Made by: Nacho Gaitero, Security Manager. Date and signature: 16/10/2023
Reviewed by: Miguel Uña, Compliance Officer (Date and signature: 16/10/2023); Angel Sotomayor Vázquez, Software Manager (Date and signature: 16/10/2023)
Approved by: Nacho Gaitero, Security Manager. Date and signature: 16/10/2023
TOTAL OR PARTIAL REPRODUCTION OF THIS DOCUMENT WITHOUT AUTHORIZATION IS PROHIBITED.
- ORGANIZATION AND IMPLEMENTATION OF THE SECURITY PROCESS (ART.13)
- REGULATORY FRAMEWORK
- SECURITY FUNCTIONS
- RISK ANALYSIS AND MANAGEMENT (ART.14)
- PERSONNEL MANAGEMENT (ART.15)
- PROFESSIONALISM (ART. 16)
- AUTHORIZATION AND CONTROL OF ACCESS (ART. 17)
- PROTECTION OF FACILITIES (ART. 18)
- ACQUISITION OF SECURITY PRODUCTS AND CONTRACTING OF SECURITY SERVICES (ART. 19)
- MINIMUM PRIVILEGE (ART. 20)
- INTEGRITY AND UPDATING OF THE SYSTEM (ART. 21)
- PROTECTION OF STORED INFORMATION AND IN TRANSIT (ART. 22)
- PREVENTION AGAINST OTHER INTERCONNECTED INFORMATION SYSTEMS (ART. 23)
- REGISTRATION OF ACTIVITY AND DETECTION OF HARMFUL CODE (ART. 24)
- SECURITY INCIDENTS (ART. 25)
- CONTINUITY OF ACTIVITY (ART. 26)
- CONTINUOUS IMPROVEMENT OF THE SECURITY PROCESS (ART. 27)
- DOCUMENTARY REFERENCE
1. ORGANIZATION AND IMPLEMENTATION OF THE SECURITY PROCESS (ART.13)
This “Information Security Policy” of Insulcloud is effective from its entry into force on October 16, 2023.
The Policy is reviewed by the person responsible for Information Security at planned intervals, not exceeding one year in duration, or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.
The security of information systems must involve all members of the organization, communicating effectively.
Changes to the Information Security Policy will be approved by Insulcloud Management. Any change to it must be disseminated for the knowledge of the entire Organization.
The company's management is aware of the value of information and is deeply committed to the policy described in this document.
2. REGULATORY FRAMEWORK
The regulatory framework regarding information security in which Insulcloud carries out its activity, essentially, is the following:
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
- RD 311/2022, of May 3, which regulates the National Security Scheme in the field of Electronic Administration.
- ENS. Article 12. Organization and implementation of the security process.
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation), applicable to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file.
- ICT Security Guide CCN-STIC 805 ENS. Information security policy.
- ICT Security Guide CCN-STIC 801 ENS. Responsibilities and functions.
- The applicable collective agreement, corresponding to “Consulting companies, and market and public opinion studies.”
- Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE).
The purpose of this Information Security Policy is to protect the information of Insulcloud services.
The Security Policy, together with the Security Regulations, will be communicated to all workers, so that the document can be read, analyzed and understood.
This policy applies to the information system owned by Insulcloud, for the adequate provision of technical assistance services, through the assignment of qualified personnel to public organizations, carrying out its management and monitoring in the areas of:
- Likewise, ICT and security consulting, along with technical and compliance audits, all in accordance with the provisions of RD 311/2022, ISO/IEC 27001 and the current Declaration of Applicability.
4. SECURITY FUNCTIONS
Insulcloud has appointed a Security COMMITTEE with its Functions and Responsibilities.
The establishment of this committee, as well as the designation of the different roles, are recorded in the Committee's Constitution Minutes (Insulcloud, dated 06/11/2021) and in the Appointments Minutes (Insulcloud, dated 06/11/2021).
The ENS Information Security Committee is made up of:
- Security Manager
- Systems Manager
- Information Manager
- Responsible for the service
- Management Responsible
And this Security Committee will have Alternates for each of those responsible for the Security Committee, that is, 5 alternates.
Clear responsible parties must be identified to ensure compliance and be known by all members of the organization. The responsibilities of each person responsible will be detailed in the organization's security policy.
Appointments are established by the Organization's Management and are reviewed every 2 years or when a position becomes vacant. Differences in criteria that could lead to a conflict will be dealt with within the Security Committee and the criteria of the Executive Management will prevail in all cases.
