Information is a critical and essential asset of great value for the development of INTELEQUIA's activity. This asset must be adequately protected, by means of the necessary security measures, against the threats that may affect it, regardless of the formats, supports, transmission media, systems, or persons that intervene in its knowledge, processing or treatment.
The purpose of this Information Security Policy is to protect INTELEQUIA's information assets by ensuring the availability, integrity and confidentiality of the information and the facilities, systems and resources that process, manage, transmit and store it, always in accordance with business requirements and current legislation.
- SCOPE -
The scope of the Information Security Management System includes the information systems that support the development, infrastructure, support and training services that are carried out at the headquarters located in Santa Cruz de Tenerife, Avenida Manuel Hermoso Rojas 4, Tower I, Office 8, property of INTELEQUIA.
This Information Security Policy applies to all persons, systems and means that access, treat, store, transmit or use the information known, managed or owned by INTELEQUIA for the described processes.
The personnel subject to this policy includes all persons with access to the information described, regardless of whether or not the information is automated and whether or not the individual is an employee of INTELEQUIA. Therefore, it also applies to contractors, customers or any other third party that has access to INTELEQUIA's information systems.
To ensure that the implemented security process is continuously updated and improved, an Information Security Management System will be implemented and documented. In this way, the content of the Information Security Policy will be developed into complementary security standards and procedures.
- OBJECTIVES AND FOUNDATIONS OF THIS POLICY -
Information must be protected throughout its life cycle, from its creation or reception, during its processing, communication, transport, storage, dissemination and even its eventual deletion or destruction. Therefore, the following minimum principles are established:
- Principle of confidentiality: information systems must be accessible only to those users, bodies, entities or processes expressly authorised to do so, respecting the obligations of professional secrecy and confidentiality.
- Principle of integrity and quality: the integrity and quality of the information must be guaranteed, as well as that of the processes that handle it, establishing mechanisms to ensure that the processes for creating, processing, storing and distributing the information contribute to preserving its accuracy and correctness.
- Principle of availability and continuity: a level of availability of information systems shall be guaranteed and the necessary plans and measures shall be put in place to ensure the continuity of services and recovery from possible serious contingencies.
- Risk management principle: a continuous process of risk analysis and treatment should be articulated as a basic mechanism on which information systems security management should be based.
- Principle of proportionality in cost: the implementation of measures that mitigate the security risks of information systems should be done under an approach of proportionality in economic and operational costs, without prejudice to ensuring that the necessary resources for the information security management system are available.
- Principle of awareness and training: initiatives will be articulated to allow users to know their duties and obligations regarding the safe processing of information. Similarly, specific training in ICT security will be promoted for all those people who manage and administer information and telecommunications systems.
- Prevention principle: specific plans and lines of work will be developed to prevent fraud, non-compliance or incidents related to ICT security.
- Principle of detection and response: the services must monitor operation continuously to detect anomalies in the levels of service provision and act accordingly, responding effectively to security incidents through the mechanisms established for this purpose.
- Principle of continuous improvement: the degree of compliance with the annually planned security improvement objectives and the degree of effectiveness of the implemented ICT security controls will be reviewed, in order to adapt them to the constant evolution of the risks and the technological environment of the Public Administration.
- ICT security principle in the life cycle of information systems: security specifications shall be included in all phases of the life cycle of services and systems, accompanied by appropriate control procedures.
- Differentiated function principle: responsibility for the security of information systems shall be differentiated from responsibility for the provision of services.
The Information Security Policy is approved by the Management of INTELEQUIA and its content and that of the rules and procedures that develop it is mandatory.
- All users with access to the information processed, managed or owned by INTELEQUIA have the obligation and duty to safeguard and protect it.
- The Information Security Policy and Standards will be adapted to the evolution of systems and technology and to organizational changes, and will be aligned with current legislation and with the standards and best practices of ISO/IEC 27001:2014.
- The applicable physical, administrative and technical security measures and controls will be detailed in the Applicability Document, and INTELEQUIA shall establish a plan for their implementation and management.
- The security measures and controls established shall be proportional to the criticality of the information to be protected and its classification.
