Corporate Policy
Policy Title: Information Technology Security Policy
Page: 1 of 14
Effective Date: March 19, 2025
Previous Date: February 1, 2021
Organization Units Affected: Alamo Group Inc. and All Subsidiaries
Approved by: Agnes Kamps
Contents
I. DEFINITIONS
II. PURPOSE
III. POLICY STATEMENT
  A. AUTHORIZED DEVICES
  B. AUTHORIZED SOFTWARE
  C. CHANGE MANAGEMENT
  D. VULNERABILITY ASSESSMENT AND REMEDIATION
  E. CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES
  F. EMAIL AND WEB BROWSER PROTECTIONS
  G. DATA PROTECTION
  H. MEDIA SANITIZATION
  I. LOGICAL ACCESS CONTROL
  J. PHYSICAL ACCESS CONTROL
  K. WIRELESS ACCESS CONTROL
  L. MALWARE DEFENSE
  M. BOUNDARY DEFENSE
  N. ACCOUNT MONITORING AND CONTROL
  O. MAINTENANCE, MONITORING, AND ANALYSIS OF AUDIT LOGS
  P. INCIDENT RESPONSE AND MANAGEMENT
  Q. DATA RECOVERY CAPABILITY
  R. PENETRATION TESTING
IV. RIGHT TO SEARCH
V. RESPONSIBILITY
VI. VIOLATION
I. DEFINITIONS
A. Incident – A violation or imminent threat of violation of requirements within this document, other computer security policies, acceptable use policies, standards, or standard security practices.
B. Information asset – A piece or type of information of value to Alamo Group.
C. Information container – The location of an Information Asset. This can include a system, a physical entity, or a person.
D. Local Area Network – A system for linking systems with each other to share data, devices, programs, print documents, etc., usually confined to one office or building.
E. Media Sanitization – A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
F. Multi-factor authentication – Authentication practices that include a variety of techniques, including the use of smart cards, certificates, one-time passwords, tokens, biometrics, or other methods that require two independent forms of validation.
G. Personal device – A device that is designed to operate in a single user mode with access to multiple applications or apps. Common examples include mobile phones or tablets.
H. Personal email – An electronic mail method, service, or application that is not administered, maintained, or accessible for review by Alamo Group.
I. Secure physical storage – A storage location that is restricted by lock or combination to a known number of individuals with the ability to monitor access and revoke access as needed.
J. Senior Security Officer – The Corporate Controller or other person appointed by the Chief Executive Officer.
K. Target Data – The information subject to a given process, typically including most or all information on a piece of storage media.
L. Wide Area Network – A network of computers in a large area (as a country or the globe) for sharing resources or exchanging data.
II. PURPOSE
The purpose of this policy is to specify the principles and requirements that have been established to protect information assets of Alamo Group Inc. and all subsidiaries ("Alamo Group").
III. POLICY STATEMENT
Alamo Group will work towards achieving the goals of ensuring the confidentiality, integrity, and availability of information assets through the application of the following policy statements.
Where this Policy provides specific guidance, it should be strictly followed. However, this Policy cannot cover every possible issue or situation we may face, and therefore, the overall principles of ensuring the confidentiality, integrity, and availability of information assets should be used in evaluating a situation of concern that is not specifically covered.
A. AUTHORIZED DEVICES
Facilitate the management of hardware devices to ensure that only authorized devices are given access, and unauthorized and unmanaged devices are prevented from gaining access.

  1. Only devices owned by or in the care of Alamo Group are permitted to connect to a Local Area Network of an Alamo Group facility.
  2. Personal devices are prohibited from connecting to an Alamo Group Local Area Network regardless of device ownership.
  3. Default device logon credentials must be reset before placing a device into service.
  4. Remote access to devices must be performed over encrypted communication protocols if encrypted remote access is supported. Preference should be given to devices that support encrypted communication protocols for remote access when acquiring new devices.
  5. Software embedded in devices must meet the requirements set forth in the "Authorized Software" section of this document.
B. AUTHORIZED SOFTWARE
Actively manage software on the network so that only software that has been authorized by the Corporate IT Department is installed or executed.
  6. Only software that has been obtained legally and properly licensed for use within Alamo Group may be installed or used on devices owned by or in the care of Alamo Group.
  7. Software support agreements and support lifecycles should be maintained to enable access to software updates as vulnerabilities are disclosed or detected.