The different roles along with their respective functions and responsibilities:
The Head of Management will have the following functions:
- Determine the objectives the organization intends to achieve and be responsible for ensuring that they are achieved.
- Understand what each department does and how they coordinate with each other.
- Organize the functions and responsibilities set out in the organization's Security Policy.
- Provide adequate resources, budget and personnel to achieve objectives.
The Information Responsible will have the following functions:
- Accept the residual risks regarding the information, calculated in the risk analysis.
- Although the formal approval of the levels corresponds to the Information Manager, a proposal can be obtained from the Security Manager and it is advisable that the opinion of the System Manager be heard.
- Determine the requirements of the information processed.
- Ensure the security of information in its different aspects: physical protection, protection of services and respect for privacy.
- Be aware of regulatory changes (laws, regulations or sectoral practices) that affect the Organization
- Adopt the necessary technical and organizational measures to guarantee the security of personal data and prevent its alteration, loss, unauthorized processing or access, taking into account the state of technology, the nature of the data stored and the risks to which it is exposed, whether they come from human action or from the physical or natural environment.
The person responsible for the service will have the functions:
- Determine the Security requirements of the services provided to Clients.
- Review and approve the security levels of the services.
- Include security specifications in the life cycle of services and systems, accompanied by the corresponding control procedures.
- Assess the consequences of a negative impact on the security of the services, taking into account its impact on the organization's ability to achieve its objectives, the protection of its assets, the fulfillment of its service obligations, respect for legality and the rights of Clients.
- Assume ownership of the risks on the services.
The System Manager will have the functions:
- Develop, operate and maintain the System throughout its life cycle, its specifications, installation and verification of its correct operation.
- Define the topology and management policy of the System, establishing the use criteria and the services available therein.
- Define the connection or disconnection policy for new computers and users in the System.
- Implement and control the specific security measures of the System and ensure that these are adequately integrated within the general security framework.
- Determine the authorized hardware and software configuration to use in the System.
- Approve any substantial modification to the configuration of any element of the System.
- Carry out the risk analysis and management process in the System.
- Determine the category of the system and determine the security measures that must be applied. Prepare and approve the security documentation of the System.
- Investigate security incidents that affect the System and, if applicable, communicate them to the Security Manager.
- Establish contingency and emergency plans, carrying out frequent exercises so that staff become familiar with them.
The Security Manager will have the following functions:
- The Security Manager is the person designated by the Management of the Organization.
- Determine decisions to satisfy information and service security requirements.
- Work to achieve total security of the company's data, as well as its privacy.
- Supervise, control and manage access to information about the company and its workers.
- Develop a set of response measures for information security incidents, including disaster recovery.
- Guarantee compliance with regulations related to information security.
- In the case of outsourced services, the ultimate responsibility always lies with the Organization receiving the services, even though the immediate responsibility may correspond (via contract) to the organization providing the service.
- Maintain the security of the information managed and the services provided by the information systems in their area of responsibility, in accordance with the provisions of the organization's Information Security policy.
- Promote training and awareness in information security.
- Guarantee the proper use of computer equipment within their scope of responsibility.
- Supervise and coordinate the team in charge of carrying out response measures in case of security breaches.
- Act as POC (Information Security Contact Person), responsible for security with the Clients to which Insulcloud provides services.
- Carry out security operations to fight fraud and information theft.
- Design the training plan, within the scope of the ENS, for Insulcloud people who provide services in AA.PP. (Public Administration) projects.
The DPD (Data Protection Officer) will have the following functions:
- Inform and advise the controller or processor and the employees responsible for the processing of their obligations under this Regulation and other Union or Member State data protection provisions.
- Monitor compliance with this Regulation, other data protection provisions of the Union or Member States and the policies of the controller or processor on the protection of personal data, including the assignment of responsibilities, awareness and training of personnel participating in processing operations, and the corresponding audits.
- Provide advice as requested on the data protection impact assessment and monitor its implementation in accordance with Article 35.
- Cooperate with the supervisory authority.
- Act as a contact point for the supervisory authority for issues relating to processing, including the prior consultation referred to in article 36, and make consultations, where appropriate, on any other matter.
- Carry out its functions paying due attention to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
In addition, the person responsible for the system may agree to suspend the handling of certain information or the provision of a certain service if they are informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed upon with those responsible for the affected information, the affected service and the person responsible for security, before being executed.
The security administrator reports to the System Manager or the Security Manager, depending on their functional dependency:
- Incidents related to system security, or configuration, update or correction actions.
