ENS Information Security Policy

1. Approval and Entry into Effect

Text approved on Sept 06, 2024 by the Management of nettaro. This Information Security Policy is effective from that date until it is replaced by a new policy.

2. Introduction

nettaro relies on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them from accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity, or traceability of the information processed or the services provided.

The objective of Information Security is to guarantee the quality of information and the continuous provision of services, acting preventively, monitoring daily activity and reacting promptly to incidents. 

ICT systems must be protected against rapidly evolving threats that can affect the confidentiality, integrity, availability, authenticity and traceability of the information and services, and therefore their intended use and value. Defending against these threats requires a strategy that adapts to changing conditions in order to ensure the continuous delivery of services.

This implies implementing the security measures required by the National Security Scheme and the Organic Law on Data Protection and the European Data Protection Regulation, as well as continuous monitoring of service provision levels, tracking and analyzing reported vulnerabilities, and preparing an effective response to incidents to ensure the continuity of the services provided. 

nettaro must ensure that information security is an integral part of every stage of a system's life cycle, from its conception to its decommissioning, including development or procurement decisions and operational activities. Security requirements and the funding they need must be identified and included in the planning, requests for bids and bidding documents for ICT projects.

nettaro must be prepared to prevent, detect, react and recover from incidents, in accordance with the National Security Scheme and the Organic Law on Data Protection. 

This Security Policy follows the indications of the guide CCN-STIC-805 of the National Cryptologic Center, a center attached to the National Intelligence Center. 

2.1. Prevention

nettaro must prevent, or at least minimize as far as possible, damage to its information or services caused by security incidents. To this end, the minimum security measures required by the ENS, the RGPD and the LOPD must be implemented, together with any additional control identified as threats and risks evolve.

These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. 

To ensure compliance with the policy, nettaro must:

  • Authorize systems before going into operation.
  • Regularly assess security, including assessments of configuration changes made on a routine basis.
  • Request periodic review by third parties in order to obtain an independent assessment. 

2.2. Detection

Since an incident can degrade a service rapidly, from a simple slowdown to a complete stoppage, service operation must be monitored continuously in order to detect anomalies in service delivery levels and to act accordingly, as established in Article 8 of the ENS (prevention, detection, response and preservation).

Monitoring is especially relevant when establishing lines of defense in accordance with Article 9 of the ENS. Detection, analysis and reporting mechanisms shall be established that reach those responsible both on a regular basis and whenever there is a significant deviation from the parameters pre-established as normal.

2.3. Response

nettaro:

  • Establishes mechanisms to respond effectively to security incidents.
  • Designates a point of contact for communications regarding detected incidents.
  • Establishes protocols for the exchange of incident-related information with customers and suppliers.

2.4. Recovery

To ensure the availability of critical services, nettaro develops ICT systems continuity plans as part of its overall business continuity plan and recovery activities. 

3. Scope

The information systems that support the provision of the IT Services: Application Performance Monitoring (APM), Software Asset Management (SAM), Cybersecurity, Architecture and Cloud Managed Services, as defined in the current categorization document.

4. Mission

The Management of nettaro, aware of its commitment to its customers and of the importance of comprehensive security, has established in the organization an Information Security Management System based on Royal Decree 311/2022, of May 3, which regulates the National Security Scheme, with the following objectives:

  • Information must receive an adequate level of protection based on classification guidelines (according to its value, legal requirements, sensitivity and criticality).
  • Information security takes into account compliance with current legislation and contractual requirements.
  • Security measures must be applied with a risk management-oriented approach, with the goal of meeting the security requirements across the five dimensions (confidentiality, integrity, availability, authenticity and traceability).
  • Information Security is the responsibility of all nettaro personnel, who must be trained and made aware of the need to successfully fulfill their responsibilities.
  • All company personnel must maintain confidentiality of the information to which they may have access, as well as the obligation to comply with the implemented security standards and established controls.
  • The Management establishes the necessary resources for an effective maintenance of the Information Security Management System.
  • nettaro’s Information Security is periodically evaluated and reviewed to contribute to the minimization of risks and continuous improvement of the security process, and audits are conducted to ensure the effectiveness of the Information Security Management System.

