best practices, and current regulatory requirements.

5.2. MICROSYSLABS is committed to complying with laws, regulations, and standards related to Information Security, both in Colombia and in countries where clients consuming the offered technologies are located. If any gaps or non-compliance conditions are identified, the ISMS management will address the need for adjustment and compliance.

5.3. Responsibilities for information security will be defined, shared, published, and accepted by each employee, contractor, or third party, considering the principles of segregation of duties to prevent unauthorized access to unrelated information assets, reduce the possibility of unauthorized or unintentional modification, or misuse of information assets.

5.4. MICROSYSLABS will protect the information generated, processed, or stored by its business processes and related information assets.

5.5. MICROSYSLABS will protect the information created, processed, transmitted, or stored by its business processes to minimize financial, operational, or legal impacts due to incorrect use. This requires the application of controls according to the classification of the information under its ownership or custody.

5.6. MICROSYSLABS will protect its information from threats arising from internal personnel, considering different moments or stages of employees during their contractual relationship with the Company and even after such relationship has ended.

5.7. MICROSYSLABS will protect processing facilities and the technological infrastructure supporting its critical processes.

5.8. MICROSYSLABS will control the operation of its business processes, ensuring the security of technological resources and data networks supporting its operations.

5.9. MICROSYSLABS will implement access control to information, systems, and network resources, considering principles of segregation of duties for employees, contractors, or third parties. Conflicting duties and areas of responsibility must be identified and resolved to reduce the possibility of unauthorized or unintentional modification of Company information or misuse of the Organization’s assets.

5.10. MICROSYSLABS will ensure that security is an integral part of the life cycle of information systems.

5.11. MICROSYSLABS will ensure proper management of incidents and security events, as well as weaknesses associated with information systems, for an effective improvement of its security model.

5.12. MICROSYSLABS will ensure the availability of its business processes and continuity of its operation based on the impact that events may generate.

5.13. MICROSYSLABS will ensure compliance with legal, regulatory, and contractual obligations established with third parties in Colombia, and will respect and seek compliance with such obligations with third parties who contract its services in countries other than Colombia.

Non-compliance with the Information Security and Privacy Policy will entail legal consequences in accordance with the regulations of the Company, including the applicable rules of the national and territorial Government of Colombia, and those of countries where clients consuming the offered technologies are located, concerning Information Security and Privacy.

Below, we list specific policies for the implementation of the required controls in the management of the Company’s Information Security Management System (ISMS).

6.1. Information Security Organization:

The superior governing entity for achieving the formulated purpose is defined as the Information and Continuity Management Steering Committee, composed of: the General Manager (or their delegate), the Director of Technology Operations, the Director of Software Engineering and Infrastructure, the Risk Leader in Information Security and Continuity, the Administrative Director, the Marketing and Sales Director, and the Human Resources Director.

This committee will be responsible for reviewing and updating this Policy document, leading internal communications within the Company to foster a culture around information security, supervising the results of the information security management system and requesting adjustments or improvements when needed. It will be in charge of directing communications to third parties when incidents related to information security and business continuity occur. The committee will ensure the proper attention and handling of information security incidents that may arise. It will identify and ensure the necessary connections between the ISMS and the Company’s Safety and Health Management System (SHMS) to maintain a unified vision in managing the risks that may affect information security and workplace safety.

The committee should meet at a frequency it defines to ensure timely execution of the mentioned functions.

6.2. Asset Management:

Guidelines are established to indicate to employees the limits and procedures regarding identification, use, management, and responsibility for information assets. The following are proposed:

Asset Identification: An inventory of the Company’s information assets, whether owned or from third parties, should be made, considering the identification of the owner or responsible person for each information asset, and clear tools to be used for the task. This inventory will be created by the Risk Leader in Information Security and Continuity and should be reviewed and updated as changes (updates, additions, retirements) are made to them.

Classification of Information Assets: The Company must classify information assets according to their criticality, sensitivity, and confidentiality. These definitions must be established in a management procedure defined by the Risk Leader in Information Security and Continuity. Third parties that have provided information assets to be stored and safeguarded by the Company will be invited to this review to be equally involved in the responsibility of ensuring them.

Labeling of Information Assets: All information assets must be labeled following criteria that allow for quick identification, purpose, and given classification. These definitions must be documented in a procedure defined by the Risk Leader in Information Security and Continuity.

Return/Transport/Final Disposal of Assets: The Company delegates to the Risk Leader in Information Security and Continuity the definition of instruments and mechanisms to carry out the activities of return, transportation, and/or final disposal of Information Assets when defined by third parties at the beginning of business relationships. It will also establish mechanisms and controls to ensure that employees deliver physical assets and information once their employment, agreement, or contract with the Company is terminated. The possibility of eliminating these assets, with a record of the executed activity and possible scope, should be considered as a first control action. The deployment and control of this task will be under the responsibility of the IT Service Management and Software Engineering and Infrastructure areas.

Removable Media Management: For the Company, adequate custody of Information Assets is essential. Therefore, while the use of removable media by employees is authorized (understood as electronic devices that store information and can be removed from computers), continuous information and precautionary campaigns will be conducted to prevent risks that may affect the availability, confidentiality, and integrity of the Company’s information assets through these devices.

Disposition of Assets/Information Backups: The Company must establish mechanisms for the proper custody and disposal of identified and classified information assets. These mechanisms will be detailed in a procedure describing how the final disposal, withdrawal, transfer, or reuse of assets will be carried out securely and correctly when they are no longer needed.

It is also the duty of the Company, through activities carried out by the Infrastructure area under the leadership of the Infrastructure Leader, to obtain backups of the information assets offered as a product to customers. The guidelines and procedures for storing information assets must be established by the Infrastructure Leader, ensuring that backups are performed in accordance with the organization’s strategy and the technologies in use.

Regarding the information employees use in their roles, storage directly in the cloud storage of the collaborative tool approved for use in the Company must be enabled.

Authorized Software: The Company must define and keep updated a list of third-party software products authorized to be implemented on its technological infrastructure. This software control will be exercised after an inventory is taken among the Technology Operations and Software Engineering and Infrastructure Departments, consolidating the inventory as an information asset of the Company. The control procedures defined by the Risk Leader in Security and Continuity will be verified. Any employee requiring software not listed in the authorized software inventory must make the corresponding request following the defined procedures by the responsible departments.

Networks, Mobile Devices, and Personal Computers: In the Company, employees can access wireless networks from their laptops, and permanent access from their workstations is guaranteed as a minimum. Access to the Company’s wireless networks from mobile phones, tablets, or other personal devices is not allowed. Likewise, employees may only access the Company’s email accounts and authorized roles through the Company’s data networks and internet links, specifically for each environment to which they have been granted access.

Visitors to Company offices may access a visitor wireless network configured for this purpose, only under authorization from the Director of Software Engineering and Infrastructure or their delegate, using personal computers. Visitors are not allowed to access the main Company data network from mobile phones. Employees of the Company are authorized to use only the assigned computer equipment for their functions. The use of Company networks, connection to the Company’s network, and downloading of Company information assets on personal computers are not allowed. Each employee will be assigned personal computer equipment based on their role and requirements.

6.3. Access Control:

The following guidelines are established to determine the protection mechanisms, limits, and procedures regarding the administration and responsibility related to access to information, whether electronic or physical, in the Company. The following policies are outlined:

User and Password Access Control: It is the responsibility of the Director of Software Engineering and Infrastructure and the IT Service Management to define the procedures for creating, modifying, suspending, or deleting user accounts and passwords on the platforms under their care. These procedures will be implemented by the Support Leader and the Infrastructure Leader of the Company. Every user of the technology services, whether an employee, contractor, or other third party, who has an account on the Company’s platforms must manage the assigned username and password properly: they are personal and non-transferable and must not be lent or shared. Accordingly, the Company must create and provide each employee and/or user with an individual username and password, with access limited to the information assets their role requires. A baseline will be defined for access management to the Company’s information systems. Every user must also verify that the accesses granted to them correspond to those required by their functions and tasks, must refrain from accessing information assets outside their job responsibilities, and must report any unauthorized access they identify to their immediate supervisor and to the Risk Leader in Information Security and Continuity.

Provision of Access Control: The definition of procedures for the assignment, modification, review, or revocation of rights and/or privileges for each created user is the responsibility of the Support Leader (for personal computer equipment) and the Infrastructure Leader (for the wolkvox platform and network infrastructure) of the Technology and Software Engineering and Infrastructure areas of the Company. These procedures will also apply to special cases such as users with elevated privileges used for the administration of the Company’s infrastructure, applications, and information systems, stipulating the scope granted on the platforms under their care. In no case are these users authorized, at their own discretion, to delete, correct, or alter the records of their own platform usage, nor to alter data captured during the normal operation of the information systems or platforms supporting the Company’s operations, without the approval of the Information Security and Continuity Management Steering Committee. The procedures necessary to implement the defined access provisions must be jointly evaluated and implemented by the Risk Leader in Information Security and Continuity and the Infrastructure Leader.

Password Management: As passwords are the basic mechanism for authenticating users’ access to the Company’s network, applications, and/or information systems, passwords must have a minimum length of 8 characters and include at least one special character, at least one number, and a mix of upper- and lower-case letters. As a general rule, passwords must be configured with a maximum validity period of three months. A password initially assigned by an internal system administrator must be changed by the user at first use. It is the responsibility of the Risk Leader in Information Security and Continuity, together with the Infrastructure Leader, to identify the platform components where these password settings cannot be enforced and to inform the Information and Continuity Management Steering Committee for risk assessment and possible treatment actions.
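The following is an added example, not code from MICROSYSLABS or the wolkvox platform, showing how the rules above can be enforced in an access-management component: a composition check that reports every rule a candidate password fails (counting characters as Unicode runes rather than bytes), and a rotation check that distinguishes an administrator-assigned initial password from one that has simply aged out. The 90-day maximum age, the type and function names, and the sample passwords are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// PasswordPolicy encodes the rules stated in section 6.3 "Password Management".
// MaxAge = 90 days is this example's reading of "a maximum of three months" (assumption).
type PasswordPolicy struct {
	MinLength int
	MaxAge    time.Duration
}

// MicrosyslabsPolicy holds the values given in the policy text.
var MicrosyslabsPolicy = PasswordPolicy{MinLength: 8, MaxAge: 90 * 24 * time.Hour}

// Violations returns every composition rule the candidate password fails;
// an empty slice means the password is compliant. Runes are counted, not bytes,
// so a non-ASCII letter counts as one character and still classifies correctly.
func (p PasswordPolicy) Violations(pw string) []string {
	var upper, lower, digit, special bool
	length := 0
	for _, r := range pw {
		length++
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	var v []string
	if length < p.MinLength {
		v = append(v, fmt.Sprintf("fewer than %d characters", p.MinLength))
	}
	if !upper {
		v = append(v, "no upper-case letter")
	}
	if !lower {
		v = append(v, "no lower-case letter")
	}
	if !digit {
		v = append(v, "no digit")
	}
	if !special {
		v = append(v, "no special character")
	}
	return v
}

// Credential is the per-account state an access-management procedure would track.
type Credential struct {
	SetAt      time.Time // when the current password was set
	SetByAdmin bool      // true if an administrator assigned it and the user has not yet replaced it
}

// Action tells the login flow what the policy requires for a credential right now.
type Action int

const (
	Allow              Action = iota
	ForceChangeInitial        // administrator-assigned password must be replaced at first use
	ForceChangeExpired        // password is older than MaxAge
)

// Evaluate applies the rotation rules to a credential at time now.
// The initial-password rule is checked first: an admin-assigned password is
// replaced at first use regardless of how recently it was set.
func (p PasswordPolicy) Evaluate(c Credential, now time.Time) Action {
	if c.SetByAdmin {
		return ForceChangeInitial
	}
	if now.Sub(c.SetAt) > p.MaxAge {
		return ForceChangeExpired
	}
	return Allow
}

func main() {
	// Constructed sample inputs for illustration, not real credentials.
	for _, pw := range []string{"Tr0ub4dor&3", "password", "Ab1!"} {
		fmt.Printf("%-14q violations: %v\n", pw, MicrosyslabsPolicy.Violations(pw))
	}
	set := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("after 100 days:", MicrosyslabsPolicy.Evaluate(Credential{SetAt: set}, set.AddDate(0, 0, 100)))
	fmt.Println("admin-assigned:", MicrosyslabsPolicy.Evaluate(Credential{SetAt: set, SetByAdmin: true}, set))
}
```

Returning the full list of violations, rather than the first one, lets the user-facing procedure explain exactly what to fix and lets the Risk Leader log which rules fail most often on a given platform. Note that NIST SP 800-63B advises against forced periodic rotation unless compromise is suspected; the three-month expiry above is kept because the policy requires it, and a future revision may wish to revisit it.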

Security Perimeters: The following areas are established as restricted-access areas for employees, contractors, or third parties: the rooms in the Company’s administrative offices where LAN and internet telecommunications equipment is located. Any addition or modification to the condition of these physical security areas must be considered by the Information and Continuity Management Steering Committee and documented by the Software Engineering and Infrastructure Department, indicating which employee, contractor, or third-party roles will have access to these security areas. Individuals not pre-authorized for these areas must request access from the person delegated in each case as responsible for authorizing it and the conditions under which it is granted. A procedure to this effect must be documented by the Infrastructure Department.

6.4. Secure Software Development

The Company, aware of the importance of offering secure software products to the market, must establish the ways, means, and competencies to achieve secure software artifacts in line with best practices for secure software development. To do this, it will incorporate methodologies with an appropriate cost-benefit ratio that allows for secure software development in line with industry guidelines. Additionally, it will establish controls to validate the strength of third-party software products, should the Company decide to involve them, in relation to security premises, and manage these products with the vendor to evolve the software towards the Company’s definition of secure software.

6.5. Confidentiality

For the Company, managing the confidentiality of information assets is a relevant task. Therefore, every document regulating the Company’s relationships with employees, contractors, or others must contain confidentiality clauses that establish the conditions for the delivery, custody, and handling of information assets that may be exchanged between the parties as a result of the employment or commercial relationship. The consequences of improper handling of information assets by any of the parties will also be stipulated.

6.6. Integrity

For the Company, all verbal, physical, or electronic information must be adopted, processed, and delivered or transmitted in its entirety, coherently, exclusively to the corresponding individuals, and through the appropriate means, without modifications or alterations, except as determined by authorized and/or responsible individuals for such information. In the case of contractual relationships, the commitment to the integral and comprehensive management of internal and external information will be included in the clauses of the respective contract under the heading of “Information Integrity Clause.”

6.7. Availability of Service and Information

The Company must have a business continuity plan to ensure, recover, or restore the availability of the processes supporting the Information Security Management System and the Company’s mission-critical processes in the event of an information security incident.

The Company has established availability objectives for services associated with the wolkvox platform, committing to achieve availability levels equal to or higher than 99.6% of the time per month.

To achieve this availability target, the Company, under the direction of the Technology Operations Management, must design and implement management procedures in line with industry best practices to manage the risks that may affect the achievement of the availability objective.

Additionally, the Company, under the direction of the Software Engineering and Infrastructure Management, must define guidelines to achieve a segregation of environments to minimize the risks associated with the implementation of changes and new developments to reduce the impact of service unavailability during the development, testing, and production phases. Furthermore, the incorporation of Change Management guidelines will ensure that steps to production minimally affect availability and are carried out under controlled conditions.

6.8. Information Security Incident Management

The Company, under the direction of top management, is committed to the appropriate handling of events, incidents, and information security vulnerabilities. This management must be based on best practices and must apply to all users with authorized access to any information system.

It is the responsibility of the Information Security Risk Leader and the ICT Service Management to define the procedure for registering, handling, and resolving incidents that affect the Company’s own information assets or those of third parties under its custody. Best practices for handling the chain of custody of elements that may be analyzed to identify the causes of, and the parties responsible for, the events must be considered and documented.

The Information Security Risk Leader is responsible for presenting a monthly report on registered events, the treatment given, and the risk management actions being formulated to mitigate such risks to the security and continuity management steering committee.

6.9. Information Security Training and Awareness

The achievement of a culture that understands and promotes the benefits of information security is fundamental for the Company as it will help reduce vulnerabilities and threats related to individuals. Therefore, the following is established:

  • Top management is committed to allocating sufficient resources to develop training programs for employees and third parties, as well as to maintain the information security management system.
  • A training program for employees on the information security management system, conducted by the human talent management area of the company, must be established.
  • All employees of the organization will receive training, and contractors and third parties related to the Company will be informed of the system guidelines and the responsibilities that they have as a fundamental part of the commitment to information security.
  • Employee attendance at information security management system training events held by the Company will be monitored, and this activity will be considered an integral element of employee performance.
  • Periodic review of training results will be conducted to improve processes.

6.10. Use of Cryptographic Controls and Key Management

Cryptographic Controls: The Technology Operations, Software Engineering and Infrastructure, and Information Security and Continuity Risk areas will be responsible for defining the most appropriate information encryption mechanisms based on the Company’s needs. This should be done based on the analysis of information security and continuity risks, considering criteria such as authenticity, confidentiality, integrity, and non-repudiation in communications or information processing.

The standard encryption methodologies recommended by the industry (AES and 3DES with key lengths starting from 256 bits, and RSA with key lengths starting from 2048 bits) will be adopted for the different assets and information systems belonging to Microsyslabs where the use of cryptographic controls is relevant. Additionally, Colombian regulations regarding data protection, applicable standards, and existing technology will be taken into account.

Key Management: The Technology and Operations, Software Engineering and Infrastructure, and Information Security and Continuity Risk areas will be responsible for defining the administration of encryption keys. The Company must protect encryption keys against modification and/or destruction; secret and private keys also require protection against unauthorized distribution. Techniques to ensure the integrity of information should be used. Physical-logical protection controls should be used to protect the equipment and/or system used in the generation, storage, and safeguarding of keys. Those responsible for encryption systems and cryptographic keys will establish controls to ensure the security of the system and keys based on the risk analysis performed by the Information Security and Continuity Risk Leader and manage access only to authorized personnel. These systems or tools must be included in the inventory of authorized software, and the use of information encryption tools or systems other than those authorized will not be allowed.

6.11. Monitoring

This policy document must be reviewed at least once a year by the information security and continuity management steering committee or earlier if it becomes evident that the defined policies need to be reviewed and/or adjusted to ensure the confidentiality, integrity, and availability of the company’s information assets.

| Version | Date | Change Owner | Approver | Change |
| --- | --- | --- | --- | --- |
| 1.0 | 31/01/2020 | Juan Carlos Acevedo M. | Security Steering Committee | Document Creation |
| 2.0 | 21/05/2021 | Juan Carlos Acevedo, Santiago Sánchez | Security Steering Committee | Adjustments to the document according to consulting recommendations |
| 3.0 | 22/07/2021 | Juan Carlos Acevedo, Santiago Sánchez, Darío Burgos | Security Steering Committee | Adjustments to the document according to consulting recommendations |
| 4.0 | 29/12/2021 | Juan Carlos Acevedo, Santiago Sánchez | Security Steering Committee | Adjustments to the document according to consulting recommendations |
