Information security and privacy policy

1. Introduction 

Genuine School recognizes that information is an essential strategic asset for fulfilling its educational mission and institutional management. In a digital, global environment regulated by multiple jurisdictions, information security is a critical component for ensuring the trust of students, families, staff, partners, and authorities. 

This policy establishes the institutional framework for the protection of information, ensuring that it is managed in accordance with the principles of confidentiality, integrity, availability, and privacy, and aligned with ISO/IEC 27001:2022 and applicable legal requirements in each jurisdiction where the institution operates. 

2. Purpose 

The purpose of this policy is to establish the principles, guidelines, and responsibilities governing the comprehensive management and protection of institutional information processed by Genuine School, guaranteeing its confidentiality, integrity, availability, and privacy, as well as its ethical and secure use. 

This instrument constitutes the guiding framework of the institutional Information Security Management System (ISMS), designed to: 

  • Comply with the international standard ISO/IEC 27001:2022 and other best practice standards in information security. 
  • Ensure regulatory compliance in all jurisdictions where Genuine School operates, including, among others, the legislation of Colombia, Brazil, the United States, and the European Union. 
  • Protect the rights of data subjects, particularly minors, by ensuring security measures proportionate to the sensitivity of the information. 
  • Support Senior Management’s commitment to risk management, continuous improvement, and the promotion of an organizational security culture. 

 

3. Scope 

This policy is mandatory and applies across the entire organization, including: 

  • Institutional Processes: All strategic, core, and support processes defined in the Genuine School Process Map, as well as any other related or complementary processes involving the processing of institutional information. 
  • Information: All data, documents, or data sets generated, processed, stored, transmitted, or deleted by Genuine School, in any format or medium—whether physical, digital, or audiovisual—including information owned by Genuine School and information received or managed on behalf of third parties. 
  • People: All members of the educational community and stakeholders, including students, parents or legal guardians, teachers, administrative staff, directors, suppliers, contractors, strategic partners, and any third party with access to institutional information. 
  • Platforms and Services: All institutional technological systems, applications, and services, whether proprietary or provided by third parties (such as Microsoft 365, Teams, AWS, Jira, GitHub, BUK, Treble, among others), including any new platforms or tools that may be adopted in the future. 
  • Physical and Virtual Environments: All physical facilities, administrative or academic headquarters, remote work environments, virtual classrooms, cloud services, and any other means through which institutional information is accessed, processed, or managed, without geographical or jurisdictional limitation. 

 

4. Regulatory and Reference Framework 

Information security management at Genuine School is based on a regulatory and best practice framework that integrates international standards and applicable legislation in the jurisdictions where the institution operates. This framework forms the basis for the design, implementation, monitoring, and continuous improvement of the Information Security Management System (ISMS) and ensures compliance with legal, contractual, and regulatory requirements. 

This policy is aligned with: 

A. International Standards and Norms: 

    • ISO/IEC 27001:2022 – Information Security Management Systems (ISMS). 
    • ISO/IEC 27002:2022 – Information security controls. 
    • Best practices and guidelines issued by the National Institute of Standards and Technology (NIST), when applicable. 

B. Data Protection and Privacy Legislation: 

    • General Data Protection Regulation (GDPR) – European Union. 
    • Brazilian Data Protection Law (LGPD) – Brazil. 
    • Law 1581 of 2012 and Decree 1377 of 2013 – Colombia. 
    • Children’s Online Privacy Protection Act (COPPA) – United States. 
    • Family Educational Rights and Privacy Act (FERPA) – United States. 
    • Other applicable data protection and privacy laws in the jurisdictions where the institution operates or provides services. 

C. Sectoral and Contractual Regulations: 

    • Contractual obligations with suppliers and strategic partners, establishing security and confidentiality requirements. 
    • Regulatory requirements applicable to the education sector and the provision of digital services. 

D. Internal References: 

    • Genuine School’s Privacy and Personal Data Processing Policy. 
    • ISMS procedures and protocols. 
    • Incident Response Plan. 

This framework will be reviewed and updated periodically to reflect regulatory, technological, and organizational changes, ensuring its continued validity and effectiveness. 

