Information Security Policy




The main objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising daily activity and reacting promptly to incidents.


This Policy is developed with the aim of establishing a single framework for action that allows each of the business areas to be aligned, and of setting out the Management's commitment to provide the necessary resources for implementation and continuous improvement.


The security of information assets is a commitment that affects all SIA personnel. Consequently, all personnel, whether they belong to the organisation or to subcontracted third parties, are co-participants in this responsibility, and must work, from the position they occupy and independently of the responsibility explicitly assigned to them, towards the achievement of adequate information security.


This Policy shall be communicated, disseminated and followed by all the personnel of the Organisation and other interested parties (clients, contractors and suppliers) and compliance with it shall be mandatory within their sphere of responsibility.


Failure to comply with it may lead to the initiation of the appropriate disciplinary measures and, where appropriate, the corresponding legal responsibilities.




SIA's mission is to provide IT solutions and digital signature to its Clients and to collaborate in their evolution. Its Management has developed and implemented a set of objectives and guidelines, subject to a continuous improvement process, in accordance with the legislation, the National Security Scheme, the Personal Data Protection and the eIDAS regulations applicable to entities that provide trust services in the digital signature field (Trust Service Provider), as is the case of SIACERT.


The Information Security Policy is a high-level public declaration of intent on the part of SIA's Management, which, by virtue of the same, expresses its commitment to adopt all organisational, technical, physical and legal measures aimed at protecting the information and systems within its scope, in such a way as to achieve compliance with the applicable laws, regulations and standards in force, and to guarantee the security of the information at all times in relation to its integrity, confidentiality, availability, traceability and authentication.


Applicable Legislation


The following legislation and regulations form the basis for regulatory compliance in the creation of this security policy:


  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
  • Royal Legislative Decree 1/1996, of 12 April, Law on Intellectual Property.
  • Royal Decree-Law 2/2018, of 13 April, amending the revised text of the Law on Intellectual Property.
  • Royal Decree 311/2022, of 3 May, regulating the National Security Scheme.
  • The ISO 27001 Information Security Management System.


Principles of Information Security


Therefore, the SIA Management assumes the following principles as strategic commitments:


  • Implement a documented and measurable management system, ensuring continuous improvement of processes, procedures, products and services, in order to provide services that meet customer requirements.
  • Assign roles and responsibilities, based on the corresponding procedures for their designation, reinforcing the premise of least privilege.
  • Develop personnel management, training and staff awareness programmes that ensure the level of training, competence and involvement appropriate to their functions.
  • Comply with applicable legislation in force, especially that which arises from the provision of services to citizens by public administrations.
  • Analyse and manage the risks to which the Organisation is exposed by means of internationally recognised methodologies.
  • Establish adequate levels of integrity, confidentiality, availability, traceability and authentication of our own, suppliers' and customers' information systems.
  • Prevent incidents and plan an effective reaction and subsequent analysis in the event of their occurrence, as well as ensure the continuity of the organisation's critical operations in the event of such incidents.
  • Orient the activity of the Organisation and its suppliers towards the Client by complying with the explicit and implicit requirements of the agreed terms and conditions.
  • Achieve the appropriate levels of IT services offered by the Organisation to its customers, and demand the same from its suppliers, so that they certify and guarantee quality, satisfaction and mutual cooperation.
  • Contribute to the prevention of pollution and establish an adequate management of environmental waste, whether generated internally or through our suppliers.
  • Guarantee operational continuity in the event of disruptive incidents.
  • Provide digital signature services in accordance with ETSI standards and legal regulations applicable to TSPs.


The Policy will be in force from the date of its approval and will be reviewed annually regardless of significant changes, remaining unchanged if no changes are applied.





We promote the transformation of business and society through innovative solutions and services, putting people at the center.

Indra is one of the leading global technology and consulting companies: the technology partner for key operations of client businesses worldwide.
