Information Security Policy
For nearly all business processes carried out by the entities comprising PONS, information is the essential guiding principle for executing them with guarantees of efficiency and quality, thereby achieving the strategic objectives formally set forth by Management.
The main aspects of information security that must be guaranteed when executing any business process are the following:
- Confidentiality: Ensuring that information can only be accessed by authorised individuals, entities or processes.
- Integrity: Ensuring that information is generated, modified and deleted only by authorised individuals, entities or processes.
- Availability: Ensuring that information can be accessed when authorised individuals, entities or processes require it.
- Traceability Ensuring that information related to access and the activity carried out by individuals, entities or processes is available in order to conduct any necessary analysis of abnormal behaviour patterns.
Furthermore, other aspects of security are presented, such as the authentication of parties or non-repudiation, which must likewise be guaranteed when required by the security value of information in the business process that stores, processes or transmits it.
The Information Security Policy is based on clear, well-defined principles that ensure compliance with the strategic guidelines, legal requirements, as well as the contractual requirements formalised with third parties or stakeholders. As such, this Policy is established as the main instrument used by PONS to ensure the secure use of information and communications technologies.
The regulations (security standards, procedures and instructions) that originate or derive from the PONS Information Security Policy shall become part of the same once it has been disclosed, and all employees and third parties that use said information must abide by it.
Employees shall be responsible for guaranteeing the security of the information they process, store or transmit while they perform their duties, and they must know, understand and comply with the guidelines and rules related to information security, ensuring the correct application of the protective measures enabled.
Access to information by employees shall be limited to what is strictly required for them to correctly perform their formally assigned duties, thereby guaranteeing compliance with the principle of least privilege. Therefore, those responsible for information who are identified in the different entities that comprise PONS shall take into account all technical and organisational security measures to define and maintain the appropriate privileges for access to information, depending on the tasks of each position.
Failure to comply with the Information Security Policy guidelines could lead to internal administrative sanctions.
Management shall ensure that this Information Security Policy is understood and implemented in all entities belonging to PONS, providing the necessary resources to achieve the objectives defined in this framework for action.
he Information Security Policy is established as the high-level document that formalises the different security action guidelines adopted by PONS, and which shall be discussed in greater detail in the corresponding security regulations drawn up for such purposes.
Under this premise, the Information Security Policy therefore focuses on the following main objectives:
- Compliance with applicable legal regulations in the area of information security that has an impact on the context of the main activity carried out.
- Contributing to fulfilling the formally established mission and strategic objectives.
- Guaranteeing that the different information assets are suitably protected based on the degree of sensitivity and criticality achieved by the same (security value of the information assets according to the different aspects considered, and this security value being formalised in the corresponding Information Value Model).
- Aligning information security with the requirements of the business by formalising and executing the process of analysing and evaluating the risks to which the different information assets are exposed, defining a strategy to mitigate the risks related to the scope of information security
- Guaranteeing effective responsiveness to potential information security incidents, minimising the respective operational, financial and reputational impact.
- Facilitating the dimensioning of the resources required to correctly implement the technical and organisational security measures included in the security regulations documented for such purposes.
- Promoting the use of good practices in information security, as well as creating a culture of security in the context of the organisational structure.
- Advancing the definition, implementation and maintenance of a Business Continuity Plan for the critical processes identified.
- Establishing review, monitoring, auditing and continuous improvement mechanisms with the aim of maintaining the appropriate security levels required by the business model.
The scope of the Information Security Policy considers all information assets existing in the different entities that comprise PONS and which act as support infrastructure for potentially executing their business processes.
4. REGULATORY FRAMEWORK
The formalisation of the Information Security Policy, in addition to the security regulations derived from it, shall take into consideration and incorporate the following applicable legal regulations:
- Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter GDPR – General Data Protection Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Organic Law 3/2018 of 5 December 2018 on Protection of Personal Data and Guarantee of Digital Rights (hereinafter Law 3/2018).
- Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (hereinafter LSSICE).
The fundamental principles that must be considered when guaranteeing the aspects of information security are prevention, detection, response and recovery, so that potential existing threats do not occur or, if they do occur, they do not seriously affect the information required to execute business processes, remaining at acceptable levels in relation to the impact caused.
As a primary principle of security, it is necessary to prevent and avoid, to the extent possible, business information from being affected by security incidents. To do so, preventive security measures must be prioritised in the implementation strategy considered after executing the risk analysis and evaluation process. These controls, as well as the formalised roles and responsibilities relating to security which aim to be properly implemented, must be clearly defined and documented.
Given that, inevitably and regardless of the formalisation of a preventive security strategy, information assets may be affected by the occurrence of security threats (security incidents), it is essential to continuously monitor the operation to detect anomalies in the levels of service provision and to act accordingly.
This monitoring action is especially important when lines of defence are established in the terms considered by the good practices of reference in information security and, therefore, act as early warning mechanisms.
In the event that a failure is directly attributed to security incidents, the appropriate reporting mechanisms must be established, notifying the Security Manager so that he may analyse and investigate the root cause together with the incident response teams
Mechanisms must be established to effectively respond to security incidents. Thus, depending on the type of incident that has occurred, the appropriate response plan must be formalised.
To guarantee the continuity of critical processes, for which, in certain cases, incident response plans are not applicable, contingency plans for information and communications systems must be developed as part of the organisation’s general business continuity plan and recovery activities
6. RISK APPROACH
The information assets that make up the scope of this Security Policy are subject to a risk analysis and evaluation, with the aim of identifying the potential threats to which they are exposed, evaluating the impact associated with the possible occurrence of such threats and determining the risk situations that could arise.
The result of this risk analysis and evaluation will make it possible to identify and propose suitable security measures as a risk mitigation strategy.
This risk analysis addresses the following main characteristics:
- It is based on the implementation of risk management rules and methodologies recognised as good practices at a national and international level.
- It establishes a reference valuation for the information (Information Value Model), so that consistent results are obtained when executing activities inherent to risk analysis
- It is carried out on a yearly basis, or when the following scenarios occur:
· Substantial modification of the managed information or assets that act as a support for business processes.
· Identification of new attack vectors, threats or vulnerabilities associated with the information asset.
The Information Security Committee shall lead the periodic execution of the risk analysis in the different affected entities, planning the technical, human and economic resources required for such purposes.
7. THIRD PARTIES
When any of the entities comprising PONS requires the participation of third parties to provide a service, they shall make them follow the security regulations that are relevant in the context of said collaboration, such that these third parties are subject to the obligations set forth in said regulations.
Specific procedures for reporting and resolving security incidents that may arise during service provision shall be formalised.
When any aspect of the security regulations cannot be fulfilled by a third party, authorisation of the Head of the ISMS shall be required prior to identifying the risks incurred and how they should be treated, such that the contract cannot be formalised prior to obtaining said authorisation. In any case, these authorisations, depending on their categorisation, shall be reported to the Security Committee in order for the appropriate decisions to be made.
Approved exceptions shall be duly recorded in the Register of Exceptions.
The Information Security Policy shall be reviewed annually by the Security Committee or when there is a significant change (security management approach, business circumstances, legal changes, changes in the technical environment, recommendations made by control authorities and trends related to threats and vulnerabilities) that requires it.
In the event that a new version of the Information Security Policy is created, formal approval by the Executive Committee shall be required prior to its disclosure.
9. ENTRY INTO FORCE
Text approved by the Executive Committee on 1 July 2021
Its entry into force repeals any other Policy that existed for such purposes, in addition to its publication on the corporate Intranet.