CUSOFIPO · Infosec View

CUSOFIPO Infosec Clause Decomposition Workspace

This demo turns the Circular Única de Sofipos into an executable operating split for information security, system controls, electronic channels, outsourcing, continuity, and reporting-data integrity. The goal is to separate what Infosec owns from what Legal, Business, Risk, Finance, and Operations must validate.

Source Document: 297 source PDF pages
Infosec Domains: 8 (governance, systems, risk, reporting, outsourcing)
Demo Items: 51 (working draft, not final legal mapping)
Primary Owner: Infosec (controls, system evidence, technical validation)
Use boundary: This page is an Infosec-facing responsibility and evidence demo. It is not a legal opinion. Legal applicability, regulatory interpretation, exemptions, and N/A decisions remain owned by Legal / Compliance.
Ownership Model
Infosec-led with partner validation

Infosec owns

Security control library, IAM, encryption, logging, backup and recovery, vulnerability and vendor-security evidence.

Legal / Compliance owns

Applicability, regulatory interpretation, N/A decisions, regulator communication, and formal policy wording.

Business / Product owns

Product process, customer journey, electronic-channel design, operational evidence, and launch approvals.

Risk / Finance / Ops owns

Risk registers, reporting data, capital and finance assumptions, operational continuity, and customer-service evidence.

Page Principles
Each item should answer four questions: what is the regulatory requirement, who is the primary team, who supports it, and what work needs to be done now.
Source page hints are kept so SME reviewers can later backfill exact article and clause references.
CUSOFIPO Infosec Clause Matrix
Demo · 24 items shown
Columns: Ref · Requirement Name · Lens · Source · Primary Team (Infosec for every row) · Supporting Teams · Work Scope · Evidence · Status
CUSO-SEC-001 · Internal control system
Lens: control library and monitoring evidence
Source: Art. 52/79 lens; p.72/p.93 mention internal control (control interno), system support, and electronic channels.
Infosec work: Build the Infosec control library and map systems, processes, evidence frequency, and control owners.
Supporting teams: Legal/Compliance confirms policy scope; Business validates process coverage.
Evidence: Control matrix, owner RACI, policy version, monitoring records.
Status: Mapped · Open
CUSO-SEC-002 · Segregation of duties and role boundaries
Lens: organizational roles to system access
Source: p.72/p.74 relate to internal control, responsibilities, and information-system availability.
Infosec work: Define SoD rules, sensitive privileges, approvers, and conflict handling.
Supporting teams: Business validates job roles; HR/Legal supports authorization evidence.
Evidence: Role matrix, access approvals, SoD conflict list, exception approvals.
Status: Mapped · Open
CUSO-SEC-003 · Corrective action register
Lens: issue, remediation, retest, closure
Source: p.95 points to operation manuals, controls, and security or contingency programs.
Infosec work: Maintain a security remediation register with source, risk rating, owner, and retest result.
Supporting teams: Compliance confirms remediation governance; Business validates process impact.
Evidence: Issue tracker, remediation plan, retest proof, closure approval.
Status: Demo · Open
CUSO-SEC-004 · Confidentiality of authentication factors
Lens: customer and internal-user authentication protection
Source: p.72/p.117 mention confidentiality in the generation, storage, transmission, and reception of identification and authentication factors.
Infosec work: Design controls for MFA, passwords/NIP, keys, credential storage, and transmission protection.
Supporting teams: Product confirms the customer-authentication journey; Legal confirms user notices.
Evidence: Authentication architecture, MFA report, key or credential-protection standard, testing records.
Status: Mapped · Open
CUSO-SEC-005 · System authorization and access policies
Lens: least privilege and privileged access
Source: p.72/p.117 mention system operation, authorization, access controls, and database/application integrity and confidentiality.
Infosec work: Operate IAM, PAM, access reviews, leaver revocation, and service-account controls.
Supporting teams: Business confirms access need; HR supports the joiner, mover, and leaver flow.
Evidence: IAM policy, quarterly access review, PAM logs, leaver revocation records.
Status: Mapped · Open
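The two checks an access review for CUSO-SEC-002 and CUSO-SEC-005 actually runs, as an added example (not code from this page or from any CUSOFIPO tooling): a segregation-of-duties sweep of an IAM export against a conflict rule set with documented exception approvals, and a reconciliation of the HR leaver list against accounts that still exist. The IAM and HR records, role names, exception reference and review date are constructed sample data, and the field names are assumptions about what the exports contain.

```python
"""Access-review checks for SoD conflicts and leaver revocation gaps.

Added example; the IAM/HR records, role names and exception IDs below are
constructed sample data, and the field names are assumptions about the exports.
"""
from datetime import date

# Constructed IAM export: one record per active account (assumed fields).
IAM_ACCOUNTS = [
    {"user": "ana.lopez", "roles": {"credit_analyst", "credit_approver"}, "last_login": date(2024, 5, 2)},
    {"user": "luis.perez", "roles": {"credit_analyst"}, "last_login": date(2024, 5, 3)},
    {"user": "maria.ruiz", "roles": {"payments_initiator", "payments_releaser"}, "last_login": date(2024, 4, 28)},
    {"user": "jorge.diaz", "roles": {"db_admin"}, "last_login": date(2024, 4, 25)},
    {"user": "svc-reporting", "roles": {"db_reader"}, "last_login": date(2024, 5, 3)},
]

# Constructed HR export of terminated staff (assumed fields).
HR_LEAVERS = [
    {"user": "jorge.diaz", "termination_date": date(2024, 4, 20)},
    {"user": "carla.mena", "termination_date": date(2024, 4, 10)},  # already absent from IAM: revoked
]

REVIEW_DATE = date(2024, 5, 3)  # date the quarterly review is run (constructed)

# SoD rule set: role combinations one identity must not hold at the same time.
SOD_RULES = [
    (frozenset({"credit_analyst", "credit_approver"}), "originates and approves the same credit"),
    (frozenset({"payments_initiator", "payments_releaser"}), "initiates and releases payments"),
]

# Documented exception approvals, keyed by (user, conflicting role set) -> approval reference.
APPROVED_EXCEPTIONS = {
    ("maria.ruiz", frozenset({"payments_initiator", "payments_releaser"})): "EXC-2024-007",
}


def sod_conflicts(accounts, rules=SOD_RULES, exceptions=APPROVED_EXCEPTIONS):
    """Return (unapproved conflicts, conflicts covered by a documented exception)."""
    conflicts, accepted = [], []
    for acct in accounts:
        for combo, reason in rules:
            if not combo <= acct["roles"]:
                continue
            finding = {"user": acct["user"], "roles": sorted(combo), "reason": reason}
            approval = exceptions.get((acct["user"], combo))
            if approval:
                accepted.append({**finding, "approval": approval})
            else:
                conflicts.append(finding)
    return conflicts, accepted


def leaver_revocation_gaps(accounts, leavers, as_of):
    """Leavers whose account still exists: days the gap has been open and whether it was used."""
    active = {acct["user"]: acct for acct in accounts}
    gaps = []
    for leaver in leavers:
        acct = active.get(leaver["user"])
        if acct is None:
            continue  # account already revoked: nothing to report
        term = leaver["termination_date"]
        gaps.append({
            "user": leaver["user"],
            "days_open": (as_of - term).days,
            "used_after_termination": acct["last_login"] > term,
        })
    return gaps


if __name__ == "__main__":
    unapproved, approved = sod_conflicts(IAM_ACCOUNTS)
    print("SoD conflicts without approval:", unapproved)
    print("SoD conflicts with documented exception:", approved)
    print("Leaver revocation gaps:", leaver_revocation_gaps(IAM_ACCOUNTS, HR_LEAVERS, REVIEW_DATE))
```

The exception map is deliberate: a conflict with an approval record is still a conflict, so it goes into the review pack as an accepted exception with its reference rather than being filtered out of the export. The leaver check reports post-termination logins separately from open days, because an unused lingering account and an account used after termination are different severities for the remediation register.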
CUSO-SEC-006 · System documentation and pre-implementation testing
Lens: SDLC, change, and test evidence
Source: p.95 says systems should be documented, kept up to date, and tested before implementation.
Infosec work: Require security review, SAST/DAST, change approval, pre-release validation, and a rollback plan.
Supporting teams: Product/Engineering provides requirements, UAT, and release approval.
Evidence: Change ticket, security-test report, UAT record, release approval.
Status: Mapped · Open
CUSO-SEC-007 · Backup and recovery mechanisms
Lens: recoverability and integrity
Source: p.95/p.117 mention backup and recovery mechanisms to ensure information integrity.
Infosec work: Define backup policy, retention, encryption, restore tests, and remediation for failures.
Supporting teams: Ops/Business confirms RTO/RPO and critical-service scope.
Evidence: Backup job report, restore test, RTO/RPO approval, failure remediation records.
Status: Needs Evidence · Open
CUSO-SEC-008 · Electronic-media security and encryption
Lens: sensitive data in transit, storage, and processing
Source: p.211 mentions security in transmission, storage, and processing, and encryption or encrypted channels for sensitive information and authentication factors.
Infosec work: Maintain TLS, data encryption, key management, truncation or masking, and key-access controls.
Supporting teams: Product/Data confirms sensitive fields and business transmission paths.
Evidence: TLS scan, cryptography standard, key inventory, data-flow map, masking rules.
Status: Mapped · Open
CUSO-SEC-009 · Technology and operational risk inputs
Lens: Infosec risks feeding ERM
Source: p.72/p.90 relate to operational risk (riesgo operativo) and risk management (administración de riesgos).
Infosec work: Maintain the technology risk register, risk assessments, control effectiveness, and security KRIs.
Supporting teams: Risk owns the ERM framework and risk acceptance.
Evidence: Technology risk register, KRI dashboard, risk acceptance, committee minutes.
Status: Mapped · Open
CUSO-SEC-010 · Fraud and system-event identification
Lens: monitoring, alerting, investigation
Source: p.117 mentions identification and resolution of fraud and system events.
Infosec work: Operate security monitoring, fraud-linked alerts, incident severity, investigation records, and remediation closure.
Supporting teams: Business/Ops owns customer handling; Legal decides regulatory notification.
Evidence: Alert rules, SIEM/EDR records, fraud tickets, response reports.
Status: Mapped · Open
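What "alert rules" for CUSO-SEC-010 look like in practice, as an added example (not code from this page or from any CUSOFIPO tooling): three stateful detections run over electronic-channel events, with the severity model the item calls for. The JSON-lines events, the customer and device identifiers, the event schema (ts, customer, event, device, amount), the enrolled-device list and all thresholds are constructed assumptions.

```python
"""Fraud / system-event detection over electronic-channel events.

Added example. The events below are constructed JSON-lines samples with an
assumed schema (ts, customer, event, device, amount); thresholds are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed channel events, one JSON object per line, not in guaranteed time order.
SAMPLE_EVENTS = """\
{"ts": "2024-05-03T10:00:01", "customer": "C1001", "event": "login_failed", "device": "d-aaa"}
{"ts": "2024-05-03T10:00:05", "customer": "C1001", "event": "login_failed", "device": "d-aaa"}
{"ts": "2024-05-03T10:00:09", "customer": "C1001", "event": "login_failed", "device": "d-aaa"}
{"ts": "2024-05-03T10:00:15", "customer": "C1001", "event": "login_ok", "device": "d-aaa"}
{"ts": "2024-05-03T10:02:00", "customer": "C1001", "event": "transfer", "device": "d-aaa", "amount": 48000}
{"ts": "2024-05-03T10:05:00", "customer": "C2002", "event": "login_failed", "device": "d-bbb"}
{"ts": "2024-05-03T10:05:30", "customer": "C2002", "event": "login_ok", "device": "d-bbb"}
{"ts": "2024-05-03T10:06:00", "customer": "C2002", "event": "transfer", "device": "d-bbb", "amount": 500}
"""

# Devices previously enrolled per customer (constructed).
KNOWN_DEVICES = {"C1001": {"d-111"}, "C2002": {"d-bbb"}}


def parse_events(text):
    """Parse JSON lines, convert timestamps, and sort so the rules see events in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_devices, fail_threshold=3, fail_window=timedelta(seconds=60),
           transfer_threshold=10_000, transfer_window=timedelta(minutes=5)):
    """Three rules: failed-then-success, new device, high-value transfer after a risky login."""
    recent_fails = defaultdict(deque)  # customer -> timestamps of failed logins in the window
    risky_login_at = {}                 # customer -> ts of the last login that raised an alert
    alerts = []

    def alert(event, rule, severity):
        alerts.append({"ts": event["ts"].isoformat(), "customer": event["customer"],
                       "rule": rule, "severity": severity})

    for e in events:
        c, ts = e["customer"], e["ts"]
        if e["event"] == "login_failed":
            fails = recent_fails[c]
            fails.append(ts)
            while fails and ts - fails[0] > fail_window:  # drop failures outside the window
                fails.popleft()
        elif e["event"] == "login_ok":
            fails = recent_fails[c]
            if sum(1 for t in fails if ts - t <= fail_window) >= fail_threshold:
                alert(e, "failed_logins_then_success", "high")
                risky_login_at[c] = ts
            if e["device"] not in known_devices.get(c, set()):
                alert(e, "new_device_login", "medium")
                risky_login_at[c] = ts
            fails.clear()  # a successful login ends the failure burst
        elif e["event"] == "transfer":
            since = risky_login_at.get(c)
            if since is not None and ts - since <= transfer_window and e["amount"] >= transfer_threshold:
                alert(e, "high_value_transfer_after_risky_login", "critical")
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_EVENTS), KNOWN_DEVICES)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The third rule is the one that turns a monitoring signal into a fraud ticket: a burst of failures or an unknown device on its own is medium or high, but a high-value transfer minutes later escalates to critical and is what Business/Ops needs for customer handling. Customer C2002 produces nothing: one failure and a login from an enrolled device is normal traffic, which is the false-positive check a rule set should pass before it goes to the SIEM.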
CUSO-SEC-011 · Security KRIs and risk-limit monitoring
Lens: inputs for the risk committee
Source: p.90 points to risk policies, limits, and portfolio monitoring.
Infosec work: Define KRIs for patching, vulnerabilities, access anomalies, backup failures, and third-party security.
Supporting teams: Risk approves thresholds and adds them to the governance cadence.
Evidence: KRI definition, monthly report, threshold breach handling, meeting minutes.
Status: Demo · Open
CUSO-SEC-012 · Credit-system access and auditability
Lens: credit files and decision systems
Source: p.74 mentions information systems supporting complete and timely credit/deposit status information.
Infosec work: Protect credit-system access, audit logs, data-modification privileges, and sensitive-field access.
Supporting teams: Credit Risk/Business confirms approval roles and business need.
Evidence: RBAC matrix, audit logs, access review, sensitive-field inventory.
Status: Mapped · Open
CUSO-SEC-013 · Automated authorization and rule-change control
Lens: decision rules, models, and changes
Source: p.74 relates to automated information systems and authorization flow; exact article mapping needs SME review.
Infosec work: Apply change control, access control, and logging to approval rules, model parameters, and policy changes.
Supporting teams: Risk/Business approves policy and model logic.
Evidence: Rule-change ticket, approval record, test samples, rollback plan.
Status: Demo · Open
CUSO-SEC-014 · Customer electronic-channel operation support
Lens: app, web, service, and transaction journey
Source: p.72/p.117 mention electronic channels supporting operations and customer service.
Infosec work: Validate e-channel data flows, authentication, transaction integrity, logging, and anomaly monitoring.
Supporting teams: Product/Ops confirms the customer journey and exception-handling process.
Evidence: Data-flow map, app-control test, log samples, exception-handling SOP.
Status: Mapped · Open
CUSO-SEC-015 · Complete and timely information availability
Lens: information available to the regulator, the federation, and authorized personnel
Source: p.74 mentions systems that allow complete and timely information for authorized personnel.
Infosec work: Define reporting-source access, data lineage, access audit, and reporting-system availability.
Supporting teams: Reporting/Compliance owns filing and reporting assumptions.
Evidence: Data lineage, reporting-system access, availability records, filing receipt.
Status: Mapped · Open
CUSO-SEC-016 · Source-data integrity and confidentiality
Lens: database, application, and reporting source tables
Source: p.72/p.117 mention database and application integrity and confidentiality.
Infosec work: Protect database access, change logs, direct-data-change approvals, backups, and reconciliations.
Supporting teams: Finance/Risk confirms figures and reconciliation results.
Evidence: DB access, change logs, data validation, reconciliation records.
Status: Needs Evidence · Open
CUSO-SEC-017 · Regulatory filing evidence retention
Lens: submission, receipt, version, approval
Source: CUSOFIPO has multiple reporting obligations; this item is a demo for filing-evidence management.
Infosec work: Provide controls for filing-system accounts, submission logs, file integrity, and retention access.
Supporting teams: Compliance/Finance owns submission content and the regulator receipt.
Evidence: Filing calendar, approval, submission-package hash, regulator receipt.
Status: Demo · Open
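How the "submission-package hash" in CUSO-SEC-017 is produced and later checked, as an added example (not code from this page or from any CUSOFIPO tooling): a per-file SHA-256 manifest written into the package at submission time, a digest of the canonical manifest that can be quoted in the approval and filed beside the regulator receipt, and a verification pass that tells modified, missing and added files apart when the package is pulled from retention. The package contents, file names and the edit simulated after submission are constructed in a temporary directory.

```python
"""Submission-package integrity manifest: build at filing time, verify from retention.

Added example. The package below is constructed in a temporary directory; the
file names and figures are sample data, not any real regulatory report layout.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # stored inside the package, excluded from its own hash


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large report extracts are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's package-relative POSIX path to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME}


def manifest_digest(manifest):
    """One digest over the canonical (sorted, compact) manifest: the value quoted in the approval."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_package(root, manifest):
    """Compare the package on disk with the manifest recorded at submission."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Build a constructed package, seal it, then simulate a post-submission edit."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "filing-2024-04"
        (pkg / "anexos").mkdir(parents=True)
        (pkg / "reporte.csv").write_text("cuenta,saldo\n001,100.00\n")        # constructed
        (pkg / "anexos" / "cartera.csv").write_text("credito,monto\nA1,5000\n")  # constructed

        manifest = build_manifest(pkg)
        sealed_digest = manifest_digest(manifest)
        (pkg / MANIFEST_NAME).write_text(json.dumps({"files": manifest, "digest": sealed_digest}))
        clean = verify_package(pkg, manifest)

        # Later: a figure is edited in the retained copy and a stray file appears.
        (pkg / "reporte.csv").write_text("cuenta,saldo\n001,999.00\n")
        (pkg / "extra.txt").write_text("x")
        tampered = verify_package(pkg, manifest)
        digest_unchanged = manifest_digest(build_manifest(pkg)) == sealed_digest

        return {"file_count": len(manifest), "sealed_digest": sealed_digest,
                "clean": clean, "tampered": tampered, "digest_unchanged": digest_unchanged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the manifest digest in the approval and the filing log, not only inside the package, is the point: an attacker or a careless operator who edits a retained file can regenerate MANIFEST.json, but cannot change the digest already quoted in the approval record and next to the regulator receipt.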
CUSO-SEC-018 · Third-party monitoring policies
Lens: vendor security review and ongoing monitoring
Source: p.217 mentions third-party or commission-agent service policies, obligations, and monitoring.
Infosec work: Perform vendor security due diligence, tiering, contract security clauses, annual review, and issue tracking.
Supporting teams: Legal owns contracts; Business owns service need and performance.
Evidence: Vendor assessment, contract clauses, SLA, review record, remediation tracking.
Status: Mapped · Open
CUSO-SEC-019 · Client-information confidentiality and security with third parties
Lens: data sharing and processing protection
Source: p.217 mentions confidentiality and security of client information.
Infosec work: Define data classification, sharing approval, encryption, access logs, minimization, and deletion or return controls.
Supporting teams: Legal/Privacy confirms contracts, consent, and the privacy notice.
Evidence: DPA, security clauses, data flow, access logs, deletion proof.
Status: Mapped · Open
CUSO-SEC-020 · Subcontracting restrictions and approval
Lens: vendor downstream suppliers
Source: p.217 mentions subcontracting restrictions.
Infosec work: Require critical vendors to disclose subcontractors and complete security approval and change notice.
Supporting teams: Legal owns contract restrictions; Procurement maintains vendor master data.
Evidence: Subcontractor register, approval record, contract clause, change notice.
Status: Demo · Open
CUSO-SEC-021 · Third-party continuity and disaster contingency
Lens: critical vendor service recovery
Source: p.217 mentions business continuity and disaster contingency.
Infosec work: Collect critical-vendor BCP/DR evidence, RTO/RPO, exercise results, and failure remediation.
Supporting teams: Ops/Business confirms service dependency, fallback plan, and customer impact.
Evidence: Vendor BCP attestation, DR test, dependency list, fallback plan.
Status: Needs Evidence · Open
CUSO-SEC-022 · Service continuity and contingency plans
Lens: critical-system BCP/DR
Source: p.117 mentions contingency plans for continuous service; p.95 mentions contingency and security programs.
Infosec work: Build BIA, BCP, DR, exercises, RTO/RPO validation, and recovery evidence.
Supporting teams: Business/Ops confirms critical processes and acceptable downtime.
Evidence: BIA, BCP, DR test, exercise report, improvement plan.
Status: Mapped · Open
CUSO-SEC-023 · Fraud-prevention project evidence retention
Lens: five-year retention signal
Source: p.93 mentions fraud-prevention project evidence retained for at least five years.
Infosec work: Provide a retention mechanism for fraud monitoring, rule changes, project delivery, and security validation evidence.
Supporting teams: Fraud/Compliance confirms retention scope and use cases.
Evidence: Project files, rule version, testing records, retention policy, access records.
Status: Demo · Open
CUSO-SEC-024 · Incident handling and corrective closure
Lens: incident, root cause, notification, remediation
Source: p.117/p.95 relate to fraud or system-event identification and resolution, plus security and contingency programs.
Infosec work: Maintain the incident-response process, severity model, root cause analysis, remediation retest, and lessons learned.
Supporting teams: Legal/Compliance decides regulatory notification; Ops executes customer and business recovery.
Evidence: Incident ticket, timeline, RCA report, notification decision, closure proof.
Status: Mapped · Open
Topic Detail Split
responsibility and evidence split

Governance & Internal Control

Infosec focus
Convert regulatory language into control library, RACI, remediation register, and control frequency.
Partner teams
Legal/Compliance confirms policy wording; Business confirms process coverage.
Evidence
Control matrix, policy version, approvals, remediation closure records.

Information Security & Technology

Infosec focus
IAM, PAM, authentication factors, encryption, SDLC, backup and recovery, logging and monitoring.
Partner teams
Product/Engineering confirms system design, customer flow, and release plan.
Evidence
Architecture diagram, access review, TLS/encryption test, change ticket, restore test.

Risk Management

Infosec focus
Feed security risk, fraud events, vulnerabilities, and vendor risk into ERM.
Partner teams
Risk approves rating, thresholds, and acceptance flow.
Evidence
Risk register, KRIs, meeting minutes, risk-acceptance records.

Credit Process & System Controls

Infosec focus
Protect credit-system access, decision-rule changes, customer e-channels, and transaction logs.
Partner teams
Credit Risk/Business/Product confirms credit policy, approval roles, and customer journey.
Evidence
RBAC, decision-rule changes, test samples, exception-handling SOP.

Regulatory Reporting & Data Quality

Infosec focus
Protect reporting sources, database privileges, filing-system accounts, and file integrity.
Partner teams
Compliance/Finance/Risk confirms reporting assumptions, figures, and submission.
Evidence
Data lineage, reconciliation, filing receipts, access logs.

Third Party & Outsourcing

Infosec focus
Vendor due diligence, contract security clauses, client-data protection, subcontracting, and third-party BCP.
Partner teams
Legal/Procurement/Business confirms contracts, procurement, and service need.
Evidence
Vendor assessment, DPA, SLA, subcontractor register, DR attestation.

Continuity & Incident Response

Infosec focus
BIA, BCP/DR, incident response, fraud evidence retention, and remediation retesting.
Partner teams
Business/Ops/Legal confirms acceptable downtime, customer handling, and regulatory notification.
Evidence
BIA, exercise report, incident timeline, RCA, notification decision.

Future Extension

Next step
Backfill exact article numbers, short source excerpts, applicability decisions, and system evidence links for each demo item.
AI assist
Once RAG is ready, use it to locate clauses, match evidence, and flag expiry or gaps.
Infosec Evidence Checklist
for later evidence collection automation
Policies & Procedures
Security policy, access control policy, change process, incident response, BCP/DR process.
Identity & Access
RBAC, PAM, MFA, access reviews, leaver revocation, service-account inventory.
Encryption & Keys
TLS scan, cryptography standard, key inventory, key access, masking or truncation rules.
Logging & Monitoring
SIEM/EDR logs, fraud alerts, system events, investigation records, response reports.
Backup & Recovery
Backup reports, restore tests, RTO/RPO, failure remediation, critical-system inventory.
Third-Party Security
Vendor assessment, DPA, SLA, security clauses, subcontractor register, vendor BCP/DR.
Data & Reporting
Data lineage, DB access, reconciliation, submission hash, filing receipt, retention policy.
Incident & Remediation
Incident ticket, timeline, RCA, notification decision, remediation plan, retest proof.
Suggested Next Steps
actionable in the next two weeks
  • 1
    SME backfills exact clauses
    Use the CUSOFIPO source to add article numbers, short excerpts, and applicability decisions for the 24 demo items.
  • 2
    Confirm Business and Legal split
    Confirm owner, partner, and sign-off team item by item so Infosec does not own legal interpretation.
  • 3
    Reserve evidence fields
    The evidence checklist above lists evidence types only; per-item fields are not yet populated. Reserve the field direction now: source system, collection frequency, owner, and expiry reminder.