
Security policy

Signaturit Security Policy

 

Version | Author | Approved by | Approval date | Comment
1.0 | Edwin Mata | Coordination Committee | 26 January 2018 | Initial version of the document
2.0 | Edwin Mata | Coordination Committee | 13 June 2018 | Modification of section 3.1; change from Information Security Committee to Coordination Committee
2.1 | Edwin Mata | Coordination Committee | 25 January 2019 | Modification of sections 1.1 and 3.2; amendment of section 3.5
3.0 | Pau Mestre | Coordination Committee | 30 April 2019 | Modification of section 3.1; change from Information Security Committee to Coordination Committee
3.1 | Milagros Quintana | Coordination Committee | 8 April 2021 | Modification of sections 1.1, 3.1 and 3.5

 

1. Introduction

 

The objective of this high-level Policy is to define the purpose, direction, principles and basic rules for information security management.

This Policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.

The users of this document are all Signaturit employees, as well as relevant external parties.

 

1.1 Reference documents

 

2. Basic information security terminology

 

Confidentiality – a characteristic of information whereby it is only available to authorised persons or systems.

Integrity – a characteristic of information whereby it is only modified by authorised persons or systems in a permitted manner.

Availability – a characteristic of information whereby it can be accessed by authorised persons when needed.

Information security – preservation of confidentiality, integrity and availability of information.

Information security management system – part of the overall management processes responsible for planning, implementing, maintaining, reviewing and improving information security.

 

 

3. Information security management

 

3.1 Objectives and measurement

Signaturit shall establish and evaluate objectives on an annual basis. All objectives are detailed in the document ISMS and QMS Objectives Review Coordination Committee. Please refer to the specific document for the applicable objectives for each audited period.

Compliance with all objectives shall be measured by an independent expert at least once a year. The appointed independent expert body is AENOR INTERNACIONAL, S.A.U., a company with registered offices at Calle Génova, nº 6, 28004 Madrid, incorporated for an indefinite period of time by public deed executed before the Notary Public of Madrid, Mr. Amalio MENÉNDEZ LORAS on 13 July 2001, under notarial deed number 2,024, and registered in the Companies Register of Madrid, volume 16,834, folio 79, page M-287,700, 1st entry. Its evaluation report will be forwarded directly to the Coordination Committee for review.

 

3.2 Information security requirements

This Policy and the entire ISMS must comply with legal and regulatory requirements as well as relevant contractual obligations for the organisation and its cloud service customers in the field of information security and the protection of personally identifiable information (PII).

The list of legislation and technical standards applicable to the services provided by Signaturit is detailed in section 2.1 of the ISMS Scope Document. As for contractual obligations, Signaturit’s Legal Department has a file with all the contracts Signaturit has signed with third parties; access to this file is restricted. In addition, the Legal Department supervises the company’s day-to-day compliance with third parties and legislation, and issues recommendations to Signaturit’s governing body when necessary.

 

3.3 Information security controls

The process for selecting controls (safeguards) is defined in the Risk Assessment and Treatment Methodology.

The selected controls and their implementation status are listed in the statement of applicability.

 

3.4 Business Continuity

The Business Continuity management of Signaturit’s services is established in the following three documents:

  1. Business Continuity and Disaster Recovery Plan.
  2. Incident management procedure and response plan.
  3. PKI recovery plan

 

3.5 Responsibilities

The responsibilities of the ISMS are as follows:

 

3.6 Policy communication

The Legal Department shall ensure that all Signaturit employees, as well as the appropriate external parties, are aware of this Policy. Therefore, this Policy is available to all Signaturit personnel in Confluence, together with all the policies that make up the documentary structure of the Information Security Management System.

In addition, new communications of this document shall be sent by email to all@signaturit.com, indicating that its content is mandatory for all Signaturit employees.

3.7 Support for the implementation of the ISMS

The Coordination Committee hereby declares that the implementation of the ISMS and continuous improvement shall be supported with adequate resources to achieve all the objectives established in this Policy, as well as to satisfy all the identified requirements of ISO 27001.

 

 

4. Validity and document management

 

The owner of this document is the Head of the Legal Department, who is required to check and, where appropriate, update the document at least every six months.

In assessing the effectiveness and adequacy of this document, the following criteria should be taken into account:

 

Ivnosys Security Policy

 

Version: v5
Approver: Management
Approval date: 14/02/2022

1. Approval and effective date

 

Text approved by the Management on 14 February 2022.

This Information Security Policy is effective as of that date and until it is superseded by a new Policy.

