REPRODUCTION OF THIS DOCUMENT IN WHOLE OR IN PART WITHOUT AUTHORIZATION IS PROHIBITED
Organization and implementation of the security process (Art. 13)
This “Information Security Policy” is approved by Insulcloud and is effective from its entry into force on October 16, 2023.
The Policy is reviewed by the Information Security Manager at planned intervals, not exceeding one year, or whenever significant changes occur, to ensure its suitability, adequacy, and effectiveness.
Information system security must involve all members of the organization and be communicated effectively.
Changes to this Information Security Policy shall be approved by Insulcloud Management and disseminated throughout the Organization.
The company’s management is aware of the value of information and is firmly committed to the policy described in this document.
Regulatory framework
The regulatory framework for information security under which Insulcloud operates essentially includes:
- Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights.
- Royal Decree 311/2022, regulating the National Security Framework (ENS) in electronic administration.
- ENS. Article 12. Organization and implementation of the security process.
- Regulation (EU) 2016/679 (GDPR) on the protection of individuals regarding personal data processing and free movement of such data.
- TIC Security Guide CCN-STIC 805 ENS. Information Security Policy.
- TIC Security Guide CCN-STIC 801 ENS. Responsibilities and roles.
- Applicable Collective Agreement: “National Collective Agreement for engineering companies; technical study offices; inspection, supervision and technical and quality control”.
- Law 34/2002, on Information Society Services and Electronic Commerce (LSSI-CE).
Mission
The purpose of this Information Security Policy is to protect the information of Insulcloud services.
The policy and its associated Security Regulations will be communicated to all employees to ensure their understanding and compliance.
This policy applies to the information systems owned by Insulcloud for the provision of technical support services, through qualified personnel assigned to public organizations, managing and monitoring activities in the areas of:
- IT and security consultancy, technical audits and compliance, in accordance with RD 311/2022, ISO/IEC 27001, and the current Statement of Applicability.
Security responsibilities
Insulcloud has appointed a Security Committee with defined Roles, Functions, and Responsibilities.
The establishment of this committee and the designation of roles are recorded in the Committee Constitution Act (11/06/2021) and the Appointment Act (11/06/2021).
The ENS Information Security Committee is composed of:
- Security Manager
- Systems Manager
- Information Manager
- Service Manager
- Executive Management
Each role will have designated deputies, totaling five substitutes.
Clear responsibilities must be assigned and known by all organization members. These responsibilities shall be detailed in the organization's Security Policy.
Appointments are decided by the Management and reviewed every two years or when positions change. Disagreements will be resolved within the Committee, with executive management having final authority.
Roles and corresponding functions are as follows:
Management will be responsible for:
- Setting objectives and ensuring they are achieved
- Understanding all departments and ensuring synergy
- Organizing functions and responsibilities and the Security Policy
- Allocating resources, budget, and personnel to meet objectives
The Information Manager will be responsible for:
- Accepting residual risks determined from the risk assessment.
- Evaluating proposals from the Security and Systems Managers regarding risk levels.
- Defining information requirements.
- Ensuring protection of information (physical, service, privacy).
- Monitoring applicable legislative or sector-specific changes.
- Implementing technical and organizational measures to protect personal data.
The Service Manager will:
- Define security requirements for services delivered to Clients.
- Review and approve security levels of services.
- Include security specifications during service lifecycle.
- Evaluate potential impacts on service security.
- Assume ownership of service risks.
System Manager responsibilities include:
- Developing, operating, and maintaining the System.
- Defining topology and system management policy.
- Defining rules for system connection/disconnection.
- Implementing specific system security measures.
- Approving hardware/software configurations.
- Approving significant configuration modifications.
- Conducting risk analysis and management.
- Defining security documentation for the System.
- Investigating system security incidents.
- Establishing contingency and emergency plans.
The Security Manager will:
- Be designated by the Organization Management.
- Make decisions to meet information security requirements.
- Protect organizational data and privacy.
- Oversee and control access to information.
- Prepare incident response and disaster recovery measures.
- Ensure compliance with information security regulations.
- Coordinate with external service providers.
- Maintain security of information and services.
- Promote training and awareness on information security.
