Security policy

Version: v4
Approver: Management
Approval date: 25/10/2021
 

1. Approval and effective date

Text approved by the Management on 25 October 2021.

This Information Security Policy is effective as of that date and until it is superseded by a new Policy.

2. Introduction

This document sets out the Information Security Policy of Ivnosys Soluciones S.L. as the set of basic principles and lines of action to which the organisation is committed, within the framework of the ISO 27001 Standard and the National Security Scheme (ENS).

The organisation depends on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

Information is a critical, essential asset of great value for the development of the company’s activity. This asset must be properly protected, regardless of the formats, supports, transmission means, systems or people handling its dissemination, processing or treatment.

The aim of information security is to ensure the quality of information and the continuous provision of services, by acting preventively, supervising daily activity and reacting promptly to incidents, so as to guarantee business continuity, minimise risk and allow the return on investment and business opportunities to be maximised.

ICT systems must be protected against rapidly evolving threats that may affect the confidentiality, integrity, availability, intended use and value of information and services. To cope with these threats, a strategy that adapts to changing conditions is required in order to ensure the continuous provision of services. This means that departments must apply the minimum security measures required by the National Security Scheme and by the ISO/IEC 27001 Information Security Management Systems Standard, continuously monitor the levels of service provision, follow up on and analyse reported vulnerabilities, and prepare an effective response to incidents, so as to ensure the continuity of the services provided.

Different departments must ensure that ICT security is an integral part of every stage of the system’s life cycle, from design to decommissioning, through development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, in the request for proposals to suppliers and in technical reports for ICT projects.

Departments must be prepared to prevent, detect, react to and recover from incidents, in accordance with Article 7 of the ENS and the Business Continuity Management System of the ISO 22301 Standard.

This article states the following:

Article 7. Prevention, reaction and recovery.

  1. System security must address prevention, detection and correction, so that threats to the system do not materialise or seriously affect the information handled or the services provided.
  2. Preventive measures must eliminate, or at least reduce, the possibility that threats will materialise to the detriment of the system. These preventive measures will include, among others, deterrence and reduction of exposure.
  3. Detection measures will be accompanied by reaction measures, so that security incidents can be addressed in a timely manner.
  4. Recovery measures will allow information and services to be restored, so that situations in which a security incident disables the usual means can be dealt with.
  5. Without prejudice to the other basic principles and minimum requirements established, the system will guarantee the preservation of data and information held in electronic form.

Likewise, the system will keep services available throughout the life cycle of digital information, through a design and procedures that form the basis for the preservation of digital assets.

The company’s management, aware of the value of information, is deeply committed to the policy described in this document.

2.1. Prevention

Departments must avoid, or at least reduce as far as possible, damage to information or services caused by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. Furthermore, with the clear aim of improving prevention, departments must also implement all the requirements necessary to comply with the ISO 27001 Standard. These controls, as well as the security roles and responsibilities of all staff, must be clearly defined and documented.

To ensure compliance with the policy, departments must:

  • Authorise the systems before they become operational.
  • Regularly assess security, including evaluations of configuration changes made on a routine basis.
  • Request regular reviews by third parties for independent assessment.

2.2. Detection

Since services can deteriorate rapidly as a result of incidents, ranging from a simple slowdown to a complete halt, their operation must be continuously monitored in order to detect anomalies in service levels and act accordingly, as provided for in Article 9 of the ENS (Regular reassessment), which states: “The security measures shall be reassessed and updated on a regular basis, to adapt their effectiveness to the constant evolution of risks and protection systems, even rethinking security, if need be.”

Monitoring is particularly relevant when establishing lines of defence, in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that reach those responsible on a regular basis and whenever a significant deviation occurs from the parameters that have been pre-set as normal.

Article 8 establishes:

Article 8. Defence lines:

    1. The system must have a protection strategy made up of multiple security layers, arranged in such a way that, when one layer fails, it is possible to:
      a) Gain time for a proper reaction to incidents that could not be avoided.
      b) Reduce the probability that the system as a whole will be compromised.
      c) Minimise the final impact on the system.
    2. The lines of defence must consist of measures of an organisational, physical and logical nature.

2.3. Response

Departments must:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a contact point for communications regarding incidents detected in other departments or other agencies.
  • Establish protocols for the exchange of information related to the incident.

For any type of communication, be it internal or external, the provisions of the Communications Plan, published in the Ivnosys Management System, prepared by the organisation, must be followed.

2.4. Recovery

In order to guarantee the availability of critical services, the organisation has set up a General Business Continuity Plan (PCN), published in the Management System, assessing possible disaster scenarios and a recovery strategy, and establishing emergency plans that are reviewed periodically.

