Information Security Policy
CHANGE CONTROL
- DATE: 05/02/2024
- VERSION: 01
- COMMENTS: First edition of the document
- AUTHOR/PERSON RESPONSIBLE: ISMS Manager
1. CONTEXT
For essentially all business processes at Montero Traducciones, S.L (hereinafter, Montero Traducciones), information is the essential thread running through their execution, and it must be handled with guarantees of efficiency and quality so that the strategic objectives formally established by the Management are met.
The main information security dimensions that must be guaranteed when implementing any business process are:
- Confidentiality: Ensure that information can only be accessed by authorised persons, entities or processes.
- Integrity: Ensure that information is generated, modified and deleted only by authorised persons, entities or processes.
- Availability: Ensure that information is accessible when authorised persons, entities or processes require it.
- Traceability: Ensure that records of access to information, and of the activity carried out by persons, entities or processes, are available whenever an analysis of unusual behaviour patterns must be performed.
Other security dimensions also exist, such as authentication of the parties and non-repudiation, and these must likewise be guaranteed whenever the security value of the information, in the context of the business process in which it is stored, processed or transmitted, requires it.
The Information Security Policy is based on the adoption of clear and well-defined principles that ensure compliance with the strategic guidelines and legal requirements, as well as with other requirements of a contractual nature formalised with third parties or stakeholders. As such, this policy is established as the main instrument supporting the secure use of information and communications technologies at Montero Traducciones.
The regulations (standards, procedures and security instructions) derived from the Montero Traducciones Information Security Policy shall, once disclosed, form part of this policy, and all employees and third parties that make use of information owned by Montero Traducciones must comply with them.
Employees are responsible for the security of the information they process, store or transmit when performing their tasks; they must know, understand and comply with the information security guidelines and standards, and ensure the correct application of the protective measures in place.
Employee access to information shall be limited to what is strictly necessary to perform their formally assigned functions, in compliance with the principle of least privilege. Information Managers and Service Managers shall therefore take all relevant technical and organisational security measures into account when defining and maintaining access privileges appropriate to the activities of each job position.
Failure to comply with the guidelines included in the Information Security Policy could lead to the application of internal administrative sanctions.
The Management at Montero Traducciones shall ensure that this Information Security Policy is understood and implemented throughout the organisation, providing the necessary resources to achieve the objectives defined in this framework for action.
2. OBJECTIVES
The Information Security Policy is the high-level document that formalises the security guidelines adopted by Montero Traducciones; these guidelines are developed in further detail in the corresponding security regulations drawn up for that purpose.
Under this premise, the Information Security Policy pursues the following main objectives:
- Comply with applicable legal regulations in the scope of information security.
- Contribute to fulfilling the mission and strategic objectives formalised by Montero Traducciones.
- Align information security, as a core asset, with the requirements of the business by formalising the information value model and implementing a process for analysing and assessing the risks to which the different information assets are exposed, and on that basis define a strategy for mitigating information security risks.
- Ensure the adequate protection of the different information assets according to their degree of sensitivity and criticality, that is, the security value of each asset in the dimensions considered, applying the inheritance criterion (whereby supporting assets inherit the security value of the information and services that depend on them) and the principle of proportionality.
- Ensure an effective response capacity to possible information security incidents, minimising the respective operational, financial and reputational impact.
- Facilitate the sizing of the resources required to correctly implement the technical and organisational security measures set forth in the security regulations documented for such purposes.
- Promote the use of good practices in information security, as well as create the relevant security culture in the context of the organisational structure of Montero Traducciones.
- Promote the definition, implementation and maintenance of a Business Continuity Plan.
- Establish review, monitoring, auditing and continuous improvement mechanisms to maintain the appropriate security levels required by the Montero Traducciones business model.
3. SCOPE
The scope of the Information Security Policy covers all information assets existing at Montero Traducciones that support the execution of its business processes.
4. REGULATORY FRAMEWORK
The Information Security Policy, as well as the security regulations derived from it, shall take into consideration and integrate the following applicable legal regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR – General Data Protection Regulation).
- Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, Law 3/2018).
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (hereinafter, LSSICE).
5. PRINCIPLES
In order to achieve the security objectives identified above, the Information Security Policy formalises the application of the following security principles.
5.1. SECURITY AS A COMPREHENSIVE PROCESS
Security is understood as a comprehensive process made up of all the human, material, technical, legal and organisational elements related to the information systems that support business processes. All security activities shall therefore be carried out from this perspective, avoiding isolated actions or short-term fixes.
Maximum attention shall be given to raising awareness among the persons involved in the execution of business processes, and among line managers, so that lack of knowledge, lack of organisation, lack of coordination or inadequate instructions do not become sources of risk to information security.
5.2. RISK-BASED SECURITY MANAGEMENT
Risk analysis and management are an essential part of the security process and must be a continuous and permanently updated activity.
Risk management shall make it possible to maintain a controlled information environment, reducing risks to the acceptable levels formally set by the Management.
Risk shall be reduced to those levels by applying security measures in a balanced manner, proportionate to the nature of the information processed, the services provided and the risks to which the information assets used are exposed.
5.3. PREVENTION, DETECTION AND RESPONSE
Information security must contemplate actions related to prevention, detection and response aspects in order to minimise existing vulnerabilities and ensure that threats do not materialise or, if they do, that they do not seriously affect the information or services provided.
Prevention measures, which may include deterrent components or components that reduce the exposure surface, must reduce the likelihood of threats materialising.
Detection measures shall be aimed at providing early warning of any scenario in which a threat materialises.
Response measures, which shall be applied in a timely manner, shall be aimed at restoring the information and services affected by a security incident.
5.4. EXISTENCE OF LINES OF DEFENCE
The protection strategy must be made up of multiple security layers, arranged so that, when one layer is compromised, it is still possible to react appropriately to the incidents that could not be avoided and to reduce the likelihood of their spreading.
The lines of defence must include organisational, physical and logical measures.
5.5. CONTINUOUS MONITORING AND REGULAR REASSESSMENT
Continuous monitoring shall allow detecting unusual activities or behaviours and responding to them in a timely manner.
Permanent assessment of the security status of information assets shall make it possible to measure their evolution, detecting vulnerabilities and identifying configuration deficiencies.
Security measures shall be reassessed and updated regularly so that their effectiveness keeps pace with the evolution of risks and protection technologies, leading to a rethinking of the security approach where necessary.
5.6. RESPONSIBILITY DIFFERENTIATION
Responsibility for information security shall be differentiated from responsibility for information system operation.
6. REQUIREMENTS
The development of the Information Security Policy must comply with the following security requirements.
6.1. ORGANISATION AND IMPLEMENTATION OF THE SECURITY PROCESS
Security must involve all members of the organisation.
6.2. RISK MANAGEMENT
The risk management process shall be made up of risk analysis and management activities, ensuring the application of the principle of proportionality.
6.3. PERSONNEL MANAGEMENT
Both internal and external personnel must be trained and informed of their duties, obligations and responsibilities in terms of security.
When performing their duties, they shall follow the approved security standards and operating procedures, and their actions shall be supervised to verify that the established procedures are followed.
The meaning and scope of the secure use of information assets shall be specified in dedicated security standards.
6.4. PROFESSIONALISM
Information security shall be maintained and it shall be reviewed and audited by qualified, dedicated and trained personnel in all phases of the information system life cycle: planning, design, acquisition, construction, deployment, operation, maintenance, incident management and decommission.
Third-party entities that provide security services must have qualified professionals, as well as suitable levels of management and maturity in the services provided.
The training and experience requirements for personnel to perform their job shall be determined.
6.5. AUTHORISATION AND ACCESS CONTROL
Access to information systems shall be controlled and limited to duly authorised users, processes, devices or other information systems, and exclusively for the permitted functions.
