ENS Security Policy

  1. Approval and entry into force

This Information Security Policy is effective from the date of signature until replaced by a new Policy.

  1. Mission of Asseco Spain SA

To achieve its objectives, Asseco Spain  is committed to information security and undertakes proper management of this information in order to offer all its stakeholders the highest guarantees regarding the security of the information used.

Our mission is to offer high-impact 360 technological solutions and services with a high level of customization.

These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that could affect the availability, integrity, or confidentiality of the information processed or the services provided.

The objective of information security is to ensure the quality of information and the continued provision of services by acting proactively, monitoring daily activity, and reacting promptly to incidents.

ICT systems must be protected against rapidly evolving threats that have the potential to impact the confidentiality, integrity, availability, intended use, and value of information and services. Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure the continued provision of services. This means that departments must implement the minimum security measures required by the National Security Framework, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective incident response to ensure the continuity of the services provided.

The various departments must ensure that IT security is an integral part of every stage of the system’s lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified for both the products they develop and their associated services, as well as for the underlying software acquired from third parties.

Departments must be prepared to prevent, detect, react to, and recover from incidents, in accordance with Article 8 of the ENS (Article 8. Prevention, detection, response, and conservation).

  1. Scope

This policy applies to all the entity’s ICT systems and to all members of Asseco Spain SA, involved in Services and Projects for the public sector, which require the application of ENS, without exception. That is: THE INFORMATION SYSTEMS THAT SUPPORT THE Monitoring Service and Management and Maintenance Services for IT systems, networks, communications and security according to the Current Declaration of Applicability

  1. Goals

For all the above reasons, the Management establishes the following information security objectives:

  • Provide a framework for increasing resilience to respond effectively.
  • Ensure the rapid and efficient recovery of services in the event of any physical disaster or contingency that could jeopardize the continuity of operations.
  • Prevent information security incidents to the extent technically and economically feasible, as well as mitigate information security risks generated by our activities.
  • Ensure the confidentiality, integrity, availability, authenticity and traceability of information.
  1. Regulatory framework

One of our objectives must be to comply with applicable legal requirements and any other requirements we sign, in addition to our commitments to clients, as well as to continually update them. To this end, the legal and regulatory framework within which we conduct our activities is:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights.
  • Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.
  • Law 2/2019, of March 1, amending the consolidated text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12, and incorporating into Spanish law Directive 2014/26/EU of the European Parliament and of the Council, of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and of the Council, of September 13, 2017.
  • Royal Decree 311/2022, of May 3, regulating the National Security Scheme.
  • Law 34/2002 of July 11 on Information Society Services and Electronic Commerce (LSSI).
  • Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
  • Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
  1. Development

In order to achieve these objectives it is necessary:

  • Continuously improve our information security system.
  • Identify potential threats, as well as the impact on business operations that such threats, if they materialize, could cause.
  • Preserve the interests of its key stakeholders (customers, shareholders, employees, and suppliers), reputation, brand, and value-creating activities.
  • Working together with our suppliers and subcontractors to improve IT service delivery, service continuity, and information security, resulting in greater efficiency in our operations.
  • Evaluate and guarantee the technical competence of our staff, as well as ensure their adequate motivation to participate in the continuous improvement of our processes, providing appropriate training and internal communication to help them develop the best practices defined in the system.
  • Ensure the proper condition of the facilities and appropriate equipment, so that they are in line with the company’s activity, objectives, and goals.
  • Ensure ongoing analysis of all relevant processes, establishing appropriate improvements in each case based on the results obtained and the established objectives.
  • Structure our management system in a way that is easy to understand. Our management system has the following structure:

Our system is managed by the Security Officer, and the system will be available in our information system in a repository, which can be accessed according to the access profiles granted in accordance with our current access management procedure.

  1. Security organization

The primary responsibility lies with the General Management of Asseco Spain SA, which is responsible for organizing the functions and responsibilities and providing the appropriate resources to achieve the ENS’s objectives. Managers are also responsible for setting a good example by following established safety standards.

These principles are assumed by the Management, which provides the necessary means and provides its employees with sufficient resources for their compliance, reflecting and making them public through these Security Policies.

The defined security roles or functions are:

FunctionDuties and responsibilities
Responsible for information (RINFO)· Make decisions regarding the information processed
Service Manager (RSER)· Coordinate the implementation of the system· Continuously improve the system
Security Officer (RSEG)· Determine the suitability of technical measures· Provide the best technology for the service
System Manager (RSIS)· Coordinate the implementation of the system· Continuously improve the system
Address· Provide the necessary resources for the system· Lead the system

This definition of duties and responsibilities is completed in the job profiles and in the Personnel, Roles and Responsibilities Record system documents.

