Date of approval: 04/10/2023
1. Approval and entry into force
Text approved on this date by Management.
This Information Security Policy is effective from that date onwards until a new Policy supersedes it.
This document sets out the Information Security Policy of the entities Ivnosys Soluciones S.L. (Unipersonal) and Signaturit Solutions S.L. (Unipersonal), which belong to the “Signaturit Group” and which assume this Information Security Policy as the set of basic principles and lines of action to which both organisations are committed, within the framework of the ISO 27001 Standard and the National Security Scheme (ENS). Hereinafter in this document we will refer to both entities as “the organisation”.
The organisation depends on ICT (Information and Communication Technology) systems to achieve its aims. These systems must be managed with diligence, the appropriate measures being taken to protect them against accidental or deliberate damage which may affect the availability, integrity or confidentiality of the information processed or the services provided.
Information is a critical, essential asset of great value for carrying out the organisation’s activity. This asset must be adequately protected, regardless of the formats, media, means of transmission, systems, or persons being aware of the same, processing or handling it.
The aim of information security is to guarantee the quality of information and the continuous provision of services by acting preventively, overseeing daily activity, and reacting promptly to any incidents, in order to ensure the information’s quality and the continuity of the business, minimise risk and maximise returns on investments and business opportunities.
ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, and ensure the continuous delivery of services, a strategy that adapts to changes in environmental conditions is required. This implies that departments must apply the minimum security measures required by the Spanish National Security Framework (ENS) and ISO/IEC 27001 standard for Information Security Systems, as well as continuously follow up service delivery levels, monitor, and analyse any vulnerabilities reported and prepare an effective response to incidents to ensure continuity of the services provided.
Different departments must ensure that ICT security is an integral part of every stage of the system’s life cycle, from conception to decommissioning, development or procurement decisions and operational activities. Security requirements and funding needs should be identified and included in planning, when requesting bids from suppliers, and in technical reports for ICT projects. In accordance with Article 7 of ENS and the Business Continuity system of ISO 22301, departments must be prepared to prevent, detect, react to, and recover from any incidents.
Article 7. Prevention, reaction and recovery.
- The security of the system must contemplate the aspects of prevention, detection and correction, to ensure that threats on it do not materialize, do not seriously affect the information it handles, or the services that are provided.
- Preventive measures should eliminate or, at least, reduce the possibility that threats may materialize to the detriment of the system. These preventive measures will include, among others, deterrence and reduction of exposure.
- The detection measures will be accompanied by reaction measures, so that security incidents are dealt with in time.
- The recovery measures will allow the restoration of information and services, so that situations in which a security incident disables the usual means can be dealt with.
- Without prejudice to the other basic principles and minimum requirements established, the system will guarantee the conservation of data and information in electronic format.
Likewise, the system will keep services available throughout the life cycle of the digital information, using concepts and procedures that act as the foundation for the preservation of digital assets.
The organisation’s management, aware of the value of information, is deeply committed to the policy described in this document.
Departments should avoid, or at least prevent insofar as is possible, information or services from being harmed by security incidents. To do this, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. Furthermore, and with the clear intention of improving such prevention, departments must also implement all the necessary requirements to comply with ISO 27001. These controls, and the safety roles and responsibilities of all personnel, must be clearly defined and documented.
To ensure compliance with the policy, departments must:
- Authorise systems prior to becoming operational.
- Regularly assess security, including assessing routine configuration changes.
- Request periodic review by third parties in order to obtain an independent assessment.
Since services can degrade rapidly due to incidents, ranging from simple slowdowns to stoppages, any services should monitor their operation on an ongoing basis to detect any anomalies in service delivery levels and act accordingly as provided for in Article 9. Periodic re-assessment, of the ENS, which sets out the following: “Security measures will be reassessed and updated periodically, so that their effectiveness can adapt to the constant evolution of risks and protection systems, this would even cover a rethinking of security, if required.”
Monitoring is especially relevant when establishing lines of defence in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be set to reach those responsible on a regular basis and when there is a significant deviation from pre-set normal parameters.
Article 8 provides:
Article 8. Lines of defence:
- The system must have a multi-layered security protection strategy, arranged in such a way that when one of the layers fails, it allows:
a) Time to be gained for an appropriate reaction to unavoidable incidents.
b) Reduce the likelihood that the system as a whole will be compromised.
c) Minimise the final impact on it.
