Security policy

Version | Author | Approved by | Approval date | Comment
1.0 | Edwin Mata | Coordination Committee | 26 January 2018 | Initial version of the document
2.0 | Edwin Mata | Coordination Committee | 13 June 2018
  • Modification of section 3.1
  • Change from Information Security Committee to Coordination Committee
2.1 | Edwin Mata | Coordination Committee | 25 January 2019
  • Modification of section 1.1
  • Modification of section 3.2
  • Amendment of section 3.5
3.0 | Pau Mestre | Coordination Committee | 30 April 2019
  • Modification of section 3.1
  • Change from Information Security Committee to Coordination Committee
3.1 | Milagros Quintana | Coordination Committee | 8 April 2021
  • Modification of section 1.1
  • Modification of section 3.1
  • Modification of section 3.5


1. Introduction


The objective of this high-level Policy is to define the purpose, direction, principles and basic rules for information security management.

This Policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.

The users of this document are all Signaturit employees, as well as relevant external parties.


1.1 Reference documents


2. Basic information security terminology


Confidentiality – a characteristic of information whereby it is only available to authorised persons or systems.

Integrity – a characteristic of information whereby it is only modified by authorised persons or systems in a permitted manner.

Availability – a characteristic of information whereby it can be accessed by authorised persons when needed.

Information security – preservation of confidentiality, integrity and availability of information.

Information security management system – part of the overall management processes responsible for planning, implementing, maintaining, reviewing and improving information security.


3. Information security management


3.1 Objectives and measurement

Signaturit shall establish and evaluate objectives on an annual basis. All objectives are detailed in the document ISMS and QMS Objectives Review Coordination Committee. Please refer to the specific document for the applicable objectives for each audited period.

Compliance with all objectives shall be measured by an independent expert, and this measurement shall be carried out at least once a year. The independent expert body appointed is AENOR INTERNACIONAL, S.A.U., a company with registered offices at Calle Génova, nº 6, 28004 Madrid, incorporated for an indefinite period of time by public deed executed before the Notary Public of Madrid, Mr. Amalio MENÉNDEZ LORAS on 13 July 2001, under notarial deed number 2,024, and registered in the Companies Register of Madrid, volume 16,834, folio 79, page M-287,700, 1st entry. Its evaluation report will be forwarded directly to the Coordination Committee for review.


3.2 Information security requirements

This Policy and the entire ISMS must comply with legal and regulatory requirements as well as relevant contractual obligations for the organisation and its cloud service customers in the field of information security and the protection of personally identifiable information (PII).

The list of legislation and technical standards applicable to the services provided by Signaturit is detailed in section 2.1 of the ISMS Scope Document. As for contractual obligations, Signaturit’s Legal Department has a file with all the contracts Signaturit has signed with third parties; access to this file is restricted. In addition, the Legal Department supervises the company’s day-to-day compliance with third parties and legislation, and issues recommendations to Signaturit’s governing body when necessary.


3.3 Information security controls

The process for selecting controls (safeguards) is defined in the Risk Assessment and Treatment Methodology.

The selected controls and their implementation status are listed in the statement of applicability.


3.4 Business Continuity

The Business Continuity management of Signaturit’s services is established in the following three documents:

  1. Business Continuity and Disaster Recovery Plan.
  2. Incident management procedure and response plan.
  3. PKI recovery plan.


3.5 Responsibilities

The responsibilities of the ISMS are as follows:


3.6 Policy communication

The Legal Department shall ensure that all Signaturit employees, as well as the appropriate external parties, are aware of this Policy. Therefore, this Policy is available to all Signaturit personnel in Confluence, together with all the policies that make up the documentary structure of the Information Security Management System.

In addition, new communications of this document shall be sent by email to [email protected], indicating that its content is mandatory for all Signaturit employees.

3.7 Support for the implementation of the ISMS

The Coordination Committee hereby declares that the implementation of the ISMS and continuous improvement shall be supported with adequate resources to achieve all the objectives established in this Policy, as well as to satisfy all the identified requirements of ISO 27001.


4. Validity and document management


The owner of this document is the Head of the Legal Department, who is required to check and, where appropriate, update the document at least every six months.

In assessing the effectiveness and adequacy of this document, the following criteria should be taken into account: