
Cybersecurity and Information Security Procedures
Version 1 (September 2019)

Annex:
Cybersecurity Policies and Procedures


Table of Contents

1. Basic principles
2. Management Model
3. Confidential Data Management
   3.1 Proper password management
   3.2 Secure E-Mails
   3.3 Information Backups
   3.4 Transferring Information Securely
   3.5 Proper Use of Removable Storage Media
4. IT Infrastructure Security Management
   4.1 Access to personal devices
   4.2 Access to servers and communications equipment
   4.3 Protect personal and business devices
   4.4 Personnel working remotely
   4.5 Assignment and use of equipment for staff use
   4.6 Equipment Room Maintenance
5. Management of access to Data Networks and Corporate Applications
   5.1 Access to Network Services
   5.2 Remote Access (VPN)
   5.3 Access to the WIFI network
   5.4 Access to Information Systems
   5.5 Network Monitoring, Applications and Services
6. Technological Asset Management
   6.1 Hardware and Software Inventories
7. Informatic Incident Management
   7.1 Event logs and correlations with Incidents
8. Additional Measures


1. Basic principles
• Promotes that South Trade's Information and Telecommunications Systems are aligned with the level of
cybersecurity appropriate to the industry.
• Sensitizes users to cybersecurity risks and promotes the provision of knowledge, skills, experience and
technological capabilities to support the company's cybersecurity objectives.
• Strengthens capacities for prevention, detection, reaction, analysis, recovery, response, research and
coordination in the face of new threats.
• Promotes the existence of adequate cybersecurity mechanisms for systems and operations managed
by third parties providing services to the company.
• Provides procedures and tools to keep abreast of changing conditions in the technological
environment and new threats.

2. Management Model
This Cybersecurity Management Model is based on general industry best practices for offices and,
specifically, IMO recommendations for ship security, so as to provide the resources for an environment
aligned with established business and cybersecurity objectives.

3. Confidential Data Management

Confidential Data is secret and valuable; it corresponds to the company's most valuable asset.
Common examples are:
• Unpublished financial information.
• Customer/partner/sales data.
• Patents, formulas or new technologies.
• Lists of clients (potential and current).

In this policy, users are given recommendations on how to avoid security breaches, for which the following
procedures are defined:

3.1 Proper password management

Password leakage is a critical risk since it can compromise the company's infrastructure. Passwords should
not only be difficult to crack or guess, they should also remain secret. For this reason, users are advised to:
• Choose passwords with at least 8 characters (including uppercase, lowercase, numbers and symbols)
and avoid information that can be easily guessed, for example:
  o Birthday.
  o Name of a family member.
  o Generic passwords:
    - 1234
    - asdf
    - admin
• Remember passwords instead of writing them down. If an employee needs to write down a password, he
or she is required to keep the document (digital or physical) confidential and destroy it when the job is
done.
• Exchange credentials only when absolutely necessary. If the exchange is not possible in person,
employees should prefer a telephone channel over e-mail, and only if they can recognize the person with
whom they are speaking.
• Change passwords every 6 months.

Remembering a large number of passwords can be complicated. It is suggested that users categorize their
passwords and, if necessary, only write them down in an encrypted digital document and ensure their
non-disclosure.

3.2 Secure E-Mails

E-mails are a common carrier of malicious software (viruses, Trojans, etc.). To avoid malware infection or
information theft, users are instructed to:

• Avoid opening attachments or links whose content is not properly explained. For example:
  o "You won an iPhone X. CLICK HERE TO CLAIM YOUR PRIZE!"
  o "Look at this video, it's amazing!"
  o "Dear, attached report requested (report.docx.exe)."
• Be suspicious of advertising and propaganda:
  o "Unmissable offers."
  o "The new iPhone for only 1 USD!"
• Check that the email address matches the sender's name. Check the mailbox addresses and make sure
the mail is legitimate.

If a user is unsure of the legitimacy of an email, he or she can consult the company's IT area.

3.3 Information Backups

The company's relevant information, both that found on its file servers and in its databases, must be
periodically backed up in order to keep safe one of the most important assets of any company, its
information, so that in extraordinary situations or after human errors causing information loss there are
options for partial or total recovery of the compromised information, ensuring the operational continuity of
the company.

Users should be encouraged to use the company's file servers to keep their documents and important
information, as these servers have a defined backup scheme.