3. Scope

This Security Policy applies to the information systems that support the installation and operation processes of the following trust services in cloud mode:

    1. System for the automatic management of the receipt of electronic notifications, connecting to the electronic offices (sedes electrónicas) of different bodies. It is a desktop application with a centralised cloud server that supports the applications (database, file system, etc.).
    2. Electronic communications platform between organisations with electronic evidence of the different transactions. It is a web system marketed in SaaS mode.
    3. Interoperability system between public administrations. An administration may, with prior consent, consult data on citizens and companies held by other administrations, for use in their procedures, avoiding that the interested parties have to resort to another administration to obtain the data.
    4. System for centralised management on an HSM server of cryptographic keys (digital certificates) and a web services API for electronic communications and evidence, as well as issuance and management of time stamps.
    5. Management of the life cycle of digital certificates (issuance, validation, maintenance and revocation).

The Information Security Policy is approved by the company’s Management, and its content, together with that of the rules and procedures that develop it, is mandatory:

    • All users with access to the information processed, managed or owned by the company have the obligation and duty to safeguard and protect it.
    • The Information Security Policy and Standards will be adapted to the evolution of systems and technology, as well as to organisational changes, and will be aligned with the ISO/IEC 27001 Standard and the National Security Scheme.
    • The security measures and checks established shall be proportional to the criticality of the information to be protected and its classification.
    • The necessary disciplinary action will be taken against people who seriously violate the content of the Information Security Policy or complementary rules and procedures.

4. Purpose

As mentioned above, the purpose of this Information Security Policy is to protect the information assets of Ivnosys Soluciones, ensuring the availability, integrity, confidentiality, authenticity and traceability of the information and of the facilities, systems and resources that process, manage, convey and store it, always in accordance with business requirements and current legislation.

5. Mission and framework objectives

Information must be protected throughout its life cycle, from its creation to its eventual deletion or destruction. To this end, the following minimum principles are established:

  • Information systems must be accessible only to those users, bodies and entities or processes expressly authorised to do so.
  • A commitment to continuous improvement of the ISMS will be established.
  • A level of availability in the information systems will be guaranteed, and the necessary plans and measures will be provided to ensure continuity of services and recovery in the event of serious contingencies.
  • A continuous process of risk analysis and treatment will be set up as a mechanism on which the management of information systems security must be based.
  • Lines of work aimed at preventing incidents related to ICT security will be developed.
  • Services will be continuously monitored to detect anomalies in the levels of service provision and act accordingly.
  • The degree of compliance with the security improvements, planned annually, and the degree of effectiveness of the ICT security controls implemented will be analysed, with the idea of proactively proposing new improvement actions.
  • All the organisation’s staff will be made aware of their duties and obligations with regard to the secure processing of information, and all those who manage and administer information and telecommunications systems will be trained in specific ICT security matters.

6. Regulatory framework

  • Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.
  • Law 40/2015, of 1 October, on the Legal System of the Public Sector.
  • Royal Decree 1671/2009, of 6 November [partially implementing Law 11/2007].
  • Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of Electronic Administration.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.
  • The different CCN-STIC-400/800 series, by means of which appropriate policies, procedures and recommendations are established for the implementation of the measures envisaged in the National Security Scheme (RD 3/2010).
  • ISO/IEC 27001 Standard.
  • Royal Legislative Decree 1/1996, of 12 April, which approves the revised text of the Intellectual Property Law, regularising, clarifying and harmonising the legal provisions in force on the subject.
  • Law 2/2019, of 1 March, which modifies the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of 12 April, and which incorporates into the Spanish legal system Directive 2014/26/EU of the European Parliament and of the Council, of 26 February 2014, and Directive (EU) 2017/1564 of the European Parliament and of the Council, of 13 September 2017.
  • Royal Decree-Law 14/2019, of 31 October, adopting urgent measures for reasons of public security in the fields of e-government, public sector procurement and telecommunications.
  • Law 6/2020, of 11 November, regulating certain aspects of electronic trust services.
  • Regulation (EU) no. 910/2014 of the European Parliament and of the Council, of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

7. Security organisation

7.1. Committees: roles and responsibilities

Ivnosys has a procedure for the management and organisation of both internal and external responsibilities in the field of information security. This procedure establishes the Management System Committee (SG Committee), whose main mission is the approval, supervision of compliance, management and dissemination of the organisation’s standards and policies, as well as the monitoring and management of current incidents and risks, in the field of information security.

The roles of the SG Committee are set out in the organisation’s Management System.

The SG Committee meets at least every six months, and its mandatory members are the General Director, the IT Director, the Management System Manager and the Security Manager.

Ivnosys has an internal Data Protection Officer (DPO), notified to the AEPD, a position held by a professional who meets the experience and training requirements necessary for the functions to be performed.

Moreover, at the request of the Committee, any other role holder whose intervention is required because they are affected by the National Security Scheme, the GDPR or any other standard related to information security (such as, among others, the Service Manager and the Security Manager) may attend.

7.2. Roles: functions and responsibilities

Since security must involve all members of the organisation, as set out in Article 12 and in Annex II, section 3.1, of the ENS, the Security Policy must clearly identify the parties responsible for ensuring compliance and for conveying it to all members of the organisation.

In the Ivnosys Management System, there is a section to identify the people who hold the roles that make up the SG Committee and include their specific functions.