6.6. FACILITY PROTECTION
Information systems and their associated communications infrastructure must remain in controlled areas and have appropriate and proportional access mechanisms based on the risk analysis.
6.7. LEAST PRIVILEGE
Information systems must be designed and configured so that they grant only the least privileges necessary for their correct operation, which entails the following:
- a) Information systems shall provide only the functionality that is essential for the organisation to achieve its competence-related or contractual objectives.
- b) Operation, administration and activity-logging functions shall be kept to the minimum necessary and shall be carried out only by authorised persons, from authorised locations or equipment; where appropriate, time restrictions and authorised access points may also be required.
- c) Functions that are unnecessary or inappropriate for the intended purpose shall be removed or disabled through configuration control. The normal use of information systems must be simple and secure, such that insecure use requires a conscious act by the user.
6.8. SYSTEM INTEGRITY AND UPDATING
The inclusion of any physical or logical element in the information asset register, or its modification, shall require prior formal authorisation.
Permanent assessment and monitoring shall allow the security status of information systems to be adjusted, taking into account configuration deficiencies, identified vulnerabilities and updates that affect them, as well as the early detection of any incident involving them.
6.9. PROTECTION OF STORED INFORMATION AND INFORMATION BEING TRANSFERRED
Special attention shall be given to information stored on or transferred through portable or mobile equipment, peripheral devices and information carriers, and to communications over open networks; these shall be specifically analysed to achieve adequate protection.
6.10. PREVENTION AGAINST OTHER INTERCONNECTED INFORMATION SYSTEMS
The perimeter of information systems, especially if it is connected to public networks, shall be protected, reinforcing the tasks of prevention, detection and response to security incidents. In any case, the risks derived from the interconnection of information systems with other systems shall be analysed, and their connection point shall be controlled.
6.11. ACTIVITY LOG AND MALWARE DETECTION
User activity shall be logged, retaining the information strictly necessary to monitor, analyse, investigate and document improper or unauthorised activity, so that the acting person can be identified at all times. This shall be done in compliance with the legal provisions applicable in this area.
In order to maintain information system security, in rigorous compliance with the applicable legal regulations, incoming and outgoing communications may be analysed, solely for information security purposes, so that unauthorised access to networks and information systems can be blocked, denial-of-service attacks can be stopped and the malicious distribution of malware and other harm can be prevented.
In order to correct deficiencies and, where appropriate, demand accountability, each user who accesses the information system must be uniquely identified, so that it is always known who has been granted access rights, which rights they hold and who has carried out a given activity.
6.12. SECURITY INCIDENTS
Security incident management procedures shall be in place, together with communication channels to interested parties and a log of the actions taken. This log shall be used to continuously improve information system security.
6.13. ACTIVITY CONTINUITY
Information systems shall have backup copies, and the necessary mechanisms shall be in place to ensure continuity of operations should the usual means be lost.
6.14. CONTINUOUS IMPROVEMENT
The comprehensive information security process that is implemented must be continuously updated and improved.
7. THIRD PARTIES
When Montero Traducciones requires the involvement of third parties to provide a service, it shall require them to comply with the security regulations relevant to that collaboration, subjecting them to the obligations set forth therein.
When a third party cannot meet some aspect of the security regulations, authorisation from the Security Manager shall be required once the risks incurred and the manner of addressing them have been identified; the contract may not be formalised before that authorisation has been obtained. In any case, depending on their categorisation, these authorisations shall be reported to the Information Security Committee so that the appropriate decisions can be made.
8. REVISION
The Information Security Policy shall be revised annually by the Information Security Committee, or earlier whenever a significant change requires it (in the security management approach, business circumstances, legislation, the technical scope, recommendations made by supervisory authorities, or trends in threats and vulnerabilities).
In the event that a new version of the Information Security Policy is created, formal approval from the Management shall be required prior to its disclosure.
9. ENTRY INTO FORCE
Text approved by the Management on 6 February 2024.
The entry into force of this policy entails the repeal of any other policy that existed for such purposes.