5. Guiding Principles 

Information security management at Genuine School is governed by the following principles, aligned with ISO/IEC 27001:2022, applicable legislation, and international best practices: 

  • Legality and Lawfulness: All personal data processing and information management activities shall be carried out in compliance with current regulations in the jurisdictions where the institution operates, including GDPR, LGPD, Law 1581, FERPA, and COPPA, among others. 
  • Confidentiality: Information shall be accessible only to authorized individuals, based on their role and legitimate need. 
  • Integrity: Information and related assets shall be maintained in a complete, accurate, and reliable state, protected against unauthorized modification. 
  • Availability: Information and assets shall be available to authorized users when and where required, ensuring business continuity. 
  • Traceability: All relevant actions involving information and assets shall be recorded, allowing for auditing, control, and accountability. 
  • Comprehensive Asset Management: All information assets—physical, digital, human, and intangible—shall be identified, inventoried, and documented in the institutional asset register, ensuring full coverage within the ISMS scope. 
  • Continuous Inventory Updates: The asset inventory shall be continuously maintained, periodically reviewed, and updated to reflect any significant changes in the asset’s nature, location, condition, classification, or ownership. 
  • Risk-Based Classification: Assets shall be classified based on their Confidentiality, Integrity, and Availability (CIA), considering the potential impact of loss, alteration, unauthorized disclosure, or unavailability. 
  • Proportional Access Control: Access rights and permissions for each asset shall be assigned based on its classification level and criticality, applying the principle of least privilege and restricting access to only those individuals strictly necessary for the performance of their duties. 
  • Data Minimization and Proportionality: The processing of personal data shall be limited to what is strictly necessary to fulfill the legitimate purpose for which it was collected. 
  • Proactive responsibility: The institution shall adopt preventive measures to identify, mitigate, and manage risks before incidents occur. 
  • Continuous improvement: The ISMS shall be periodically reviewed and updated to adapt to technological, regulatory, and organizational changes, improving institutional resilience. 

 

6. Definitions 

For the purposes of this policy, the following definitions apply: 

  • Institutional Information: Any data or data set related to Genuine School’s academic, administrative, contractual, strategic, or support activities, in any format or medium, whether physical, digital, or audiovisual. 
  • Information Security Management System (ISMS): A structured set of policies, procedures, controls, resources, and governance mechanisms designed to protect institutional information and associated assets, ensuring their confidentiality, integrity, availability, and privacy. 
  • Information Asset: Any resource or element—whether physical, digital, human, or intangible—that holds value for the institution and whose use, access, processing, or storage may affect the achievement of its strategic, mission-related, or operational objectives. All information assets require protection measures proportionate to their value, sensitivity, and criticality. 
  • Asset Owner: The individual, role, or entity formally designated as responsible for ensuring that an information asset is identified, classified, protected, and managed throughout its entire lifecycle, from creation or acquisition to final disposition. The asset owner is responsible for defining security requirements and authorizing appropriate access levels. 
  • Asset Custodian: The individual, role, or area that, under the asset owner’s guidelines, executes the necessary actions to implement, operate, and maintain the associated security controls, ensuring the proper use, storage, protection, and availability of the asset. 
  • Asset Classification: A systematic evaluation process used to determine the required level of protection for an information asset, based on its assessment against the criteria of Confidentiality, Integrity, and Availability (CIA), as well as its sensitivity, operational relevance, and legal implications. 
  • Criticality: A measure reflecting the importance of an asset to the institution, derived from its CIA classification and the potential impact of its loss, alteration, unauthorized disclosure, or unavailability. 
  • Asset Inventory: An official, centralized, and continuously maintained record documenting all information assets within the scope of the ISMS, including their identification, location, owner, custodian, classification, and any other information relevant to their management and protection. 
  • Data Subject: A natural person whose personal data is processed by Genuine School, in accordance with applicable data protection legislation. 

 

7. Information Security Objectives 

The objectives of Genuine School’s Information Security Management System (ISMS) are: 

  • To protect the rights of personal data subjects, especially minors, by implementing organizational, technical, and personnel controls appropriate to the sensitivity and criticality of the information processed, in accordance with current legislation. 
  • To ensure the continuity of academic, administrative, and support services, as well as the ability to recover from incidents, disruptions, or disasters, minimizing impacts on critical processes and stakeholders. 
  • To reduce and manage risk exposure through a structured approach to identification, analysis, evaluation, treatment, and continuous monitoring, incorporating internal, external, technological, operational, and regulatory threat perspectives. 
  • To maintain an up-to-date institutional inventory of information assets, ensuring their identification, classification, and assignment to owners and custodians, so that protection measures proportionate to their level of criticality are applied. 
  • To strengthen the information security culture across the educational community and among stakeholders by promoting awareness, training, and best practices in the secure use of information and technological resources. 
  • To ensure traceability and demonstrable compliance with applicable laws, standards, and contractual obligations by maintaining verifiable and auditable records that support ISMS conformity. 