7.3. Appointment procedures

The Management will assign, renew and communicate the responsibilities, authorities and roles with regard to information security, determining in each case the reasons and the term of validity, and will manage any conflict that may arise. It will also ensure that users know, accept and exercise the responsibilities, authorities and roles assigned to them.

7.4. Review and approval of the Information Security Policy

The SG Committee will be responsible for the annual review of this Information Security Policy and the proposal for its revision or maintenance.

The policy will be approved by the company’s Management and, as it is a public document in accordance with the Ivnosys Information Classification Policy (available in the Management System), it will be disseminated by the Communications Department, so that all affected parties are aware of it, and made available to third parties through the company’s website: www.ivnosys.com.

Furthermore, it may be additionally reviewed when there are significant changes that affect security, the services provided by the organisation, regulatory changes or any other relevant issue.

8. Personal data

The personal data of clients, as well as of the company’s workers and collaborators, will be processed by Ivnosys Soluciones in accordance with personal data protection regulations.

Where Ivnosys Soluciones needs to access personal data in order to provide the services requested by a client, and the client is the controller responsible for the storage and processing of that data, access takes place under the conditions of a data processing agreement (processor terms). The conditions set out in the “Processing activities to be performed” document for each requested service apply; these documents are sent to the client as ANNEXES to the “Conditions Applicable to Personal Data Accesses”.

Ivnosys Soluciones, S.L., has an Information Security Management System (ISMS) that implements best practices for the management of information security in accordance with the UNE-ISO/IEC 27001 Standard. Within the framework of the agreements entered into with clients, it applies to all data processing it carries out the controls and measures aimed at guaranteeing the security of the personal data, for which the clients are the controllers, to which it has access under the contract.

The organisation guarantees that it will carry out the regular checks and security audits needed to verify that the controls and security measures implemented are effective for the risk treatment for which they have been implemented in each case.

9. Risk management

All systems subject to this Policy must undergo a risk analysis that assesses the threats and risks to which they are exposed. This analysis will be carried out regularly, at least once a year, and must also be repeated in the following cases:

  • When the information handled changes;
  • When the services provided change;
  • When a serious security incident occurs;
  • When serious vulnerabilities are reported.

In order to harmonise risk analyses, the SG Committee will establish a benchmark assessment for the different types of information handled and the different services provided.

The methodology used for risk analysis is MAGERIT, which allows the risks to the different information assets to be identified, assessed and managed in terms of their effect on the principles of confidentiality, integrity, availability, authenticity and traceability.

The SG Committee will promote the availability of resources to meet the security needs of the different systems, favouring horizontal investments.

10. Information security policy development

This Information Security Policy is complemented by the security policies of Ivnosys Soluciones S.L.U. on specific matters:

  • Management System Policy
  • Statements of Practices and Policies of eIDAS services
  • Policy on acceptable use of assets
  • Security risk analysis
  • Incident Management
  • Asset Management
  • Physical and Environmental Security
  • Access Control
  • Communications and Operations Security
  • Security Organisation
  • Continuity
  • Change management
  • Information classification
  • Secure development
  • Continuous improvement

This Policy will be developed by means of security regulations that address specific aspects. The security regulations will be available to all members of the organisation who need to know them and, in particular, to those who use, operate or manage information and communication systems.

These regulations (processes, procedures, work instructions and any other necessary documentation) will be published in the Confluence Management System, as well as on the Ivnosys corporate Wiki.

11. Staff obligations

All members of Ivnosys Soluciones S.L.U. have the obligation to know and comply with this Information Security Policy and the Security Regulations, and the SG Committee is in charge of providing the necessary means for this information to reach those affected.

All members of Ivnosys Soluciones S.L.U., within the framework of the Annual Training Plan, will attend an awareness session on ICT security at least once a year. An ongoing awareness programme will be set up, based on the regular dissemination of emails on information security, addressed to all members of Ivnosys Soluciones S.L. and particularly to new recruits. For new recruits, specific training and an evaluation of the knowledge acquired will also be carried out as part of the process of joining the organisation.

People in charge of the use, operation or administration of ICT systems will be trained in the secure operation of those systems to the extent they need it to carry out their work. Training will be mandatory before taking on a responsibility, whether it is their first assignment or a change of job or responsibilities.

12. Third parties

When Ivnosys Soluciones S.L.U. provides services to other organisations or handles information from other organisations, those organisations will be made aware of this Information Security Policy; channels for reporting to and coordinating with their respective managers will be established, together with procedures, in accordance with the organisation’s Incident Management Procedure, to respond to any security incidents that may occur.

When Ivnosys Soluciones S.L.U. uses third-party services or provides information to third parties, those services or that information will be covered by this Security Policy and by the Security Regulations that apply to them. The third party will be subject to the obligations established in these regulations, while being free to develop its own operational procedures to meet them. Specific procedures will be established for reporting and resolving incidents. It shall be guaranteed that third-party personnel are adequately aware of security matters, at least to the level established in this Policy. If any aspect of the Policy cannot be met by a third party, as described in the preceding paragraphs, the Security Manager and the Service Manager will meet to define and specify the risks incurred and how to deal with them.