  8. Public disclosure of a software vulnerability that if exploited may result in unauthorized administrative access or the gaining of valuable information that may be used to aid in the unauthorized gaining of access must be mitigated or a compensating control put in place to compensate for the vulnerability.
  9. Vulnerabilities must be addressed in accordance with the requirements set forth in the "Vulnerability Assessment and Remediation" section of this document.
  10. The use of software that does not violate any of the requirements of this section but alters the business practices of how data is stored, transmitted, or processed within Alamo Group must be considered. The Corporate Information Technology (IT) Help Desk must be contacted to validate the acceptability of software.
C. CHANGE MANAGEMENT
JD Edwards (All Instances)
    i. Separate Production, Development, and Test environments must be in place for the JD Edwards application.
    ii. Software that is developed and may affect financial data integrity must be tested by the Corporate Accounting Department and the Accounting Department responsible for the integrity of the financial information of the JD Edwards instance being modified.
    iii. Signoff Sheets must accompany copies of Test Documents and be retained until superseded by the Accounting Department responsible for the integrity of the financial information of the JD Edwards instance being modified.
    iv. Each step in the process for approval, development, testing and promotion to production of new software, software updates or modifications must be approved either on a signoff sheet with signature or email messages that originate from an authorized employee containing the same detail.
    v. New software, software updates or modifications must be tested in an isolated test environment and approved before being promoted to the production environment.
    vi. Modifications to the core application code must be approved in writing by the Vice President of Information Technology of Alamo Group Inc. The Chief Financial Officer of Alamo Group Inc. must also be informed of any core application code modifications.
D. VULNERABILITY ASSESSMENT AND REMEDIATION
Identify vulnerabilities, remediate, and minimize the window of opportunity for threats to information confidentiality, integrity, or availability.
  11. Vulnerability assessments must be performed by a third party using methods that have received Security Content Automation Protocol (SCAP) validation from the National Institute of Standards and Technology (NIST).
  12. Any third party performing vulnerability assessments must be approved by the Corporate IT Department.
  13. The Corporate IT department will be responsible for ensuring that vulnerability assessments are performed at all Alamo Group companies.
  14. Vulnerability assessments must be performed from internal and external network perspectives.
  15. The frequency of vulnerability assessments must be no less than once a month for both internal and external network perspectives.
  16. Vulnerabilities should have a risk-based rating applied to facilitate prioritization of remediation.
  17. Systems being assessed should have a risk exposure rating applied based on the asset’s exposure to compromise.
  18. Remediation of vulnerabilities should be prioritized according to a combination of the risk-based rating assigned to the vulnerability and the risk exposure of a given system with increased priority given to systems with the highest combination of risk and vulnerability exposure rating.
  19. The Corporate IT department will be responsible for overseeing remediation of vulnerabilities at all Alamo Group companies.
  20. The Corporate IT department will be responsible for directing appropriate personnel to remediate vulnerabilities if action is not taken in an appropriate time by an Alamo Group company.
    i. Vulnerabilities that if exploited may result in unauthorized administrative access or the gaining of valuable information that may be used to aid in the unauthorized gaining of access must be remediated in a timely manner.
    ii. Vulnerabilities that fit this definition and can be exploited from the internet should be remediated as soon as possible at a high level of priority.
E. CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES
Track/control/prevent/correct the use, assignment, and configuration of administrative privileges.
  21. Administrative privileges should be minimized and only used on accounts when required.
  22. Auditing and monitoring for irregular or unusual behavior should be implemented on accounts with administrative privileges.
  23. Multi-factor authentication should be used for administrative access whenever possible.
  24. Active Directory or server administrative tasks should be conducted from a workstation that does not have local administrative privileges and administrative access should only be used as needed.
    i. In a Windows PC environment, this requires administrators to operate their local PC as a non-administrative local user account and use the RunAs method to elevate permissions for administrative tasks. Only the second dedicated account shall have administrative privileges.
    ii. In a Linux/Unix environment, this requires that administrators log on to systems with a non-administrative account and then use the sudo command to elevate privileges.
  25. Default administrative credentials must be reset before placing a device or application into service.
  26. Remote administrative access to devices or applications must be performed over encrypted communication protocols if encrypted remote access is supported. Preference should be given to configurations that support encrypted communication protocols for remote access when selecting new devices or applications.