 

8. Responsibilities 

Compliance with this policy and the effectiveness of the Information Security Management System (ISMS) depend on clearly defined roles and responsibilities, which are established as follows: 

8.1 Senior Management 

  • Define and approve the institutional information security strategy. 
  • Allocate the necessary human, technical, and financial resources for the implementation and maintenance of the ISMS. 
  • Approve this policy, its revisions, and related policies. 
  • Promote an information security culture at all levels of the organization. 
  • Ensure compliance with legal, regulatory, and contractual obligations in all jurisdictions where the institution operates. 

CISO – Chief Information Security Officer 

  • Lead the technical, operational, and administrative implementation of the ISMS. 
  • Coordinate the identification, classification, and management of information assets, ensuring their protection throughout their lifecycle. 
  • Oversee the management of security incidents, including root cause analysis and the implementation of corrective and preventive actions. 
  • Plan and supervise internal audits and ISMS reviews. 
  • Coordinate risk assessments and monitor risk treatment plans. 
  • Report periodically to Senior Management on ISMS performance and opportunities for improvement. 

8.2 Information Security Committee 

An interdisciplinary body responsible for: 

  • Approving action plans, specific policies, and operational procedures related to information security. 
  • Validating asset classifications and impact assessments (including Data Protection Impact Assessments – DPIAs). 
  • Coordinating the institutional response to security incidents, ensuring appropriate internal and external communication. 
  • Assessing and recommending measures to address emerging threats, vulnerabilities, and regulatory changes. 
  • Reviewing existing controls and proposing improvements to ensure their ongoing effectiveness. 

8.3 Data Protection Officer (DPO) 

  • Oversee regulatory compliance regarding personal data protection and privacy. 
  • Manage data subjects’ rights (access, rectification, erasure, portability, objection, among others). 
  • Conduct Data Protection Impact Assessments (DPIAs) when processing involves a high risk. 
  • Notify the competent authorities and affected data subjects of security incidents or data breaches, in accordance with applicable legislation. 
  • Advise Senior Management, the CISO, and operational areas on data protection matters. 

8.4 Users 

All members of the Genuine School community and stakeholders with access to institutional information are required to: 

  • Comply with this policy and all ISMS-related procedures. 
  • Use institutional information and resources responsibly, ethically, and strictly for authorized purposes. 
  • Safeguard their access credentials and devices against misuse. 
  • Promptly report any incident, anomaly, or suspected vulnerability to the CISO or the Information Security Committee. 
  • Participate in information security awareness and training activities established by the institution. 

 

9. Risk Management Approach 

Information security risk management at Genuine School is a continuous and structured process aimed at identifying, assessing, treating, and monitoring risks that may affect the confidentiality, integrity, availability, or privacy of institutional information, as well as the continuity of operations. 

This approach is based on the following principles: 

  • Comprehensive Coverage: Covers all information assets, processes, people, technologies, physical locations, and external services within the ISMS scope. 
  • Standardized Methodology: A formal risk analysis and assessment method aligned with ISO/IEC 27005 and applicable supplementary guidelines is employed, integrating qualitative and quantitative criteria according to the nature of the asset and its potential impact. 
  • Multi-Jurisdictional Perspective: Considers applicable legal, regulatory, and contractual requirements in all jurisdictions where Genuine School operates or has users, including the United States, Colombia, Brazil, and the European Union. 
  • Classification and Criticality: Risks are assessed based on asset classification using Confidentiality, Integrity, and Availability (CIA) criteria, which determine each asset’s criticality and required level of protection. 
  • Prioritized Risk Treatment: Risks are prioritized based on likelihood and impact, with proportionate and cost-effective preventive, detective, and corrective measures applied accordingly. 
  • Periodic Review: Risk assessments are reviewed at least annually, and whenever significant changes occur in processes, technologies, asset locations, legal requirements, or organizational structure. 
  • Recording and Traceability: All risk management activities, including assessments, treatment plans, and follow-up actions, are formally documented to ensure traceability and provide evidence for internal and external audits. 

