INFORMATION SECURITY POLICY OF DRIVING GROUP

Objective

The purpose of this policy is to establish the general guidelines that our
information security management system must follow. Recognizing the vital
importance of safeguarding information, especially regarding employees,
customers, and business processes, DRIVING EVENTS, hereinafter
referred to as DRIVING GROUP, has implemented an information management
system based on TISAX.

Scope

This policy applies to all individuals involved in the development,
implementation, and maintenance of the information security policy certified
under TISAX by DRIVING GROUP.

Policy

3.1 Information Security Policy Management Guidelines

These guidelines manage the company’s information security from the highest
level of management, providing a framework for overseeing the implementation
of the information security management system. The information security policy,
certified under TISAX, is meticulously defined and approved by the CEO of
each company within DRIVING GROUP.

3.2 Corporate Information Security Policy

At DRIVING GROUP, information is positioned as an essential asset for service
delivery and efficient decision-making, generating an explicit commitment to
safeguarding its most crucial properties as part of a strategy focused on
business continuity, risk management, and the consolidation of a security
culture.

With full awareness of current needs, DRIVING GROUP implements an ISMS
as the tool that identifies and minimizes information-related risks, establishes a
security culture, and ensures compliance with legal and contractual
requirements, as well as other requirements from our customers and
stakeholders. A key point of the policy is the implementation, operation, and
maintenance of an information security management system.

Fundamentals of DRIVING GROUP’s Information Security Policy

  • Ensure the confidentiality, integrity, and availability of information.
  • Comply with all applicable legal requirements.
  • Have a continuity plan that allows for rapid recovery from a disaster.
  • Train and raise awareness among all employees on information security.
  • Properly manage all incidents that occur.
  • Inform all employees about their security duties and obligations, and that they
    are responsible for complying with them.
  • Communicate the mandatory compliance with this Policy to all DRIVING GROUP
    personnel and anyone working on its behalf, including contractors and
    visitors to our facilities.
  • Designate a Security Officer in charge of the organization’s ISMS.
  • Continuously improve the ISMS and, therefore, the organization’s information
    security.

Objectives of this Policy

  • Ensure that information assets receive an adequate level of protection.
  • Classify information to indicate its sensitivity and criticality.
  • Define protection levels and special handling measures according to their
    classification.

This Policy applies to all information managed by DRIVING GROUP, regardless
of the medium on which it is stored.

Information owners are responsible for classifying it according to its degree of
sensitivity and criticality, documenting and keeping the classification updated,
and defining the roles that should have access permissions to the information.

The Security Officer is responsible for ensuring that, in the use of
information technology resources, the established security requirements are
considered according to the criticality of the information processed.

Each information owner will oversee that the information classification and
labeling process in their department is completed in accordance with the
provisions of this Policy.

Disciplinary Process

DRIVING GROUP has established a disciplinary process to address cases of
non-compliance with the information security policy.

The disciplinary process is based on the following principles:

  • Fairness: The disciplinary process must be fair and equitable for all
    employees.
  • Transparency: The disciplinary process must be transparent for all
    employees.
  • Effectiveness: The disciplinary process must be effective in deterring
    non-compliance with the information security policy.

The disciplinary process comprises the following stages:

  • Investigation: DRIVING GROUP will conduct a thorough investigation of any
    suspected non-compliance with the information security policy.
  • Evidence Collection: DRIVING GROUP will collect evidence supporting the
    allegations of non-compliance with the information security policy.
  • Hearing: The accused employee will have the opportunity to present their
    defense at a hearing.
  • Decision: DRIVING GROUP will make a decision regarding the sanction to be
    imposed on the accused employee.

The sanctions that can be imposed, generally based on what is established in
the Collective Agreement, include:

  • Verbal or written reprimand.
  • Employment suspension.
  • Dismissal.

DRIVING GROUP is committed to ensuring a fair and transparent disciplinary
process.