In order to achieve this objective, it is essential to:

• Implement a regular backup scheme for the information held on the media, to ensure its integrity and
rapid recovery when necessary.
• Explicitly document the databases, shared folders, applications, websites and any other relevant
information that is backed up, indicating the periodicity of the backup and the recovery procedure.
• Ensure that the backup scheme maintains the integrity, confidentiality and availability of the
information.
• Keep logs in order to periodically audit that the backups made comply with the previous point. Such
audits should be documented and should explicitly validate that the information is available and that
systems can continue to function normally using information restored from a backup.
• Ensure that performing backups does not hinder the normal operation of the systems or the work of
users; for this reason it is recommended that they be performed outside business hours.

3.4 Transferring Information Securely

Transferring data introduces security risks; therefore, a user who needs to do so must:

• Avoid transferring sensitive data (e.g. customer information, personnel data) to other devices or
accounts unless absolutely necessary. When a mass transfer of such data is required, the user should
ask the IT area for help.
• Share confidential information over the enterprise network/systems and not over public networks or
non-corporate private networks.
• Ensure that the recipients of the data are properly authorized persons or organizations and have
adequate information security policies.
• Report fraud, privacy breaches and hacking attempts.

It is critical that the IT area is aware of fraud, security breaches and malware so that it can protect the
company's IT infrastructure in a timely manner. For this reason, users are advised to report perceived attacks,
suspicious emails or attempted phishing/fraud as soon as possible to IT specialists. The area must properly
investigate to resolve the problem and, if necessary, send a company-wide security alert.

3.5 Proper Use of Removable Storage Media

The use of external storage devices introduces a great risk to the security of the company's network. The
misuse of these devices can cause the infection of the corporate network (viruses, Trojans, malware in
general) and loss of control of the company's computer systems, with catastrophic consequences for the
organization, for example: theft and loss of information, malicious encryption of information assets, disclosure
of business secrets, publication of confidential information of staff.

To ensure proper use of removable storage media, users are advised to:

• Not connect unknown devices to company equipment.
• Use only authorized devices.
• Encrypt personal and assigned devices to prevent the loss of personal information.
• Immediately inform the Administration and the IT area in case of theft or loss of any removable media,
either personal or business.
• Not leave personal or assigned storage devices unattended.
• Scan the information contained on removable storage media once a week for viruses, Trojans and
malware in general.

4. IT Infrastructure Security Management

The company has different sensitive spaces in terms of electronic information management and information
systems that must be safeguarded.

4.1 Access to personal devices

• Access to offices where there is computer equipment should, at a minimum, be restricted.
• Any end-user device (computer, notebook, telephone, tablet, etc.) belonging to the company must be
assigned to properly identified users, who must take care of it and use it properly, preventing any
improper access to the information it contains.
• Equipment assignments must be properly documented and kept up to date over time.

4.2 Access to servers and communications equipment

• The South Trade IT area is the only one authorized to access the server room and network equipment,
and is in charge of administering the access controls and access registers (logs) for these facilities.
• If third-party activities are required within the equipment room, the third party must always be
accompanied by company IT personnel.
• Server room access logs should be audited regularly to detect abnormal patterns.

4.3 Protect personal and business devices

When users use their digital devices to access mail or corporate accounts, security risks are introduced to
the company's information. Users are expected to keep both their personal devices and those assigned by
the company secure. For this, it is recommended to:

• Keep passwords protected.
• Keep anti-malware solutions up to date.
• Ensure that no devices are left exposed or unsupervised.
• Install application and system security updates monthly, or as soon as patches are available.
• Access user accounts and enterprise systems only through secure, private networks.

Users are also advised to avoid accessing third-party credentialed systems, sharing personal credentials or
devices, or leaving accounts logged in on third-party devices.

When new users are assigned company equipment or a device, they will receive training in:

• Configuring disk encryption.
• Configuring password management tools.
• Installing anti-malware software.

Users are advised to protect their devices and consult the IT area if they have any questions.

4.4 Personnel working remotely

Users who work remotely must follow the instructions in this policy just like those working in the offices.
Since company resources (accounts, systems and networks) will be accessed, they are obliged to use
encryption, protection and configuration mechanisms that provide a secure and private connection. It is
recommended to ask the IT area for help if necessary.

