Equality Policy
The Management of Asseco Spain SA bases its equality policy on the following principles and commitments:
- All employees have the right to respect for their dignity, as well as the obligation to treat those with whom they interact for work-related purposes (customers, suppliers, etc.) with respect. Therefore, the company’s management declares that sexual harassment and/or harassment based on gender will not be permitted or tolerated under any circumstances. Such conduct must not be ignored, and it will be severely punished.
- Asseco is committed to establishing mechanisms for detecting new inequalities, as well as implementing the necessary procedures that contribute to continuous improvement in equality.
- Asseco is part of the business community with more than 50 employees, and has therefore developed and is implementing an Equality Plan with the legally established scope and content, thereby expressing the regulatory, as well as moral and social, obligation to comply with it.
- Asseco establishes compliance with legal regulations and internal company regulations regarding equality and combating gender-based violence as one of its priority objectives.
- Asseco is committed to establishing a culture of continuous improvement by setting equality goals that will be periodically reviewed.
In order to continue advancing equality management, this policy will be reviewed periodically for continued relevance, communicated and shared with all employees, and made available to stakeholders.
Madrid, May 31, 2021
The Management
- Professionalism and security of human resources
This Policy applies to all Asseco Spain SA personnel and external personnel who perform tasks within the company.
HR will include information security responsibilities in employee job descriptions, inform all contracted personnel of their obligations regarding compliance with the Information Security Policy, manage Confidentiality Commitments with personnel, and coordinate user training regarding this Policy.
- The Security Management Officer (SMO) is responsible for monitoring, documenting and analyzing reported security incidents, as well as communicating them to the Information Security Committee and information owners.
- The Information Security Committee will be responsible for implementing the necessary means and channels for the Security Management Officer (SMO) to handle incident and system anomaly reports. The Committee will also monitor and oversee investigations, monitor the progress of information, and promote the resolution of information security incidents.
- The Security Management Officer (SMO) will participate in the preparation of the Confidentiality Agreement to be signed by employees and third parties performing functions at Asseco Spain SA, in advising on the sanctions to be applied for non-compliance with this Policy, and in the handling of information security incidents.
- All Asseco Spain SA staff are responsible for reporting, in a timely manner, any information security weaknesses and incidents that are detected.
- Professionalism of human resources:
- Determine the necessary staff competencies to carry out work affecting Information Security.
- Ensure that people are competent on the basis of appropriate education, training or experience.
- Demonstrate, through documented information, the necessary staff competency in Information Security.
The objectives of controlling staff safety are:
- Reduce the risks of human error, the commission of irregularities, misuse of facilities and resources, and unauthorized handling of information.
- Explain security responsibilities during the staff recruitment phase, include them in the agreements to be signed, and verify compliance during the employee’s performance of duties.
- Ensure that users are aware of information security threats and concerns and are trained to support Asseco Spain SA’s Information Security Policy in the course of their normal duties.
- Establish confidentiality commitments with all staff and users outside of information processing facilities.
- Establish the necessary tools and mechanisms to promote the communication of existing security weaknesses, as well as incidents, in order to minimize their effects and prevent their recurrence.
- Authorization and access control to Information Systems
The objectives of access control to information systems are:
- Prevent unauthorized access to information systems, databases and information services.
- Implement user access security through authentication and authorization techniques.
- Control security in the connection between the Asseco Spain SA network and other public or private networks.
- Review critical events and activities performed by users on the systems.
- Raise users’ awareness of their responsibility for the use of passwords and equipment.
- Ensure information security when using laptops and personal computers for remote work.
- Protection of facilities
The objectives of this policy regarding the protection of facilities are:
- Prevent unauthorized access, damage, and interference to Asseco Spain SA’s headquarters, facilities, and information.
- Protect Asseco Spain SA’s critical information processing equipment by placing it in protected areas and protecting it within a defined security perimeter, with appropriate security measures and access controls. Also consider protecting it during its transfer and while it remains outside of protected areas for maintenance or other reasons.