- Ensure proper use of IT equipment.
- Supervise response teams in case of security breaches.
- Act as Information Security Point of Contact (POC) for Clients.
- Conduct security operations against fraud and data theft.
- Develop training plans under ENS for Insulcloud personnel in public sector projects.
The Data Protection Officer (DPO) will:
- Inform and advise on the GDPR obligations.
- Monitor GDPR compliance and conduct audits.
- Advise on Data Protection Impact Assessments (DPIA).
- Act as point of contact with supervisory authorities.
- Perform duties with attention to risks based on nature, scope, context, and purposes of processing.
Additionally, the System Manager may suspend certain services or processing if informed of severe security deficiencies affecting compliance. Such decisions must involve the Information, Service and Security Managers before execution.
Reporting
The security administrator reports to the System Manager or the Security Manager, depending on their functional dependency, on:
- Incidents related to system security, and configuration, update or correction actions.
The System Manager informs the Information Manager of functional incidents related to the information within their scope.
The System Manager informs the Service Manager of functional incidents related to the service within their scope.
The System Manager reports to the Security Manager:
- Security-related actions, particularly regarding system architecture decisions
- Consolidated summary of security incidents.
Risk analysis and management (Art. 14)
A risk analysis will be carried out, assessing the threats and risks to which the information systems are exposed. This analysis will be the basis for determining the security measures to be adopted, in addition to the minimums established as provided in articles 7 and 14 of the BOE, and it will be repeated:
- Regularly, at least once a year.
- When the information being processed changes.
- When the services provided change.
- When a serious security incident occurs.
- When critical vulnerabilities are reported.
- When a security incident occurs related to LOPDGDD regulations.
- When there is a data breach involving user information under LOPDGDD regulations.
The risk assessment criteria will be specified in the risk and security incident assessment methodology prepared by the organization, based on recognized standards, best practices, and legal norms.
At a minimum, all risks that could seriously impede the provision of services or the fulfillment of Insulcloud’s mission for its Clients must be addressed. Special priority will be given to risks that may lead to a cessation or interruption of services or that affect the processed information.
The risk owner must be informed of the risks affecting their asset and of the residual risk to which it is subject. When an information system enters into operation, the residual risks must have been formally accepted by its respective owner.
Personnel management (Art. 15)
Personnel, internal or external, related to the information systems subject to this Royal Decree 311/2022, must be trained and informed about their duties, obligations and responsibilities in terms of security.
Their work must be supervised to verify that established procedures are followed, applying the approved security standards and operating procedures in the performance of their duties.
The meaning and scope of the safe use of the system will be defined and reflected in the Security Regulations document, which will be approved by the management of Insulcloud. It will be disseminated throughout the Organization and must be communicated to each new member joining Insulcloud.
Professionalism (Art. 16)
The security of information systems shall be handled, reviewed and audited by qualified, dedicated, and trained personnel in all phases of its lifecycle: planning, design, acquisition, deployment, operation, maintenance, incident management, and decommissioning.
Entities within the scope of this royal decree shall demand, objectively and non-discriminatorily, that organizations providing security services have qualified professionals and appropriate levels of management and maturity in the services they provide.
Insulcloud will determine the training and experience requirements for personnel to perform their role.
Authorization and access control (Art. 17)
Controlled access to the information systems covered by this royal decree shall be limited to users, processes, devices, or other information systems, duly authorized and only to permitted functions.
Access privileges granted to a person (user) on Insulcloud’s information system are restricted by default to the minimum required for their role.
Insulcloud’s information system will always be configured so that it prevents a person (user) from accidentally accessing resources with rights other than those authorized.
Facilities protection (Art. 18)
Information systems and their associated communications infrastructure must remain in controlled areas and have appropriate and proportional access mechanisms in accordance with the risk analysis, without prejudice to the provisions of Law 8/2011 of April 28, on critical infrastructure protection and Royal Decree 704/2011 of May 20.
Procurement of security products and services (Art. 19)
When acquiring security products or contracting information and communication technology security services to be used in information systems within the scope of this royal decree, those with certified security functionality relevant to their intended use will be used, proportionate to the system category and determined security level.
