Information security policy of SOLUCIONES INFORMÁTICAS AMBIENTALES

Introduction

SOLUCIONES INFORMÁTICAS AMBIENTALES SL relies on network, information and cybersecurity systems to achieve its objectives and ensure the continuity of its operations. These systems must be managed diligently, taking appropriate measures to protect them from threats and risks that could compromise the confidentiality, integrity, traceability, authenticity or availability of the information processed or the services provided. Likewise, cyber resilience and the ability to respond to incidents affecting critical infrastructure must be guaranteed.

The objective of network, information and cybersecurity systems security is to guarantee the resilience, integrity and availability of data and the continued provision of essential and critical services, through an approach based on risk management, prevention, continuous monitoring and efficient response to cybersecurity incidents.

Different departments must ensure that the security of network and information systems is an integral part of every stage of the system life cycle, from conception to decommissioning, including development, procurement, and operational decisions. Cybersecurity requirements and funding needs must be identified and included in strategic planning, requests for proposals, and tender documents for ICT projects, ensuring resilience, risk management, and security in the supply chain.

The organisation must be prepared to prevent, detect, react to, and recover from any incident that may affect its critical systems.

Scope

The general scope of the information systems associated with the business processes that are subject to UNE ISO/IEC 27001 certification is as follows:

"The information systems that support the following services:

  • Development, marketing, implementation, maintenance and software support aimed at the generation, management and distribution of safety data sheets (SDS).
  • Preparation and updating of safety data sheets, including specialised technical and regulatory advice.
  • Comprehensive technical support to customers, including resolution of functional queries, technical problems, legislative queries and management of associated databases.
  • Safety data sheet consulting.

In accordance with the current Statement of Applicability."

Mission, commitment, leadership, and strategy

The organisation's management is committed to facilitating and providing the necessary resources for the establishment, implementation, maintenance and improvement of the Information Security Management System, as well as demonstrating leadership and commitment to it through the creation of the Security Committee and its functions and responsibilities. The mission of this management is:

  • To ensure high levels of legal compliance.
  • To promote training and awareness plans.
  • To maintain optimal reputational standards.
  • To manage security incidents efficiently and effectively.
  • To develop an appropriate and transparent communication policy.
  • In general, to preserve the confidentiality, integrity and availability of the information and services provided.

This commitment extends to the stakeholders described in the context of the ISMS, in order to satisfy their interests and expectations in terms of information security.

At a strategic level, information security will have the commitment and support of all levels of management within the organisation, so that it can be coordinated and integrated with other strategic initiatives and their implementation requirements, to form a completely coherent and effective framework.

ISMS security objectives

The organisation has implemented various security measures proportional to the nature of the information and services to be protected, taking into account its risk analysis and statement of applicability.

  • Security as a process comprising all technical, human, material and organisational elements related to the system.
  • Ensuring that systems meet basic security requirements, eliminating unnecessary and inappropriate functionalities.
  • Awareness-raising actions for those involved in the process(es).
  • Providing all members of the organisation with ongoing knowledge of information security policies and regulations through training and dissemination actions for the protection and correct use of information systems.
  • Personnel and professionalism management.
  • Risk-based security management and risk analysis and management.
  • Prevention, response and recovery to protect information assets in the event of security incidents.
  • Risk management through periodic analysis, adapting the ISMS to new, previously unforeseen circumstances.
  • Protection of stored and in-transit information and business continuity.
  • Protection of facilities.
  • Documented activity logs.
  • Continuous improvement with periodic review of the information security policy, adapting it to legal regulations and rules.

Personal data

The organisation processes personal data. The data protection procedures, to which only authorised persons shall have access, set out the processing operations concerned and the persons responsible for them. All the organisation's information systems shall comply with the security levels required by the regulations for the nature and purpose of the personal data collected in the aforementioned procedures.

Risk management

All systems subject to this policy must carry out a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:

  • regularly, at least once a year.
  • when the information handled changes.
  • when the services provided change.
  • when a serious security incident occurs.
  • when serious vulnerabilities are reported.

In order to harmonise risk analyses, the Security Committee shall establish a benchmark assessment for the different types of information handled and the different services provided. The Security Committee shall streamline the availability of resources to meet the security needs of the different systems, promoting horizontal investments.

Development of information security policy

This Policy will be implemented through Security Regulations that address specific aspects. The Security Regulations will be made available to all members of the organisation who need to be aware of them, particularly those who use, operate or manage information and communications systems.

Third parties

When the organisation provides services to third parties, they will be made aware of this Information Security Policy, channels will be established for reporting and coordination with the respective Security Committees, and procedures will be established for responding to security incidents.

When the organisation subcontracts services to third parties or transfers information to third parties, within the framework of providing services to third parties, they shall be made aware of this Security Policy and the Security Regulations pertaining to such services or information. Such third parties shall be subject to the obligations set out in these regulations and may develop their own operating procedures to comply with them. Specific procedures for reporting and resolving incidents shall be established. It shall be ensured that third-party personnel are adequately aware of security matters, at least to the same level as that established in this Policy.

When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report shall be required from the Security Manager specifying the risks involved and how to address them. Approval of this report shall be required by those responsible for the information and services affected before proceeding.