5. Regulatory Framework

The laws and standards applicable to nettaro regarding Information Security are:

  • ISO/IEC 27001:2022 Information security management systems. Requirements.
  • ISO/IEC 27002:2022 Information security controls.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
  • Royal Decree 1720/2007, of December 21, 2007, on the Protection of Personal Data.
  • Royal Legislative Decree 1/1996, of April 12, 1996, approving the Revised Text of the Intellectual Property Law.
  • Royal Decree 311/2022, of May 3, regulating the National Security Scheme.

Additionally, nettaro has the R13-A Legal Requirements registry, where all the legal requirements applicable to the organization are identified and managed, ensuring its regulatory compliance in terms of information security and data protection.

6. Security Organization

6.1. Security Committee

The Security Committee coordinates Information Security at nettaro.

The Security Committee shall report to the organization and shall be formed by:

  • Management (JR)
  • Information Manager (JR)
  • Systems Manager (DV)
  • Services Manager (IP)
  • Security Manager (IP)
  • Business Office Manager (CD)

The Security Committee shall have the following functions: 

  • Promote the continuous improvement of the Information Security Management System.
  • Ensure compliance with the applicable legal, regulatory and industry standards.
  • Ensure the alignment of security activities and the organization’s objectives.
  • Regularly review the Information Security Policy.
  • Regularly report on the status of information security.
  • Resolve any conflicts of responsibility that may arise.

6.2. Roles, Functions and Responsibilities

6.2.1. Information Manager

  • Determine the security requirements of the information processed and approve the information security levels.
  • Develop, implement and maintain an Information Security Management System (ISMS) in accordance with the provisions of the National Security Scheme.
  • Supervise and evaluate information security risks.
  • Coordinate actions to ensure the confidentiality, integrity, availability, authenticity and traceability of information.
  • Collaborate with the competent authorities and with the contact point of the National Security Scheme.
  • Accept the residual risk.

6.2.2. Security Manager

  • Take the security decisions needed to meet the requirements established by the Information Manager and the Services Manager.
  • Maintain the security of the information handled and of the services provided by the information systems in their area of responsibility, in accordance with the provisions of the organization's Security Policy.
  • Determine the category of the system.
  • Elaborate the Declarations of Applicability.
  • Determine additional security measures.
  • Elaborate the risk analysis.
  • Elaborate the security configuration.
  • Maintain the System Security Documentation.
  • Approve the security operating procedures.
  • Report on the security status of the system.
  • Develop security improvement plans.
  • Develop awareness and training plans.
  • Validate the continuity plans.

6.2.3. Systems Manager

  • Develop, operate and maintain the Information System throughout its life cycle, including its specifications, installation and verification of its correct functioning.
  • Define the topology and Management System of the Information System, establishing the criteria of use and the services available in it.
  • Ensure that the specific security measures are adequately integrated within the general security framework.
  • Suspend the handling of certain information or the provision of a certain service, temporarily, when informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed with the Information Manager, the Services Manager and the Security Manager before being executed.
  • Elaborate the security operating procedures.
  • Elaborate the security improvement plans and the continuity plans.
  • Define the life cycle of the system.

6.2.4. Services Manager

  • Assess the consequences of a negative impact on the security of the services. This assessment is made according to the impact on the organization's ability to achieve its objectives, the protection of its assets, the fulfillment of its service obligations, compliance with the law and the rights of citizens.
  • Coordinate the planning, execution and monitoring of the services provided by the organization.
  • Ensure that the services provided comply with the security standards established by the National Security Scheme.
  • Collaborate with the Security Manager in risk management and in the response to incidents related to the services.
  • Determine the security levels required in each dimension.
  • Accept the residual risk.

