Information security policy
We recognize the importance of the security, privacy and confidentiality of your personal information.
<p> </p>
<div class="cms-button block" data-block-name="cms-button" data-block-status="loaded">
<div class="cms-button-content">
<div class="cms-button-container w-full">
<style>
.cms-button .cms-rich-text-external-icon {
display: none !important;
}
</style>
<a href="/en/about-us/contact-us" target="_blank" data-button="true" data-external="false" class="group relative z-2 cursor-pointer inline-flex justify-center align-center items-center transition-all rounded-[32px] border border-[2px] px-6 gap-2 h-12 bg-background-brand-primary-default border-transparent outline-none focus:outline-none focus-visible:outline-none focus-visible:ring-0 focus-visible:ring-offset-0 focus-visible:shadow-none active:outline-none active:ring-0 active:shadow-none hover:bg-background-brand-primary-hover hover:border-transparent active:bg-background-brand-primary-active active:border-transparent group/cms-button" title="Contact us" style="text-decoration: none; --button-border-active: transparent; --button-border-focus: transparent;">
<div class="absolute transition-all max-w-full max-h-full w-full h-full outline rounded-[32px] outline-offset-[-4px] z-1 outline-2 group-focus-visible:outline-border-stroke-focus group-focus-visible:outline-offset-[4px] hidden group-focus-visible:block"></div>
<span class="text-center flex justify-start align-center text-xl font-bold text-text-brand-primary group-hover:text-text-brand-primary">
<div class="flex items-center justify-center gap-[12px]">Contact us</div>
</span>
</a>
</div>
</div>
</div>
General notice
We are committed to the confidentiality, integrity and availability of information in all the activities we carry out to secure the information of our customers, flyers, users, human talent, suppliers and shareholders through the Information Security Management System and the Corporate Information Security Policy
<p style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5; margin-bottom: 16px;">
Establishes the commitment of Aerovías del Continente Americano S.A. Avianca, Avianca Ecuador S.A., Avianca Costa Rica S.A., Aviateca S.A., Regional Express Américas S.A.S., and Taca International Airlines S.A. to information security management through:
</p>
<ul style="padding-left: 24px; margin: 16px 0;">
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Implementing international standards, legal and organizational requirements, and information security controls that enable the management of risks affecting the confidentiality, integrity, availability, and privacy of information, while ensuring compliance with information security objectives.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Promoting a culture of information security and continuous improvement among collaborators (direct and subcontracted) and related third parties (suppliers and contractors).
</li>
</ul>
<p style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5; margin-bottom: 16px;">
The objectives of the Information Security Management System are:
</p>
<ul style="padding-left: 24px; margin: 16px 0;">
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
<strong>Information protection:</strong> Strengthen the protection of the organization’s information by considering risks, security, compliance, and the continuity of processes and technology.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
<strong>Identity and access management:</strong> Optimize access management times for critical systems.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
<strong>Business continuity:</strong> Strengthen the organization’s business continuity program and disaster recovery plan.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
<strong>Vulnerability management:</strong> Ensure compliance with the vulnerability management policy to protect the organization’s systems.
</li>
</ul>
1. PURPOSE AND SCOPE
<br>
1.1 Purpose
This policy seeks to establish the information security and cybersecurity guidelines required for the protection of the information of Investment Vehicle 1 Limited (the “Company”) and any of its subsidiaries (with the Company the “Organization”), against situations that may affect the Confidentiality, Integrity and Availability (as defined below) of the information of the Organization and that may cause financial, legal, competitive and/or reputational impact on the Organization (the “Policy”).
<br>
1.2 Scope
The scope includes all the information and valuable resources (Information and Communications Technologies -ICTs-, Facilities, and Operational Technologies -OTs-) associated to or that belongs to the Organization or that is managed by third parties (suppliers and contractors), regardless of the format, medium, in all its forms (digital, handwritten, spoken, printed), presentation and/or place where it is located, including cyberspace.