4.5 Assignment and use of equipment for staff use

The computers, notebooks, smartphones and peripherals necessary for carrying out the entrusted functions
are assigned to users for institutional use and will be configured according to the guidelines established for
such purposes. Therefore, users responsible for such equipment must observe the following:

• The assigned equipment may only be used to fulfill the tasks inherent to the user's function within the
company.
• Only software authorized by the company's IT area may be installed.
• The company information stored on the devices is confidential, so the user must take the necessary
safeguards so that such information is not leaked to third parties in the event of loss of the equipment.
• Personal information should not be stored on company equipment.
• In case of requiring other equipment for the development of meetings, workshops or others

4.6 Equipment Room Maintenance

The equipment room is a space properly conditioned to house the resources needed for the processing and
storage of company information. These resources are made up of servers, communication equipment,
network equipment, and storage and backup devices for company information.

Given the above, guidelines are established for the proper functioning of the equipment room and for
proceeding in the event of adverse events that may affect it. Therefore, it is necessary to:

• Restrict access to any unauthorized person.
• Perform preventive maintenance of the equipment that makes up the room.
• Evaluate alternatives to improve the configuration of the equipment room, according to the available
resources, making the corresponding adjustments, updates and changes.

5. Management of access to Data Networks and Corporate Applications

The IT area of South Trade must ensure that all information that travels through the different data networks
of the company is protected, ensuring its integrity and confidentiality.

For this purpose, a series of access control guidelines for South Trade networks are established and are
applicable to all officers (permanent staff, hires, replacements and substitutes), honorary personnel and third
parties providing services to South Trade.

5.1 Access to Network Services

• All users accessing the network must have a unique identity, namely the access credentials of the
directory service, provided when they join the institution.
• The users of the company have access permissions to the areas that correspond to them; they are
responsible for the proper use and maintenance of their network access password and must comply with
the minimum requirements listed in the section "Confidential Data Management".
• The WIFI network must use WPA2 encryption or higher.
• All communication devices (routers, firewalls, switches) must be protected by passwords, and only
South Trade IT personnel may have access to their administrative configuration.
• Users who require access to communication devices must have a user account, associated with a
privilege profile, in order to access services, corporate applications and network resources of the
company.
• Access credentials for network resources and services should be personal and non-transferable,
avoiding the use of generic and shared accounts.
• The privileges assigned to the different profiles and the list of users assigned to those profiles should
be audited regularly in order to regularize the levels of access users may have during their stay in the
company, and to revoke those privileges when they are no longer part of the organization.

5.2 Remote Access (VPN)

• Remote access (from the Internet) to the South Trade network should be done in a secure and controlled
way, using a VPN (virtual private network) connection scheme with an authentication protocol and
SSL-VPN encryption, validating the authentication against the directory server.
• Remote access must be authorized by the Administration and reported to the IT area.
• Temporary access may be granted to personnel outside South Trade only in exceptional cases.

5.3 Access to the WIFI network

• Access to the wireless network must be restricted and password protected.
• WIFI access must be segmented for internal and external users, with very limited access for the latter.
• WIFI network traffic must be audited to detect unauthorized access and minimize risks.

5.4 Access to Information Systems

Users who access South Trade's information systems must faithfully preserve the confidentiality and privacy
of the information they handle, and must always:

• Preserve the integrity of the information that is recorded in or consulted from the different computer
systems of the company, avoiding inappropriate or corrupting modifications.
• Maintain the confidentiality of the information in the different systems, protecting it from access by
unauthorized users.
• Provide the necessary support for the availability of South Trade IT services and, in the event that an
information system presents problems or vulnerabilities are detected, report immediately to their
supervisor or to the IT area of the company.

Requests for specific access to information systems for new users must be managed by each area of
South Trade through its head or whoever is designated for that function. The access request must
indicate:

• The user who requires the access permissions.
• Details of the system(s) to which the user requires access.
• Details of the user profile the official must have for each of the systems to which access is requested.

5.5 Network Monitoring, Applications and Services

Monitoring and alarm mechanisms should be in place to prevent attacks and, if they occur, to take adequate
and timely actions to minimize the impact on South Trade's information assets.

Protocols for monitoring networks, applications and services must be established to protect the company's
information assets.

• In order to access the monitoring tools for each utility and piece of hardware, the user must first have
administrator privileges, both in the domain and in the credentials handled by each tool. Only personnel
designated by the IT area hold these privileges.
• The first firewall of the local network should be used to block or enable ports and protocols, depending
on the requirements of services and applications.
• The firewall configurations should be backed up annually where an emergency recovery plan is
established.
• Mail of malicious origin, which can spread to users and therefore to the local network, should be filtered
and monitored in order to control mail-borne viruses and spyware; this task is performed automatically
by Google's Gmail but supervised by IT staff. To this end, the tools available to the institution should be
used.
• All traffic on the internal network, including Windows, Linux and OSX services, should be monitored
using the tools available for this purpose.
• The event logs of the Windows, Linux and OSX services should be reviewed periodically to detect early
or, failing that, correct those actions detrimental to the platform, the systems and their information assets.

