Cybersecurity

Our goal at Aleatica is to foster a culture of continuous awareness among employees about cyberthreats, as well as to implement a solid strategy for managing the risks associated with cybersecurity in order to organize and protect the company’s information and technological infrastructure without disrupting Aleatica’s ability to deliver value to its stakeholders.

Cybersecurity strategy

To address this challenge, the Corporate IT Department created a global cybersecurity strategy by developing a Cybersecurity Framework based on the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework), a reference framework focused on reducing the risk from cybersecurity threats that may compromise information security. The Framework contributes to the creation of long-term value by ensuring that all stakeholders make secure use of information systems, technological components and telecommunications, and by strengthening the prevention, defense, detection and response to cyber-attacks.

The Cybersecurity Framework is composed of a hierarchically organized core that is developed in Functions. These organize the core activities at the highest level so that cybersecurity risk can be reduced to acceptable levels. The Functions are: Identify, Protect, Detect, Respond and Recover.

Cybersecurity Governance

Leadership in these matters is the responsibility of the Director or Manager of each Business Unit within Aleatica, who must observe and fully comply with the Cybersecurity Framework. The cybersecurity governance structure comprises the following bodies and roles:

SCC: Strategic Cybersecurity Committee

Cybersecurity Officer

TCIT: Tactical Cybersecurity Incident Team

CIRG: Cybersecurity Incident Response Group

Cybersecurity Training

Aleatica’s cybersecurity training process consists of two main components:

For the corporate IT areas (Corporate IT Management and Aleatica Labs): these areas follow an annual cybersecurity training plan, overseen by Human Resources, which ensures full compliance with specialized training in cybersecurity and IT best practices.

For non-operational administrative employees in the Business Units and at the corporate level:

Employees must complete an annual cybersecurity certification course, accessible via a mobile app or website, which allows them to revisit the content as needed.

Bimonthly webinars focus on raising awareness of information security and cybersecurity. Recordings are available in the app for offline viewing if employees miss the live session.

A global cybersecurity awareness campaign shares tips, news, infographics and interactive videos through a monthly email.

Cybersecurity Escalation Process

In line with Aleatica’s Cybersecurity Framework, employees must report any suspected or actual cybersecurity threat to the Corporate IT Management’s Systems Help Desk (MAS) via email or phone. Each reported case is assigned a ticket number, and the Cybersecurity team investigates and resolves the issue. If there is a potential violation of data protection guidelines, the Data Protection area is informed so that it can take appropriate action.

Cybersecurity Contingency/Business Continuity Plans

Aleatica has contingency and business continuity plans to address cybersecurity incidents. These plans ensure that critical business processes can continue to function using contingency mechanisms, as defined in the Disaster Recovery Plans (DRP) of each Business Unit and Corporate Office. In 2023, the Corporate IT Management and Cybersecurity team reviewed and validated the management of DRPs across all units. Each unit is required to test its DRP annually.

In case of a cybersecurity incident, Aleatica follows predefined procedures, communication matrices and guidelines to assess its severity and impact. The appropriate actions are taken based on the classification of the incident, and the incident is escalated and reported according to established protocols. These procedures are tested and validated with each incident or threat.

Cybersecurity Vulnerability Analysis

In February 2023, Aleatica engaged a specialist cybersecurity firm to provide services focused on resilience and incident response. These services included ethical hacking and penetration tests to identify vulnerabilities and to improve the cybersecurity skills of Aleatica’s IT teams.
Two key reports were delivered:

A maturity analysis report, fully addressed by the third quarter of 2023.

An external analysis report, completed in January 2024.

As a result, Aleatica strengthened its IT security controls, enhanced its infrastructure, improved its ability to identify and respond to cybersecurity issues, and clarified cybersecurity roles. Also, a 24/7 response team was assigned for immediate action in case of cybersecurity incidents.

Since 2019, Aleatica's Corporate IT Department has conducted quarterly analyses to proactively identify and address vulnerabilities in technological resources that support key administrative tasks such as email, websites, servers, and user authentication.

Performance

In 2023, Aleatica’s Cybersecurity area within the Corporate IT Management achieved the following:

100% compliance with the Annual Plan for specialized cybersecurity and IT best practices training for the corporate IT areas (Corporate IT Management and Aleatica Labs).

The Cybersecurity Certification course reached 93% of non-operational administrative users at both the Business Units and the Corporate level.

Increased employee awareness of malicious emails, measured through social engineering tests, with success rates of 86% and 88%.

All Business Units maintained or increased their cybersecurity maturity levels, with 100% of them keeping their level or improving by one level.

A stronger culture of cybersecurity awareness, with more employees reporting threats, which led to improved cybersecurity controls.

Five cybersecurity awareness campaigns and five webinars were conducted.

At Aleatica, there were no data breaches in 2022 or 2023.