F. EMAIL AND WEB BROWSER PROTECTIONS
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
  27. Only web browsers and email clients supported by the software manufacturers may be used.
  28. Supported web browsers and email clients should be using the most recently available patches to take advantage of the latest security functions and fixes.
  29. Website filtering provided by a subscription based Uniform Resource Locator (URL) rating service must be performed on any device that establishes a connection to a Local Area Network.
    i. Uncategorized URLs should be blocked.
    ii. URLs with offensive ratings or ratings that are not required for business operations should be blocked.
    iii. Exceptions to URL filtering should be applied on a temporary as needed basis that is based on business requirements. Employees operating a PC that is exempt from URL filtering shall operate as a non-administrative local account on the PC that is exempt from URL filtering.
  30. Email content filtering must be performed on email addresses associated with Alamo Group.
  31. Email content filtering must include the ability to detect and prevent the delivery of spoofed messages originating from third parties that are crafted to appear as if they were sent using an email address of an Alamo Group member company.
G. DATA PROTECTION
Prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
  32. The use of personal email to conduct business of, or on behalf of Alamo Group by Alamo Group employees, is prohibited.
  33. An assessment should be performed to identify sensitive information that requires the protection of encryption and integrity controls.
  34. Devices that hold sensitive information should have hard drive or appropriate memory encryption capabilities deployed.
  35. Automated systems should be deployed at the network perimeter to monitor for sensitive information to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting appropriate information security personnel.
  36. Periodic and automated scanning of server machines should be performed to determine whether sensitive data is stored in clear text methods that should otherwise be encrypted or stored in another location.
  37. Network based and host-based data loss prevention or intrusion detection systems should be in place to detect unexpected encrypted channels.
  38. The Code of Business Conduct and Ethics addresses interaction with confidential and proprietary information.
H. MEDIA SANITIZATION
Prevent unauthorized access to information through a process of sanitizing digital media before its disposal or release for reuse outside of Alamo Group.
  39. Digital media (hard drives, tapes, portable data storage devices, printer or copier hard drives, etc.) that is owned by or in the care of Alamo Group must undergo a media sanitization process to purge Target Data from the media, destroy the media, or cryptographically erase Target Data before the media is disposed of or released for reuse outside of Alamo Group.
    i. Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques. Purge should consist of at least one pass of writes with a fixed data value, such as zeros. Multiple passes or more complex values may optionally be used.
    ii. Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
    iii. Cryptographic Erase renders Target Data recovery infeasible using state of the art laboratory techniques in which the media encryption key for the encrypted Target Data is sanitized, making recovery of the decrypted Target Data infeasible.
  40. Media disposal records must be maintained for a period of two years following the date of media disposal or release for reuse outside of Alamo Group.
  41. Media disposal records should include the following:
    i. Date and time of media sanitization
    ii. Media identification information (serial number, source devices identification, etc.)
    iii. Name of individual or group that performed the sanitization
    iv. Description of the method of sanitization that was performed
I. LOGICAL ACCESS CONTROL
Track/control/prevent/correct secure access to critical information containers according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets.
  42. Authentication systems that rely on passwords must require passwords that include a minimum of 8 alphanumeric characters.
  43. JD Edwards passwords must change at a minimum every 365 days.
  44. Active Directory passwords must change at a minimum every 90 days.
  45. Active Directory accounts that have multi-factor authentication enabled for publicly available services may be exempt from periodic password change requirements.
  46. Active Directory accounts that are dedicated to service accounts may be exempt from periodic password change requirements.
  47. An account lockout threshold must exist within Active Directory and JD Edwards that disables the ability to log in to an account after 10 unsuccessful login attempts.
  48. Administrative accounts that result in limiting service availability if they become locked may be exempt from password lockout requirements.
  49. Any Active Directory accounts that require a password be exempt from lockout or periodic password change requirements must require a password that includes a minimum of 15 alphanumeric characters.
  50. Employees should not share individual passwords with others. Necessary exceptions are permitted for systems that do not support role-based access control, typically found on network devices. Passwords shared as a result of technical role-based access limitations should be performed through specialized software solutions that incorporate access restrictions with data at rest encryption capabilities.
  51. Vendor supplied default passwords must be changed to a unique value.
  52. Passwords must not be documented unless within specialized software solutions that incorporate access restrictions with data at rest encryption capabilities.
  53. Direct access to the root account on Unix and Linux systems must not be used. Unix and Linux systems must be configured to require that technical staff first log in with unique login credentials and then use the super user function to switch to the root user.
  54. Communication of sensitive information over public networks should be encrypted.
  55. Information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists.
J. PHYSICAL ACCESS CONTROL
Track/control/prevent/correct secure physical access to critical devices according to the determination of which persons have a need and right to access these critical assets.
  56. Server or network equipment must be obscured from public view.
  57. Third parties with access requirements to the physical areas where unsecured server or network equipment resides must be accompanied by an Alamo Group employee that is familiar with the requirements of the third party and interaction that is required with the server or network equipment in the same proximity.
  58. Physical access to server or network equipment should not be permitted from public areas that are readily accessible to visitors or guests. In situations where a physical barrier cannot be provided, compensating physical controls such as locking of rack enclosures or disabling of accessible power switches or interface ports must be in place.
  59. Humidity and temperature must be kept within recommended levels appropriate to the equipment; typically 60 to 80 degrees Fahrenheit (15 to 26 degrees Celsius) and 20 to 80 percent relative humidity for server or storage equipment.
K. WIRELESS ACCESS CONTROL
Track/control/prevent/correct the secure use of wireless Local Area Networks.
  60. A wireless Service Set Identifier (SSID) that provides a connection to wireless data collection or printing equipment must not be used for other purposes, such as courtesy internet connections for guests or employees.
  61. Wireless networks offered as a courtesy to guests or visitors must be configured with logical or physical separation from Local Area Networks.
  62. Personal devices are prohibited from connecting to an Alamo Group wireless network that is not separated from Local Area Networks of an Alamo Group facility.
  63. Peer to peer wireless network capabilities should be disabled on wireless networks used for third party or guest access.
  64. Wireless networks should use current encryption standards such as the Advanced Encryption Standard (AES) with at least Wi-Fi Protected Access (WPA2) protection.
  65. Wireless connection client activity such as associations, disassociations, and IP address assignments should be logged and reviewed periodically for unusual activity.
L. MALWARE DEFENSE
Control the installation, spread, and execution of malicious code at multiple points.
  66. Automated tools must be deployed to continuously monitor systems to detect malicious programs or applications.
  67. Malware detection systems must be standardized among Alamo Group companies within 1 year of acquisition or at the next solution renewal period, whichever is most practical.
  68. Malware detection events must be sent to a centralized event log.
  69. Anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), or containerization should be considered on systems with a high exposure to risk.
  70. Domain Name System (DNS) logging should be enabled on all DNS servers and log information should be stored in a form that can be inspected for malicious DNS queries.
M. BOUNDARY DEFENSE
Detect/prevent/correct the flow of information transferring across networks of different trust levels.
  71. Inbound network traffic must be denied by default and exceptions added to allow access to systems or services based on requirements. Access requirements must be authorized by the IT department responsible for maintaining access of the network in question.
  72. Outgoing network traffic must pass through at least one system to inspect the traffic for malicious activity, such as command and control communication or participation in malicious activity against third parties.
  73. Inbound and Outbound sessions for any network boundary device must be logged in the form of flow data to a flow collector capable of analyzing the traffic for anomalous activity.
  74. Remote access to a Local Area Network is provided through a Virtual Private Network (VPN) configuration.
  75. The VPN connection process must be configured to require multi-factor authentication.
  76. All inbound remote access VPN activity must be logged and reviewed periodically for anomalous activity.
N. ACCOUNT MONITORING AND CONTROL
Manage the life cycle of system and application accounts through their creation, use, dormancy, and deletion.
  77. Accounts of the following services or applications are subject to the authorization process used throughout Alamo Group:
    i. Active Directory (alamogrp.com domain)
    ii. Email
    iii. JD Edwards
    iv. RFSmart
    v. Transform Content Center
  78. A written or electronic request must be submitted to the Information Technology (IT) department responsible for account access to be processed.
  79. Completion of request must be documented at the time the requested change is made.
  80. A list of employee terminations must be generated by Human Resources and provided to the IT department responsible for account access each month.
  81. The IT department must review the list of employee terminations each month and remove access of any accounts that failed to be completed during the termination process.