6. Technological Asset Management

A detailed record of the company's technological assets must be kept. An inventory of hardware equipment
must be maintained that contains its history of use and configurations, both active and deregistered, as well
as the history and configurations of all pieces of software used by the company. This inventory should also be
complemented by purchase and vendor lists if necessary.

The following steps must be followed to keep a record of technology assets:

• Once an asset is received, the IT area must update its asset register with the minimum data necessary
for its correct control and monitoring, identifying data such as: product description (model, brand, etc.),
serial number, warranty period, among others.
• If equipment is assigned to a user, it is the responsibility of the IT area to record the information relevant
to the assignment, including user name, assignment date and work area, among others, in order to keep
the company's technology asset inventory up to date.
• For technological assets that are defective or liable to be deregistered, the IT area will notify the
corresponding area in order to manage the administrative procedure for these purposes.

6.1 Hardware and Software Inventories

The operating systems of both application servers and user workstations, the information systems and the
software specific to certain hardware must be recorded as assets, and their useful life within the company
must be tracked; each asset, hardware or software, must therefore carry a history record.

This inventory is vital for preventive maintenance, bug fixes, software updates and security patches. For
this, it is required:

• To maintain a record of changes to operating systems, software in general and associated hardware.
• Critical security updates and patches will be applied to Windows servers and PCs. Since some security
patches or updates could affect the proper functioning of certain features of both Windows and the
hosted systems, it is advisable to review the documentation of the update or security patch before
applying it to the servers.
• In the case of Linux operating systems, updates and patches will be applied manually, connecting
directly to the repositories of the most popular distributions (example: CentOS repo, REMI).
• The operation of communications hardware, servers and storage requires highly complex
configurations, so it is necessary to record them in the respective hardware inventory.

7. Informatic Incident Management

The following guidelines are established for the occurrence of incidents or the detection of threats and/or
weaknesses that could compromise the security of the company's information assets and the technology
that supports them. For this, it is required:

• To maintain records of incidents and/or threats that have occurred, including the solutions that are
implemented.
• To immediately inform the IT area of the occurrence of incidents or the detection of threats and/or
weaknesses that could compromise the security of the company's information assets.
• To classify incident types into:
  o Problems in the server room or in the equipment that composes it.
  o Theft of devices assigned to personnel or of company information.
  o Unauthorized personnel entering the server room or users' workstations.
  o Denial of service attacks (DDoS), hacking and impersonation techniques.
  o Computer viruses and malware in general.
  o Problems accessing network services, corporate applications and/or the company website.
• To continuously follow up on incident reports in order to identify the root cause of each problem and
identify behavioral patterns.

7.1 Event logs and correlations with Incidents

System event records generated by the operating systems, databases, communication equipment, endpoints
and antivirus/anti-malware software on the South Trade data network must be consolidated, reviewed and
retained.

Following general guidelines, logs of the events, warnings and errors that resulted in cybersecurity incidents
should be documented in order to detect the recurrence of an incident and/or improve the response time for
events and incidents, as well as to detect behavioral patterns.

The South Trade IT area should review these events daily and use software to detect correlations between
events. The monitoring of these events must be supported by technological tools, such as SIEM software,
to find correlations between the various events in order to detect cyberattacks against the company's data
and networks early.

8. Additional Measures

To reduce the likelihood of security breaches occurring, users are instructed to:

• Turn off their screens and lock their devices when they leave their workspace.
• Report damaged or stolen equipment as soon as possible to the IT area.
• Change all user account passwords when a device has been stolen.
• Report perceived threats and potential security vulnerabilities in enterprise systems.
• Refrain from suspicious downloads and from the use of unauthorized (or illegal) software on company
equipment.
• Avoid accessing suspicious or unauthorized sites.

The user is also expected to engage with the company's Social Media and comply with the Internet Usage
Policy.

The IT area should:

• Install firewalls, anti-malware software, endpoint protection and access authentication systems.
• Organize information security training for all users of the company.
• Inform users regularly about new e-mail or malware scams and how to combat them.
• Investigate security breaches thoroughly.
• Follow these policies like all other staff.

The company owns and will own the physical and digital controls necessary to protect the information.
