Cybersecurity

Cybersecurity committee strategy

  • Bancolombia continuously seeks to improve its governance capacity in Cybersecurity and Information Security.
  • Our processes are based on international information security standards, as well as on the most relevant national and international regulations.
  • Our strategy supports the competitive strategy defined by the businesses and the corporate strategy of the Bancolombia Group by enabling capabilities that ensure the confidentiality, integrity and availability of information, which contributes to our customers' trust and improves the internal user experience, while seeking to make cybersecurity part of everyone's daily life.

Our integral security strategy covers:

  • Information security.
  • Cybersecurity.
  • Personal data protection.
  • Fraud management.

Juan Camilo Zuluaga Peralta

VP Customer and Employee Services

He is currently the Vice President of Customer and Employee Services at Grupo Bancolombia, where he has worked for 18 years, and has extensive experience as a Project Manager and as Director of Origination and Collection.

He is an international negotiator and a finance specialist from EAFIT University in Colombia, holds an Executive MBA from Monash University in Australia, obtained through Bancolombia's Excellence Scholarship Program, and has also completed the Senior Management program at the Instituto de Empresa (IE) in Spain.

Management Model

Regarding information security and cybersecurity governance, the Organization has established an ISMS (Information Security Management System) that manages information security and cybersecurity through artifacts that follow a continuous improvement cycle and are shared with employees and third parties that have employment or business relationships with the Entity.

The Bancolombia Group's ISMS is managed through:

Governance Frameworks:

The Organization has implemented the most internationally recognized standards, in their current versions, as the basis for evaluating security controls.

  • ISO/IEC 27001: provides a framework of 93 controls in its 2022 version.
  • NIST CSF 2.0: provides a framework of 108 controls in its version 2.0.

Maturity Models:

The most internationally recognized models are used to measure the level of adoption of security controls in the organization.

  • CMM: provides a model for measuring process capability maturity.
  • ISO/IEC 15504: provides a model for assessing the capabilities of development processes.

Policies:

There are Cybersecurity and Information Security Policies that establish senior management's intention regarding the treatment of risks associated with information. They are approved by the Board of Directors.

Risk Management.pdf

Standards:

They contain mandatory guidelines that support policy compliance and ensure consistent security across the organization.

Baselines:

They contain security parameters that must be implemented in the technological infrastructure to add a security layer to its components.

Cybersecurity Committee:

Within the information security and cybersecurity management model, committees have been formed to promote projects, make decisions, manage the progress of the strategy and governance, and address issues related to the risks, compliance and regulations associated with information:

  • Corporate Cybersecurity and IS Committee
  • Bancolombia Cybersecurity and IS Committee

Likewise, the leaders of the Cybersecurity and Information Security Environment actively participate in other committees of the Organization:

  • Audit Committee: comprised of members of the Board of Directors and other participants.
  • Risk Committee: comprised of members of the Board of Directors and other participants.
  • Technology and Cybersecurity Committee: a new committee formed in 2024, made up of three independent members and one non-independent member of the Board of Directors. The Vice President of Corporate Services, the Vice President of Technology, the Leader of the Corporate Cybersecurity Environment and the Director of Non-Traditional Risks attend as permanent guests. Additionally, the Vice President of Internal Audit and the Vice President of Risks, as well as other Bank employees, may attend as guests depending on the topics to be addressed. The main objective of this Committee is to support the Board of Directors in the strategic direction and oversight of matters related to technology and cybersecurity. For this purpose, it reviews technology trends that may impact the company's strategic plans, as well as reports on the technological operations of Bancolombia, including progress in software development, technology architecture, availability of channels and services, IT continuity, and investment performance.

Information Security, Cybersecurity, and Fraud Management Reports

Cybersecurity and Information Security Management Report

Audience: Board of Directors

Frequency: semi-annual, July - January

Content: progress of the strategy, half-yearly achievements, main figures, relevant issues of the semester.

Security Report

Audience: President, Corporate Vice President, Vice President of Administration and Security, and selected Directors.

Frequency: monthly

Content: figures, strategic indicators and relevant topics.

Security Report

Audience: Teams and specific positions

Frequency: weekly

Content: figures, strategic indicators and relevant topics.

Information Security, Cybersecurity and Fraud Management Processes

In Grupo Bancolombia, the Cybersecurity, Information Security and Fraud Management processes are defined in accordance with the best practices of COBIT 2019, NIST and ISO 27000:

  • Governance of Cybersecurity and Information Security: ensures the definition, implementation and monitoring of the cybersecurity and information security strategy and governance, for the treatment of the Organization's risks, in accordance with applicable regulations and best practices.

  • Protect information assets: secures the critical information assets identified and classified within the processes, to minimize information security risks based on the information protection governance model defined within the organization.

  • Securing digital services: protects the information assets that rest in the organization's digital systems, guaranteeing the coverage and risk level defined by the organization.

  • Identity and access management: manages identities and access to systems, seeking compliant access, treatment of the risks of unauthorized access, and compliance with organizational policies and regulatory requirements.

  • Monitor and respond to security events: prevents, detects, responds to and recovers from cybersecurity and information security threats, events and incidents that threaten the information and the availability of the Bancolombia Group's services, in a timely and accurate manner, remediating them in the shortest possible time.

  • Fraud management strategy: defines the transactional fraud management strategy and leads its development, in accordance with the risk profile of the channels and products, regulatory frameworks, policies and security standards, ensuring our customers' experience in the secure use of transactional channels.

  • Fraud management and containment: defines and leads the typification of fraud modus operandi, efficiently identifying any fraud and loss exposure affecting customers, employees and assets of Bancolombia, according to the needs of our customers, risk management, business requirements and operational support areas, so as to anticipate or react in a timely manner.

  • Special Investigation Services: investigates and monitors potential internal fraud and malpractice events in order to prevent, deter, detect and minimize internal fraud and malpractice.

  • Fraud management analytics: identifies fraud trends by performing information analysis, for the subsequent design and implementation of statistical models and monitoring rules that allow preventing, detecting and reacting to internal and external fraud events.

  • Fraud management services: leads, manages and integrally defines the service functions for potential customers or fraud victims, external fraud investigation processes, as well as the administration and management of the operation related to transactional monitoring.

  • Security of People and Physical Infrastructure: defines and leads the operation of the Bancolombia Group's Physical and Electronic Security, in accordance with risk management, customer expectations, and the standards and regulatory frameworks of the national territory, positively influencing the relationship with authorities, associations and control entities, in order to protect the technological and physical integrity of people (customers and employees), processes and assets.

  • Cybersecurity and Security Assessment: external evaluation of the maturity level of the organization's cybersecurity and information security capabilities.

Document in Spanish: Assessment de ciberseguridad y seguridad

Cybersecurity and Information Security Culture

We provide knowledge to the Bancolombia Group's various audiences to develop and strengthen skills that lead them to adopt conscious behaviors for the protection and secure use of information, technology, channels, and financial products in their daily lives.

We add value through a culture-enabling strategy for fraud prevention, maintaining the Group's reputation, protecting information, and ensuring regulatory compliance.

 
