    General information security policy

    1. Scope

    This document was developed by the Information Security area and has received approval from the CEO of COCO INVERSIONES TECNOLÓGICAS S.A.S. Compliance is mandatory for all corporate personnel, as well as third parties, suppliers, and contractors. COCO INVERSIONES TECNOLÓGICAS S.A.S. specializes in providing communication services between healthcare institutions and patients through digital tools and artificial intelligence.

    2. Key definitions

    Confidentiality: ensures that information will only be viewed and accessed by duly authorized individuals (ISO/IEC 27001:2022).

    Integrity: ensures that information will only be modified by duly authorized individuals (ISO/IEC 27001:2013).

    Availability: guarantees that information will always be available whenever it needs to be consulted or accessed (ISO/IEC 27001:2022).

    ISMS: Information Security Management System.

    3. Roles & responsibilities

    The Information Security Leader implements ISO 27001, identifies risks and threats, designs mitigation strategies, and handles audit and evidence requirements. The Security Committee (CEO, CO-CEO, CMO, CTO, CFO, and RSI) reviews, evaluates, and approves the ISMS, the current policy, and measures against security threats. All internal and external personnel must accept this policy in writing, comply with ISMS regulations, attend training sessions, and report situations threatening information security.

    4. Policies & commitment

    For COCO INVERSIONES TECNOLÓGICAS S.A.S., information is one of the most important pillars for service delivery. The organization commits to protecting it by upholding the principles of Confidentiality, Integrity, and Availability, complying with applicable legal requirements and security controls, and continuously monitoring the ISMS to improve and ensure its effectiveness.

    5. General Guidelines

    All individuals linked to COCO (clients, collaborators, suppliers, contractors, partners) must safeguard corporate information they access and prevent its loss, alteration, destruction, or misuse. Protected assets include: information, collaborators, software applications, computer equipment, physical facilities, communication networks, auxiliary equipment, information systems, client databases, and patient databases. The organization manages and mitigates risks, takes proactive measures against cybersecurity threats, and implements a business continuity plan. Specific policies (acceptable use, passwords, backups, email, access control, remote work, encryption, etc.) are reviewed twice a year at the end of each semester or when significant changes occur.

    6. ISMS Objectives

    Culture: train and raise awareness among collaborators and contractors on information protection.

    Incidents: identify, analyze, and promptly close information security incidents.

    Risks: control, mitigate, and prevent risks associated with information security.

    Continuity: ensure the availability of organizational processes.

    Security Controls: evaluate and monitor ISMS controls and procedures.

    Continuous Improvement: establish an organizational commitment to monitoring the management system.

    7. Responsibilities, Conformity & Validity

    The Information Security area is responsible for managing implementation, ensuring compliance, conducting periodic reviews, updating, disseminating, and training personnel. Non-compliance with this policy entails sanctions established in the work regulations. This document must be reviewed and approved by senior management of COCO INVERSIONES TECNOLÓGICAS S.A.S. Its validity is permanent.

    Last updated: January 2026 · COCO Inversiones Tecnológicas S.A.S.