Skip to main content
OT/ICS Cybersecurity AssessmentFree Assessment—Is your critical infrastructure protected?Request Now→
TTPSEC SPATTPSEC
Services
About UsBlogAcademyPartner With UsContact
BookRequest Assessment
  2. Security Policy
Legal

Information Security Policy

Our commitment to protecting information assets and managing risk.

Last updated: March 8, 2026

1. Purpose

This Information Security Policy establishes the principles, guidelines, and commitments of TTPSEC SpA for the protection of information assets belonging to both the organization and our clients. This policy is mandatory for all employees, contractors, and third parties who access the organization's systems and information.

2. Scope

This policy applies to:

  • All information assets of TTPSEC SPA, regardless of format (digital, printed, verbal).
  • All information systems, networks, applications, and technology services.
  • Client information managed during the delivery of cybersecurity services.
  • All internal employees, consultants, contractors, and vendors with access to organizational information.
  • The offices of Coquimbo and Santiago, Chile, and remote operations.

3. Senior Management Declaration

Senior Management of TTPSEC SPA acknowledges that information security is a fundamental pillar of our operations as a cybersecurity consultancy. We are committed to:

  • Protecting the confidentiality, integrity, and availability of information.
  • Complying with applicable legislation, contracts, and regulatory commitments.
  • Managing information security risks in a systematic manner.
  • Continuously improving the Information Security Management System (ISMS).
  • Allocating the resources necessary for the effective implementation of this policy.
  • Fostering a culture of information security throughout the organization.

4. Guiding Principles

4.1 Confidentiality

Information is classified and protected according to its sensitivity. Only authorized personnel may access the information necessary to perform their duties (principle of least privilege). Client information is handled under strict non-disclosure agreements (NDAs).

4.2 Integrity

We ensure that information is accurate, complete, and protected against unauthorized modification. We implement integrity controls on critical systems and verification processes for consulting deliverables.

4.3 Availability

We ensure that information and services are accessible when needed. We maintain business continuity and disaster recovery plans for critical services.

5. Reference Normative Framework

Our Information Security Management System is based on:

  • ISO/IEC 27001:2022 — Information Security Management System.
  • ISO/IEC 27002:2022 — Information Security Controls.
  • ISO/IEC 27701:2019 — Privacy Information Management.
  • NIST Cybersecurity Framework 2.0 — Cybersecurity Framework.
  • ISA/IEC 62443 — Industrial Automation and Control Systems Security.
  • Ley 21.663 — Cybersecurity Framework Law (Chile).
  • Ley 21.719 — Personal Data Protection Act (Chile).

6. Risk Management

TTPSEC SPA implements a formal information security risk management process that includes:

  • Identification: continuous inventory of information assets and associated threats.
  • Assessment: analysis of the likelihood and impact of identified risks.
  • Treatment: selection and implementation of controls proportionate to the risk level.
  • Monitoring: periodic review of risks and control effectiveness.
  • Acceptance: residual risks are formally accepted by Senior Management.

7. Control Domains

7.1 Access Control

  • Multi-factor authentication (MFA) for all systems.
  • Role-based access control (RBAC) and principle of least privilege.
  • Periodic review of permissions and access rights.
  • Centralized identity management.

7.2 Cryptography

  • Data encryption in transit (TLS 1.3 minimum).
  • Data encryption at rest for sensitive information.
  • Secure cryptographic key management.
  • Digital signatures for critical documents.

7.3 Operational Security

  • Vulnerability and patch management.
  • Security monitoring and intrusion detection.
  • Protection against malware and advanced threats.
  • Encrypted backups with periodic restoration testing.
  • Event logging and audit trails.

7.4 Communications Security

  • Network segmentation and VPN for remote access.
  • Email security (SPF, DKIM, DMARC).
  • Traffic filtering and data exfiltration prevention.

7.5 Secure Development

  • Secure development practices (Security by Design).
  • Code review and static application security testing (SAST).
  • Dynamic application security testing (DAST).
  • Secure dependency and third-party component management.

7.6 Vendor Management

  • Security assessment of critical vendors.
  • Non-disclosure agreements and contractual security clauses.
  • Vendor compliance monitoring.