- The lines of defence must consist of organisational, physical, and logical measures.
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in other departments or in other agencies.
- Set protocols for the exchange of information relating to the incident.
For any type of internal and/or external communication, the indications in the Communications Plan, published over the Ivnosys Management System, prepared by the organisation, must be followed.
To ensure the availability of critical services, the organisation has equipped itself with a General Business Continuity Plan (PCN), published over the Management System, which assesses possible disaster scenarios and recovery strategies, and sets periodically reviewed emergency plans.
This Security Policy applies to those information systems supporting the installation and operation processes of the following reliable cloud services:
- The system for managing the receipt of automatic electronic notifications, connecting with the electronic sites belonging to different organisations. It is a desktop application with a centralised cloud server supporting applications (database, file system, …)
- Electronic communication platforms between organisations providing electronic evidence of different transactions. It is a web system marketed in software as a service mode.
- An interoperability system between public administrations. An administration can, with prior consent, consult the data of citizens and companies held by other administrations, for use in their own procedures, thus preventing the interested parties from having to travel to obtain them from another administration.
- A system for the centralised management on a cryptographic key (digital certificates) HSM server and a web services API for communications and electronic evidence and issuing and managing time stamps.
- Management of the life cycle of digital certificates (issuance, validation, maintenance and revocation).
- Authentication and identity verification using biometric data
The Information Security Policy is approved by the organisation’s Management and its contents and that of the rules and procedures developing it, are mandatory:
- All users with access to the information processed, managed, or owned by the organisation have the obligation and duty to safeguard and protect it.
- The Information Security Policy and Standards will be adapted to the evolution of the systems and technology and organisational changes and will be aligned with ISO/IEC 27001 and the National Security Framework.
- The security measures and controls set will be proportional to the criticality and classification of the information to be protected.
- The necessary disciplinary actions will be established to apply to persons who seriously breach the wording of the Information Security Policy or the supplementary rules and procedures.
Signaturit’s information assets, ensuring its availability, integrity, confidentiality, authenticity, and traceability and that of the facilities, systems and resources that process, manage, transmit and store them, always in accordance with business requirements and current legislation.
5. Mission and objectives framework
Information must be protected throughout its life cycle, from its creation to its eventual erasure or destruction. To this end, the following minimum principles are set:
- Information systems must be accessible only to those users, bodies and entities or processes expressly authorised to do so.
- A commitment to the continuous improvement of the ISMS will be set.
- A certain information system availability level will be guaranteed, and the necessary plans and measures will be provided to ensure the continuity of services and recovery from possible serious contingencies.
- A continuous risk analysis and processing procedure will be assembled as a mechanism on which the management of information systems security must rest.
- Courses of action aimed at preventing incidents related to ICT security will be developed.
- Services will be monitored continuously to detect provision level anomalies of the same and act accordingly.
- The degree of compliance with the security improvements, planned annually, and the degree of effectiveness of the ICT security controls implemented will be analysed, with the idea of proactively proposing new improvement actions.
- All the organisation’s personnel will be made aware of their duties and obligations regarding the secure treatment of information and all those who manage and administer information and telecommunications systems will be trained in specific ICT security matters.
6. Regulatory framework
- Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations.
- Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
- RD 1671/2009, of November 6, [of partial development of Law 11/2007].
- RD 3/2010, of January 8, which regulates the National Security Scheme in the field of the Electronic Administration.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data protection Regulation).
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
- The different series CCN-STIC-400/800 through which appropriate policies, procedures and recommendations are established for the implementation of the measures contemplated in the National Security Policy (RD 3/2010).
- ISO/IEC 27001 standard.
- Royal Legislative Decree 1/1996, of April 12, approving the revised text of the Law of Intellectual Property, regularizing, clarifying and harmonizing the legal provisions in force on the matter.
- Law 2/2019, of March 1, amending the revised text of the Property Law Intellectual, approved by Royal Legislative Decree 1/1996, of April 12, and by which Directive 2014/26/EU of the European Parliament and of the Council, of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and of the Council, of September 13, 2017, are incorporated into the Spanish legal system.
