Text approved by the Management on 24 November 2020.
This Information Security Policy is effective as of that date and until it is superseded by a new Policy.
This document sets out the Information Security Policy of Ivnosys Soluciones S.L. as the set of basic principles and lines of action to which the organisation is committed, within the framework of the ISO 27001 Standard and the National Security Scheme (ENS).
The organisation depends on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.
Information is a critical, essential asset of great value for the development of the company’s activity. This asset must be properly protected, regardless of the formats, supports, transmission means, systems or people handling its dissemination, processing or treatment.
The aim of information security is to ensure information quality and the continuous provision of services by acting preventively, supervising daily activity and reacting promptly to incidents, thereby guaranteeing business continuity, minimising risk and allowing the return on investment and business opportunities to be maximised.
ICT systems must be protected against rapidly evolving threats that may affect the confidentiality, integrity, availability, intended use and value of information and services. To cope with these threats, a strategy that adapts to changing environmental conditions is required to ensure the continuous provision of services. This implies that departments must apply the minimum security measures required by the National Security Scheme and the ISO/IEC 27001 Information Security Systems Standard, as well as continuously monitor the levels of service provision, follow up on and analyse reported vulnerabilities and prepare an effective response to incidents, so as to ensure continuity of the services provided.
Different departments must ensure that ICT security is an integral part of every stage of the system’s life cycle, from design to decommissioning, through development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, in the request for proposals to suppliers and in technical reports for ICT projects.
Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 7 of the ENS and the Business Continuity System of the ISO 22301 Standard.
This article states the following:
Article 7. Prevention, reaction and recovery.
Similarly, the system will keep services available throughout the life cycle of digital information, via a design and procedures that are the basis for the preservation of digital assets.
The company’s management, aware of the value of information, is deeply committed to the policy described in this document.
Departments should avoid, or at least prevent to the extent possible, information or services from being damaged by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. Furthermore, with the clear aim of improving such prevention, departments must also implement all the requirements necessary to comply with the ISO 27001 Standard. These controls, as well as the security roles and responsibilities of all staff, must be clearly defined and documented.
To ensure compliance with the policy, departments must:
Since services can rapidly deteriorate due to incidents, ranging from a simple slowdown to a complete halt, departments must continuously monitor operation to detect anomalies in service levels and act accordingly, as provided for in Article 9 (Regular reassessment) of the ENS, which states the following: “The security measures shall be reassessed and updated on a regular basis, to adapt their effectiveness to the constant evolution of risks and protection systems, even rethinking security, if need be.”
Monitoring is particularly relevant when establishing defence lines, in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that will reach those responsible regularly and whenever a significant deviation from the parameters that have been pre-set as normal occurs.
Article 8 establishes:
Article 8. Defence lines:
For any type of communication, be it internal or external, the provisions of the Communications Plan prepared by the organisation and published in the Ivnosys Management System must be followed.
In order to guarantee the availability of critical services, the organisation has set up a General Business Continuity Plan (PCN), published in the Management System, which assesses possible disaster scenarios, defines a recovery strategy and establishes emergency plans that are reviewed periodically.
This Security Policy applies to the information systems that support the installation and operation processes of the following trust services in cloud mode:
The Information Security Policy is approved by the company’s Management, and its content, together with that of the rules and procedures it sets out, is mandatory for:
As has been mentioned above, the purpose of this Information Security Policy is to protect the information assets of Ivnosys Soluciones, ensuring the availability, integrity, confidentiality, authenticity and traceability of the information and the facilities, systems and resources that process, manage, convey and store them, always in accordance with business requirements and current legislation.
Information must be protected throughout its life cycle, from its creation to its eventual deletion or destruction. To this end, the following minimum principles are established:
Ivnosys has a procedure for the management and organisation of both internal and external responsibilities in the field of information security. This procedure establishes the Management System Committee, whose main mission is the approval, supervision of compliance, management and dissemination of the organisation’s standards and policies, as well as the monitoring and management of current incidents and risks in the field of information security.
The roles of the SG Committee are set out in the organisation’s Management System.
The SG Committee meets at least every six months, and its mandatory members are the General Director, the IT Director, the Management System Manager and the Security Manager.
Although there is no obligation under the GDPR to have a Data Protection Officer (DPO) on staff, the organisation has voluntarily, and in view of the services it provides, appointed a law firm specialising in the matter as its external DPO, registered before the AEPD.
Moreover, at the request of the Committee, any other person or role whose intervention is required because they are affected by the National Security Scheme, the GDPR or any other standard related to information security (such as, among others, the Service Manager and the Security Manager) may attend.
Since security must involve all members of the organisation, as set out in Article 12 of the ENS and in section 3.1 of Annex II of the ENS, the Security Policy must identify clear responsible parties for ensuring compliance and for conveying it to all members of the organisation.
In the Ivnosys Management System, there is a section to identify the people who hold the roles that make up the SG Committee and include their specific functions.
The management will assign, renew and communicate the responsibilities, authorities and roles with regard to information security, while determining in each case the reasons and the term of validity, and will manage any conflict that may arise. It will also ensure that users know, assume and exercise the responsibilities, authorities and roles assigned to them.
The SG Committee will be responsible for the annual review of this Information Security Policy and the proposal for its revision or maintenance.
The policy will be approved by the company’s Management and, as it is a public document in accordance with the Ivnosys Information Classification Policy (available in the Management System), it will be disseminated by the Communications Department, so that all affected parties are aware of it, and made available to third parties through the company’s website: www.ivnosys.com.
Furthermore, it may be additionally reviewed when there are significant changes that affect security, the services provided by the organisation, regulatory changes or any other relevant issue.
The personal data, both of clients and of other workers and collaborators of the company, will be treated by Ivnosys Soluciones pursuant to personal data protection regulations.
When Ivnosys Soluciones needs to access personal data in order to provide the services requested by the client, for whose storage in files and processing the client is responsible (conditions of data access under a processing order), the conditions included in the documents “Processing activities to be performed” for each requested service will apply; these documents are sent to the client as ANNEXES to the “Conditions Applicable to Personal Data Accesses”.
Ivnosys Soluciones, S.L., has an Information Security Management System (ISMS) that implements best practices for the management of information security in accordance with the UNE-ISO/IEC 27001 Standard. Within the framework of the agreements entered into with clients, it applies to all data processing it carries out the controls and measures aimed at guaranteeing the security of the personal data, for which the clients are responsible, to which it has access under the contract.
The organisation guarantees that it will carry out the regular checks and security audits needed to verify that the controls and security measures implemented are effective for the risk treatment for which they have been implemented in each case.
All systems subject to this Policy must undergo a risk analysis assessing the threats and risks to which they are exposed. This analysis will be done regularly, i.e. at least once a year. Furthermore, it may be repeated in the following cases:
In order to harmonise risk analyses, the SG Committee will establish a benchmark assessment for the different types of information handled and the different services provided.
The methodology used for risk assessment is MAGERIT, which allows effective management of incidents that could occur in the different information assets and affect any of the principles of confidentiality, integrity, availability, authenticity and traceability.
The SG Committee will promote the availability of resources to meet the security needs of the different systems, favouring horizontal investments.
This Information Security Policy complements the security policies of Ivnosys Soluciones S.L.U. in different matters:
This Policy will be developed by means of security regulations that address specific aspects. The security regulations will be available to all members of the organisation who need to know them and, in particular, to those who use, operate or manage information and communication systems.
These regulations (processes, procedures, work instructions and any other necessary documentation) will be published in the Confluence Management System, as well as on the Ivnosys corporate Wiki.
All members of Ivnosys Soluciones S.L.U. have the obligation to know and comply with this Information Security Policy and the Security Regulations, and the SG Committee is in charge of providing the necessary means for the information to reach those affected.
All members of Ivnosys Soluciones S.L.U., within the framework of the Annual Training Plan, will attend an awareness session on ICT security at least once a year. An ongoing awareness programme will be set up, based on the regular dissemination of emails regarding information security, to cater for all members of Ivnosys Soluciones S.L., particularly new recruits. Moreover, for new recruits, specific training and evaluation of the knowledge acquired will be carried out as part of the process of joining the organisation.
People in charge of the use, operation or administration of ICT systems will be trained in the safe handling of the systems to the extent they need to carry out their work. Training will be mandatory before taking on a responsibility, whether it is their first assignment or a change in job or responsibilities.
When Ivnosys Soluciones S.L.U. provides services to other organisations or handles information from other organisations, they will be made aware of this Information Security Policy. Channels will be established for reporting and for coordination between the respective managers, together with procedures, in accordance with the organisation’s Incident Management Procedure, for responding to any security incidents that may occur.
When Ivnosys Soluciones S.L.U. uses third-party services or gives information to third parties, those services or that information will be covered by this Security Policy and by the Security Regulations that pertain to them. The third party will be subject to the obligations established in these regulations, while being able to develop its own operational procedures to meet them. Specific procedures will be established for reporting and resolving incidents. It shall be guaranteed that third-party personnel are adequately aware of security matters, at least at the same level as that established in this Policy. If any aspect of the Policy cannot be met by a third party, as set out in the previous paragraphs, the Security Manager and the Service Manager will meet to define and specify the risks incurred and how to deal with them.