INFORMATION SECURITY POLICY
1. INTRODUCTION
Information is a primary asset for APTICA, insofar as it is essential for the provision of a large proportion of its services, which depend on ICT systems (Information and Communication Technologies) in order to achieve their objectives. Notwithstanding this, the unquestionable improvements brought by such systems to the processing of information are accompanied by new risks and, therefore, it is necessary to introduce specific measures to protect both the information and the services that depend upon it. These systems must be managed with due diligence, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity and traceability of the information processed.
The objective of information security is to guarantee the quality of information and the continuous provision of services by acting preventively, monitoring daily activity and responding promptly to incidents, with a view to reducing the risks to which they are exposed to a level that is deemed acceptable.
ICT systems must be protected against rapidly evolving threats that may affect the confidentiality, integrity, availability, authenticity, traceability, intended use and value of information and services.
In order to defend against such threats, a strategy is required that adapts to changes in environmental conditions so as to ensure the continuous provision of services.
This implies that departments must apply the minimum security measures required by the National Security Framework (Esquema Nacional de Seguridad, ENS), as well as continuously monitor service provision levels, track and analyse reported vulnerabilities, and prepare an effective incident response in order to guarantee the continuity of the services provided.
The various departments must ensure that ICT security forms an integral part of every stage of the system life cycle, from its conception to its decommissioning, including development or procurement decisions and operational activities, and must be prepared to prevent, detect, respond to and recover from incidents, in accordance with the provisions of the National Security Framework.
Security requirements and funding needs must be identified and included in planning, requests for tenders and tender specifications for ICT projects.
Within each organisation, only its senior management has the necessary authority to set the acceptable level of risk, order updates and enable the means required to carry them out.
In this regard, establishing an information security policy and the subsequent allocation of tasks and responsibilities are priority actions, as they are the principal instruments for the governance of security and constitute the framework of reference for all subsequent actions.
This document sets out APTICA’s Information Security Policy and shall be complemented by the development of the security organisation.
2. PREVENTION, DETECTION, RESPONSE AND RECOVERY IN RELATION TO INCIDENTS
2.1. PREVENTION
Departments must avoid, or at least minimise insofar as possible, information or services being adversely affected by security incidents.
To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment.
These controls, together with the security roles and responsibilities of all personnel, must be clearly defined and documented.
In order to ensure compliance with the policy, departments must:
- Authorise systems before they enter operation.
- Regularly assess security, including assessment of routine configuration changes.
- Request periodic third-party reviews in order to obtain an independent assessment.
2.2. DETECTION
Since incidents can rapidly degrade services, from a simple slowdown to a complete interruption, departments must continuously monitor operations in order to detect anomalies in service provision levels and act accordingly, as established by the ENS. Monitoring is especially relevant where lines of defence are established in accordance with the ENS.
Detection, analysis and reporting mechanisms shall be established so that reports reach those responsible on a regular basis and whenever a significant deviation occurs from parameters previously established as normal.
2.3. RESPONSE
Departments must:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in other departments or other bodies.
- Establish protocols for the exchange of information related to the incident. This includes two-way communications with Computer Emergency Response Teams (CERTs).
2.4. RECOVERY
In order to guarantee the availability of critical services, departments must develop ICT systems continuity plans as part of their general business continuity and recovery activities plan.
3. SCOPE
This policy applies to all APTICA ICT systems that support the following services: Consultancy and Installation Services, Commissioning, Warranties, Development, Commercialisation and Maintenance of Hardware and Software.
In accordance with the current system categorisation, these services are carried out from Avda. de la Albufera 321, 1st Floor – Office 1, 28031 Madrid, Spain.
It also applies to all members of the organisation, without exception.
4. MISSION
Within APTICA, and within the scope of the aforementioned services it provides, the organisation acts in accordance with the principles of effectiveness, hierarchy, decentralisation and coordination, promotes all kinds of activities and provides services that contribute to satisfying the needs and aspirations of its clients.
Accordingly, in each service, APTICA devotes every effort to providing a service characterised by being both functional and secure.
5. REGULATORY FRAMEWORK
As the regulatory basis for preparing this security policy, the current legislation applicable to the organisation's activities that explicitly requires the implementation of security measures in its information systems has been analysed.
