
Cybersecurity Management Framework
May 2023
Relevant milestones in Cybersecurity

ULTRAMAR has defined as strategic focus:

“Ensure the stability of computer systems in a secure environment against attacks”

2019-2020
• Cybersecurity assessments for most of the group companies.
• Delivery of a roadmap for strengthening cybersecurity to each administration.

2021
• Creation and publication of a Cybersecurity policy.
• Virtual meeting with all CEOs.

2022
• Start of internal cybersecurity audits.
• Review and redefinition of the CIS Controls and Sub-controls to be implemented and documented.
• Assignment of companies to implementation groups: IG1, IG2, IG3.

2023
• Definition of the minimum cybersecurity baseline.
Baseline that all companies should implement

Perimeter firewall, preferably with IPS and WAF modules, to protect applications and sites exposed to the Internet.

Email protection with anti-spam modules, configuration of DKIM and SPF records for the organization's domains, and phishing protection, all available in the Office365 suite.

Hardening of servers and applications (databases, operating systems and third-party apps): a set of techniques, tools and best practices to reduce vulnerabilities, together with administration and enforcement of GPOs in AD for access accounts, application logins and event logging.

Centralized antivirus, preferably with EDR and application-patching modules for vulnerability management of operating systems and third-party software.

Active Directory configuration that enforces secure passwords.

MFA for remote access, mandatory for administrators and optional for users.

Ethical hacking (penetration testing) at least once a year.
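The DKIM and SPF records in the email item above are only as strong as their contents: an SPF record ending in "+all" or with more than ten DNS-lookup terms, or a DKIM selector publishing a 1024-bit or revoked key, passes a "records exist" audit while giving little protection. As an added example, not part of the ULTRAMAR framework or the original deck, the Python script below checks the text of SPF and DKIM TXT records for those weak settings. The records, domains and RSA key it uses are constructed for the example (the key is a dummy modulus, not a real key); a real check would first fetch the TXT records for the domain and for `<selector>._domainkey.<domain>` with a DNS query.

```python
import base64

# --- SPF --------------------------------------------------------------------
# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 section 4.6.4 caps
# the total at 10 per evaluation, beyond which receivers return permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return a list of weaknesses found in one SPF TXT record (empty = OK)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: missing v=spf1 version tag"]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier, body = "+", term.lower()
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        # strip ":domain", "=value" and "/cidr" to get the bare mechanism name
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: senders not listed get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as the domain; use -all")
    elif all_qualifier == "~":
        findings.append("'~all' softfail only; change to -all once all senders are listed")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

# --- DKIM -------------------------------------------------------------------
def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded DKIM p= value)."""
    _, spki, _ = _der_tlv(spki_der, 0)       # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _alg, pos = _der_tlv(spki, 0)
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsakey, _ = _der_tlv(bitstr[1:], 0)   # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, modulus, _ = _der_tlv(rsakey, 0)      # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim(record, min_bits=2048):
    """Return a list of weaknesses found in one DKIM selector TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    findings = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append(f"unexpected version tag v={tags['v']}")
    if "p" not in tags:
        findings.append("no p= tag: record carries no public key")
    elif tags["p"] == "":
        findings.append("p= is empty: the key is revoked, signatures will fail")
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        if bits < min_bits:
            findings.append(f"RSA key is {bits} bits; use at least {min_bits}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing mode: verifiers are told to ignore failures")
    return findings

# --- constructed sample data (dummy key, not a real DKIM key) ----------------
def _der(tag, body):
    """Minimal DER encoder used only to build the dummy key below."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def dummy_dkim_record(bits):
    """DKIM record carrying a syntactically valid but non-functional RSA key of `bits`."""
    modulus = b"\x00" + b"\xc3" * (bits // 8)   # top bit set, so DER needs a leading 0x00
    rsakey = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    samples = {   # constructed records; *.example domains are placeholders
        "spf-good": "v=spf1 include:spf.protection.outlook.com -all",
        "spf-weak": "v=spf1 a mx ptr include:a.example include:b.example include:c.example "
                    "include:d.example include:e.example include:f.example include:g.example "
                    "include:h.example +all",
        "dkim-2048": dummy_dkim_record(2048),
        "dkim-1024": dummy_dkim_record(1024),
        "dkim-revoked": "v=DKIM1; k=rsa; p=",
    }
    for name, rec in samples.items():
        check = check_spf if name.startswith("spf") else check_dkim
        print(name, "->", check(rec) or ["OK"])
```

The SPF check is deliberately syntactic: it does not resolve `include:` targets, so nested records can push the real lookup count past 10 even when the top-level record looks fine, and a complete audit should recurse through them.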


CIS Controls: Definition

What are the CIS Controls?

The CIS Critical Security Controls are a prioritized set of best practices and specific actions that help prevent and mitigate the most dangerous and far-reaching cyberattacks. They also support compliance with multiple information-security frameworks and greatly reduce information-security risk.

Why are they important?

The CIS Controls are important because they minimize the risk of data breaches, information leaks, theft of intellectual property, corporate espionage, identity theft, loss of privacy and denial of service.

Who needs the CIS Controls?

Unlike many other standards and compliance regulations intended to improve information security, the CIS Controls are universally applicable and industry-agnostic. As a result, they can successfully strengthen the information security and IT governance of any organization. There are significant differences between the CIS Controls and other security frameworks; the most important is that the CIS Controls recognize that some organizations have limited resources.

Why do they work?

The CIS Controls work because:
• They are informed by real attacks and effective defenses.
• They reflect the knowledge of experts from companies, government and individuals, across many sectors (government, energy, defense, finance, transport, academia, consulting, security, IT).
• They address every role (administrators and threat analysts, technologists, vulnerability researchers, tool builders, solution providers, defenders, users, policy makers, auditors).
Implementation Groups

The objective of the CIS Controls is to help make the Internet ecosystem more secure across Ultramar's different companies. For this reason the CIS Controls are not a checklist but a starting point from which each business unit builds its own cybersecurity ecosystem.

The CIS implementation groups exist precisely to adapt this globally recognized methodology to the reality and complexity of each of the Holding's companies, dispelling the idea that cybersecurity is only a matter for large companies and public administrations.

Accordingly, the CIS Controls should be implemented taking into account the characteristics, needs and resources of each company, as well as its level of exposure to cyberattacks.
Implementation Groups

CIS Critical Security Controls v7.1 (cisecurity.org)


One of the most relevant aspects of the CIS Controls v7.1 guide is the classification and prioritization of the implementation of its 20 controls and 171 sub-controls according to the organization's size, risk profile and the resources available to carry out a cybersecurity strategy. CIS assigns the sub-controls to three implementation groups, described below; with these descriptions an organization can better identify which controls and cybersecurity practices are appropriate for it.

Implementation Group 1 (number of recommended sub-controls: 74)

An IG1 organization is a small or medium-sized enterprise with limited IT resources and minimal cybersecurity expertise to protect its IT assets. The main concern of these organizations is keeping the business operational, as they have little tolerance for technological disruption. The sensitivity of the information they handle is low and is mainly employee or financial information. The sub-controls selected for this implementation group can be implemented with limited cybersecurity expertise and are aimed at protecting against non-targeted attacks. They are the minimum that any organization is recommended to implement to protect against the most common attacks (basic cyber hygiene), and they are also suitable for small businesses and home-office setups.

Implementation Group 2 (number of recommended sub-controls: 101)

An IG2 organization employs staff responsible for managing and protecting the IT infrastructure. It supports multiple departments with different risk profiles based on their function and mission, and some business units may have regulatory requirements to meet. IG2 organizations often store and process sensitive customer or organizational information and can withstand short interruptions to their services; a major concern is losing customer confidence after a security breach. The sub-controls selected for IG2 organizations depend on the company's level of technology adoption and require a higher level of security expertise and specialization to install and configure.

Implementation Group 3 (number of recommended sub-controls: 171)

An IG3 organization is a mature organization with significant resources and high risk exposure from handling critical assets and data. It needs to implement the IG3 security measures in addition to those of IG1 and IG2. The measures selected for IG3 reduce targeted attacks by sophisticated adversaries and reduce the impact of zero-day attacks.