  82. User account additions, changes, or deletions within the JD Edwards application must be processed by the IT department responsible for account access.
    i. JD Edwards user access creation or modification must be approved in writing by a manager of the employee requesting access, Human Resources representative of the given business unit, or Controller of the given business unit using the Computer Authorization Form available from the IT department responsible for account access.
    ii. The Business Unit Controller must be notified of JD Edwards account creation or modifications.
    iii. The request must be routed to the Senior Security Officer for approval prior to completion if a segregation of duties conflict is possible based on the requested update.
    iv. The IT department responsible for account access must be notified within one business day of an employee’s termination that may require changes to JD Edwards user security.
    v. The IT department responsible for account access must complete any request for the removal of access within two business days of being notified.
O. MAINTENANCE, MONITORING, AND ANALYSIS OF AUDIT LOGS
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an incident.
  83. Devices and applicable software applications must be configured to synchronize with a reliable time source.
  84. Audit log settings must be validated before placing a system into production. Logs must include an accurate date and time in addition to relevant event information.
  85. Log data should be configured to transmit log data to Alamo Group’s Security Information and Event Management (SIEM) system before being placed into production.
  86. Devices and applications that cannot provide log data in a compatible format to the SIEM system must be configured to store logs locally within the device or application.
  87. Data sources that are considered to be in scope for annual IT control audits must have log data retained for two years. All other log data shall be retained for one year.
  88. Log data must be reviewed at least once per month.
  89. Log reviews may use manual or automated methods.
P. INCIDENT RESPONSE AND MANAGEMENT
Quickly discover an attack and then effectively contain the damage, eradicate the attacker’s presence, and restore the integrity of the affected information containers.
  90. An incident response plan should exist and include the following:
    i. A definition of personnel roles for handling incidents
    ii. A description of phases during incident handling
    iii. An expectation of response times administrators and other personnel should have in notifying appropriate contacts of anomalous events
    iv. A list of recipients of the incident report, including at a minimum the Senior Security Officer, Vice President Corporate IT, and Internal Audit Director.
  91. Administrative job duties, including those delegated to third-party support groups, should be assigned with incident response responsibilities in mind.
  92. Simulations of incident response plans should be performed at least once per year.
Q. DATA RECOVERY CAPABILITY
Properly back up critical information with a proven methodology for timely recovery of it.
  93. Data must be protected from loss through effective backup methods.
  94. Encryption of backup data while at rest on media should be used. Practices to ensure the secure physical storage and transport of media must be in place when data at rest encryption is not available.
  95. Encryption Keys must be stored in at least one offline or near line location that is not continuously addressable.
  96. Automated backup methods must include the ability to notify backup operators in the event of a failure in the automated backup process.
  97. Data restoration procedures should be reviewed to ensure accuracy and effectiveness at least once per year.
R. PENETRATION TESTING
Test the overall strength of Alamo Group defenses by simulating the objectives and actions of an attacker.
  98. Penetration tests must be performed by a third party.
  99. Any third party performing penetration tests must be approved by the Corporate IT Department.
  100. Penetration tests must be performed on a recurring basis of no less than once per year.
  101. Remediation of vulnerabilities discovered during a penetration test should be prioritized according to a combination of the risk-based rating assigned to the vulnerability and the risk exposure of a given system, with increased priority given to systems with the highest combination of risk and vulnerability exposure rating.
  102. Deficiencies discovered as part of a penetration test must be addressed in accordance with the requirements set forth in the "Vulnerability Assessment and Remediation" section of this document.
IV. RIGHT TO SEARCH
Alamo Group authorized personnel may at any time (and in accordance with applicable law) access and search all Alamo Group IT related equipment as well as employee offices and work areas on company property, including but not limited to locked and unlocked desks, file cabinets, files and lockers, without prior notice, for business-related reasons as determined in their sole discretion.
V. RESPONSIBILITY
A. Managers and Supervisors are responsible for enforcement of this policy for compliance.
B. Facility Human Resources are responsible for ensuring notices of guidelines are properly posted.
C. Corporate Information Technology is responsible for updating this policy as necessary.
D. The Vice President of Corporate IT is responsible for the oversight of this policy of ensuring the confidentiality, integrity, and availability of information assets of Alamo Group.
VI. VIOLATION
An employee who violates this policy will be subject to appropriate disciplinary action up to and including immediate termination of employment.
Devices or software found to be in violation of this policy will be subject to appropriate actions up to and including the unannounced termination of network access or system availability.