8. Security Incident Management

We maintain a formal incident management process that encompasses:

  • Detection and reporting: internal and external reporting channels via contacto@ttpsec.com.
  • Classification: assessment of incident severity and impact.
  • Containment: immediate actions to limit the scope of the incident.
  • Eradication: elimination of the root cause of the incident.
  • Recovery: restoration of services and normal operations.
  • Lessons learned: post-incident analysis and control improvements.

Security incidents involving personal data will be notified to affected data subjects and competent authorities within the legally established timeframes.

9. Business Continuity

TTPSEC SPA maintains a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) that ensure the availability of critical services. These plans are tested and updated on a regular basis.

10. Awareness and Training

All employees receive:

  • Information security training upon onboarding.
  • Ongoing training on emerging threats and best practices.
  • Periodic phishing simulation exercises and social engineering attack drills.
  • Updates on changes to security policies and procedures.

11. Compliance and Audit

Compliance with this policy is mandatory. Periodic internal audits are conducted to verify conformance with this policy and the applicable reference standards. Non-conformities are managed through the ISMS corrective action process.

12. Sanctions

Violation of this policy may result in disciplinary measures ranging from formal warnings to termination of the employment or contractual relationship, depending on the severity of the breach. Criminal conduct will be reported to the appropriate authorities.

13. Vulnerability Reporting

If you discover a security vulnerability in our systems, we invite you to report it responsibly to contacto@ttpsec.com. We are committed to investigating and responding to all vulnerability reports in a timely manner. Please refer to our security.txt file for more information.

14. Review and Updates

This policy is reviewed at least annually or whenever significant changes occur in the organization, applicable legislation, or the threat landscape. Any amendments are approved by Senior Management and communicated to all relevant stakeholders.

15. Contact

For inquiries about this policy:

  • Email: contacto@ttpsec.com

Professional certifications and accreditations

Over 50 professional cybersecurity certifications including CEH, CCISO, CPTS, ISO 27001, and MITRE ATT&CK.
AttackIQ Foundations of AI Security
SCF Architect Certified Individual
CertiProf ISO 27001 Lead Auditor
EC-Council Associate CCISO
CCI Profesional Nivel Negro
USACH Ransomware Cyber Defense Diploma
AttackIQ Intermediate Purple Teaming
MAD20 ATT&CK Cyber Threat Intelligence
AttackIQ Intermediate Breach and Attack Simulation
USACH Critical Infrastructure Standards Diploma
Burp Suite Certified Practitioner
SCF Practitioner Certified Individual
EC-Council Cybersecurity Career Mentor
eCIR Incident Response
EC-Council CTIA Certified
USACH Cybersecurity Auditing Diploma
PECB ISO 27001 Lead Implementer
CertiProf CAIPC Artificial Intelligence
USACH ISO 27035 Incident Response Diploma
eCDFP Digital Forensics
MAD20 ATT&CK Adversary Emulation Methodology
eCTHP Threat Hunting
EC-Council CSA Certified SOC Analyst
USACH Active Directory Windows Hacking Diploma
EC-Council ECIH Certified Incident Handler
CertiProf GAIPC Generative AI
MAD20 ATT&CK Purple Teaming Methodology
EC-Council CEH Master
EC-Council CEH Practical
HackTheBox Certified Bug Bounty Hunter
AttackIQ Intermediate MITRE ATT&CK
USACH Red Team Web Pentesting Diploma
PECB ISO 27032 Cybersecurity Manager
CertiProf CAIEC Expert AI
HackTheBox CPTS Certified Penetration Testing Specialist
AttackIQ Threat-Informed Architecture
USACH Cybersecurity Threat Intelligence Diploma
EC-Council CHFI Certified
AttackIQ Intermediate Purple Teaming
Fortinet NSE 3 Associate
MAD20 ATT&CK Threat Hunting Detection Engineering
Swimlane Administrator Technical
eJPT Junior Penetration Tester
CertiProf ISO 27001 Internal Auditor
USACH ISO 27001 Lead Auditor Diploma
MAD20 ATT&CK Fundamentals
USACH Red Team Campaign Preparation Diploma
EC-Council ECSA Certified Security Analyst
EC-Council CEH Certified Ethical Hacker
EC-Council CSA Certified SOC Analyst
HackTheBox CWES Certified Web Exploitation Specialist
CSA TAISE Trusted AI Safety Expert
MAD20 ATT&CK SOC Assessment
Swimlane Incident Responder Technical
AttackIQ Foundations of AI Security
SCF Architect Certified Individual
CertiProf ISO 27001 Lead Auditor
EC-Council Associate CCISO
CCI Profesional Nivel Negro
USACH Ransomware Cyber Defense Diploma
AttackIQ Intermediate Purple Teaming
MAD20 ATT&CK Cyber Threat Intelligence
AttackIQ Intermediate Breach and Attack Simulation
USACH Critical Infrastructure Standards Diploma
Burp Suite Certified Practitioner
SCF Practitioner Certified Individual
EC-Council Cybersecurity Career Mentor
eCIR Incident Response
EC-Council CTIA Certified
USACH Cybersecurity Auditing Diploma
PECB ISO 27001 Lead Implementer
CertiProf CAIPC Artificial Intelligence
USACH ISO 27035 Incident Response Diploma
eCDFP Digital Forensics
MAD20 ATT&CK Adversary Emulation Methodology
eCTHP Threat Hunting
EC-Council CSA Certified SOC Analyst
USACH Active Directory Windows Hacking Diploma
EC-Council ECIH Certified Incident Handler
CertiProf GAIPC Generative AI
MAD20 ATT&CK Purple Teaming Methodology
EC-Council CEH Master
EC-Council CEH Practical
HackTheBox Certified Bug Bounty Hunter
AttackIQ Intermediate MITRE ATT&CK
USACH Red Team Web Pentesting Diploma
PECB ISO 27032 Cybersecurity Manager
CertiProf CAIEC Expert AI
HackTheBox CPTS Certified Penetration Testing Specialist
AttackIQ Threat-Informed Architecture
USACH Cybersecurity Threat Intelligence Diploma
EC-Council CHFI Certified
AttackIQ Intermediate Purple Teaming
Fortinet NSE 3 Associate
MAD20 ATT&CK Threat Hunting Detection Engineering
Swimlane Administrator Technical
eJPT Junior Penetration Tester
CertiProf ISO 27001 Internal Auditor
USACH ISO 27001 Lead Auditor Diploma
MAD20 ATT&CK Fundamentals
USACH Red Team Campaign Preparation Diploma
EC-Council ECSA Certified Security Analyst
EC-Council CEH Certified Ethical Hacker
EC-Council CSA Certified SOC Analyst
HackTheBox CWES Certified Web Exploitation Specialist
CSA TAISE Trusted AI Safety Expert
MAD20 ATT&CK SOC Assessment
Swimlane Incident Responder Technical
TTPSEC SPA