- Royal Decree-Law 14/2019 of October 31, which adopts urgent measures for public security reasons in the field of digital administration, public sector contracting and telecommunications.
- Law 6/2020, of November 11, regulating certain aspects of electronic trust services.
- Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
- – Order ETD/465/2021, of 6 May, regulating remote video identification methods for issuing qualified electronic certificates.
- – Royal Decree 311/2022, of 3 May, regulating the National Security Scheme.
7. Organisation of security
7.1 Committees: roles and responsability
Signaturit has a procedure for managing and organising both internal and external responsibilities in the field of information security, establishing the System Management Committee, whose main mission is approving and overseeing compliance, managing, and circulating the organisation’s rules and policies, as well as monitoring and managing any current incidents and risks, in terms of information security.
The role of the System Management Committee is reflected in the organisation’s Management System.
The System Management Committee meets at least every six months and the mandatory members sitting on it are the Director General, the Director of IT, the person in charge of the Management System and the security manager.
Signaturit has an internal Data Protection Representative, registered with the Spanish Data Protection Agency, a position held by a professional who meets the experience and training requirements necessary to carry out the role.
Furthermore, any other managers/post-holders whose intervention is necessary because they are affected by the National Security Framework, the GDPR or any other regulation related to information security, such as, among others, the service manager, and the security administrator, may attend at the Committee’s request.
7.2 Committees: roles and responsability
Because security must involve all members of the organisation, as reflected in Article 12 and Annex II of the ENS, in section 3.1 of the same, the Security Policy must clearly identify those responsible for ensuring compliance with it and this must be made known to all members of the organisation.
In the Ivnosys Management System there is a section identifying the people who hold the roles comprising the System Management Committee and covering their specific roles.
7.3 Appointment procedures
Management will assign, renew, and communicate the responsibilities, authority, and roles regarding information security, determining in every case the grounds and the term of validity, and will manage any conflicts that may arise. It will also ensure that users are aware of, assume and exercise their assigned responsibilities, authority, and roles.
7.4 Review and approval of the Information Security Policy
The mission of the System Management Committee will be the annual review of this Information Security Policy and making proposals to review or uphold it.
The policy will be approved by organisation Management and, since it is a public document in accordance with the Ivnosys Information Classification Policy (available over the Management System), it will be circulated by the Communications Department so that all affected parties become aware of it and made available to third parties through the organisation’s website www.signaturit.com.
Furthermore, it may be additionally reviewed when there are significant changes affecting security, the services provided by the organisation, regulatory changes, or any other issue of relevance.
8. Personal Data
In accordance with the provisions of the applicable data protection regulations (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL regarding the protection of natural persons with regard to the processing of personal data or the GDPR and Organic Law 3/2018, of 5 December, Protection of Personal Data and Guaranteeing Digital Rights) Ivnosys Soluciones SLU and Signaturit Solutions SL in their capacity as Data Controller or Joint Controllers as appropriate and data Processors of their clients undertake to:
–Process the personal data, both of customers and of other workers and collaborators in accordance with the principles of legality, loyalty, and transparency. The data collected and used will be gathered for explicit and legitimate purposes. The data collected will be relevant, and limited regarding the purposes established for said processing. The principle of accuracy will be complied with, and all necessary measures will be taken to rectify them when necessary. The data will not be kept longer than necessary in relation to the purposes for processing it, except for compliance with legal aims.
– All security measures mentioned in this Information Security Policy will take into account the protection of data privacy.
– Comply with and enforce, regarding those employees acting as Processors, in accordance with their responsibility regarding the personal data being processed, all those measures provided in this Policy that may affect the personal data to which they may have access due to their work activity. The same applies to the personal data being processed by Signaturit in its capacity as Data Controller. Comply with and enforce, regarding those employees acting as Processors, in accordance with their responsibility regarding the personal data being processed, all those measures provided in this Policy that may affect the personal data to which they may have access due to their work activity. The same applies to the personal data being processed by Signaturit in its capacity as Data Controller.
– That when both Signaturit and its employees and external collaborators in order to provide the services contracted by its customers, require access to personal data, for whose storage in files and processing the customer will be the Data Manager (data access conditions applicable to the Processor), the terms contained in the document “Processing activity to be undertaken” for each contracted service, which will be sent to the client, as ANNEXES to the “Conditions Applicable to Accessing Personal Data”, will apply.
