1. Approval and Entry into Force

This Information Security Policy takes effect on the date of its signature and remains in force until it is replaced by a new version.


2. Mission of the Organisation

COMPASSDIGITAL S.L., in order to achieve its objectives, affirms its commitment to information security and undertakes to manage information properly so as to provide all stakeholders with the highest guarantees regarding the security of the information it handles.

The information systems that support this information must be managed diligently, adopting appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

The objective of information security is to guarantee the quality of information and the continuous delivery of services by acting preventively, monitoring daily activity, and responding promptly to incidents.

ICT systems must be protected against rapidly evolving threats that may affect the confidentiality, integrity, availability, intended use and value of information and services. Defending against these threats requires a strategy that adapts to changes in the environment so that services continue to be provided. Departments must therefore apply the minimum security measures required by the National Security Framework (ENS, Royal Decree 311/2022), continuously monitor service levels, follow and analyse reported vulnerabilities, and prepare an effective incident response to ensure service continuity.

The different departments must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, procurement requests, and tender specifications for ICT projects.

Departments must be prepared to prevent, detect, respond to, and recover from incidents in accordance with Article 8 of the ENS (Prevention, Detection, Response, and Preservation).


3. Scope

This Policy applies, without exception, to all ICT systems of the organisation and to all members of the company involved in services and projects for the public sector that require compliance with the ENS.


4. Objectives

Based on the above, Management establishes the following information security objectives:

  • Provide a framework to increase resilience and ensure an effective response capability.

  • Ensure the rapid and efficient recovery of services in the event of any physical disaster or contingency that may jeopardise operational continuity.

  • Prevent information security incidents whenever technically and economically feasible, as well as mitigate the information security risks generated by our activities.

  • Guarantee the confidentiality, integrity, availability, authenticity, and traceability of information.

5. Regulatory Framework

A further objective is to comply with the applicable legal requirements, any other obligations we have subscribed to and the commitments made to clients, and to keep this framework continuously up to date. The legal and regulatory framework under which we operate includes:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR).

  • Organic Law 3/2018 of 5 December on Personal Data Protection and Guarantee of Digital Rights.

  • Royal Legislative Decree 1/1996 of 12 April approving the consolidated text of the Intellectual Property Law.

  • Law 2/2019 of 1 March amending the consolidated text of the Intellectual Property Law approved by Royal Legislative Decree 1/1996.

  • Royal Decree 311/2022 of 3 May regulating the National Security Framework (ENS).

  • Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI).

  • Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations.

  • Law 40/2015 of 1 October on the Legal Regime of the Public Sector.

  • Resolution of 7 October 2016 approving the Security Technical Instruction on the State Security Report.

  • Resolution of 13 October 2016 approving the Security Technical Instruction on Compliance with the ENS.

  • Resolution of 27 March 2018 approving the Security Technical Instruction on Information Systems Security Audits.

  • Resolution of 13 April 2018 approving the Security Technical Instruction on Security Incident Notification.

  • Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act).

6. Development

In order to achieve these objectives, it is necessary to:

  • Continuously improve our Information Security Management System.

  • Identify potential threats, as well as the impact such threats could have on business operations if materialised.

  • Preserve the interests of key stakeholders (clients, shareholders, employees, and suppliers), the company’s reputation, brand, and value-creation activities.

  • Work jointly with suppliers and subcontractors to improve IT service delivery, service continuity, and information security, resulting in greater operational efficiency.

  • Assess and ensure the technical competence of personnel, as well as their motivation to participate in the continuous improvement of processes by providing adequate training and internal communication.

  • Ensure the proper condition of facilities and adequate equipment aligned with the company’s activities, objectives, and goals.

  • Continuously analyse all relevant processes and establish improvements based on results obtained and defined objectives.

  • Structure our management system so that it is easy to understand.

Management of the system is entrusted to the IT Systems Manager. The system documentation is held in the company's information system repository and is accessible according to the access profiles granted under the current access management procedure.

Security documentation is organised in folders on the company's file server, structured by standard sections and operational frameworks and containing procedures, records and evidence. Access is restricted to authorised company personnel; external access is not permitted.

Security documentation is structured as follows:

  • Security Policy.

  • Security regulations: documents describing the use of equipment, services, and facilities, including improper use, personnel responsibilities, rights, duties, and disciplinary measures according to current legislation.

  • Specific documents: security documentation developed according to applicable CCN-STIC guidelines.

  • Security procedures: documents detailing how to operate system elements.

This policy is complemented by all other current policies, procedures, and documents developed as part of our management system.


7. Security Organisation

The primary responsibility lies with the General Management of the organisation, as it is responsible for organising functions and responsibilities and providing adequate resources to achieve ENS objectives. Managers are also responsible for setting an example by complying with established security standards.

Management assumes these principles, provides employees with the means and resources needed to comply with them, and makes them publicly known through this Information Security Policy.

The defined security roles and their duties and responsibilities are:

  • Information Owner (RINFO): makes decisions regarding the information processed.

  • Service Owner (RSER): makes decisions regarding the services provided and their requirements.

  • Security Manager (RSEG or CISO): determines the suitability of the technical security measures and ensures the service is supported by the most appropriate technology.

  • System Owner (RSIS): coordinates system implementation and continuous improvement.

  • Management: provides the necessary resources and leads the system.

  • Security Administrator (AS): implements, manages and maintains the security measures.

This definition of duties and responsibilities is complemented by job profiles and the system documents related to roles and responsibilities.

Conflict Resolution

Any differences of opinion that may lead to conflict shall be addressed within the Security Committee, and the decision of General Management prevails in all cases.