The CISO, in coordination with the Information Security Committee, is responsible for leading this process and ensuring the active participation of asset owners, custodians, and other relevant stakeholders. 

 

10. Information Classification and Protection 

Information classification is a fundamental pillar of the Information Security Management System (ISMS), as it enables the application of protection measures proportionate to the sensitivity, criticality, and risk associated with each asset. Genuine School adopts a three-level classification model based on functional sensitivity, approved by Senior Management and aligned with ISO/IEC 27001:2022 (controls A.5.12 and A.5.13), as well as applicable regulations in the United States, Colombia, Brazil, and the European Union. 

10.1 General Principles 

  • Comprehensive Coverage: All information assets—regardless of format (physical, digital, audiovisual, human, or intangible)—must be classified and appropriately protected. 
  • CIA-Based Classification: Classification is based on Confidentiality, Integrity, and Availability (CIA) criteria, as well as the potential legal, reputational, operational, and financial impact of a security incident. 
  • Mandatory Labeling: All assets must be clearly labeled, either physically or digitally, to indicate their classification level. 
  • Continuous Updates: Classifications are subject to periodic review and must be updated whenever there are changes in the asset’s nature, location, criticality, or ownership. 
  • Integration with Asset Inventory: Each asset’s classification, along with its designated owner and custodian, must be recorded in the Institutional Information Asset Inventory. 

 

Classification Levels: Definition and Scope 

Level 1 – Public 

Institutional information that has been legitimately disclosed in a controlled manner and whose access does not pose significant risks to confidentiality, privacy, or overall information security. This classification does not apply to personal data of minors, unless explicit, informed, and verifiable consent has been obtained from the data subject or their legal representative. It also does not apply to standard personal data of adults without proper consent, nor to internal institutional information, which may only be disclosed with prior express written authorization from Genuine School. 

Level 2 – Confidential 

Includes standard personal data of adults, as well as Genuine School’s internal or strategic documents that do not contain sensitive data or information related to minors. The unauthorized disclosure, access, or use of this information could negatively impact operations, regulatory compliance, or the institution’s reputation. 

Level 3 – Restricted 

Includes personal data of minors, sensitive personal data of adults, and any information of a criminal, judicial, or highly sensitive institutional nature. 

Unauthorized access, disclosure, or misuse of this information may result in serious legal, reputational, operational, and ethical consequences for both the individuals involved and for Genuine School. 

10.2 Additional Considerations 

  • Minors’ Data: Always classified as Level 3 – Restricted, regardless of its nature, and requires verifiable, explicit consent, unless otherwise legally justified. 
  • Criminal/Judicial Data: Subject to strictly controlled access, enhanced traceability, and documented legal justification for any disclosure. 
  • Internal Documents Without Personal Data: Even in the absence of personal data, documents of a strategic or operational nature must be classified as Level 2 – Confidential. 
  • Online Publication: Availability on the internet does not imply that information is public; legal validation is required, and in the case of minors, verifiable consent remains mandatory. 

 

11. Implementation Strategy and Controls 

Genuine School will implement an integrated set of technical, organizational, physical, and contractual controls designed to protect information assets in accordance with their classification, criticality, and risk level. These controls will be applied in accordance with the principles of the Information Security Management System (ISMS), and in alignment with international standards and applicable legal requirements in all jurisdictions where the institution operates. 

11.1 Technical Controls 

Technological security measures shall be developed and implemented to safeguard institutional information against unauthorized access, loss, alteration, or improper disclosure. These measures shall be regularly reviewed and updated to address evolving threats and ensure their continued effectiveness. 

11.2 Organizational Controls 

Clearly defined policies, procedures, and roles shall be established to support the secure management of information, promote a culture of security, and ensure that all members of the educational community understand and fulfill their responsibilities. 

11.3 Personnel Controls 

Mechanisms and practices shall be put in place to regulate and monitor access to institutional information and to hold people accountable for its use, ensuring that only authorized individuals—based on their roles and responsibilities—are permitted to access and use such information. 

11.4 Contractual and Third-Party Controls 

Formal clauses, agreements, and commitments shall be established with suppliers, strategic partners, and third parties who access institutional information, ensuring that they comply with the same security and confidentiality requirements applied internally by the institution. 

