SECURITY POLICY
1. Approval and entry into force
This Information Security Policy is effective from the date of signing and until it is replaced by a new Policy.
2. Organization’s mission
INFORTEC, aware of the importance of ICT (Information and Communications Technologies) systems to achieve its objectives and assuming its commitment to the quality and security of information, develops appropriate procedures in order to offer all its stakeholders the greatest guarantees regarding the quality and security of the information used.
These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, authenticity, traceability or confidentiality of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continued provision of services, acting preventively, supervising daily activity and reacting promptly to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use and value of information and services. Defending against these threats requires a strategy that adapts to changes in environmental conditions to ensure the continuous provision of services. This implies that departments must apply the minimum security measures required by the National Security Scheme, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of services provided.
The different departments must ensure that ICT quality and security is an integral part of each stage of the system lifecycle, from its conception to its decommissioning, including development or acquisition decisions and operating activities. Quality and security requirements, as well as funding needs, must be identified and included in planning, requests for proposals, and bidding documents for ICT projects.
3. Scope
This policy applies to all ICT systems of the entity and to all members of the organization, involved in Services and Projects aimed at the public sector, that require the application of ENS, without exceptions.
That is:
The information systems that support the outsourced services for the selection and recruitment of profiles for the technology areas of client companies.
4. Objectives
For all the above, the Management establishes the following objectives for the quality and security of information:
- Provide a framework that increases resilience and enables an effective response.
- Ensure the rapid and efficient recovery of services after any physical disaster or contingency that puts the continuity of operations at risk.
- Prevent information security incidents to the extent that it is technically and economically viable, as well as mitigate the information security risks generated by our activities.
- Guarantee the confidentiality, integrity, availability, authenticity and traceability of information.
5. Regulatory framework
One of the objectives must be to comply with applicable legal requirements and with any other requirements that we subscribe to, in addition to the commitments acquired with customers and other interested parties, and to keep these continuously up to date. To this end, the legal and regulatory framework in which we carry out our activities is recorded in our list of legal requirements in force, which is reviewed and updated at the frequency established in our management system.
6. Development
In order to achieve these objectives, it is necessary to:
- Continuously improve our quality and information security system
- Identify potential threats, as well as the impact on business operations that such threats, if materialized, may cause.
- Preserve the interests of its main stakeholders (customers, employees and suppliers), reputation, brand and value creation activities.
- Work jointly with our suppliers and subcontractors to improve the provision of IT services, the continuity of services and the security of information, all of which contribute to the greater efficiency of our activity.
- Evaluate and guarantee the technical competence of personnel, and ensure they are adequately motivated to participate in the continuous improvement of our processes, providing the appropriate training and internal communication so that they apply the good practices defined in the system.
- Guarantee the correct state of the facilities and adequate equipment, so that they correspond to the activity, objectives and goals of the company.
- Guarantee a continuous analysis of all relevant processes, establishing the pertinent improvements in each case, depending on the results obtained and the objectives established.
- Structure our management system in a way that is easy to understand. Our management system has the following structure:
The management of our system is entrusted to the Head of IT Systems and the System Manager (Quality). The system will be available in a repository within our information system, accessible according to the access profiles granted under our current access management procedure.
7. Security organization
The essential responsibility lies with the General Management of the organization, since it is responsible for organizing the functions and responsibilities and for providing the appropriate resources to achieve the objectives of the ENS and of the UNE-EN ISO 9001:2015 and UNE-ISO/IEC 27001:2023 standards. Managers are also responsible for setting a good example by following the established quality and security standards.
These principles are assumed by the Management, which provides the necessary means and gives its employees sufficient resources to comply with them, expressing and making them public through this Integrated Management Systems Policy.
The defined security roles or functions are:
| Function | Duties and responsibilities |
| --- | --- |
| Information Manager | Make decisions regarding the information processed |
| Service Manager | Coordinate the implementation of services; continuously improve services |
| Security Manager | Determine the suitability of technical measures; provide the best technology for the service |
| System Manager | Coordinate the implementation of the system; continuously improve the system |
| Management | Provide the necessary resources for the system; lead the system |
| Security Administrator | Implementation, management and maintenance of security measures |
This definition of duties and responsibilities is completed in the job profiles and in the system document Register of managers, roles and responsibilities.
Conflict resolution
Differences of criteria that could lead to a conflict will be dealt with within the SIG Committee and the criteria of the General Management will prevail in any case.
8. Information Security Committee
Its members are designated and renewed by ratification in the security committee.