 

2. Introduction

 

This document sets out the Information Security Policy of Ivnosys Soluciones S.L. as the set of basic principles and lines of action to which the organisation is committed, within the framework of the ISO 27001 Standard and the National Security Scheme (ENS).

The organisation depends on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

Information is a critical, essential asset of great value for the development of the company’s activity. This asset must be properly protected, regardless of the formats, supports, transmission means, systems or people handling its dissemination, processing or treatment.

The aim of information security is to ensure information quality and the continuous provision of services by acting preventively, supervising daily activity and reacting promptly to incidents, so as to guarantee business continuity, minimise risk and maximise the return on investment and business opportunities.

ICT systems must be protected against rapidly evolving threats that may affect the confidentiality, integrity, availability, intended use and value of information and services. To cope with these threats, a strategy that adapts to changing environmental conditions is required to ensure the continuous provision of services. This implies that departments must apply the minimum security measures required by the National Security Scheme and the ISO/IEC 27001 Information Security Systems Standard, as well as continuously monitor the levels of service provision, follow up on and analyse reported vulnerabilities and prepare an effective response to incidents, so as to ensure continuity of the services provided.

Different departments must ensure that ICT security is an integral part of every stage of the system’s life cycle, from design to decommissioning, through development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, in the request for proposals to suppliers and in technical reports for ICT projects.

Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 7 of the ENS and the Business Continuity System of the ISO 22301 Standard.

This article states the following:

Article 7. Prevention, reaction and recovery.

  1. System security must take into account aspects like prevention, detection and correction to ensure that threats to the system do not materialise or seriously affect the information handled as well as the services provided.
  2. Preventive measures must eliminate or at least reduce the possibility that threats will materialise to the detriment of the system. These preventive measures will include deterrence and reducing exposure, among others.
  3. Detection measures will be accompanied by reaction measures, so that security incidents are addressed in a timely manner.
  4. Recovery measures will allow information and services to be restored, so that situations where a security incident disables the usual means can be addressed.
  5. Without prejudice to the other basic principles and minimum requirements, the system will ensure that data and information are kept in electronic format.

Similarly, the system will keep services available throughout the life cycle of digital information, via a design and procedures that are the basis for the preservation of digital assets.

The company’s management, aware of the value of information, is deeply committed to the policy described in this document.

2.1. Prevention

Departments must prevent, or at least limit to the extent possible, damage to information or services caused by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. Furthermore, with the clear aim of improving such prevention, departments must also implement all the requirements necessary to comply with the ISO 27001 Standard. These controls, as well as the security roles and responsibilities of all staff, must be clearly defined and documented.

To ensure compliance with the policy, departments must:

2.2. Detection

Since services can rapidly deteriorate due to incidents, ranging from a simple slowdown to a halt, operation must be continuously monitored to detect anomalies in service levels and act accordingly, as provided for in Article 9 of the ENS (Regular reassessment), which states: “The security measures shall be reassessed and updated on a regular basis, to adapt their effectiveness to the constant evolution of risks and protection systems, even rethinking security, if need be.”

Monitoring is particularly relevant when establishing defence lines, in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that will reach those responsible regularly and whenever a significant deviation from the parameters that have been pre-set as normal occurs.

Article 8 establishes:

Article 8. Defence lines:

    1. The system must feature a protection strategy made up of multiple security layers, arranged in such a way that, when one layer fails, it allows us to:

2.3. Response

Departments must:

For any type of communication, be it internal or external, the provisions of the Communications Plan, published in the Ivnosys Management System, prepared by the organisation, must be followed.

2.4. Recovery

In order to guarantee the availability of critical services, the organisation has set up a General Business Continuity Plan (PCN), published in the Management System, assessing possible disaster scenarios and a recovery strategy, and establishing emergency plans that are reviewed periodically.

 

3. Scope

 

This Security Policy applies to the information systems that support the installation and operation processes of the following trust services in cloud mode:

    1. System for managing the receipt of electronic notifications automatically, connecting with the electronic headquarters of different bodies. It is a desktop application with a centralised cloud server that supports the applications (database, file system, etc.).
    2. Electronic communications platform between organisations with electronic evidence of the different transactions. It is a web system marketed in SaaS mode.
    3. Interoperability system between public administrations. An administration may, with prior consent, consult data on citizens and companies held by other administrations, for use in their procedures, avoiding that the interested parties have to resort to another administration to obtain the data.
    4. System for centralised management on an HSM server of cryptographic keys (digital certificates) and a web services API for electronic communications and evidence, as well as issuance and management of time stamps.
    5. Management of the life cycle of digital certificates (issuance, validation, maintenance and revocation).