<br>
2. RESPONSABILITIES
The Risk and Information Compliance Department, is the area responsible for formulating the Policy, disclosing it, reviewing it at least once a year and keeping it updated; monitoring that it is complied with, in accordance with the mission and vision of the Organization, and compliance with the regulations applicable to the Organization.
<br>
2.1. Policy approval
The Audit Committee is responsible for ratifying this policy and its updates, monitoring the information risk profile, promoting the culture of information security and cybersecurity, encouraging compliance with its guidelines, allocating resources for compliance, as well as generally monitoring compliance with this Policy.
<br>
2.2. Information Risk and Compliance Department functions
<br>
<ul style="padding-left: 24px; margin: 16px 0;">
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Define the scope of the Information Security and Cybersecurity Program aimed at protecting the confidentiality, integrity, and availability of the Organization’s information, ensuring regulatory compliance and implementing industry-recognized best practices and methodologies.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Promote the effective management of cyber and information security risks through the identification, analysis, evaluation, and treatment of such risks.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Define processes for the continuous updating of regulatory frameworks related to Information Security and Cybersecurity.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Support the response to information security and cybersecurity alerts and incidents reported by employees, related third parties, or identified through monitoring activities conducted by information security management platforms that may impact the Organization’s processes, technological resources, or systems.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Define a technology recovery management program to ensure the availability and continuity of critical business functions and processes in the event of interruptions.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
With the support of the Legal Department, monitor compliance with applicable laws and regulations related to Information Security and Cybersecurity.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Monitor compliance with the Information Security and Cybersecurity Program and management system, in alignment with the Organization’s mission and vision, and with the regulations applicable to each of its companies.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Through the Legal Department, establish and maintain relationships with authorities, special-interest groups, and other relevant stakeholders in information security and cybersecurity.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Support the Organization in implementing measures and controls necessary to ensure compliance with this policy.
</li>
</ul>
2.3. The Organization, its officers, directors, employees (direct or outsourced) and related third parties (suppliers and contractors) who have access to the Organization's information, whether on a regular or occasional basis, in the performance of their duties, are responsible for:
<br>
<ul style="padding-left: 24px; margin: 16px 0;">
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Know and comply with this Policy, as well as the related manuals, procedures, and instructions referenced in this document.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Implement this Policy together with any manuals, procedures, or instructions established for its execution.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Assume responsibility for managing risks related to the Organization’s information and implementing appropriate mitigation actions.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Consider information security and cybersecurity requirements in processes, initiatives, projects, and contracting activities.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Identify and report to the Information Risk and Compliance Department any events or incidents that may threaten compliance with information security policies and procedures.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Monitor compliance with applicable laws and regulations related to information security and cybersecurity.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Use the Organization’s technological and information resources responsibly, only in environments or applications approved by the CIO (including those associated with AI) and solely for authorized purposes.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Identify and notify the Information Risk and Compliance Department of current and emerging cyber threats and cybersecurity risks that may affect the Organization.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Comply with the Organization’s practices for the secure use of authentication information and authentication mechanisms (passwords, access codes, MFA, passwordless authentication), and apply the principle of minimum privilege when accessing information.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Manage digital identities and assign minimum access privileges according to responsibilities, as well as request the timely removal of digital identities and access rights when they are no longer required.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Ensure compliance with the principle of Segregation of Duties to minimize the risk of concentrating critical responsibilities in a single individual.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Define operational and technological contingency plans necessary to maintain the continuity of the company’s critical processes and services, and ensure they are tested periodically to remain effective.
</li>
</ul>
<br>
3. CONTENT
<br>
General and specific aspects of the Policy.
