1. APPROVAL AND ENTRY INTO FORCE
Text (excerpt) approved on October 14, 2021. This Information Security Policy is effective from that date and until superseded by a new Policy.
2. INTRODUCTION
SOLUCIONES Y SERVICIOS TELEMÁTICOS SL depends on ICT (Information and Communications Technology) systems to achieve its objectives. These systems must be managed with diligence, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continued provision of services, acting preventively, supervising daily activity and reacting promptly and diligently to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, a strategy that adapts to changes in environmental conditions is required to ensure the continuous provision of services. This implies that the departments must apply the minimum security measures required by the UNE ISO/IEC 27001 standard, as well as carry out continuous monitoring of the levels of service provision, monitor and analyze the reported vulnerabilities, and prepare an effective response to the incidents to guarantee the continuity of the services provided.
The different departments must ensure that ICT security is an integral part of each stage of the system’s life cycle, from conception to decommissioning, through development or acquisition decisions and operational activities. Security requirements and financing needs must be identified and included in planning, request for proposals, and bidding documents for ICT projects.
Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with security regulations.
3. SCOPE
The General Scope of the information systems associated with the business processes that are subject to certification of the UNE ISO/IEC 27001 standard is as follows: “ Proactive maintenance and monitoring service of the telecommunications infrastructure of its clients ”.
4. MISSION, COMMITMENT AND LEADERSHIP
The Management of SOLUCIONES Y SERVICIOS TELEMÁTICOS SL undertakes to facilitate and provide the necessary resources for the establishment, implementation, maintenance and improvement of the Information Security Management System, as well as to demonstrate leadership and commitment with respect to it, through of the constitution of the Security Committee, of its functions and responsibilities. It is the mission of this Directorate:
- Maintain full legal compliance
- Promote training and awareness plans
- Maintain optimum reputational levels
- Efficiently and effectively manage security incidents
- Develop an adequate communicative and transparent policy
- In general, preserve the confidentiality, integrity and availability of the information
This commitment extends to the interested parties described in the context of the ISMS, to satisfy their interests and expectations in information security.
5. REGULATORY FRAMEWORK
SOLUCIONES Y SERVICIOS TELEMÁTICOS SL is subject, by way of example and not limitation, to the following rules and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and by which repeals Directive 95/46/EC (General Data Protection Regulation)
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights
- Law 34/2002, of July 11, on services of the information society and electronic commerce
- Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law
- Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism
- Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration
- Law 9/2014, of May 9, General Telecommunications
- Law 25/2007, of October 18, on the conservation of data related to electronic communications and public communications networks
6. ISMS SECURITY OBJECTIVES
SOLUCIONES Y SERVICIOS TELEMÁTICOS SL, in order to achieve compliance with its main body and its annex A, which include the basic principles and minimum requirements, has implemented various security measures proportional to the nature of the information and services to be protected and taking into account your risk analysis and your statement of applicability.
7. OBLIGATIONS OF STAFF
All members of SOLUCIONES Y SERVICIOS TELEMÁTICOS SL have the obligation to know and comply with this Information Security Policy and the Security Regulations, the Security Committee being responsible for providing the necessary means for the information to reach those affected.
All members of SOLUCIONES Y SERVICIOS TELEMÁTICOS SL will attend an ICT security awareness session at least once a year. A continuous awareness program will be established to attend to all members of SOLUCIONES Y SERVICIOS TELEMÁTICOS SL, particularly those who have recently joined.
People with responsibility for the use, operation or administration of ICT systems will receive training in the safe handling of the systems to the extent that they need it to carry out their work. The training will be mandatory before assuming a responsibility, whether it is your first assignment or if it is a change of job or responsibilities in it.
8. THIRD PARTIES
When SOLUCIONES Y SERVICIOS TELEMÁTICOS SL provides services to third parties, they will be made participants of this Information Security Policy, channels will be established for reporting and coordination of the respective Security Committees and action procedures will be established for reaction to security incidents. .
When SOLUCIONES Y SERVICIOS TELEMÁTICOS SL subcontracts services to third parties or transfers information to third parties, within the framework of a provision of services to third parties, they will be made participants of this Security Policy and the Security Regulations that pertain to said services or information. Said third party will be subject to the obligations established in said regulations, being able to develop its own operating procedures to satisfy it. Specific incident reporting and resolution procedures will be established. It will be guaranteed that third-party personnel are adequately aware of security matters, at least to the same level as that established in this Policy.
When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Manager will be required specifying the risks incurred and how to treat them. Approval of this report by those responsible for the affected information and services will be required before moving forward.