- The System Manager informs the Information Manager of functional incidents related to the information that concerns them.
- The System Manager informs the Service Manager of functional incidents related to the service that concerns them.
- The System Manager reports to the Security Manager:
  - Security actions, particularly regarding system architecture decisions.
  - Consolidated summary of security incidents.
7. RISK ANALYSIS AND MANAGEMENT (ART.14)
A risk analysis will be carried out, evaluating the threats and risks to which the information systems are exposed. This analysis will be the basis for determining the security measures that must be adopted, in addition to the minimums established as provided for in articles 7 and 14 of the BOE, and it will be repeated:
- Regularly, at least once a year.
- When the information handled changes.
- When the services provided change.
- When a serious security incident occurs.
- When serious vulnerabilities are reported.
- When there is a security incident related to the LOPDGDD regulations
- When there is a security breach related to a user's processed information according to the LOPDGDD regulations.
The risk assessment criteria will be specified in the risk and security incident assessment methodology that the organization will develop, based on standards, recognized good practices and legal norms.
At a minimum, all risks that could seriously impede the provision of services or the fulfillment of the organization's mission must be addressed. Particular priority will be given to risks that imply a cessation of the provision of Insulcloud services to Clients, or that have an impact on the information processed during the service.
The owner of a risk must be informed of the risks that affect his property and the residual risk to which it is subject. When an information system comes into operation, the residual risks must have been formally accepted by its corresponding owner.
8. PERSONNEL MANAGEMENT (ART.15)
Personnel, whether their own or others, related to the information systems subject to the provisions of this Royal Decree 311/2022, must be trained and informed of their duties, obligations and responsibilities in terms of security.
Their actions must be supervised to verify that the established procedures are followed, and they will apply the approved security standards and operating procedures in the performance of their duties.
The meaning and scope of the secure use of the system will be specified and reflected in the Security Regulations document, which will be approved by the management of Insulcloud. It will be disseminated to the entire Organization, its dissemination being mandatory for each incorporation into Insulcloud.
8. PROFESSIONALISM (ART. 16)
The security of information systems will be attended to, reviewed and audited by qualified, dedicated and instructed personnel in all phases of their life cycle: planning, design, acquisition, deployment, operation, maintenance, incident management and decommissioning.
The entities within the scope of application of this royal decree will require, in an objective and non-discriminatory manner, that the organizations that provide them with security services have qualified professionals with suitable levels of management and maturity in the services provided.
Insulcloud will determine the training and experience requirements necessary for the staff to perform their job.
9. AUTHORIZATION AND CONTROL OF ACCESS (ART. 17)
Controlled access to the information systems included in the scope of application of this royal decree must be limited to duly authorized users, processes, devices or other information systems, and exclusively to the permitted functions.
The access privileges of a resource (person) to the Insulcloud information system are restricted by default to the minimum necessary for the development of its functions.
The Insulcloud information system will always remain configured in such a way as to prevent a resource (person) from accidentally accessing resources with rights other than those authorized.
10. PROTECTION OF FACILITIES (ART. 18)
The information systems and their associated communications infrastructure must remain in controlled areas and have appropriate and proportional access mechanisms based on the risk analysis, without prejudice to the provisions of Law 8/2011, of April 28, which establishes measures for the protection of critical infrastructures, and of Royal Decree 704/2011, of May 20, which approves the Regulation for the protection of critical infrastructures.
11. ACQUISITION OF SECURITY PRODUCTS AND CONTRACTING OF SECURITY SERVICES (ART. 19)
In the acquisition of security products or the contracting of information and communication technology security services that are going to be used in the information systems within the scope of application of this royal decree, those whose security functionality related to the object of their acquisition is certified will be used, in a manner proportionate to the category of the system and the level of security determined.
The Certification Body of the National Information Technology Security Assessment and Certification Scheme of the National Cryptological Center (hereinafter, CCN), established under the provisions of article 2.2.c) of Royal Decree 421/2004, of March 12, which regulates the National Cryptological Center, taking into account the national and international evaluation criteria and methodologies recognized by this body and depending on the intended use of the specific product or service within its powers, will determine the following aspects:
- The functional security and assurance requirements of the certification.
- Other additional security certifications that are required by regulations.
- Exceptionally, the criteria to follow in cases where there are no certified products or services.
For the contracting of security services, the provisions of the previous sections and the provisions of article 16 will apply.