- Users who fail to comply with the Information Security Policy or complementary rules and procedures may be sanctioned in accordance with the provisions of the contracts covering their relationship with INTELEQUIA and with current and applicable legislation.
- LEGAL REQUIREMENTS -
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (RGPD).
- Organic Law 3/2018 of 5 December on Data Protection and Guarantee of Digital Rights (OLDDPGDR, LOPDGDD in Spanish).
- Royal Legislative Decree 1/1996 of April 12, 1996, Law on Intellectual Property.
- Law 34/2002 of 11 July, on information society services and electronic commerce.
- Law 2/2019, of March 1, which amends the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12, 1996, and which incorporates into Spanish law Directive 2014/26/EU of the European Parliament and Council, of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and Council, of September 13, 2017.
- INFORMATION CLASSIFICATION -
The information shall be classified according to the sensitivity required in its processing and the levels of security and protection required.
- ROLES, RESPONSIBILITIES AND DUTIES -
Management assigns and communicates the responsibilities, authorities and roles regarding information security. It will also ensure that users are aware of, assume and exercise the responsibilities, authorities and roles assigned to them.
- SECURITY RISK ASSESSMENT -
Knowing the risks and developing a strategy to manage them properly is essential for INTELEQUIA, since only if the security status is known can appropriate decisions be taken to mitigate the risks it faces.
The Magerit methodology will be used to analyse the risks. Therefore, a detailed analysis of the risks affecting the assets listed in an asset inventory will be performed and documented in a Risk Analysis document.
The entity must determine the risk levels at which it will take treatment action. A risk is considered acceptable when implementing additional security controls is estimated to consume more resources than the possible associated impact.
Once the risk assessment process has been carried out, INTELEQUIA's management will be responsible for approving the residual risks and the risk treatment plans.
- PROJECTS -
All projects related to or affecting information systems should include, in their analysis process, an assessment of security requirements and define a security model agreed with the Information Security Officer.
In the design, development, installation and management of information systems and projects, security will be taken into account and applied from the design stage, through secure coding and through the controls and security measures that are appropriate according to the Applicability Document approved by INTELEQUIA.
All contracts and acquisitions involving or requiring access to, or processing of, information classified as non-public shall be made under a contract that includes clauses designed to safeguard the confidentiality, integrity and availability of the information.
In those cases in which the contracted services involve access to or processing of personal data by the provider, the contract must include the clauses required for compliance with the Organic Law on the Protection of Personal Data and its implementing regulations, as well as the future development of the European Data Protection Regulation.
Companies and persons who, for the purpose of contracting services or acquisitions of any kind, have access to confidential information or information for internal use, must be aware of the Information Security Policy and the complementary rules and procedures applicable to the object of the contract.
External companies and persons accessing INTELEQUIA's information must consider such information, by default, as confidential. The only information that may be considered non-confidential is that obtained through public media.
- AWARENESS, DISSEMINATION AND TRAINING -
This Information Security Policy must be known by all internal and external users and by the companies that access, manage or process INTELEQUIA's data.
The set of policies, rules and procedures complementary to this Information Security Policy must also be adequately communicated and made known to the persons, companies and institutions affected or involved in each case.
Communication, awareness and training programmes will be defined periodically and users will be given a copy of the corresponding regulations.
- SECURITY INCIDENT RESPONSE -
Any compromise of the confidentiality, integrity or availability of INTELEQUIA's information is considered a security incident. This includes, but is not limited to, unauthorized access, deletion, destruction, modification or interruption of availability. Mere attempts to compromise the above conditions, to prevent, alter or modify security measures, or violations or breaches of the Information Security Policy or complementary rules and procedures are also considered security incidents.
Users are responsible for immediately reporting any security incident through the channels and procedures defined in the organization for the communication of incidents.
- REVIEW AND AUDITS -
The Information Security Officer shall review this policy annually, or whenever significant changes occur that make it advisable, and shall submit it again for management approval.
The reviews will check the effectiveness of the policy, assessing the effects of technological and business changes.
Management shall be responsible for approving the necessary amendments to the text when a change occurs that affects the risk situations set out in this document.
The security management system shall be audited every year, according to an audit plan developed by the Information Security Officer.