– That Signaturit, its staff and external collaborators will proactively join and use the internal and external communication channels established in the Communications Plan and share information about any incident or security breach of which they become aware, above all about those that may affect personal data. They will cooperate to manage and resolve them according to the degree of responsibility assigned to them.
Likewise, regarding anything not expressly covered by this Policy, Signaturit commits itself and all personnel forming part of it, to strictly comply with all the provisions and principles set out in the data protection regulations currently in force, mentioned at the beginning of this section, and those regulations modifying or replacing them.
Signaturit has an information security management system (ISMS) implementing best practice for managing information security in accordance with standard UNE-ISO / IEC 27001. It applies to all data processing carried out within the framework of contracts formalised with customers and monitoring and measures aimed at guaranteeing the security of personal data, which are the responsibility of customers, whom have access to them under the contract.
The organisation guarantees that it will carry out regular monitoring and security audits necessary to verify that the controls and security measures implemented to handle risk effectively have been implemented in every case.
9. Risk management
All systems subject to this Policy must perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be carried out regularly, at least once a year. Furthermore, it may be repeated in the following cases:
• When the information handled changes.
• When the services provided change.
• When a serious security incident occurs.
• When serious vulnerabilities are reported.
To align risk analyses, the System Management Committee will set a baseline assessment for the different types of information handled and the different services provided.
The methodology used for risk assessment is MAGERIT which allows the incidents that could arise in the different information assets and affect any of the principles of confidentiality, integrity, availability, authenticity, and traceability, to be effectively managed.
The System Management Committee will boost the availability of resources to meet the security needs of the different systems, promoting horizontal investments.
10. Development the information security policy
This Information Security Policy supplements Signaturit’s security policies in different fields:
- The Management System Policy.
- The Practice and Policy Statements of eIDAS services.
- The Acceptable Use of Assets policy.
- Security risk analyses.
- Troubleshooting management.
- Asset management.
- Physical and Environmental Safety.
- Access Control.
- Communications and Operations Security.
- Organisation security.
- Managing change.
- Developing the information security policy
- Classifying information.
- Secure development.
- Continuous improvement
This Policy will be developed by means of security regulations addressing specific aspects. The security regulations will be made available to all members of the organisation who need to be aware of them, and in particular, to those who use, operate, or manage information and communications systems.
These regulations (processes, procedures, work instructions and any other necessary documentation) will be published on the Confluence Management System, as well as the Signaturit Corporate Wiki.
11. Personnel obligations
All members of Signaturit, have the obligation to be aware of and comply with this Information Security Policy and the Security Regulations, the System Management Committee being responsible for providing the necessary means so that the information reaches those affected by it.
All Sig. members, within the framework of the Annual Training Plan, will attend an ICT security awareness session at least once a year. A continuous awareness programme, based on the regular dissemination of emails on information security, will be set up to serve all Signaturit members, particularly those newly recruited. Additionally, for such personnel, specific training and assessment of the knowledge acquired will be carried out, as part of the process of their incorporation into the organisation.
Everybody responsible for using, operating, or administering ICT systems will be trained in the secure operation of the systems to the extent required in order to carry out their work. Training will be mandatory before assuming a responsibility, whether it is a first assignment or a change of job or the responsibilities of the same.
12. Outsourced parties
When Signaturit provides services to other agencies or handles information from other agencies, they will be made stakeholders for this Information Security Policy, channels will be set up for reporting and coordinating the managers concerned and action procedures will be set, in accordance with the organisation’s Incident Management Procedure, regarding reacting to any possible security incidents
When Signaturit uses outsourced services or transfers information to outsourced parties, they will be adhered to this Security Policy and the Security Regulations applicable to services or information. As outsourced parties they will be subject to the obligations established in these regulations, having the ability to develop their own operating procedures to satisfy then. Specific procedures for reporting and resolving incidents will be set. It will be ensured that outsourced personnel are appropriately aware of security, at least to the same level as set out in this Policy. When any aspect of the Policy cannot be satisfied by an outsourced party as indicated in the paragraphs above, the Security Manager, together with the person responsible for the service, will meet them to define and specify the risks incurred and how they should be handled.