The Certification Body of the National Scheme for the Evaluation and Certification of Information Technology Security of the National Cryptologic Center (CCN), established under Article 2.2.c) of Royal Decree 421/2004, considering nationally and internationally recognized evaluation criteria and methodologies, will determine the following aspects:
- The security and assurance functional requirements of the certification.
- Other security certifications required by law.
- Exceptionally, the criterion to be followed when no certified products or services exist.
The contracting of security services will be subject to the provisions of the previous sections and Article 16.
Minimum privilege (Art. 20)
Information systems must be designed and configured with the minimum privileges necessary for proper performance, incorporating the following aspects:
- The system will provide only the essential functionality for the organization to achieve its objectives.
- Operation, administration and logging functions will be the minimum necessary and will only be carried out by authorized personnel, from authorized locations or equipment.
- Unnecessary or inappropriate functions will be removed or disabled through configuration control. Ordinary system use must be simple and secure, so that unsafe use requires a conscious action by the user.
- Security configuration guidelines will be applied for different technologies, adapted to the system categorization, to remove or disable unnecessary or inappropriate functions.
System integrity and updates (Art. 21)
The inclusion of any physical or logical element in the updated system asset catalog, or its modification, will require formal authorization from the Insulcloud Security Manager.
Permanent evaluation and monitoring will allow the security status of the systems to be adapted to configuration deficiencies, identified vulnerabilities, and updates, as well as early detection of any incidents affecting them. Responsibility will lie with the Insulcloud Security Manager.
Protection of stored and in-transit information (Art. 22)
In the organization and implementation of security, special attention will be paid to data stored or in transit via portable or mobile devices, peripheral devices, information supports, and communications over open networks, which must be specially analyzed to ensure adequate protection.
Procedures will be applied to guarantee the recovery and long-term preservation of electronic documents produced by information systems covered by this royal decree, when required.
Any information in non-electronic format that has been caused by or directly linked to the electronic information referred to in this royal decree must be protected with the same level of security. The appropriate measures will be applied according to the nature of the support.
Prevention in interconnected information systems (Art. 23)
The perimeter of the information system will be protected, especially if it connects to public networks, as defined in Law 9/2014 of May 9, General Telecommunications Law, enhancing prevention, detection, and response to security incidents.
Activity logging and malicious code detection (Art. 24)
To meet the purpose of this royal decree, and in full compliance with personal data protection laws, user activities will be logged, retaining only the information strictly necessary to monitor, analyze, investigate, and document improper or unauthorized activities, and enabling identification of the person at all times.
To preserve information systems security, strictly as allowed by GDPR and respecting purpose limitation, data minimization, and retention limitation principles, analysis of incoming or outgoing communications may be carried out, solely for information security purposes, allowing prevention of unauthorized access, denial-of-service attacks, or malicious code distribution.
To enable corrective action or, where appropriate, the assignment of responsibility, each system user must be uniquely identified so that their access rights, types of access, and actions taken can be known at all times.
Security incidents (Art. 25)
The entity owning the information systems subject to this royal decree will have security incident management procedures as provided in Article 33, the corresponding Technical Security Instruction, and in the case of an operator of essential services or digital service provider, according to the annex of Royal Decree 43/2021 of January 26.
Detection mechanisms, classification criteria, analysis and resolution procedures, as well as communication channels with stakeholders and action logs, will be available. These logs will be used to improve system security.
Business continuity (Art. 26)
Systems will have backup copies and the necessary mechanisms to ensure continuity of operations in case of loss of the usual means.
Continuous improvement of the security process (Art. 27)
The comprehensive security process implemented must be continually updated and improved. Recognized national and international practices and methodologies for information security management will be applied.
Documentary reference
- IC_Inventory of Policies_v1
- IC_Security Regulations_v1
- IC_Privacy Policy_v1
Change Control
| VERSION | DATE | AUTHOR | DESCRIPTION |
|---|---|---|---|
| 01 | 16/10/2023 | Nacho Gaitero | ISO 27001 - ENS Update |
| 00 | 26/10/2020 | Miguel Uña Vázquez | Initial version of the procedure |
Security certificate
The information security management system of Insulcloud is certified under:
