GLOBANT INFORMATION SECURITY TEAM (GIST)

Document Name: Non-standardized external apps guidelines
Date of Creation: March 2021
Status (Draft, Approved) and Date:
Author: GIST
Document Classification (Internal, Restricted, Public): Internal

Ver. No.  Ver. Date       Description                                          Reviewer  Approver
1.0       March 2021      First version                                        GIST      Gustavo Ugaz
1.1       September 2022  Policy Review                                        GIST      Martin Rodriguez
1.2       January 2023    Approved Applications Dashboard added & Ownership    GIST      Martin Rodriguez
                          criteria items
1.3       September 2023  VPN access options                                   GIST      Martin Rodriguez

Page 1 of 6
Contents

Introduction 3
General Requirements 3
  User Management 3
  Password Management and MFA 3
  GIST follow up 4
GIST Compliance Requirements 4
  Certifications 4
  Meeting with GIST Compliance Team 4
GIST Cybersecurity Requirements 5
  Required items 5
GIST Operations related 6
Introduction
This document is a guideline for standardizing a new or existing tool so that it can be approved by
GIST. You can find all the available applications in the following link.

In this document, you will find the general requirements, followed by the specific requirements
set by each GIST area. All requirements are necessary and mandatory in order to obtain the
approval of the GIST area.

Compliance with this Policy

Compliance with this policy and the documents it refers to is mandatory for all employees,
contractors, third parties and business partners with whom Globant conducts business. Lack of
compliance with this policy will be considered a Security Incident: an investigation will be
initiated and the root cause of the issue will be addressed.
If you are not able to follow the security policies described in this document, please make sure
you notify GIST (Globant Information Security Team). A Security Exception might be all you
need to clear your non-compliance.
Those individuals, contractors, third parties or business partners who have failed to comply
with this policy might face consequences such as suspensions, penalties or even legal action.

General Requirements
User Management

All users must authenticate to the application with an SSO solution. The possible alternatives are:
● Google Solution: you need to contact the Google administrator
● Azure Solution: you need to contact the Windows team

In case external users have to access the application (e.g. providers or clients), they need to use
a Globant-provided user (external mail or external AD user).

GIST follow up
● A GDoc must be created by GIST to follow up on the revision detailed in this policy.
● The Drive folder created for the revision must contain all the documentation related to
this revision, such as certifications, architecture diagrams and permissions matrix,
among others.

Ticket request
There are two possible scenarios:

Option 1: If you need to request an exception for your project or yourself, create a ticket in the
following category:
Security > Information Security > Exception & Approvals

Option 2: If you require an application that is not on the list and is needed by all globers,
please create a ticket at Invgate in the following category:
Security > Applications > Vendor Applications

GIST Compliance Requirements

To obtain GIST Compliance approval the application must comply with the items listed below.

Certifications
The application owner must ask the provider for one or more of the following:
- ISO 27001
- SOC 2 / 3
- Personal Data Certification - if required, depending on the information handled
- Health Information Report - depending on the information handled
- PCI - depending on the information handled

Meeting with GIST Compliance Team

A meeting with GIST Compliance must be held. During the meeting GIST will ask about
technical and non-technical items such as:
- Owner, description and certifications will be the first items
- GIST Compliance will ask about:
  - Architecture (OS and DB)
  - Provider (on-prem or cloud)
  - Datacenter (location and access)
  - Change Management
  - Backups
  - User management (ABM: user creation, removal and modification)
  - Access management (authentication and passwords)
  - Roles and Responsibilities
  - Critical Access and Segregation of Duties

GIST Compliance will define whether the application must be SOX compliant or not. If the tool is
a SOX tool, or if it is affected by audit controls, some information will be requested in order to
comply with the first control review. If it is not SOX, the tool may still be asked to have some
internal controls. The GIST Compliance team will help the area owner, or will guide them, to
ensure the application is controlled.
Some documents are defined to help the involved area:
- (Tool) Standard Policy
- ABM guideline
- Change Management guideline

GIST Cybersecurity Requirements

To obtain GIST Cybersecurity approval the application must comply with the items listed below.

Required items

1. Architecture components
2. Support for SSO integration (Google and Azure)
3. MFA support
4. Certifications that the platform may have, such as ISO 27001, SOC 1-2, GDPR, CCPA,
HIPAA, etc.
5. Privacy Policy
6. Privileged access management
7. Most recent vulnerability report (3 months at least).
8. Pentest executed (current year)
9. An NDA must be signed by the vendor, with legal support, to allow us to ask the vendor
for several documents (SDLC, quality and cybersecurity).
10. Internal Ownership Roles (management): the GIST Team will determine the ownership of the
product based on business needs. The owner of the application will be responsible for
the management and control of the application and might respond to all related events.
11. Internal Ownership Roles (Internal Responsible): who will be responsible for the
administration.
12. Internal Ownership Roles (Control): who will be responsible for the roles and
privileges audit.
13. Detailed log information + SOC integration (Splunk Cloud).
14. Incident Response
15. Extras: Roles and Privileges Matrix, etc.

The GIST Vulnerability team can ask for all the items mentioned above and also for any other
elements that are relevant to the case under consideration.

GIST Operations related

The GIST Operations team will be able to perform all the validations that may be necessary to
support the request. This can include interviewing stakeholders, ticket management as
collaborators and evidence requests.
