ENS Information Security Policy

1. APPROVAL AND ENTRY INTO FORCE

Text approved on 21 July 2022 by the General Management. This Information Security Policy is effective from that date until it is replaced by a new Policy.

2. INTRODUCTION

SICOMORO SERVICIOS INTEGRALES, S.L. depends on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

The objective of information security is to ensure the quality of information and the continued provision of services by acting preventively, monitoring daily activity and reacting promptly to incidents.

ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure continuous service delivery. This implies that departments must implement the minimum security measures required by the National Security Scheme, as well as continuously monitor service delivery levels, track and analyse reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.

The different departments must ensure that ICT security is an integral part of every stage of the system lifecycle, from its conception to its decommissioning, through development or procurement decisions and operational activities. Security requirements and funding needs should be identified and included in planning, request for tenders, and tender documents for ICT projects.

Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 7 of the ENS (Article 8. Prevention, detection, response and preservation. Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme).

2.1. PREVENTION

Departments must avoid, or at least prevent as far as possible, information or services from being damaged by security incidents. To this end, departments should implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all staff, should be clearly defined and documented. To ensure compliance with the policy, departments should: Authorise systems before they go into operation.

– Regularly assess security, including assessments of configuration changes made on a routine basis.

– Request periodic review by third parties in order to obtain an independent assessment.

2.2. DETECTION

Since services can degrade rapidly due to incidents, ranging from simple slowdowns to shutdowns, services should continuously monitor the operation to detect anomalies in service delivery levels and act accordingly as set out in Article 10 of the ENS. (Article 9. Continuous monitoring and periodic reassessment).

Monitoring is especially relevant when establishing lines of defence in accordance with Article 9 of the ENS. (Article 8. Existence of Lines of Defence).

Detection, analysis and reporting mechanisms shall be established that reach those responsible on a regular basis and when there is a significant deviation from the parameters that have been pre-established as normal.

2.3. RESPONSE

The Entity has established mechanisms to respond effectively to security incidents.

A point of contact has been designated for communications regarding incidents detected in other departments or other bodies.

Protocols are in place for the exchange of incident-related information. This includes two-way communications with the Emergency Response Teams (CERTs).

2.4. RECOVERY

To ensure the availability of critical services, the entity has developed ICT systems continuity plans as part of its overall business continuity plan and recovery activities.


Translated with www.DeepL.com/Translator (free version)

3. SCOPE

This policy applies to all the entity’s ICT systems and to all members of the organisation involved in Services and Projects for the public sector that require the application of ENS, without exceptions.

4. MISSION

The main objectives pursued are:

– To promote the electronic relationship between the user and the Entity or its Clients.

– To reduce waiting times for user service.

– To shorten waiting times in the resolution of procedures requested by the user.

– To develop a documentary information management system that facilitates rapid access by service personnel to the information requested by the user.

5. REGULATORY FRAMEWORK

This policy is framed within the following legislation:

1. RD 311/2022 Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme. BOE of 04 May 2022.

2. Law 30/1992, of 26 November, on the Legal Regime of Public Administrations and Common Administrative Procedure.

3. Law 40/2015, of 1 October, on the Public Sector Legal System.

4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

5. Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.

6. Law 11/2007, of 22 June, on citizens’ electronic access to Public Services.

7. Law 7/1985, of 2 April 1985, Regulating the Bases of the Local Regime, modified by Law 11/1999, of 21 April 1999.

6. ORGANISATION OF SECURITY
6.1. COMMITTEES: ROLES AND RESPONSIBILITIES

The ICT Security Committee shall be made up of:

– The Managing Director of the Company= Holder, Data Controller, Information Officer (RINFO), Service Manager (RSER).

– The Technical Manager = System Manager (RSIS).

– The Systems Manager = Security Administrator and Delegated Security Administrator (AS & AS-D).

– The Management Systems Manager = Information Security Manager (RSEG), Chief Information Security Officer (CISO), Corporate Security Officer (CSO).

– The Support Manager = System Manager (RSIS).

– The Head of Administration = Head of Specific Security Measures (HR), Secretary of the ICT Security Committee.

Translated with www.DeepL.com/Translator (free version)

The Secretary of the ICT Security Committee shall be the Head of Administration, who shall be responsible for convening the Committee’s meetings and taking minutes of them.

The ICT Security Committee shall report to the Entity’s Management.

The ICT Security Committee shall have the following functions:

– Coordinate and approve actions in the area of information security.

– Promote the information security culture.

– Participate in the categorisation of systems and risk analysis.

– Review documentation related to system security.

– Resolve discrepancies and problems that may arise in security management.

6.2. ROLES: FUNCTIONS AND RESPONSIBILITIES

The responsibilities of senior management are:

– It is responsible for setting the strategic objectives, properly organising its constituent elements, its internal and external relations, and directing its activity, including the approval of the Information Security Policy, as well as, where appropriate, the Data Protection Policy, providing the appropriate resources to achieve the proposed objectives, ensuring compliance with them.

– Responsible for the Processing of Personal Data.

– Data Controller; has the ultimate responsibility for the use made of certain information and, therefore, for its protection. The Data Controller is ultimately responsible for any error or negligence leading to an incident of confidentiality or integrity (in terms of data protection) and availability (in terms of information security).

– Service manager: This person has the power to determine the security levels of the services, and may be a specific individual or a collegiate body.

The responsibilities of the ICT Security Committee are:

– To coordinate and approve information security actions.

– To promote the culture of information security.

– To participate in the categorisation of systems and risk analysis.

– Review documentation related to system security.

– Resolve discrepancies and problems that may arise in the management of security.

The responsibilities of the Information Security Officer are:

– Maintain the appropriate level of security of the information handled and the services provided by the systems.

– To carry out or promote the periodic audits required by the ENS to verify compliance with its requirements.

– Manage ICT security training and awareness-raising.

– Check that the existing security measures are adequate for the entity’s needs.

– Review, complete and approve all documentation related to system security.

– Monitor the security status of the system provided by the security event management tools and audit mechanisms implemented in the system.

– Support and supervise the investigation of security incidents from notification to resolution, issuing periodic reports on the most relevant incidents to the Committee.

The responsibilities of the System Manager are:

– Manage the System throughout its life cycle, from specification, installation to monitoring of its operation.

– Defining the criteria for use and the services available in the system.

– Defining the policies for user access to the system.

– Approve changes affecting the security of the system’s mode of operation.

– Determine the authorised hardware and software configuration to be used in the system and approve major modifications to this configuration.

– Carrying out the analysis and management of risks in the system.

– Prepare and approve the system’s security documentation.

– Determine the category of the system according to the procedure described in Annex I of the ENS and determine the security measures to be applied as described in Annex II of the ENS.

– Implement and control the specific security measures of the system.

– Establish contingency and emergency plans, conducting frequent drills to familiarise staff with them.

– Suspending the handling of certain information or the provision of a certain service if serious deficiencies are detected.

The responsibilities of the Security Administrator are:

– Implementation, management and maintenance of security measures.

– Management, configuration and updating, where appropriate, of security hardware and software, as well as their supervision.

– Management of authorisations and privileges granted to system users.

– Implementation of security procedures and verification of compliance.

– Approving changes to security settings.

– Ensuring that security controls are complied with.

– Monitoring the security status of the system.

– Report any anomalies to the RSEG and RSIS.

– Assist in the investigation and resolution of security incidents.

– Log, account for and manage security incidents.

– Isolate the incident to prevent propagation.

– Make short-term decisions if information has been compromised in a way that could have serious consequences.

– Ensure the integrity of critical elements of the system if their availability has been affected.

– Maintain and recover the information stored by the System and its associated services.

– Investigate the incident: Determine the manner, means, reasons and origin of the incident.

The responsibilities of the Head of specific HR Security Measures are:

– Communicate the registration and deregistration of users, through the procedure described.

The responsibilities of the Users are:

– Apply the security measures described in the regulations.

6.3. APPOINTMENT PROCEDURES

The Information Security Officer shall be appointed by the Entity’s Management, at the proposal of the ICT Security Committee. The appointment shall be reviewed every 2 years or when the post becomes vacant. The Department responsible for a service provided electronically in accordance with Law 11/2007 shall designate the System Manager, specifying his or her functions and responsibilities within the framework established by this Policy. This designation must be approved by the Entity’s management.

6.4. INFORMATION SECURITY POLICY

The ICT Security Committee shall be responsible for the annual review of this Information Security Policy and for proposing its revision or maintenance. The Policy shall be approved by the Entity’s management and disseminated so that all affected parties are aware of it.

7. PERSONAL DATA

The Entity processes personal data. The “Personal Data Protection Manual”, to which only authorised persons shall have access, lists the processing operations concerned and those responsible for them. All the Entity’s information systems shall comply with the security measures required by its risk analysis and by the regulations for the nature and purpose of the personal data included in the aforementioned manual and the documentation of said system. 

8. RISK MANAGEMENT

All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated:

– Regularly, at least once a year when the information handled changes.

– When the services provided change.

– When a serious security incident occurs.

– When serious vulnerabilities are reported.

For the harmonisation of risk analyses, the ICT Security Committee shall establish a baseline assessment for the different types of information handled and the different services provided. The ICT Security Committee will streamline the availability of resources to meet the security needs of the different systems, promoting horizontal investments.

9. DEVELOPMENT OF THE INFORMATION SECURITY POLICY


This Information Security Policy complements the Entity’s security policies in different areas:

– Personal Data Protection security policies, available in the document “Privacy Policy Data Protection Law”.

This Policy will be developed by means of security regulations that address specific aspects. The security policy will be available to all members of the organisation who need to know it, in particular to those who use, operate or administer the information and communications systems. The security policy shall be available on the intranet: https://helpdesk.iacpos.com.

10. STAFF OBLIGATIONS

All members of the organisation are obliged to know and comply with this Information Security Policy and the Security Regulations, and the ICT Security Committee is responsible for arranging the necessary means to ensure that the information reaches those affected.

All members of the organisation shall attend an ICT security awareness session at least once a year. An ongoing awareness programme shall be set up for all members of the organisation, in particular new recruits.

Persons with responsibility for the use, operation or administration of ICT systems shall be trained in the secure operation of the systems to the extent that they need it to perform their work. Training shall be mandatory before taking up a responsibility, whether it is their first assignment or a change of job or job responsibilities.

11. THIRD PARTIES

When the Entity provides services to other organisations or handles information from other organisations, they shall be made aware of this Information Security Policy, channels shall be established for reporting and coordination of the respective ICT Security Committees, and procedures shall be established for reacting to security incidents.

When the Entity uses third-party services or transfers information to third parties, they shall be made aware of this Security Policy and of the Security Regulations applicable to such services or information. Such third party shall be subject to the obligations set forth in such regulations, and may develop its own operating procedures to comply with them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that third party personnel are adequately security-aware to at least the same level as set out in this Policy.

Where any aspect of the Policy cannot be satisfied by a third party as required in the above paragraphs, a report from the Security Officer specifying the risks incurred and how they will be addressed shall be required. Approval of this report will be required from those responsible for the information and services concerned before proceeding further.