 CONFLICT RESOLUTION

Any differences of opinion that could lead to a conflict will be addressed within the Security Committee, and the opinion of the Directorate General will prevail in all cases.

  1. Security Committee

The procedure for their appointment and renewal will be ratification by the security committee.

The Security Management and Coordination Committee is the body with the greatest responsibility within the information security management system, so all major security-related decisions are agreed upon by this committee.

The members of the information security committee are:

  • Information Officer
  • Responsible for Services
  • Security Officer
  • System Manager
  • Company Address

These members are appointed by the committee, the only body that can appoint, renew and remove them.

The Safety Committee is an autonomous, executive body with decision-making authority and is not subordinate to any other element of our company.

Asseco Spain SA’s information security policy is developed in the complementary document to this Information Security Organization Policy.

This policy complements the rest of the policies, procedures and documents in force to develop our management system.

  1. Risk Management

All systems subject to this Policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis is reviewed regularly:

  • at least once a year;
  • when the information handled changes;
  • when the services provided change;
  • when a serious security incident occurs;
  • when serious vulnerabilities are reported.

To harmonize risk analyses, the ICT Security Committee will establish a baseline assessment for the different types of information handled and the different services provided. The ICT Security Committee will streamline the availability of resources to address the security needs of the various systems, promoting horizontal investments.

To carry out the risk analysis, the risk analysis methodology developed in the Risk Analysis procedure will be taken into account.

  1. Personnel Management

All members of Asseco Spain SA are required to understand and comply with this Information Security Policy and the Security Regulations. The ICT Security Committee is responsible for ensuring that information reaches those affected.

All Asseco Spain SA members will attend an ICT security awareness session at least once a year. An ongoing awareness program will be established for all Asseco Spain SA members, particularly new recruits.

Individuals responsible for the use, operation, or administration of ICT systems will receive training in the secure use of these systems to the extent necessary to perform their work. Training will be mandatory before assuming any responsibility, whether it is their first assignment or a change in job or responsibilities.

  1. Professionalism and security of human resources

This Policy applies to all Asseco Spain SA personnel and external personnel who perform tasks within the company.

HR will include information security responsibilities in employee job descriptions, inform all contracted personnel of their obligations regarding compliance with the Information Security Policy, manage Confidentiality Commitments with personnel, and coordinate user training regarding this Policy.

  • The Security Management Officer (SMO) is responsible for monitoring, documenting and analyzing reported security incidents, as well as communicating them to the Information Security Committee and information owners.
  • The Information Security Committee will be responsible for implementing the necessary means and channels for the Security Management Officer (SMO) to handle incident and system anomaly reports. The Committee will also monitor, oversee investigation, monitor the progress of information, and promote the resolution of information security incidents.
  • The Security Management Officer (SMO) will participate in the preparation of the Confidentiality Agreement to be signed by employees and third parties performing functions at Asseco Spain A., in advising on the sanctions to be applied for non-compliance with this Policy, and in the handling of information security incidents.
  • All Asseco Spain A. staff are responsible for reporting information security weaknesses and incidents that are detected in a timely manner.
  • Professionalism of human resources:
  • Determine the necessary staff competencies to carry out work affecting Information Security.
  • It is necessary to ensure that people are competent on the basis of appropriate education, training or experience.
  • Demonstrate through documented information that staff competency in Information Security is necessary.

The objectives of controlling staff safety are:

  • Reduce the risks of human error, the commission of irregularities, misuse of facilities and resources, and unauthorized handling of information.
  • Explain security responsibilities during the staff recruitment phase and include them in the agreements to be signed and verify compliance during the employee’s performance of duties.
  • Ensure that users are aware of information security threats and concerns and are trained to support Asseco Spain A.’s Information Security Policy in the course of their normal duties.
  • Establish confidentiality commitments with all staff and users outside of information processing facilities.
  • Establish the necessary tools and mechanisms to promote the communication of existing security weaknesses, as well as incidents, in order to minimize their effects and prevent their recurrence.
  1. Authorization and access control to Information Systems

The objective of access control to information systems is:

  • Prevent unauthorized access to information systems, databases and information services.
  • Implement user access security through authentication and authorization techniques.
  • Control security in the connection between the Asseco Spain A. network and other public or private networks.
  • Review critical events and activities performed by users on the systems.
  • Raise awareness about their responsibility for the use of passwords and equipment.
  • Ensure information security when using laptops and personal computers for remote work.
  1. Protection of facilities