12. Incident Management and Service Continuity 

A. Framework for Action 

    • All information security incidents shall be managed in accordance with the ISMS Incident Response Procedure and any specific processes associated with each information classification level (Public, Confidential, Restricted). 
    • Incident management shall follow a structured approach, including detection, containment, eradication, recovery, and post-incident review, in alignment with ISO/IEC 27035:2022 best practices. 

B. Notification and Reporting 

    • Any member of the educational community, supplier, or third party who detects an information security incident or suspects a vulnerability shall report it immediately to the CISO or the Information Security Committee via established reporting channels. 
    • Reports shall include, at a minimum: a description of the incident, date/time of occurrence, affected system(s) or asset(s), classification of the compromised information, and initial mitigation actions taken. 

C. Analysis and Documentation 

    • The CISO shall coordinate a root cause analysis to determine the origin, scope, and impact of the incident, including whether personal data, sensitive information, or critical assets are affected. 
    • All incidents shall be formally recorded in the Institutional Security Incident Register, including supporting evidence, mitigation actions, and preventive measures. 

D. Notification to Authorities and Data Subjects 

    • When an incident involves personal or sensitive data, Genuine School shall notify the competent supervisory authorities and affected data subjects in accordance with applicable legal requirements and timelines in each jurisdiction (e.g., GDPR – EU, LGPD – Brazil, FERPA/COPPA – USA, or Law 1581 – Colombia). 
    • All notifications shall be documented, including evidence of delivery and content. 

E. Service Continuity Plan 

    • Genuine School maintains a Service Continuity Plan, integrated with the Disaster Recovery Plan (DRP), to ensure the continuity of critical academic and administrative operations during disruptive incidents. 
    • The plan shall be tested at least annually through simulations, system restoration tests, and data recovery exercises. 

F. Continuous Improvement 

    • Following each incident, a post-incident review shall be conducted to identify opportunities to improve technical, organizational, and personnel controls, as well as procedures and training programs. 
    • Lessons learned shall be incorporated into the ISMS and communicated to relevant departments to prevent recurrence. 

 

13. Review and Continuous Improvement 

This policy shall be reviewed and updated periodically to ensure its continued relevance, effectiveness, and alignment with the applicable regulatory framework, strategic objectives, and operational context of Genuine School. 

The review shall be conducted at least annually, and additionally whenever: 

  • Significant changes occur in applicable laws or regulations in any jurisdiction where the institution operates. 
  • New platforms, technologies, processes, or services are introduced that involve the processing of institutional information. 
  • Vulnerabilities, information security incidents, or nonconformities are identified that may affect the security of information. 
  • An internal or external audit requires a review, or the Information Security Committee recommends it. 

The review process shall be led by the CISO, validated by the Information Security Committee, and approved by Senior Management, ensuring proper version control, traceability of changes, and timely communication to all relevant stakeholders. 

Continuous improvement shall be embedded within the Information Security Management System (ISMS) through the incorporation of lessons learned from incidents, audit outcomes, performance metrics, and outputs from the risk management process. 

CONTACT US

We want to connect you with the best resources and subject-matter experts to help you. If you have questions or concerns that are not related to your privacy, we include contact information for other teams that can give you assistance.

Privacy Related Contacts. If you have any questions or would like to know more about our privacy practices or your privacy rights, please contact us at legal@genuinelab.us

Please note that Florida law identifies email addresses as public records. If you do not want your email address disclosed in response to a public records request, please do not submit your request by email. You can contact us via phone call or in writing, instead, using one of the options listed below.

You may also send questions and Privacy Rights Requests to our address at: 980 North Federal Highway, Suite 110, Boca Ratón, Florida 33432. Or also to our address: Vereda Llano Grande Ca 26 01 Paipa, Boyacá – Colombia

Educational Records Resources. If you have questions about your Educational Record that are not related to privacy questions or concerns, please contact our Records Management experts at academics@genuinelab.us

Other ways to contact us. We have multiple contact channels, including Facebook and Twitter, and you can choose your preferred method. You can review our contact options on the contact page of the GS studyatgenuine.com website or call a US-based customer service representative at +1 786 789 0299 and ask to be connected to a member of the Information Security and Privacy team.

To learn more about our AI usage policies on Genuine School’s WhatsApp channel, click here.

Last updated: Apr 13, 2026.