12. MINIMUM PRIVILEGE (ART. 20)
Information systems must be designed and configured granting the minimum privileges necessary for their correct performance, which implies incorporating the following aspects:
- The system will provide the essential functionality for the organization to achieve its competency or contractual objectives.
- The operation, administration and activity registration functions will be the minimum necessary, and it will be ensured that they are only carried out by authorized people, from locations or equipment that are also authorized.
- Functions that are unnecessary or inappropriate for the intended purpose will be eliminated or deactivated by controlling the settings. Ordinary use of the system must be simple and safe, so that unsafe use requires a conscious act on the part of the user.
- Security configuration guides will be applied for the different technologies, adapted to the categorization of the system, in order to eliminate or disable functions that are unnecessary or inappropriate.
13. INTEGRITY AND UPDATING OF THE SYSTEM (ART. 21)
The inclusion of any physical or logical element in the updated catalog of system assets, or its modification, will require formal authorization from the Insulcloud Security Manager.
Permanent evaluation and monitoring will make it possible to adapt the security status of the systems based on configuration deficiencies, identified vulnerabilities and updates that affect them, as well as early detection of any incident that occurs on them. Responsibility will be borne by the security manager of Insulcloud.
14. PROTECTION OF STORED INFORMATION AND IN TRANSIT (ART. 22)
In the organization and implementation of security, special attention will be paid to the information stored or in transit through portable or mobile equipment or devices, peripheral devices, information carriers and communications over open networks, which must be analyzed especially to achieve adequate protection.
Procedures will be applied that guarantee the recovery and long-term conservation of electronic documents produced by the information systems included in the scope of application of this royal decree, when this is required.
All information in non-electronic support that has been a direct cause or consequence of the electronic information referred to in this royal decree must be protected with the same degree of security as this. To do this, the measures that correspond to the nature of the support will be applied, in accordance with the applicable regulations.
15. PREVENTION AGAINST OTHER INTERCONNECTED INFORMATION SYSTEMS (ART. 23)
The perimeter of the information system will be protected, especially if it is connected to public networks as defined in Law 9/2014, of May 9, General Telecommunications, reinforcing the tasks of prevention, detection and response to security incidents.
16. REGISTRATION OF ACTIVITY AND DETECTION OF HARMFUL CODE (ART. 24)
With the purpose of satisfying the purpose of this royal decree, with full guarantees of the right to honor, personal and family privacy and the self-image of those affected, and in accordance with the regulations on the protection of personal data, public functions or labor, and other applicable provisions, the activities of the users will be recorded, retaining the information strictly necessary to monitor, analyze, investigate and document improper or unauthorized activities, allowing the person acting to be identified at all times.
In order to preserve the security of information systems, and in accordance with the provisions of the General Data Protection Regulation and respect for the principles of purpose limitation, data minimization and limitation of the retention period stated therein, the subjects included in article 2 may, to the extent strictly necessary and proportionate, and solely for the purposes of information security, analyze incoming or outgoing communications, so that it is possible to prevent unauthorized access to networks and information systems, stop denial-of-service attacks, and prevent the malicious distribution of harmful code as well as other damage to the aforementioned networks and information systems.
To correct or, where appropriate, demand responsibilities, each user who accesses the information system must be uniquely identified, so that it is known, at all times, who receives access rights, what type they are, and who has carried out a certain activity.
17. SECURITY INCIDENTS (ART. 25)
The entity that owns the information systems within the scope of this royal decree will have security incident management procedures in accordance with the provisions of article 33 and the corresponding Technical Security Instruction and, in the case of an essential service operator or a digital service provider, in accordance with the provisions of the annex to Royal Decree 43/2021, of January 26, which develops Royal Decree-Law 12/2018, of September 7, on security of networks and information systems.
Likewise, there will be detection mechanisms, classification criteria, analysis and resolution procedures, as well as communication channels to interested parties and a record of actions. This log will be used for continuous improvement of system security.
18. CONTINUITY OF ACTIVITY (ART. 26)
The systems will have backup copies and the necessary mechanisms will be established to guarantee the continuity of operations in the event of loss of the usual means.
19. CONTINUOUS IMPROVEMENT OF THE SECURITY PROCESS (ART. 27)
The comprehensive security process implemented must be continually updated and improved. To this end, the criteria and methods recognized in national and international practice relating to information technology security management will be applied.
20. DOCUMENTARY REFERENCE
- IC_Policy Inventory_v1
- IC_Security Regulations_v1
21. CHANGE CONTROL
ISO 27001 update - ENS
Miguel Uña Vázquez
Initial version of the procedure