Center of excellence in industrial cybersecurity. We protect critical infrastructure in Latin America.

Company

  • About Us
  • Certifications
  • Contact
  • Partner With TTPSEC
  • Whistleblower Channel

Services

  • OT/ICS Cybersecurity
  • IT Cybersecurity
  • Ethical Hacking
  • All Services

Academy

  • PurpleTeam Academy
  • TTPSEC AI Development
  • CISO Blog

Legal

  • Information Security Policy
  • Privacy Policy
  • Whistleblower Channel
  • security.txt

TTPSEC SpA — Cybersecurity Engineering

www.ttpsec.cl

ISO

ISO 27001:2022 Certification

In implementation

TTPSEC is AI-First

TTPSEC SpA (RUT 77.547.404-1) expressly declares that artificial intelligence constitutes an integral part of its operational methodology. This declaration is made in compliance with the principles of transparency, accountability, and responsibility established in the OECD Principles on Artificial Intelligence (2019, updated 2024), the UNESCO Recommendation on the Ethics of Artificial Intelligence (2021) and, where applicable, Regulation (EU) 2024/1689 of the European Parliament and of the Council (AI Act) for projects within European scope.

Full Declaration

TTPSEC is a legally incorporated and recognized entity.

Headquarters: Coquimbo, Chile|Branch: Santiago, Chile
RUT: 77.547.404-1|ROL: 345308-1|Registered Trademark: No. 1376754

Business License: Municipality of Santiago de Chile 345308-1

www.ttpsec.comwww.ttpsec.netwww.ttpsec.orgwww.ttpsec.clwww.ttpsecurity.cl
www.purpleteam.clwww.purpleteamacademy.clwww.purpleteamacademy.comwww.purpleteamacademy.netwww.purpleteamacademy.org

© 2022-2026 TTPSEC SpA. All rights reserved.