<br>
3.1 The Organization recognizes that information is an indispensable input for the execution of processes, decision making in the development of business objectives and for the design and definition of the products and services that constitute the differentiating factor of what we are to our customers, collaborators and associates. It also recognizes the importance of preventing information security and cybersecurity risks throughout their lifecycle; such protection is framed by 3 properties:
<br>
<ul style="padding-left: 24px; margin: 16px 0;">
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
<strong>Confidentiality:</strong> Information must not be made available or disclosed to unauthorized individuals, entities, or processes.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
<strong>Integrity:</strong> The accuracy, reliability, and completeness of information must be preserved.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
<strong>Availability:</strong> Information must be accessible and usable when requested by an authorized individual, area, or process, and at the time it is required.
</li>
</ul>
<br>
3.2 The information and valuable resources associated with the information that the Organization uses for the development of its business objectives must be identified; the information and other associated resources must have a responsible person assigned to them, who must make the decisions that are pertinent for their protection, in accordance with the internal requirements and regulations applicable to each company.
<br>
3.3 All information, regardless of the medium in which it is found or the location from which it is accessed, must be classified to establish its sensitivity (the level of reserve that must be maintained on its content) and its criticality (the level of availability required so that business operations are not interrupted). It is the responsibility of the members of the Organization to know the classification of the information they use for the development of their activities; and of those responsible for the processes to define the controls to protect the information according to the classification handled by each Company that is part of the Organization.
<br>
3.4 The Organization identifies as confidential or privileged information, the following information, among other, as the definition of confidential information must be made on case by case basis:
<br>
<ul style="padding-left: 24px; margin: 16px 0;">
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Stock exchange shares, strategic and financial information, information related to strategic alliances, projections, results, and financial disclosures.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Information related to customers, collaborators, shareholders, related third parties, contractors, suppliers, travelers, users, and investors.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Insider information concerning significant and confidential company events.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Material non-public information, including, for example, merger information, strategic projects, asset disposals, changes in dividend policies, business partner information, shareholder information, among others.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Business information that the Organization is required to protect, including patents, inventions, commercial agreements, contracts, software source code, and any other information capable of providing a competitive advantage.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Revenue optimization practices, pricing strategies, and net fare information.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Information related to operations and associated processes.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Security reports; risk, compliance, internal and external audit information; operational incidents; information security and cybersecurity incidents; investigations; and legal matters related to any of the foregoing.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Reports issued by or submitted to regulatory authorities that contain confidential information.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Keys, PINs, passwords, and information used to access corporate networks and/or applications.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Information subject to personal data protection regulations (including payment card data) in the jurisdictions where the Organization operates or conducts business.
</li>
</ul>
<br>
The aforementioned information, and any other that is considered due to its classification as confidential or privilege information may not be used for the personal benefit of any administrator, collaborator or third party that has access to, or for any purpose other than that originally intended for such information.
<br>
3.5 It is the duty of all those responsible for processes, project or initiative leaders and contract managers to ensure that information risks are identified, analyzed, evaluated, treated and monitored, in accordance with the procedures of the Information Risk and Compliance Department, ensuring that the corresponding risks are kept within the risk levels acceptable to the Organization.
<br>
3.6 Information resources such as: equipment, business applications, Internet services, Intranet, collaborative tools (e-mail, chat, cloud storage), among others, are provided to all employees of the Organization for the exclusive use of the Organization. Access to and use of these resources must be authorized by the person responsible for each resource and in accordance with the responsibilities of his or her function. Information resources must be returned immediately to the administrator when they are no longer needed.
<br>
3.7 The Organization must ensure that its employees, any officer, manager or any person in charge of information management processes implement information security measures such as, but not limited to: checks and investigations on personal references, work references, work experience, complementary tests, security survey, aptitude and knowledge test, in a manner that supports security policies and in compliance with local regulations.
<br>
3.8 All employees and related third parties undertake to handle the confidentiality of the Organization's information regardless of whether they have signed a confidentiality agreement at the time they join the Organization and are responsible for the confidentiality of the information even after the end of their relationship with the Organization.
<br>
3.9 The Organization shall have a permanent information security and cybersecurity culture program to keep all its personnel informed about policies, information security responsibilities and the continuous threats that put the information it manages and/or processes at risk.
