Security and ISMS Policy

1. APPROVAL AND EFFECTIVE DATE

Text (excerpt) approved on October 14, 2021. This Information Security Policy is effective from that date until it is replaced by a new Policy.

2. INTRODUCTION

SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. depends on ICT (Information and Communications Technologies) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the information processed or the services provided. The objective of information security is to ensure the quality of information and the continued provision of services, acting preventively, monitoring daily activity and reacting promptly and diligently to incidents. ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use, and value of information and services. Defending against these threats requires a strategy that adapts to changes in environmental conditions to ensure the continuous provision of services. This implies that departments must apply the minimum security measures required by the UNE ISO/IEC 27001 standard, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of services provided. The various departments must ensure that ICT security is an integral part of each stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and bidding documents for ICT projects. Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with security regulations.

3. SCOPE

The General Scope of the information systems associated with the business processes that are subject to UNE ISO/IEC 27001 certification is as follows: “Service for maintenance and proactive monitoring of the telecommunications infrastructure of its clients”.

4. MISSION, COMMITMENT AND LEADERSHIP

The Management of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. is committed to facilitating and providing the resources necessary for the establishment, implementation, maintenance, and improvement of the Information Security Management System, as well as demonstrating leadership and commitment to it, through the constitution of the Security Committee, its functions, and responsibilities. It is the mission of this Management to:
  • Maintain full legal compliance.
  • Promote training and awareness plans.
  • Maintain optimal reputational levels.
  • Manage security incidents effectively and efficiently.
  • Develop an adequate and transparent communication policy.
  • In general, preserve the confidentiality, integrity and availability of information.
This commitment extends to the interested parties described in the context of the ISMS, to satisfy their interests and expectations in information security.

5. REGULATORY FRAMEWORK

SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. is subject to, but not limited to, the following rules and regulations:
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and guarantee of digital rights.
  • Law 34/2002, of July 11, 2002, on information society services and electronic commerce.
  • Royal Legislative Decree 1/1996, of April 12, 1996, Intellectual Property Law.
  • Law 10/2010, of April 28, 2010, on the prevention of money laundering and financing of terrorism.
  • Royal Decree 3/2010, of January 8, 2010, which regulates the National Security Scheme in the field of Electronic Administration.
  • Law 9/2014, of May 9, 2014, General Telecommunications Law.
  • Law 25/2007, of October 18, 2007, on the conservation of data relating to electronic communications and public communications networks.


6. ISMS SECURITY OBJECTIVES

SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L., to achieve compliance with its main body and its annex A, which contain the basic principles and minimum requirements, has implemented various security measures proportional to the nature of the information and services to be protected and taking into account its risk analysis and its statement of applicability.

7. PERSONNEL OBLIGATIONS

All members of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. have the obligation to know and comply with this Information Security Policy and the Security Regulations; it is the responsibility of the Security Committee to provide the necessary means to ensure that the information reaches those affected. All members of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. will attend an ICT security awareness session at least once a year. A continuous awareness program will be established to cater to all members of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L., particularly new hires. Individuals with responsibility for the use, operation, or administration of ICT systems will receive training for the secure handling of systems to the extent that they need it to perform their work. Training will be mandatory before assuming a responsibility, whether it is their first assignment or a change of job or responsibilities in the same job.

8. THIRD PARTIES

When SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. provides services to third parties, they will be made participants of this Information Security Policy, channels will be established for reporting and coordination of the respective Security Committees and procedures will be established to react to security incidents. When SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. subcontracts services with third parties or transfers information to third parties, within the framework of a provision of services to third parties, they will be made aware of this Security Policy and the Security Regulations pertaining to said services or information. Said third party will be subject to the obligations established in said regulations, and may develop its own operating procedures to satisfy them. Specific incident reporting and resolution procedures will be established. It will be guaranteed that the personnel of third parties are adequately aware of security matters, at least to the same level as that established in this Policy. When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Manager will be required, specifying the risks incurred and how to address them. Approval of this report by those responsible for the information and services affected will be required before proceeding.