6.3. Designation Procedure

The appointment and reporting lines are as follows:

  • Information Manager, reporting to the Security Committee.
  • Security Manager, reporting to the Management.
  • Systems Manager, reporting to the Management.
  • Services Manager, reporting to the Management.

6.4. Information Security Policy

The Management and/or the Security Committee shall review this Information Security Policy annually and propose its revision or maintenance. The policy is approved by the organization and disseminated so that all affected persons are aware of it.

7. Personal Data

The Organic Law on Data Protection (LOPD) and the RGPD seek to guarantee and protect, with regard to the processing of personal data, the public freedoms and fundamental rights of individuals, especially their honor and their personal and family privacy, and apply to personal data recorded both electronically and on paper.

The security document that regulates the data protection regulations “LOPD/RGPD Security Document” can be found in its corresponding folder. This document contains the corresponding treatments. 

All nettaro’s information systems shall comply with the security levels required by law for the nature and purpose of the personal data collected in the aforementioned Security Document.

In order to guarantee this protection, security measures have been adopted in accordance with the requirements of the applicable legislation.

Any internal or external user who, by virtue of their professional activity, may have access to personal data is obliged to keep such data secret. This duty is maintained indefinitely, even after the employment or professional relationship with nettaro has ended.

8. Risk Management

All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated: 

  • Regularly, at least once a year.
  • When the information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported. 

For the harmonization of risk analyses, the Security Committee will establish a baseline assessment for the different types of information handled and the different services provided. 

The Security Committee will facilitate the availability of the resources needed to meet the security needs of the different systems, promoting horizontal investments.

9. Development of the Information Security Policy

9.1. Guidelines for Structuring, Managing and Accessing the System Security Documentation

The management system documentation is structured in a pyramidal form, with this policy at the top.

A Manual, which describes how to comply with the different points of the National Security Scheme and refers to the documents that develop each section.

Technical Security Instructions, which describe the security policies applied to the organization’s systems.

The documents are shared with the relevant members of the organization through network folders that can be accessed in read-only mode and managed by the Security Systems Manager.

Finally, the records that serve as evidence to demonstrate compliance with the requirements established in the National Security Scheme.

This Information Security Policy complements nettaro’s security policies in different areas: 

  • POL-01 Information Security Policy (ISO 27001)

This Policy will be developed by means of security regulations that address specific aspects. The security regulations shall be available to all members of the organization who need to know them, in particular to those who use, operate or administer the information and communications systems. 

The security regulations will be available on the website https://www.nettaro.com/ and in printed form on the information board at the organization's offices.

10. Personnel Obligations

All members of nettaro are obliged to know and comply with this Information Security Policy and the Security Regulations. The Security Committee and/or the Management are responsible for arranging the means necessary to ensure that this information reaches those affected.

All nettaro members will receive security awareness training at least once a year. An ongoing awareness program will be established to serve all nettaro members, particularly new members. 

Persons responsible for the use, operation or administration of systems shall receive training in the secure operation of those systems to the extent needed to perform their work. Training shall be mandatory before assuming a responsibility, whether it is a first assignment or a change of job or of job responsibilities.

11. Third Parties

When nettaro provides services to other organizations or handles information from other organizations, they will be made aware of this Information Security Policy, channels will be established for reporting and coordination of the respective ICT Security Committees and procedures will be established to react to security incidents. 

When nettaro uses third party services or provides information to third parties, they will be made aware of this Security Policy and the Security Regulations that apply to such services or information. Such third party shall be subject to the obligations set forth in such regulations, and may develop its own operating procedures to satisfy them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that the personnel of third parties are adequately security-aware, at least to the same level as that established in this Policy. 

Where a third party cannot satisfy any aspect of the Policy as required in the preceding paragraphs, a report from the Security Manager will be required specifying the risks incurred and how they will be addressed. This report must be approved by the Information Manager and the Services Manager responsible for the affected information and services before proceeding further.

In Madrid, 6 September 2024

Managing Director of nettaro.