The committee for the management and coordination of security is the body with the greatest responsibility within the information security management system, so that all the most important decisions related to security are agreed by this committee.
The members of the information security committee are:
- Information Manager
- Service Manager
- Security Manager
- System Manager
These members are appointed by the committee, the only body that can appoint, renew and dismiss them.
The security committee is an autonomous executive body with its own decision-making authority, and it does not subordinate its activity to any other element of our company.
The organization of Information Security is developed in the document complementary to this Security Organization Policy.
This policy is complemented by the rest of the Policies, procedures and documents in force to develop our management system.
9. Risk Management
All systems subject to this Policy must carry out a risk analysis, evaluating the threats and risks to which they are exposed. This analysis is reviewed regularly:
- At least once a year;
- When the information handled changes;
- When the services provided change;
- When a serious security incident occurs;
- When serious vulnerabilities are reported.
For the harmonization of risk analyses, the ICT Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The ICT Security Committee will promote the availability of resources to meet the security needs of the different systems, promoting horizontal investments.
For the realization of the risk analysis, the risk analysis methodology developed in the Risk Analysis procedure will be taken into account.
10. Personnel Management
All members of Our Organization have the obligation to know and comply with this Quality and Information Security Policy and the Security Regulations; the ICT Security Committee is responsible for providing the necessary means for this information to reach those affected.
All members of Our Organization will attend an awareness session on ICT quality and security at least once a year. A continuous awareness program will be established to serve all members of Our Organization, in particular those newly incorporated.
People with responsibility in the use, operation or administration of ICT systems will receive training for the safe handling of systems to the extent that they need it to perform their work. The training will be mandatory before assuming a responsibility, whether it is their first assignment or if it is a change of job or responsibilities in it.
11. Professionalism and security of human resources
This Policy applies to all personnel of Our Organization and external personnel who perform tasks within the company.
HR will include information quality and security functions in employee job descriptions, inform all personnel they hire of their obligations regarding compliance with the Information Security Policy, manage Confidentiality Commitments with personnel, and coordinate user training tasks regarding this Policy.
The Security Manager is responsible for monitoring, documenting, and analyzing reported security incidents, as well as communicating to the Information Security Committee and information owners.
The Information Security Committee will be responsible for implementing the means and channels necessary for the Security Manager to handle reports of incidents and system anomalies. The Committee will also be informed of incidents, monitor their investigation and evolution, and promote the resolution of information security incidents.
The Security Manager will participate in the preparation of the Confidentiality Commitment to be signed by employees and third parties performing functions in Our Organization, in advising on the sanctions to be applied for non-compliance with this Policy, and in the handling of information security incidents.
All personnel of Our Organization are responsible for reporting weaknesses and information security incidents that are detected in a timely manner.
Professionalism of human resources:
- Determine the necessary competence of personnel to carry out the work that affects Information Security
- Ensure that people are competent on the basis of adequate education, training or experience
- Demonstrate, through documented information, the competence of personnel in matters of Information Security.
The objectives of controlling personnel security are:
- Reduce the risks of human error, commission of irregularities, misuse of facilities and resources, and unauthorized handling of information.
- Explain the security responsibilities in the personnel recruitment stage and include them in the agreements to be signed and verify their compliance during the performance of the employee’s tasks.
- Ensure that users are aware of the threats and information security concerns and are trained to support the organization’s Quality and Information Security Policy in the course of their normal tasks.
- Establish confidentiality commitments with all personnel and users outside the information processing facilities.
- Establish the necessary tools and mechanisms to promote the communication of existing security weaknesses, as well as incidents, in order to minimize their effects and prevent their recurrence.
12. Authorization and control of access to Information Systems
The objective of controlling access to information systems is:
- Prevent unauthorized access to information systems, databases and information services.
- Implement security in user access through authentication and authorization techniques.
- Control security in the connection between our Organization’s network and other public or private networks.
- Review critical events and activities carried out by users in the systems.
- Raise awareness about their responsibility for the use of passwords and equipment.
- Ensure information security when laptops and personal computers are used for remote work.
13. Protection of facilities
The objectives of this policy regarding the protection of facilities are:
- Prevent unauthorized access, damage and interference to the headquarters, facilities and information of our organization.
- Protect the critical information processing equipment of Our Organization, placing it in protected areas within a defined security perimeter, with appropriate security measures and access controls. Likewise, provide for its protection during transfer and while it remains outside the protected areas for maintenance or other reasons.
- Control the environmental factors that could harm the proper functioning of the computer equipment that houses the information of our Organization.
- Implement measures to protect the information handled by personnel in offices, within the normal framework of their usual tasks.
- Provide protection proportional to the risks identified.
- This Policy applies to all physical resources related to the information systems of our Organization: facilities, equipment, cabling, records, storage media, etc.
- The Security Manager, together with the Information Owners, as appropriate, will define the physical and environmental security measures for the protection of critical assets, based on a risk analysis, and will supervise their implementation. They will also verify compliance with physical and environmental security provisions.
- The heads of the different departments will define the levels of physical access for Our Organization’s personnel to the restricted areas under their responsibility. The Information Owners will formally authorize off-site work with information about their business to Our Organization’s employees when they deem it appropriate.
- All personnel of Our Organization are responsible for complying with the clean screen and desk policy, for the protection of information related to daily work in the offices.
14. Product acquisition
The different departments must ensure that ICT Quality and security is an integral part of each stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and operating activities. Security requirements and funding needs must be identified and included in planning, in requests for proposals, and in bidding documents for ICT projects.
On the other hand, the quality and security of information will be taken into account in the acquisition and maintenance of information systems, limiting and managing change.
The information system development and acquisition policy is developed in the Acquisition, Development and Maintenance of Systems Policy document.
15. Security by default
Our Organization considers it strategic that the entity's processes integrate information security as part of their lifecycle. Information systems and services must include security by default from creation to decommissioning, including security in development and/or acquisition decisions and in all operating activities, establishing security as an integral and transversal process.
16. System integrity and updating
Our Organization is committed to ensuring system integrity through a change management process that controls the updating of physical or logical elements by requiring prior authorization before their installation in the system. This control will be carried out mainly by systems management, which will evaluate the impact on system security before making changes and will document and control those changes assessed as important or as having implications for system security.
Through periodic security reviews, the security status of the systems will be evaluated, in relation to the manufacturers’ specifications, the vulnerabilities and the updates that affect them, reacting diligently to manage the risk in view of the security status of these.
17. Protection of information stored and in transit
Our Organization establishes protection measures for the Security of Information stored or in transit through insecure environments. Portable equipment, personal digital assistants (PDAs), peripheral devices, information media and communications over open networks or with weak encryption will be considered insecure environments.
18. Prevention of interconnected information systems
Our Organization establishes protection measures for Information Security, especially to protect the perimeter, in particular where the system connects to public networks, and above all where these are used wholly or mainly for the provision of electronic communications services available to the public.
In any case, the risks derived from the interconnection of the system, through networks, with other systems will be analyzed, and the point of interconnection will be controlled, including electronic connections available to the public.
19. Activity logs
Our Organization will record user activities, retaining the information necessary to monitor, analyze, investigate and document improper or unauthorized activities, allowing the identification at all times of the person acting.
The main objectives of Incident Management are to:
- Establish a system for detecting and reacting to malicious code.
- Have procedures for managing security incidents and weaknesses detected in the elements of the information system.
- These procedures will cover the detection mechanisms, the classification criteria, the analysis and resolution procedures, as well as the communication channels to the interested parties and the recording of the actions.
- This record is used for the continuous improvement of system security.
- Ensure that IT services return to optimal performance.
- Reduce the possible risks and impacts that the incident may cause.
- Ensure the integrity of the systems in the event of a security incident.
- Communicate the impact of an incident as soon as it is detected in order to raise the alarm, and implement an appropriate business communication plan.
- Promote business efficiency.
20. Business continuity
Our Organization, with the objective of guaranteeing the continuity of activities, establishes measures so that the systems have backup copies, and establishes the necessary mechanisms to guarantee the continuity of operations in case of loss of the habitual means of work.
21. Continuous improvement of the security process
Our Organization establishes a process of continuous improvement of information security applying the criteria and methodology established in international standards and that are integrated into this Quality and Information Security Management System.
22. Minimum Privileges
Access to the organization’s systems, data, and resources will be granted under the principle of least privilege, ensuring that each user, process, or device only has the permissions strictly necessary to perform their functions. Role-based access controls and periodic reviews will be implemented to ensure compliance with this policy, minimizing the risk of improper access or malicious use of information.
23. Security Incidents
All security incidents must be identified, reported, analyzed, and managed in a timely manner to mitigate their impact on the organization. A formal incident response procedure will be established, including classification, containment, eradication, recovery, and communication. In addition, staff training will be promoted for the early recognition of incidents and the continuous improvement of security management processes.
Approved by Management
