Security Policy
Updated on Jan 7th, 2024
1. Purpose and scope
The purpose of this Policy is to define the objectives, direction, principles and basic rules for the management of information security at TEF.
This Policy applies to all TEF employees, as well as third parties to the organization.
2. Definitions
Confidentiality: attribute of information which is only available to authorized people or systems.
Integrity: attribute of information which can only be modified by authorized people or systems and in a permitted manner.
Availability: attribute of information that can only be accessed by authorized persons when necessary.
Security of the information: preservation of the confidentiality, integrity and availability of the information.
Information security management system: part of the general management processes responsible for planning, implementing, maintaining, reviewing and improving information security.
3. Responsibilities
The Information Security Manager is responsible for ensuring the preparation, update, communication and publication of this Policy.
TEF Management and the Managing Director are responsible for the approval and communication of this Policy.
The company's employees are responsible for compliance with the provisions herein.
4. Description
The Electric Factory Management recognizes the importance of identifying and protecting the organization's information assets. To this end, it will avoid the destruction, disclosure, modification and unauthorized use of all its information, committing to develop, implement, maintain and continually improve an Information Security Management System.
To define “Information Security”, The Electric Factory adopts the definition established in the UNIT-ISO/IEC 27000:2018, Information Technology - Security techniques - Information security management system - Overview and vocabulary standard.
Information Security is characterized as the preservation of:
- Its confidentiality, ensuring that only those who are authorized can access the information;
- Its integrity, ensuring that the information and its processing methods are accurate and complete;
- Its availability, ensuring that authorized users have access to information when they require it.
Information security is achieved by implementing an appropriate set of controls, such as policies, procedures, organizational structures, software and infrastructure. Said controls must be established to ensure the security objectives of the organization.
The Electric Factory will appoint an Information Security Manager who will be responsible for the guidance, implementation and maintenance of the Information Security Management System (ISMS).
This policy must be communicated, shared and complied with by all of the organization's personnel, regardless of the position they hold or their contractual modality.
It is The Electric Factory policy to:
- Set annual objectives related to information security
- Develop a process and methodology for identifying, evaluating and treating information security risks
- As per the results of the information security risk assessment, implement the corresponding corrective and preventive actions and define an action plan.
- Classify and protect information according to current regulations and assessment criteria, in relation to its importance to the organization.
- Comply with legal, statutory and contractual regulations on information security
- Provide information security training and awareness to all staff
- Establish an information security incident management process with specific procedures covering everything from incident reporting to management and registration.
- Establish that all personnel are responsible for reporting information security incidents, whether confirmed or suspected, as well as any suspicious event according to the procedures defined.
- Put in place the mechanisms to guarantee the business continuity of The Electric Factory
5. Records
There are no records.
6. Annexes
There are no annexes.
7. References
UNIT-ISO/IEC 27000:2018, Information Technology - Security techniques - Information security management system - Overview and vocabulary standard.