The objectives of this policy regarding the protection of facilities are:

Prevent unauthorized access, damage, and interference to Asseco Spain SA’s headquarters, facilities, and information

  • Protect Asseco Spain A.’s critical information processing equipment by placing it in protected areas and protecting it within a defined security perimeter, with appropriate security measures and access controls. Also, consider protecting it during its transfer and ensuring it remains outside of protected areas for maintenance or other reasons.
  • Control environmental factors that could harm the proper functioning of the computer equipment that houses Asseco Spain SA’s information.
  • Implement measures to protect information handled by office staff, within the normal scope of their routine duties.
  • Provide protection proportional to the identified risks.

This Policy applies to all physical resources related to Asseco Spain SA’s information systems: facilities, equipment, cabling, files, storage media, etc.

It should be noted that in the case of Asseco Spain SA, all development, quality, and other environments are located externally on a secure hosting platform, so only laptops and peripherals need to be protected locally.

The Security Management Officer (SMO), together with the Information Owners, as appropriate, will define the physical and environmental security measures for the protection of critical assets, based on a risk analysis, and will oversee their implementation. They will also verify compliance with physical and environmental security provisions.

The heads of the various departments will define the levels of physical access for Asseco Spain SA personnel to the restricted areas under their responsibility. Information Owners will formally authorize off-site work with information about their business by Asseco Spain SA employees when they deem it appropriate.

All Asseco Spain SA staff are responsible for adhering to the clean screen and desk policy to protect information related to daily office work.

  1. Acquisition of products

Various departments must ensure that ICT security is an integral part of every stage of the system’s lifecycle, from conception to decommissioning, including development or procurement decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and bidding documents for ICT projects.

On the other hand, information security will be taken into account in the acquisition and maintenance of information systems, limiting and managing change.

  1. Security by default

Asseco Spain SA considers it strategic for the entity to integrate information security into its processes as part of their lifecycle. Information systems and services must include security by default from their creation to their retirement, including security in development and/or acquisition decisions and in all operational activities, establishing security as a comprehensive and cross-cutting process.

  1. System integrity and updating

Asseco Spain SA is committed to ensuring system integrity through a change management process that allows for the control of updates to physical or logical elements through authorization prior to their installation in the system. This assessment will be carried out primarily by technical management, which will evaluate the impact on system security before implementing changes and will document those changes that are assessed as significant or have implications for system security.

Through periodic security reviews, the security status of systems will be assessed in relation to manufacturers’ specifications, vulnerabilities, and updates that affect them, reacting diligently to manage the risk based on their security status.

  1. Protection of information stored and in transit

Asseco Spain SA establishes protective measures for the security of information stored or in transit through insecure environments. Insecure environments include laptops, peripheral devices, information media, and communications over open networks or with weak encryption.

  1. Prevention of interconnected information systems

Asseco Spain SA establishes information security protection measures, especially to protect the perimeter, particularly if connected to public networks, especially if they are used in whole or in part for the provision of publicly available electronic communications services.

In any case, the risks arising from the system’s interconnection with other systems through networks will be analyzed, and their connection point will be monitored. Electronic connections are available to the public.

  1. Activity logs

Asseco Spain SA will record user activities, retaining the information necessary to monitor, analyze, investigate, and document improper or unauthorized activities, allowing the individual responsible to be identified at all times.

The main objectives of Incident Management are:

  • Establish a system for detecting and responding to malicious code.
  • Have procedures in place to manage security incidents and weaknesses detected in information system elements.
  • These procedures will cover detection mechanisms, classification criteria, analysis and resolution procedures, as well as communication channels for stakeholders and the recording of actions.
  • This log is used for continuous improvement of system security.
  • Ensure IT services return to optimal performance.
  • Reduce the potential risks and impacts that the incident may cause.
  • Ensure the integrity of systems in the event of a security incident.
  • Communicate the impact of an incident as soon as it’s detected to raise the alarm; and implement an appropriate corporate communications plan.
  • Promote business efficiency.
  1. Continuity of activity

Asseco Spain SA, with the aim of ensuring business continuity, establishes measures to ensure system backups and establishes the necessary mechanisms to guarantee operational continuity in the event of the loss of normal work resources.

  1. Continuous improvement of the security process

Asseco Spain SA establishes a process of continuous improvement in information security by applying the criteria and methodology established in the National Security Framework.

In Madrid, May 20, 2024

General Directorate