<br>
3.10 Those responsible for contracts and contracting should ensure that the information security responsibilities of third parties and their supply chain who access, process, store or distribute information of value to the Organization are documented in contracts or other service delivery agreements and should monitor compliance throughout the completeness of the term of the contractual relationship.
<br>
3.11 It is the duty of all The Organization and related third parties to report any suspicion, abnormal condition or violation of the policies, responsibilities and procedures of information security and cybersecurity that threaten the Confidentiality, Integrity and Availability of The Organization's information immediately through the channels established by the Organization.
<br>
In the event that the situations described above affect or have the possibility of affecting or having any economical, material, reputational, legal or operational impact for the Organization, they must be reported immediately to the Information Risk and Compliance Department through the channels established by the latter.
<br>
The Information Risk and Compliance Department shall evaluate the incident reports and determine whether they meet the materiality criteria, in which case it shall inform the Investor Relations Department so that it complies with the Policy on Disclosure of Relevant Financial and Non-Financial Information to Shareholders, Market, Stakeholders and Interested Third Parties.
<br>
3.12 The Organization has the responsibility of implementing technical measures for the protection of information that is stored, processed, or transmitted; according to its classification and considering, but not limited to:
<br>
<ul style="padding-left: 24px; margin: 16px 0;">
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Information risk management.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Identification and classification of information assets.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Controls for secure data storage and transfer.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Protection against threats such as malware and other potential cyberattacks.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Digital identity management and access control for information, applications, infrastructure, and networks.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Security management for corporate and personal mobile devices and laptops used to provide services to the Organization.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Proper use of resources provided by the Organization, including internet access, corporate technology devices, and collaboration platforms such as SharePoint, OneDrive, Teams, email, and others.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Network and telecommunications security.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Security in the acquisition, development, and maintenance of technological resources, including systems, processing environments, and the management of technological obsolescence.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Removable storage media management.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Security of internal personnel and third parties.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Technical vulnerability management.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Cloud security.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Management of security logs, events, and incidents.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Physical and environmental security of data processing centers.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Controls for software installation, development, and storage.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Business continuity management, information backup, and recovery of technological platforms in the event of disasters.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Remote and off-site work.
</li>
<li style="font-size: clamp(0.875rem, 0.36vw + 0.765rem, 1rem) !important; line-height: 1.5;">
Responsible use and development of artificial intelligence (AI) technologies.
</li>
</ul>
<br>
3.13 The Information Risk Department may carry out monitoring activities in any Company of the Organization, on an exclusive basis, to determine the level of compliance with the guidelines established in this Policy. Including third parties and subcontracted companies that provide management, monitoring, and administration services for Investment Vehicle 1 Limited technology platforms.
<br>
Current legal regulation applicable to the policy.
<br>
3.14 The Organization, its Board of Directors and its executive group must commit to the compliance with the information security requirements established in its internal security policies, as well as those requested by the applicable laws and regulations, such as and without limitation: SOX (Sarbanes-Oxley Act), PCI DSS (Payment Card Industry Data Security Standards), international personal data protection laws, aviation sector regulations, industry or contractual agreements, licensing, intellectual property and others related to information security and cybersecurity.
<br>
3.15 In case of non-compliance with the established or subsequent security policy and/or procedures, the Organization will take the appropriate legal, administrative and/or disciplinary actions, in accordance with the provisions of the internal regulations of each of its companies and/or the applicable international and/or local information security, cybersecurity and personal data protection laws and regulations.
Cybersecurity tips
Your information has value, be prepared to face any risk situation that puts your data at risk. Learn how to browse safely:
Phishing attacks
Cyberattack used to obtain confidential information by deceiving users through false digital platforms or impersonating identities
Scams on social networks
This cyberattack usually uses strategies to get you to make transfers or hand over credit card information and passwords in the name of avianca
Be careful!
Doubt all messages or publications on pages in the name of avianca that request confidential information