8. Security Committee

The Security Management and Coordination Committee (hereinafter, the Security Committee) is the body with the highest responsibility within the Information Security Management System; all major security-related decisions are agreed within it.

The members of the Security Committee are:

  • Security Manager

  • System Owner

  • Service Owner

  • Information Owner

Members are appointed, renewed and dismissed exclusively by the Committee itself; appointments and renewals are ratified within the Security Committee.

Within the scope of the Information Security Management System, the Security Committee is an executive body with its own decision-making authority and is not subordinate to any other body in the company, without prejudice to the conflict resolution rule in section 7, under which the decision of General Management prevails.

The Information Security Organisation is further developed in the complementary document: Security Organisation Policy.

This policy is complemented by all other policies, procedures, and documents currently in force for the development of our management system.


9. Risk Management

All systems within the scope of this Policy shall be subject to a risk analysis that assesses the threats and risks to which they are exposed. The analysis shall be reviewed regularly:

  • At least once a year.

  • Whenever the information handled changes.

  • Whenever the services provided change.

  • Whenever a serious security incident occurs.

  • Whenever serious vulnerabilities are reported.

To harmonise risk analyses, the Security Committee shall establish reference values for the different types of information handled and services provided. The Committee shall also promote the availability of resources to meet the security needs of the different systems through horizontal investments.

Risk analyses shall be carried out according to the methodology defined in the Risk Analysis Procedure.


10. Personnel Management

All members of COMPASSDIGITAL S.L. are required to know and comply with this Information Security Policy and the Security Regulations. The Security Committee is responsible for ensuring that the necessary means are available for this information to reach all affected parties.

All members of COMPASSDIGITAL S.L. shall attend an ICT security awareness session at least once a year. A continuous awareness programme shall also be established for all members of the company, especially new employees.

Individuals responsible for the use, operation, or administration of ICT systems shall receive appropriate training for the secure handling of systems according to their responsibilities. Training shall be mandatory before assuming responsibilities, whether for a first assignment or a change of role.


11. Professionalism and Human Resources Security

This Policy applies to all COMPASSDIGITAL S.L. personnel and external personnel performing tasks within the company.

Human Resources shall include information security functions within job descriptions, inform all personnel of their obligations regarding compliance with the Information Security Policy, manage confidentiality agreements, and coordinate user awareness and training activities.

The Security Manager (RSEG or CISO) is responsible for monitoring, documenting and analysing reported security incidents, and for communicating with the Security Committee and the information owners.

The Security Committee shall implement the necessary channels and mechanisms for incident reporting and management, and shall oversee investigations and incident resolution.

All personnel are responsible for promptly reporting weaknesses and security incidents.

The objectives of personnel security controls are:

  • Reduce risks of human error, irregularities, misuse of facilities and resources, and unauthorised handling of information.

  • Explain security responsibilities during recruitment and verify compliance throughout employment.

  • Ensure users are aware of threats and trained to support the Information Security Policy.

  • Establish confidentiality commitments with all personnel and external users.

  • Provide mechanisms for reporting security weaknesses and incidents to minimise their impact and prevent recurrence.


12. Authorisation and Access Control to Information Systems

The objectives of access control are to:

  • Prevent unauthorised access to information systems, databases, and information services.

  • Implement secure user access through authentication and authorisation techniques.

  • Control security in connections between the COMPASSDIGITAL S.L. network and other public or private networks.

  • Review critical events and activities carried out by users in systems.

  • Raise awareness of responsibilities regarding password and equipment usage.

  • Ensure information security when laptops and personal devices are used for remote work.


13. Product Acquisition

Departments must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, procurement requests, and tender specifications.

Information security shall also be considered in the acquisition and maintenance of information systems by limiting and managing change.

The policy governing development and acquisition of information systems is detailed in the document: Information Systems Acquisition, Development, and Maintenance Policy.


14. Security by Default

COMPASSDIGITAL S.L. considers it strategic for information security to be integrated into all processes throughout their lifecycle. Information systems and services must incorporate security by default from creation to retirement, including development and acquisition decisions and all operational activities, making security an integral and transversal process.


15. System Integrity and Updating

COMPASSDIGITAL S.L. ensures system integrity through a change management process under which changes to physical or logical elements require prior authorisation before installation. Proposed changes shall be evaluated mainly by the Systems Management department, which assesses their impact on system security before they are implemented and documents those changes considered significant or security-related.

Periodic security reviews shall assess the security status of systems against manufacturer specifications, known vulnerabilities and relevant updates, and respond diligently to manage the resulting risks.


16. Protection of Stored and Transmitted Information

COMPASSDIGITAL S.L. establishes protection measures for information stored in or transmitted through insecure environments. Insecure environments include portable devices (such as PDAs), peripheral devices, removable storage media, and communications over open networks or networks using weak encryption.


17. Prevention in Interconnected Information Systems

COMPASSDIGITAL S.L. establishes protection measures for information security, in particular to protect the perimeter when systems are connected to public networks, especially networks used mainly to provide electronic communication services available to the public.

Risks arising from system interconnections through networks with other systems shall always be analysed, and connection points shall be controlled.


18. Business Continuity

To guarantee business continuity, COMPASSDIGITAL S.L. establishes measures to ensure systems have backup copies and the mechanisms necessary to maintain operational continuity in the event of the loss of usual working resources.


19. Continuous Improvement of the Security Process

COMPASSDIGITAL S.L. establishes a process for the continuous improvement of information security, applying the criteria and methodology established in international standards such as ISO/IEC 27001.