Security

SECURITY POLICY:

Last update: 14-09-2023

 

Information is an asset exposed to risks and threats that may come from within or outside the organization, and may be intentional or accidental. Their occurrence may cause material and/or economic losses, damage to the institutional image and customer trust, legal violations, regulatory non-compliance, and violation of the rights of customers, employees, collaborators or third parties. In light of this reality, it is important to adequately protect the organization’s information assets.

 

The Security Policy’s mission is to establish global security guidelines for the organization, as well as protect information assets.

 

These guidelines include the adoption of a series of organizational measures and standards that are presented in this document and developed in its associated documents. Their purpose is to protect the information resources of ALDIA CONSULTECH S.L. and the information systems used for processing them against threats, internal or external, deliberate or accidental, in order to ensure the confidentiality, integrity, availability and legality of the information.

 

In view of the above, the Board of Directors of ALDIA CONSULTECH S.L. supports the strategic objectives of Information Security and ensures that they are aligned with business strategies and objectives.

 

This Policy is based on good practice recommendations to guarantee Security in Information Systems Management (International Standards ISO 27001 and ISO 27002) as well as current applicable legislation.

GOALS

The Information Security Policy aims to:

  • Minimize the risk in the most important functions of ALDIA CONSULTECH S.L.
  • Comply with information security principles.
  • Maintain the trust of its customers, employees and other interested parties.
  • Implement the information security management system.
  • Protect technological assets.
  • Establish policies, procedures and instructions regarding information security.
  • Strengthen the information security culture of employees and suppliers of ALDIA CONSULTECH S.L.
  • Guarantee the continuity of services in the event of incidents.

INFORMATION SECURITY POLICY

The following are the security policies that support the Information Security Management System (ISMS) that ALDIA CONSULTECH S.L. has decided to define, implement, operate and continuously improve.

  • ALDIA CONSULTECH S.L. will protect against risk the information generated, processed or stored by the different processes, its technological infrastructure and assets that are generated from accesses granted to third parties (e.g., suppliers), or as a result of an internal or external service.
  • ALDIA CONSULTECH S.L. will protect the confidentiality, integrity, availability and legality of the information generated, processed or stored by the different processes, in order to minimize financial, operational or legal impacts due to its incorrect use. To achieve this, it is essential to apply controls according to the classification of the information owned or in custody.
  • ALDIA CONSULTECH S.L. will protect its information against threats from sources internal or external to the organization.
  • ALDIA CONSULTECH S.L. will protect processing facilities and the technological infrastructure that supports its critical processes. ALDIA CONSULTECH S.L. controls the operation of its processes, guaranteeing the security of technological resources and data networks.
  • ALDIA CONSULTECH S.L. will ensure that security is an integral part of the life cycle of information systems through adequate management of risks and weaknesses associated with information systems.
  • ALDIA CONSULTECH S.L. will guarantee the availability of its processes and the continuity of its services based on the impact that adverse events can generate.
  • ALDIA CONSULTECH S.L. will guarantee compliance with established legal, regulatory and contractual obligations.
  • Information security responsibilities will be defined, shared, published and accepted by all interested parties.

SCOPE

  1. Employees

    Information Security is a joint effort. It requires the involvement and participation of all members of the organization who work with Information Systems. Therefore, each employee must comply with the requirements of the Security Policy and its associated documentation. Employees who deliberately or negligently fail to comply with the Security Policy will be subject to disciplinary action as contemplated in the last chapter of this document.

  2. Information systems

    This Policy affects all the company’s information assets, whether personal equipment or servers, networks, applications, operating systems, or company processes that belong to and/or are managed by ALDIA CONSULTECH S.L. This policy covers the aspects most directly related to the responsibility of personnel and their proper use of these assets.

  3. Third parties

    This Security Policy must be known and complied with by any external person belonging to a third party who carries out any type of processing on the information owned by ALDIA CONSULTECH S.L. Likewise, this Policy and its associated procedures will be mandatory for third-party supplier companies contracted for the execution of professional services in the areas considered appropriate, in the event that they carry out any activity that involves access to or processing of any system or information owned by ALDIA CONSULTECH S.L., and this will be defined contractually.

ROLES AND RESPONSIBILITIES

  1. Users

    Users must know and apply the Security Policies, procedures and standards, as well as current legislation. They must understand them fully and comply with them.
    In general, any person who generates information is responsible for its classification in accordance with the Company’s instructions. Likewise, any person who uses information and information systems is obliged to manage them with the necessary care, as well as to use them only to carry out authorized tasks and in compliance with valid regulations. This also applies to external staff.

  2. Owners

    The owners of Information Assets generally correspond to the General Management, or Area Managers, who must acquire, develop and maintain company applications such as Decision Support Systems and other Company Activities.
    Owners must indicate the classification of their assets that best corresponds to their critical value, availability, and relative importance to the organization. This classification will determine the level of risk and protection, as well as the level of access to said information or application.

  3. Administrators

    Administrators are employees in charge of safeguarding the Company’s own Information and that provided by third parties.
    Each Information System must have at least one authorized Administrator, as stated in the Asset Inventory, who is recognized as the person responsible for it. Administrators are responsible for storing the information, implementing access controls (to prevent unauthorized access) and executing periodic backups (to ensure the availability of critical information).
    Administrators must also develop, apply, maintain and review the Security measures defined by the owners of the Information.

MAINTENANCE, APPROVAL AND REVIEW OF THE POLICY

The Information Security Manager is responsible for establishing and maintaining the Security Policies, Manuals and Procedures of ALDIA CONSULTECH S.L.

 

The General Management of the Company is responsible for approving and publishing the Policy, distributing it to all employees and affected third parties, as well as reviewing and evaluating the ISMS Security Policy.

 

Any change or evolution that affects or could affect the content of the ISMS Security Policy document will be recorded in a new signature of the approval document. In this way, the commitment of these entities to information security is specified and confirmed.

 

Periodically, and in any case not exceeding a period of one year, the validity and reasonableness of this policy will be reviewed and the required improvements, adaptations or modifications will be carried out based on the applicable organizational, technical or regulatory changes.

DISTRIBUTION OF THE POLICY

The ISMS Security Policy document will be accessible to all internal staff. It will be delivered upon the incorporation of a new employee, and every 12 months it will be distributed by email to all internal employees and external employees subcontracted by ALDIA CONSULTECH S.L. who manage data and resources belonging to it, so that they know and are aware of the established security regulations.

 

Likewise, the commitment of all employees will be obtained through their reading and acceptance of this Policy.

 

The policy will be included in the document “41-MA-01 – Employee Safety Manual”.

 

Any substantial change to the document will be distributed to all users through a formal notification, sent by email or by internal communication in media accessible to them through a communication model enabled for this purpose.

SANCTIONS

Any premeditated or negligent violation of security policies and standards that entails potential damage, whether consummated or not, to ALDIA CONSULTECH S.L. will be sanctioned in accordance with the mechanisms enabled in the Company’s agreement and in current legal, contractual and corporate regulations.

 

All actions in which the security of ALDIA CONSULTECH S.L. is compromised and that are not provided for in this policy must be reviewed by the General Management and the Head of Security to issue a resolution subject to the criteria of the company and the anticipated legislation.

 

Disciplinary actions in response to non-compliance with the Security Policy are the responsibility of the Department Heads in conjunction with the Administration and General Management.