The purpose of this Information Security Policy is to protect INTELEQUIA's information assets by ensuring the availability, integrity and confidentiality of the information and the facilities, systems and resources that process, manage, transmit and store it, always in accordance with business requirements and current legislation.

 

- SCOPE -

 

 

Information must be protected throughout its life cycle, from its creation or reception, during its processing, communication, transport, storage, dissemination and even its eventual deletion or destruction. Therefore, the following minimum principles are established:

 

• Principle of confidentiality: information systems must be accessible only to those users, bodies and entities or processes expressly authorised to do so, with respect of the obligations of professional secrecy and confidentiality.

• Principle of integrity and quality: the integrity and quality of the information must be guaranteed, as well as the processes for processing it, establishing mechanisms to ensure that the processes for creating, processing, storing and distributing the information contribute to preserving its accuracy and correctness.

• Principle of availability and continuity: a level of availability of information systems shall be guaranteed and the necessary plans and measures shall be put in place to ensure the continuity of services and recovery from possible serious contingencies.

• Risk management principle: a continuous process of risk analysis and treatment should be articulated as a basic mechanism on which information systems security management should be based.

• Principle of proportionality in cost: the implementation of measures that mitigate the security risks of information systems should be done under an approach of proportionality in economic and operational costs, without prejudice to ensuring that the necessary resources for the information security management system are available.

• Principle of awareness and training: initiatives will be articulated to allow users to know their duties and obligations regarding the safe processing of information. Similarly, specific training in ICT security will be promoted for all those people who manage and administer information and telecommunications systems.

• Prevention principle: specific plans and lines of work will be developed to prevent fraud, non-compliance or incidents related to ICT security.

• Principle of detection and response: the services must monitor the operation continuosly to detect anomalies in the levels of service provision and act accordingly by responding effectively, through the mechanisms established for this purpose, to security incidents.

• Principle of continuous improvement: the degree of compliance with the annually planned security improvement objectives and the degree of effectiveness of the implemented ICT security controls will be reviewed, in order to adapt them to the constant evolution of the risks and the technological environment of the Public Administration.

• ICT security principle in the life cycle of information systems: security specifications shall be included in all phases of the life cycle of services and systems, accompanied by appropriate control procedures.

• Differentiated function principle: responsibility for the security of information systems shall be differentiated from responsibility for the provision of services.

The Information Security Policy is approved by the Management of INTELEQUIA and its content and that of the rules and procedures that develop it is mandatory.

• All users with access to the information processed, managed or owned by INTELEQUIA have the obligation and duty to safeguard and protect it.

• The Information Security Policy and Standards will be adapted to the evolution systems and technology and to organizational changes and will be aligned with current legislation and with the standards and best practices of ISO/IEC 27001:2014.

• The security measures and applicable physical, administrative and technical controls will be detailed in the Applicability Document and INTELEQUIA shall establish a planning for their implementation and management.
  

• The security measures and controls established shall be proportional to the criticality of the information to be protected and its classification.
  

• Users who fail to comply with the Information Security Policy or complementary rules and procedures may be sanctioned in accordance with the provisions of the contracts covering their relationship with INTELEQUIA and with current and applicable legislation.
  

 

- LEGAL REQUIREMENTS -

 

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (RGPD).

• Organic Law 3/2018 of 5 December on Data Protection and Guarantee of Digital Rights (OLDDPGDR, LOPDGDD in Spanish).

• Real Legislative Decree 1/1996 of April 12, 1996, Law on Intellectual Property.
  

• Law 34/2002 of 11 July, on information society services and electronic commerce.

• Law 2/2019, of March 1, which amends the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12, 1996, and which incorporates into Spanish law Directive 2014/26/EU of the European Parliament and COuncil, of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and Council, of September 13, 2017.
  

 

- INFORMATION CLASSIFICATION -

 

The information shall be classified according to the sensitivity required in its processing and the levels of security and protection required.

 

 

- ROLES, RESPONSIBILITIES AND DUTIES -

 

The management assigns and communicates the responsibilities, authorities and roles regarding information security. It will also ensure that users are aware of, assume, and exercise the responsibilities, authorities, and roles assigned.

 

 

- SECURITY RISK ASSESSMENT -

 

 

- PROJECTS -

 

 

 

 

 

- AWARENESS, DISSEMINATION AND TRAINING -

 

 

 

 

- SECURITY INCIDENT RESPONSE -