1. Objective The main objective of this policy is to ensure the protection, integrity and availability of confidential information and services that our SaaS company provides to our customers. We seek to prevent unauthorized access, misuse, disclosure, alteration and destruction of information.
2. Scope This policy applies to all employees, contractors, consultants and third parties who have access to company systems and networks. This includes anyone who processes, stores or transmits information on behalf of the company.
3. Responsibilities All employees are responsible for protecting the information to which they have access. Any violation of this policy may result in disciplinary action, up to and including termination.
4. Access Management Access to systems and data will be controlled on a "need to know" basis. Employees shall only have access to the information they need to perform their duties. All access will be logged, and the logs will be reviewed regularly by the security committee and/or the internal auditor to detect suspicious activity.
5. Data Protection All data stored on our systems will be encrypted at rest and in transit using strong encryption algorithms. Regular backups (weekly for customer data, monthly for internal data) will be performed and tested to ensure that they can be restored in the event of data loss. In addition, we will implement measures to protect against malware and cyber attacks, including, but not limited to, the following:
Use licensed software and, where the software is SaaS, use only services that comply with European or American security standards and regulations.
Keep the system and applications up to date: Updates often include security patches for newly discovered vulnerabilities.
When handling sensitive data, bmotik's virtual private network (VPN) should be used.
Keep the firewall enabled.
Be cautious with suspicious e-mails and links, since many cyber attacks start with a phishing email or a malicious link. Only trust emails sent from within the organization, and adopt a posture of constant suspicion and verification. In case of any doubt about an email, ask the security committee.
Perform regular data backups: weekly for customer data and monthly for bmotik internal data.
Implement two-factor authentication on all accounts related to bmotik, its customers and suppliers.
Train employees on cyber security, keeping them informed about best practices such as not sharing passwords and not opening suspicious emails.
Monitor the network regularly; early detection of suspicious activity can prevent a large-scale attack.
Maintain the incident response plan up to date.
5.1. Prohibition of Removable Media: As part of our commitment to robust data security, the use of removable media, including but not limited to USB drives, external hard drives and other portable storage devices, to manage customer data is strictly prohibited.
5.1.1. Approved Alternative Methods: To facilitate the secure management of customer data, Bmotik has established alternative methods for data transfer, storage and exchange. These approved methods adhere to industry best practices and encryption standards to ensure the confidentiality and integrity of customer information.
5.2. Prohibition of Sharing User Accounts: As part of Bmotik's commitment to maintaining sound information security practices, the organization strictly prohibits the sharing of user accounts among multiple individuals. Each user account is designated for individual use and is not transferable. Bmotik employees and authorized users are expressly prohibited from sharing their assigned user accounts with others. A user account is intended for the exclusive use of the individual to whom it is assigned and must not be shared, transferred or used by anyone else.
5.2.1. Individual Responsibility: Each user is individually responsible for activities performed using their assigned user account credentials. Sharing user accounts undermines established security and accountability measures and increases the risk of unauthorized access to sensitive information.
5.2.2. User Authentication: Users must authenticate using their unique credentials when accessing Bmotik systems, applications and resources. Sharing user accounts compromises the integrity of the authentication process and may result in unauthorized access. All accounts must use MFA.
5.2.3. Security Implications: Sharing user accounts poses significant security risks, including, but not limited to, unauthorized access, data breaches, and the inability to accurately trace actions to specific individuals. It also violates the principle of least privilege by giving individuals access beyond their authorized permissions.
5.2.4. Consequences of the Violation: Violations of this policy will result in disciplinary action, which may include written warnings, suspension of account privileges or termination of employment, depending on the severity and recurrence of the violation. In addition, in cases where the violation leads to unauthorized access or compromises sensitive information, legal action may be taken.
6. Incident Management Any security incident must be reported immediately to the security team or committee. An investigation will be conducted and steps will be taken to prevent future incidents. This may include changes to policies and procedures, additional training or improvements to security measures.
The standard information security incident response plan is described below:
7. Compliance The company will comply with all applicable laws and regulations related to information security and privacy. This includes the General Data Protection Regulation (GDPR), the Personal Data Protection Act (LPPD) and other relevant local and international laws.
8. Review and Update This policy will be reviewed and updated regularly, at least once a year or when significant changes occur in our business or in applicable laws and regulations.
9. Training All employees will receive regular information security training to ensure that they understand their responsibilities. This training will cover topics such as secure information handling, how to detect and report security incidents, and how to keep systems and data secure.
10. Security Committee A Security Committee will be formed, comprised of key business representatives, including but not limited to IT, Legal, Operations and Finance. This committee will be responsible for the development and implementation of the security program and for its periodic oversight, at least annually.
Communication with the security committee shall be made through the following e-mail address: [email protected] or through the official communication channels enabled by the company.
11. Internal Audit Regular internal audits will be conducted to ensure compliance with this policy and to identify any areas requiring improvement.
Last modified February 5, 2024