1. APPROVAL AND ENTRY INTO FORCE
Text (excerpt) approved on October 14, 2021. This Information Security Policy is effective from that date and until it is replaced by a new Policy.
2. INTRODUCTION
SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. depends on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or services provided.
The objective of information security is to ensure the quality of information and the continued provision of services, acting preventively, monitoring daily activity and reacting promptly and diligently to incidents.
ICT systems must be protected against rapidly evolving threats that have the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure the continued delivery of services. This implies that departments must implement the minimum security measures required by the UNE ISO/IEC 27001 standard, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.
The different departments must ensure that ICT security is an integral part of every stage of the system’s life cycle, from its conception to its decommissioning, through development or procurement decisions and operational activities. Security requirements and funding needs should be identified and included in planning, requests for bids, and bidding documents for ICT projects.
Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with security regulations.
3. SCOPE
The General Scope of the information systems associated with the business processes that are subject to certification under the UNE ISO/IEC 27001 standard is as follows: “Maintenance service and proactive monitoring of the telecommunications infrastructure of its customers.”
4. MISSION, COMMITMENT AND LEADERSHIP
The Management of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. is committed to facilitating and providing the necessary resources for the establishment, implementation, maintenance and improvement of the Information Security Management System, and to demonstrating leadership and commitment to it through the constitution of the Security Committee and the definition of its functions and responsibilities. The mission of this Management is to:
- Maintain full legal compliance.
- Promote training and awareness plans.
- Maintain optimal reputational levels.
- Efficiently and effectively manage security incidents.
- Develop an adequate and transparent communication policy.
- In general, preserve the confidentiality, integrity and availability of information.
This commitment extends to the interested parties described in the context of the ISMS, to satisfy their interests and expectations in information security.
5. REGULATORY FRAMEWORK
SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. is subject to, but not limited to, the following rules and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and guarantee of digital rights.
- Law 34/2002, of July 11, 2002, on information society services and electronic commerce.
- Royal Legislative Decree 1/1996, of April 12, 1996, Intellectual Property Law.
- Law 10/2010, of April 28, 2010, on the prevention of money laundering and financing of terrorism.
- Royal Decree 3/2010, of January 8, 2010, which regulates the National Security Scheme in the field of Electronic Administration.
- Law 9/2014, of May 9, 2014, General Telecommunications Law.
- Law 25/2007, of October 18, 2007, on the conservation of data relating to electronic communications and public communications networks.
6. ISMS SECURITY OBJECTIVES
SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L., in order to comply with the main body of the UNE ISO/IEC 27001 standard and its Annex A, which contain the basic principles and minimum requirements, has implemented various security measures proportional to the nature of the information and services to be protected, taking into account its risk analysis and its statement of applicability.
7. PERSONNEL OBLIGATIONS
All members of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. have the obligation to know and comply with this Information Security Policy and the Security Regulations; it is the responsibility of the Security Committee to provide the necessary means to ensure that this information reaches those affected.
All members of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. will attend an ICT security awareness session at least once a year. A continuous awareness program will be established to reach all members of SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L., in particular new members.
Persons with responsibility for the use, operation or administration of ICT systems shall be trained in the safe operation of the systems to the extent that they need it to perform their work. Training shall be mandatory prior to assuming a responsibility, whether it is their first assignment or a change of job or job responsibilities.
8. THIRD PARTIES
When SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. provides services to third parties, those third parties will be informed of this Information Security Policy, channels will be established for reporting and coordination between the respective Security Committees, and procedures will be established to react to security incidents.
When SOLUCIONES Y SERVICIOS TELEMÁTICOS S.L. subcontracts services to third parties or transfers information to third parties, in the context of providing services to third parties, those third parties will be informed of this Security Policy and of the Security Regulations relating to such services or information. Said third parties shall be subject to the obligations set forth in said regulations, and may develop their own operating procedures to comply with them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that the personnel of third parties are adequately security-aware, at least to the same level as that established in this Policy.
Where any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Officer will be required specifying the risks incurred and how they will be addressed. Approval of this report will be required from those responsible for the information and services affected before proceeding further.