The applicable legal framework in the field of information security is established by the following legislation:
- Law 11/2007 of 22 June on citizens’ electronic access to public services, which, in Article 42.2 regarding the National Security Framework, establishes as one of its principles that there must be a framework of reference setting out the conditions of trust necessary for the use of electronic means.
- Royal Decree 311/2022 of 5 May, regulating the National Security Framework in the field of Electronic Administration, which lays down the basic principles and minimum requirements, as well as the protection measures to be implemented in Administration systems.
- Royal Decree 951/2015 of 23 October, amending Royal Decree 3/2010 of 8 January, which regulates the National Security Framework in the field of Electronic Administration.
- Royal Decree 311/2022 of 3 May 2022, regulating the National Interoperability Framework in the field of Electronic Administration, the purpose of which is to create the necessary conditions to guarantee an adequate level of technical, semantic and organisational interoperability of the systems and applications used by public administrations, thereby enabling the exercise of rights and fulfilment of obligations through electronic access to public services, while also contributing to effectiveness and efficiency.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights.
- Royal Decree-Law 28/2020 of 22 September on remote working.
6. SECURITY ORGANISATION
The management of information security requires the existence of an organisational structure which, in accordance with Article 10 of the ENS, defines distinct responsibilities in relation to information requirements, service requirements and security requirements.
This organisational structure regarding information security at APTICA is established as follows:
6.1. INDIVIDUAL ROLES
Information Owner:
- Determines the security requirements of the information processed, in accordance with the parameters set out in Annex I of the ENS.
- Approves the information security levels. (This activity is non-delegable.)
- Assesses the consequences of a negative impact on information security, taking into account the effect on the organisation's ability to achieve its objectives, protect its assets, fulfil its service obligations, comply with the law and respect citizens' rights.
Service Owner:
- Determines the security levels of services, in accordance with the parameters set out in Annex I of the ENS.
- Approves the service security levels. (This activity is non-delegable.)
- Includes security specifications in the life cycle of services and systems, together with the corresponding control procedures.
- Assesses the consequences of a negative impact on service security, taking into account the effect on the organisation's ability to achieve its objectives, protect its assets, fulfil its service obligations, comply with the law and respect citizens' rights.
Security Officer:
- Determines the security decisions required to satisfy the requirements established by the Information Owner and the Service Owner.
- Requires, on an objective basis, that organisations providing security services employ qualified professionals and maintain appropriate levels of management and maturity in the services provided.
- When acquiring security products related to information and communication technologies, assesses and selects those whose security functionality relevant to the purpose of the acquisition has been certified, in proportion to the system category and security level determined, except where, in the Security Officer's opinion, proportionality requirements in view of the risks assumed do not justify this.
- Extends the security measures provided for in Annex II of the ENS with any others necessary to ensure the proper processing of personal data.
- Replaces the security measures provided for in Annex II of the ENS whenever it is documented that the replacements protect the assets against the risk equally well or better and satisfy the basic principles and minimum requirements set out in Chapters II and III of the Royal Decree.
- Indicates in the Statement of Applicability, in detail, the correspondence between the compensatory measures implemented and the measures in Annex II of the ENS which they compensate for.
- Formalises and signs the Statement of Applicability.
- Analyses self-assessment and/or audit reports and submits the conclusions to the System Owner so that appropriate corrective measures may be adopted.
- Promotes training and awareness in the field of information security within his or her area of responsibility.
System Owner:
- Is responsible for the operation of the information system.
- Implements the security measures determined by the Security Officer.
- Adopts appropriate corrective measures on the basis of the conclusions received from the Security Officer arising from the analysis of self-assessment and/or audit reports.
- In the case of HIGH-category systems, having considered the audit opinion, may agree to withdraw from operation certain information, a service or the system as a whole for such period as is deemed prudent and until the prescribed modifications have been implemented.
Data Protection Officer:
- Advises on the documentation necessary to demonstrate compliance with the GDPR and the LOPDGDD, including, among other things, policies, procedures, contracts, templates and forms, and ensures that such documentation is kept up to date.
- Informs and provides expert advice to all personnel regarding their obligation to comply with the relevant provisions of the GDPR and the LOPDGDD concerning the processing of personal data.
- Monitors compliance with the GDPR and the LOPDGDD and promptly informs the relevant stakeholders within the Company of any changes.
- Acts as the sole point of contact for the supervisory authority on matters related to the processing of personal data and consults with the supervisory authority, where necessary, on any other relevant issues concerning personal data.
