Information security policy

1. Introduction

The Dominican Institute of Civil Aviation, hereinafter IDAC, a specialized and technical public entity, with legal personality, its own patrimony, power of regulation, decision and authority to implement its internal organization, understands and recognizes that information is its principal asset. The purpose of this information security policy is to define the framework of requirements to:

a) Preserve the integrity, availability and confidentiality of the information and IDAC systems.

b) Minimize the risks caused by information security incidents or events.

c) Guarantee that the IDAC complies with all applicable legal regulations.

d) Safeguard data and information related to Operational Safety.

Information Security is understood here as preserving the confidentiality, integrity and availability of information, regardless of its storage or transmission medium, taking into account the authentication of the means that provide it and the non-repudiation of the information as such.

2. Declaration

IDAC declares that as an institution it must protect critical and essential information assets used in its institutional processes, against internal or external, deliberate or accidental threats, in order to minimize damage and loss thereof, guaranteeing continuity of business processes and contributing to the achievement of the strategic objectives of the institution.

To comply with this policy, IDAC undertakes to:

a) Establish objectives in relation to Information Security.

b) Develop, implement and maintain an Information Security Management System (hereinafter ISMS).

c) Continuously improve the ISMS.

d) Carry out risk evaluations and, according to their result, implement the corresponding actions, in order to treat the risks that are considered unacceptable, according to the criteria established and approved by the IDAC.

e) Establish the control objectives and the corresponding controls, based on the needs arising from the risk analysis.

f) Comply with business, legal or regulatory requirements and contractual security obligations.

g) Raise awareness and train all staff on information security.

h) Take the necessary actions to guarantee the continuity of the mission and support processes of the institution.

i) Punish any violation of this policy and any other internal regulations related to the ISMS, in accordance with the provisions of Law 41-08 of Public Function and its application regulations or applicable legislation.

j) Report information security violations, confirmed or suspected.

k) Enforce this policy for all collaborators, suppliers and contractors.

3. Scope

This policy is applicable to all collaborators, suppliers and contractors who have access to data or information owned by IDAC in any of its facilities or local or remote operations.

4. Information Security Objectives

IDAC establishes the following information security objectives:

a) Comply with both the legislation and applicable regulations on information security, as well as the requirements voluntarily established, including those of the ISMS.

b) Preserve the confidentiality of the information.

c) Punish deliberate acts or carelessness that reveal information to unauthorized persons, processes or entities.

d) Maintain the integrity of the information by protecting it from unauthorized modifications.

e) Ensure the availability of information for authorized users.

f) Train all required personnel in information security.

g) Report and investigate all security breaches and possible weaknesses.

h) Safeguard all data or information that affects operational safety.

i) Comply with the provisions regarding information security and cybersecurity contained in the Annexes to the Chicago Convention, the technical documents of the International Civil Aviation Organization (ICAO) and Law 491-06 of Civil Aviation.

5. Information ownership

Unless a legal or contractual provision establishes otherwise, all data and/or information generated by collaborators, contractors, suppliers and clients of the institution is the property of IDAC, regardless of its storage or transmission medium.

To protect and properly manage this property, the IDAC General Directorate reserves the right to examine all information stored or transmitted, being able to delegate this power to the official or collaborator that it deems appropriate.

6. Related documents

For practical purposes, the IDAC will establish the classification of the information, the roles and responsibilities, the pertinent guidelines, the methodology for risk management, the management of events and incidents and any other matter that it considers pertinent for compliance with this policy in separate documents, which will refer to this policy and will be considered an integral part of it.

7. Consequences of non-compliance

Failure to comply with the provisions contained both in this policy and in the related documents will be governed by the IDAC Disciplinary Procedure, the legislation and/or the ICAO regulations, as applicable.