The Information Security Policy is approved by the company’s Management, whereas its content and that of the rules and procedures set out is mandatory:

 

4. Purpose

 

As has been mentioned above, the purpose of this Information Security Policy is to protect the information assets of Ivnosys Soluciones, ensuring the availability, integrity, confidentiality, authenticity and traceability of the information and the facilities, systems and resources that process, manage, convey and store them, always in accordance with business requirements and current legislation.

 

5. Mission and framework objectives

 

Information must be protected throughout its life cycle, from its creation to its eventual deletion or destruction. To this end, the following minimum principles are established:

 

6. Regulatory framework

 

 

7. Security organisation

 

7.1. Committees: roles and responsibilities

Ivnosys has a procedure for the management and organisation of internal and external responsibilities in the field of information security. It establishes the Management System Committee (SG Committee), whose main mission is the approval, supervision of compliance, management and dissemination of the organisation’s information security standards and policies, as well as the monitoring and management of current incidents and risks.

The roles of the SG Committee are set out in the organisation’s Management System.

The SG Committee meets at least every six months, and its mandatory members are the General Director, the IT Director, the Management System Manager and the Security Manager.

Ivnosys has an internal Data Protection Officer, registered with the AEPD, a position held by a professional who meets the experience and training requirements necessary for the functions to be performed.

Moreover, at the request of the Committee, any other role holder whose intervention is required because they are affected by the National Security Scheme, the GDPR or any other information security standard, such as the person in charge of the service or the security manager, may attend.

7.2. Roles: functions and responsibilities

Since security must involve all members of the organisation, as set out in Article 12 of the ENS and Annex II of the ENS, in section 3.1, the Security Policy must identify clear responsible parties for ensuring compliance and conveying it to all members of the organisation.

In the Ivnosys Management System, there is a section to identify the people who hold the roles that make up the SG Committee and include their specific functions.

7.3. Appointment procedures

The management will assign, renew and communicate the responsibilities, authorities and roles with regard to information security, while determining in each case the reasons and the term of validity, and will manage any conflict that may arise. It will also ensure that users know, assume and exercise the responsibilities, authorities and roles assigned to them.

7.4. Review and approval of the Information Security Policy

The SG Committee will be responsible for the annual review of this Information Security Policy and the proposal for its revision or maintenance.

The policy will be approved by the company’s Management and, as it is a public document in accordance with the Ivnosys Information Classification Policy (available in the Management System), it will be disseminated by the Communications Department, so that all affected parties are aware of it, and made available to third parties through the company’s website: www.ivnosys.com.

Furthermore, it may be additionally reviewed when there are significant changes that affect security, the services provided by the organisation, regulatory changes or any other relevant issue.

 

8. Personal data

 

In accordance with the provisions of the applicable data protection regulations (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data or RGPD and the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights) Ivnosys Soluciones SLU in its capacity as Data Controller and Data Processor of its clients’ data undertakes to:

– that the personal data of customers, employees and collaborators will be processed in accordance with the principles of lawfulness, fairness and transparency. Data will be collected for explicit and legitimate purposes and will be relevant, adequate and limited to those purposes. The principle of accuracy shall be complied with and all necessary steps shall be taken to rectify data where necessary. Data shall not be kept longer than necessary for the purposes of the processing, except where retention is required by law.

– that all security measures referred to in this Information Security Policy will take into account the protection of the privacy of the information.

– that, with regard to personal data processed in its capacity as Data Processor, employees undertake to comply with and enforce, in accordance with their responsibilities, all the measures set forth in this Policy that may affect the personal data to which they have access as a result of their work. The same applies to personal data processed by Ivnosys Soluciones SLU in its capacity as Data Controller.

– that, when Ivnosys, its employees or its external collaborators need access to personal data in order to provide the services contracted by its customers, where the customer is the controller responsible for the storage and processing of that data (conditions of access to data on behalf of the controller), they shall apply the conditions contained in the “Processing activities to be performed” documents for each contracted service, which are sent to the client as ANNEXES to the “Conditions Applicable to Access to Personal Data”.

– that Ivnosys Soluciones SLU, its staff and its external partners will proactively report, through the internal and external communication channels established in the Communications Plan, any security incident or breach of which they become aware, with particular attention to those that may affect personal data, and will collaborate in its management and resolution according to the degree of responsibility assigned to them.

Likewise, in everything not expressly stated in this Policy, Ivnosys Soluciones SLU and all its staff are committed to the strictest compliance with all provisions and principles established in the data protection regulations currently in force, cited at the beginning of this section, and in any regulations that modify or replace them.