- Acts as the principal point of contact for employees and all data subjects and cooperates with all staff members on data protection matters.
- Provides advice and guidance on the Data Protection Impact Assessment (DPIA), including carrying out or supervising the performance of the DPIA.
- Assists the System Owner when reporting personal data security breaches and in taking the necessary measures to inform the relevant stakeholders where required.
- Monitors compliance with data protection policies and any other internal document relating to data protection.
- Advises the organisation on the Privacy Policies to be provided to data subjects at the time their personal data are collected.
- Performs all other inherent functions not expressly stated herein which arise from current legislation on the protection of personal data.
Information System Owner:
- Is responsible for the operation of the information system, in accordance with the security measures determined by the Security Officer.
- Adopts appropriate corrective measures arising from the conclusions of self-assessment reports and/or audit reports analysed by the competent Security Officer.
- In the case of HIGH-category systems, having considered the audit opinion, may agree to withdraw from operation certain information, a service or the system as a whole for such period as is deemed prudent and until the prescribed modifications have been implemented.
7. RISK MANAGEMENT
All systems subject to this Policy must undergo a risk analysis, assessing the threats and risks to which they are exposed.
This analysis shall be repeated:
- regularly, at least once a year;
- whenever the information handled changes;
- whenever the services provided change;
- whenever a serious security incident occurs;
- whenever serious vulnerabilities are reported.
8. DEVELOPMENT OF THE INFORMATION SECURITY POLICY
This Information Security Policy complements the security policies in different areas that apply within the organisation, such as:
- Policy on the proper use of organisational resources.
- Password policy.
- Mobile devices policy.
- Clean desk policy.
- Clear screen policy.
- Cryptography policy.
- Social engineering policy.
- Backup policy.
- Remote access policy.
- Remote working policy.
- Metadata removal policy.
This Policy shall be developed by means of security regulations addressing specific aspects. The security regulations shall be made available to all members of the organisation who need to know them, in particular those who use, operate or administer information and communications systems.
9. STAFF OBLIGATIONS
All members have an obligation to know and comply with this Information Security Policy and the Security Regulations, and it shall be the responsibility of the ICT Security Committee to provide the necessary means to ensure that the information reaches those concerned.
All members shall attend an ICT security awareness session at least once a year.
A continuous awareness programme shall be established for all members of the organisation, particularly new starters.
Persons with responsibility for the use, operation or administration of ICT systems shall receive training for the secure handling of such systems to the extent necessary for them to carry out their work.
Training shall be mandatory before assuming a responsibility, whether it is the person's first assignment or a change of role or responsibilities within the same position.
10. THIRD PARTIES
Where APTICA provides services to other bodies and/or handles information belonging to other bodies, such bodies shall be informed of this Information Security Policy, channels shall be established for reporting and coordination between the respective ICT Security Committees, and procedures shall be established for responding to security incidents.
Where APTICA uses third-party services or discloses information to third parties, such third parties shall be informed of this Security Policy and of the Security Regulations relating to those services or that information.
Such third parties shall be subject to the obligations established in those regulations and may develop their own operational procedures in order to comply with them.
Specific procedures for incident reporting and resolution shall be established, ensuring that third-party personnel are suitably aware of security matters, at least to the same level as that established in this Policy.
Where any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report shall be required from the Security Officer specifying the risks incurred and the manner in which they are to be addressed.
That report must be approved by the owners of the affected information and services before proceeding further.
11. PERSONAL DATA
APTICA processes personal data in its daily activities and is therefore subject to the compliance obligations imposed by the legislation in force, as specified in section 5, REGULATORY FRAMEWORK, of this Policy.
All processing of personal data shall comply with the requirements of current legislation, ensuring that such data are:
- processed lawfully, fairly and transparently in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date, with all reasonable measures being taken to ensure that personal data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing, and not retained for longer periods unless they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the applicable legislation in force in order to protect the rights and freedoms of the data subject;
- processed in such a manner as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
The Privacy Policies applicable to each specific case exist and are available to data subjects, who may request them, free of charge, by written request addressed to the following email address: info@aptica.es.
12. APPROVAL AND ENTRY INTO FORCE
The Information Security Policy shall be reviewed by the Information Security Committee at planned intervals not exceeding one year, or whenever significant changes occur, in order to ensure that it remains suitable, adequate and effective.
This Information Security Policy shall be effective from that date until it is replaced by a new Policy.