- Control environmental factors that could harm the proper functioning of the computer equipment that houses Asseco Spain SA’s information.
- Implement measures to protect information handled by office staff, within the normal scope of their routine duties.
- Provide protection proportional to the identified risks.
This Policy applies to all physical resources related to Asseco Spain SA’s information systems: facilities, equipment, cabling, files, storage media, etc.
It should be noted that in the case of Asseco Spain SA, all development, quality, and other environments are located externally on a secure hosting platform, so only laptops and peripherals need to be protected locally.
The Security Management Officer (SMO), together with the Information Owners, as appropriate, will define the physical and environmental security measures for the protection of critical assets, based on a risk analysis, and will oversee their implementation. They will also verify compliance with physical and environmental security provisions.
The heads of the various departments will define the levels of physical access for Asseco Spain SA personnel to the restricted areas under their responsibility. Information Owners will formally authorize off-site work with information about their business by Asseco Spain SA employees when they deem it appropriate.
All Asseco Spain SA staff are responsible for adhering to the clean screen and desk policy to protect information related to daily office work.
- Acquisition of products
The various departments must ensure that ICT security is an integral part of every stage of the system’s lifecycle, from conception to decommissioning, including development or procurement decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and bidding documents for ICT projects.
In addition, information security will be taken into account in the acquisition and maintenance of information systems, limiting and managing change.
- Security by default
Asseco Spain SA considers it strategic for the entity to integrate information security into its processes as part of their lifecycle. Information systems and services must include security by default from their creation to their retirement, including security in development and/or acquisition decisions and in all operational activities, establishing security as a comprehensive and cross-cutting process.
- System integrity and updating
Asseco Spain SA is committed to ensuring system integrity through a change management process that allows for the control of updates to physical or logical elements through authorization prior to their installation in the system. This assessment will be carried out primarily by technical management, which will evaluate the impact on system security before implementing changes and will document those changes that are assessed as significant or have implications for system security.
Through periodic security reviews, the security status of systems will be assessed in relation to manufacturers’ specifications, vulnerabilities, and updates that affect them, reacting diligently to manage the risk based on their security status.
- Protection of information stored and in transit
Asseco Spain SA establishes protective measures for the security of information stored or in transit through insecure environments. Insecure environments include laptops, peripheral devices, information media, and communications over open networks or with weak encryption.
- Prevention regarding interconnected information systems
Asseco Spain SA establishes information security protection measures, in particular to protect the perimeter when it is connected to public networks, especially where those networks are used in whole or in part for the provision of publicly available electronic communications services.
In any case, the risks arising from the system’s interconnection with other systems through networks will be analyzed, and their connection point will be monitored. Electronic connections are available to the public.
- Activity logs
Asseco Spain SA will record user activities, retaining the information necessary to monitor, analyze, investigate, and document improper or unauthorized activities, allowing the individual responsible to be identified at all times.
The main objectives of Incident Management are:
- Establish a system for detecting and responding to malicious code.
- Have procedures in place to manage security incidents and weaknesses detected in information system elements.
- These procedures will cover detection mechanisms, classification criteria, analysis and resolution procedures, as well as communication channels for stakeholders and the recording of actions.
- This log is used for continuous improvement of system security.
- Ensure IT services return to optimal performance.
- Reduce the potential risks and impacts that the incident may cause.
- Ensure the integrity of systems in the event of a security incident.
- Communicate the impact of an incident as soon as it is detected in order to raise the alarm, and implement an appropriate corporate communications plan.
- Promote business efficiency.
- Continuity of activity
Asseco Spain SA, with the aim of ensuring business continuity, establishes measures to ensure system backups and establishes the necessary mechanisms to guarantee operational continuity in the event of the loss of normal work resources.
- Continuous improvement of the security process
Asseco Spain SA establishes a process of continuous improvement in information security by applying the criteria and methodology established in the National Security Framework.
In Madrid, May 20, 2024
General Directorate