Ivnosys Soluciones, S.L. has an information security management system (ISMS) that implements best practices for information security management in accordance with the UNE-ISO/IEC 27001 standard. It applies, to all data processing carried out under contracts with customers, controls and measures to ensure the security of the personal data for which customers are responsible and to which Ivnosys has access by virtue of the contract.

The organisation guarantees that it will carry out the periodic controls and security audits necessary to verify that the security controls and measures implemented are effective for the processing of the risks for which they have been implemented in each case.

 

9. Risk management

 

All systems subject to this Policy must perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be done regularly, i.e. at least once a year. Furthermore, it may be repeated in the following cases:

In order to harmonise risk analyses, the SG Committee will establish a benchmark assessment for the different types of information handled and the different services provided.

The methodology used for risk assessment is MAGERIT, which allows effective management of incidents that could occur in the different information assets and affect any of the principles of confidentiality, integrity, availability, authenticity and traceability.

The SG Committee will boost the availability of resources to meet the security needs of the different systems, promoting horizontal investments.

 

10. Information security policy development

 

This Information Security Policy complements the security policies of Ivnosys Soluciones S.L.U. in different matters:

This Policy will be developed by means of security regulations that address specific aspects. The security regulations will be available to all members of the organisation who need to know them and, in particular, to those who use, operate or manage information and communication systems.

These regulations (processes, procedures, work instructions and any other necessary documentation) will be published in the Confluence Management System, as well as on the Ivnosys corporate Wiki.

 

11. Staff obligations

 

All members of Ivnosys Soluciones S.L.U. have the obligation to know and comply with this Information Security Policy and the Security Regulations, and the SG Committee is in charge of providing the necessary means for the information to reach those affected.

All members of Ivnosys Soluciones S.L.U., within the framework of the Annual Training Plan, will attend an awareness session on ICT security at least once a year. An ongoing awareness programme will be set up, based on the regular dissemination of emails regarding information security, to cater for all members of Ivnosys Soluciones S.L., particularly new recruits. Moreover, for new recruits, specific training and evaluation of the knowledge acquired will be carried out as part of the process of joining the organisation.

People in charge of the use, operation or administration of ICT systems will be trained in the safe handling of the systems to the extent they need to carry out their work. Training will be mandatory before taking on a responsibility, whether it is their first assignment or a change in job or responsibilities.

 

12. Third parties

 

When Ivnosys Soluciones S.L.U. provides services to other organisations or handles information from other organisations, those organisations will be made aware of this Information Security Policy. Channels for reporting and coordination between the respective managers will be established, together with procedures, in accordance with the organisation’s Incident Management Procedure, for responding to any security incidents that may occur.

When Ivnosys Soluciones S.L.U. uses third-party services or gives information to third parties, they will be included in this Security Policy and the Security Regulations that pertain to such services or information. This third party will be subject to the obligations established in these regulations, while being able to develop its own operational procedures to meet them. Specific procedures will be established for reporting and resolving incidents. It shall be guaranteed that third-party personnel are adequately aware of security matters, at least at the same level as that established in this Policy. If any aspect of the Policy cannot be met by a third party, as set out in the previous paragraphs, the Security Manager, together with the Service Manager, will meet to define and specify the risks incurred and how to deal with them.

 

Ivnosys Management Policy

 

Version: v21
Approver: Management Area
Date of approval: 20/10/2021

Ivnosys is a company dedicated to the design and development of solutions based on electronic signatures, digital certification and electronic identity and operates these solutions as a Qualified Trusted Electronic Service Provider.

Our services and solutions enable our clients to develop their digital transformation processes by securing their online identity and facilitating interaction with their end users.

It is especially important for us to help companies and self-employed persons with the legal obligation to interact electronically with public administrations and to be able to fulfil all their legal obligations.

Our vision of customer relations is to offer our software solutions in a way that is close to the business. That is why Ivnosys is always looking for synergies through partnership agreements with different types of development or business consulting companies.

With these alliances, Ivnosys achieves even more innovative solutions that offer direct and effective responses to large corporations and, by intelligently applying the cloud services model, we reach thousands of SMEs and freelancers at the same time.

In addition, we offer a complete solution of trustworthy electronic services, becoming, together with our partners, a unique interlocutor in this type of solutions.

Ivnosys controls and monitors suppliers and partners involved in the provision of services to ensure compliance with the standards and requirements of the organisation in terms of quality, security and protection of personal data. The result of this evaluation is provided on request.

Our vocation is to provide a reliable, safe and quality service and continuous improvement is a priority for us.

Our company policy, established around safety, quality and continuous improvement, affects us all and is based on the following values: