1. Introduction
BeOneSec has ICT (Information and Communications Technology) systems in place to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.
The objective of information security is to ensure the quality of information and the continued provision of services, acting preventively, monitoring daily activity and reacting quickly to incidents.
ICT systems must be protected against rapidly evolving threats that have the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure the continued provision of services. This involves implementing the required minimum security measures, as well as continuous monitoring of service delivery levels, monitoring and analysis of reported vulnerabilities, and preparation of an effective incident response to ensure continuity of services provided.
The different organisational units must ensure that ICT security is an integral part of each stage of the system lifecycle, from its conception to its decommissioning, including development or procurement decisions and operational activities. Security requirements and funding needs should be identified and included in planning, request for tenders, and tender documents for ICT projects. Departments must be prepared to prevent, detect, react and recover from incidents.
This Security Policy sets out the following basic principles:
- Ensures that BeOneSec’s Information Systems have the appropriate level of cybersecurity and resilience.
- Raises awareness of cybersecurity risks among all employees and collaborators and ensures that they have the necessary knowledge, skills, experience and technological capabilities to support the company’s cybersecurity objectives.
- It enhances capabilities for prevention, detection, reaction, analysis, recovery, response, investigation and coordination in the face of new threats.
- It promotes the existence of adequate cybersecurity and resilience mechanisms for systems and operations.
Provides procedures and tools that enable agile adaptation to changing conditions in the technological environment and to new threats. - It collaborates with the relevant government bodies and agencies to improve the company’s cybersecurity, compliance with current legislation and contributes to the improvement of cybersecurity in the international sphere.
2. Scope
This policy applies to the information systems that support the Cybersecurity Services, according to the categorisation of the system (ENS medium category) and declaration of applicability in ISO27001.
The Security Policy affects all members of the company involved in this management and will be disseminated within the organisation for the purpose of knowledge and application by all its members.
3. Objectives
- Achieve a medium level of security according to the ENS standard.
- Achieve a maturity level in each of the measures between L3 and L5 in both ENS and ISO27001.
4. Mission, vision and principles
4.1. Mission
To provide cyber security services – within the framework of our principles – through the use of the highest level of technological, technical and human resources, in a cost-effective manner that meets regulatory and security needs and ensures a secure environment aligned with our customer’s business and/or service objectives.
4.2. Vision
A company specialising in cybersecurity that offers its services to private entities as well as to public institutions and organisations, and whose employees and collaborators abide by the highest ethical codes based on the principles of ‘Ethical Hacking’.
4.3. Principles
- Maintain a high degree of commitment to the objectives and needs of our clients.
- Maintain a high level of quality in our actions, working with a high degree of rigour and solvency.
- To maintain the confidentiality of the data provided by our clients and the data resulting from our work to the utmost.
- To apply strict principles of responsibility and professional ethics in our relationship and work with our clients.
5. Regulatory framework
The construction of the Information Security Management System shall take into account the applicable requirements of current legislation.
A procedure will be in place to keep the regulatory framework up to date.
6. Security Organisation
6.1. Roles: Functions, Responsibilities and Designation of Responsible Parties
Three main blocks of responsibility have been considered for the management of the system:
- Legal responsibility and the specification of needs or requirements, which falls to Management and the Information and Service Manager.
- Supervision, which falls to the Security Manager.
- Operation of the information system, which falls to the System Manager.
These roles in addition to the general functions set out in this policy will carry out the functions and tasks specified in the various procedures.
- The Management Committee serves as the corporate security committee.
- Exercises and assumes all high-level roles and responsibilities for the information management system.
- Approves the security policy and ensures compliance with the system’s security procedures.
- Responsible for the achievement of objectives.
- Senior responsible for the implementation and monitoring of the security system in accordance with the ENS and ISO27001.
- Information and Service Manager / Risk Owner
- Determines the security requirements of the information processed.
- Assesses the consequences of a negative impact on information security in terms of its impact on the organisation’s ability to achieve its objectives, the protection of its assets, the fulfilment of its service obligations, the respect of legality and the rights of stakeholders.
- It determines the security requirements of the services provided.
- Establishes the security specifications in the life cycle of the systems, accompanied by the corresponding control procedures.
- Assesses the consequences of a negative impact on the security of services in terms of their impact on the organisation’s ability to achieve its objectives, protect its assets, fulfil its service obligations, respect the law and the rights of citizens.
- It is ultimately responsible for the use made of the information handled in the services included in the scope of the Security Policy and, therefore, for its protection. He/she is ultimately responsible for any error or negligence leading to an incident of confidentiality, integrity (in terms of data protection) or availability (in terms of information security).
- He/she reports directly to the management committee.
- Head of Security
- Takes the security decisions necessary to guarantee the requirements established both in the security policy and those established by the information and service manager.
- He/she is responsible for keeping abreast of regulatory changes (laws, regulations or sectoral practices) affecting the organisation, being informed of the consequences for the company’s activities, alerting the Management Committee and the Chief Information Officer and proposing the appropriate measures to adapt to the new framework.
- It is responsible for day-to-day decision-making, particularly in the event of incidents that have repercussions outside the organisation and in the event of disasters.
- He coordinates all actions related to any aspect of the company’s security in the event of a disaster.
- He/she is responsible for the drafting of procedures and rules relating to company security.
- He/she is responsible for the preparation of a systems risk analysis, which is submitted to the Management Committee for approval. This analysis must be updated at least once a year.
- He/she is responsible for regular safety checks according to a plan determined and approved by the
- Management Committee. The results of these inspections shall be presented to the Management Committee for its knowledge and approval. If non-compliances are found as a result of the inspection, he/she proposes corrective actions to be submitted to the Management Committee for approval and is responsible for their implementation.
- He/she draws up the training and qualification requirements for the different types of service users from a safety point of view.
- It is responsible for identifying management and operational tasks that ensure that the criteria and requirements for segregation of duties are met.
- It is the official interlocutor with other organisations.
- It is responsible for coordinating the response to incidents that exceed the planned and procedural cases.
- Promotes security training and awareness for everyone in the organisation.Reports directly to the management committee.
- Responsible for the system
-
- Is responsible for the operation of the information system, according to the parameters defined by the security manager.
- Develops, operates and maintains information systems throughout their life cycle, including their specifications, installation, and verification of correct operation.
- Establishes the topology and management of the system, defines criteria for use and availability.
Ensures that security measures are integrated into the system. - Reports to both the chief information officer and the chief security officer.
6.2. Designation procedure
All appointments are approved by the Management Committee.
Appointments are reviewed periodically every two years and whenever an appointment becomes vacant.
The following aspects shall be taken into account in the appointment of individuals:
- At least two years’ experience in security matters in all phases of its life cycle.
- Security training (evidenced by attendance at courses, lectures, conferences).7. Política de seguridad de la información
The Management Committee shall be responsible for the annual review of this Information Security Policy and for proposing its revision or maintenance.
The company’s management shows its commitment to the security policy and to this end, on an annual basis or whenever there is a change in the company at an organisational level or in its technological environment, a complete review of the system will be carried out and communication and information about it will be promoted throughout the organisation.
8. Conflict resolution between the various actors
Conflicts that may arise between the various roles shall be dealt with by the steering committee, which shall take appropriate action.
The person who detects or considers that a conflict exists shall send a communication to the steering committee with a description of the conflict and the measures that could be taken to resolve it. The steering committee shall request information from the other members involved in the conflict and, after the corresponding analysis, shall adopt the corresponding decisions for its resolution.
9. Risk analysis and risk management
Risk analysis is considered fundamental to the management of information systems security. A risk analysis shall be carried out, assessing the threats and risks to which they are exposed. This analysis shall be repeated:
- regularly, at least once a year
- when the information handled changes
- when the services provided change
- when a serious security incident occurs
- when serious vulnerabilities are reported
For the harmonisation of risk analyses, the BeOneSec Management Committee establishes as a reference a Medium risk level for the different types of information handled and the different services provided, including the systems and infrastructure that support them.
BeOneSec’s Management Committee will streamline the availability of resources to meet the security needs of the different systems, promoting investments of a horizontal nature.
BeOneSec adopts the MAGERIT v3 methodology (Information Systems Risk Analysis and Management Methodology developed by the Higher Council of Electronic Administration) to analyse the risks supported by the Information Systems, and to recommend the appropriate measures to be adopted to improve their control. The risk analysis shall assess the safeguards present at the date of approval of the adequacy plan.
10. People management
The training and information of all persons in the organisation in security matters, as well as in the duties and obligations deriving from their job, is a basic element of the system.
The training plan shall aim to ensure that everyone is aware of the system’s security processes, procedures and standards, as well as best security practices.
The communication plan shall keep all employees informed of system updates.
Both the training plan and the communication will be carried out using Microsoft365 systems. In TEAMS training, the list of participants is stored in the same application. Whenever possible, the training action shall be recorded so that it can be viewed at a later date, for which purpose the participants shall be asked to agree to the recording.
Taking into account the activity carried out by the company, remote working is the usual way of working.
11. Professionalism
In defining the roles and appointing people, the previous training of each of the people in charge has been taken into account.
The training and awareness-raising plan will establish a continuous training programme for those in charge in order to be able to adapt to the changing reality in this area.
12. Authorisation and access control
Access to the project management information system, as well as access to data and other documentation, shall be subject to the authorisation process laid down in the procedure in force.
13. Protection of installations
With all information in the cloud, protection is delegated to the service provider.
Paper documents are kept in locked cabinets.
14. Procurement of products
Purchases shall be made in accordance with the procedure in force at the time, all equipment and purchases shall conform to the average level of security set by this policy.
15. Security by default
The system is designed so that users have the minimum privileges necessary to use the applications. Access to the systems will be by username and password with two-factor authentication.
Users have access only to the sites, folders and documents they need to use. System documentation is available to all users in read-only mode.
16. System integrity and updating
System upgrades shall require prior formal authorisation before installation and shall follow the established procedure for monitoring and incident management.
17. Protection of information in storage and in transit
All information must be stored on the servers set up for this purpose, the downloading of information to portable equipment shall be limited to the minimum time necessary to carry out the specific activity being carried out with these documents.
18. Preventing other interconnected information systems
No interconnected information systems are in place.
19. Registration of the activity
All activity affecting personal rights shall be recorded and regularly monitored to ensure compliance.
20. Security incidents
The monitoring and incident management procedure sets out how incidents are managed, analysed and actions for their resolution are implemented.
21. Business continuity
With cloud-based systems, backups are automated. A procedure is established to determine how backups are carried out and how they are recovered.
22. Continuous improvement
For continuous improvement, a periodic review of the system is established, in such a way that each procedure indicates the dates on which it must be compulsorily reviewed in order to analyse its adaptation to existing best practices and to the reality of the organisation’s operation.
Likewise, any incident will be used to obtain lessons learned and modify the processes and procedures that are affected.
23. Personal data
The principles established by current legislation on the protection of personal data, so as to ensure compliance with said legislation. These principles are:
- Principle of lawfulness. For processing to be lawful, personal data must be processed with the explicit consent of the data subject or on another basis or legal ground.
- Principle of fairness. Personal data may not be collected by fraudulent means (i.e. no deceptive means or methods may be used), unfair (resulting in unfair or arbitrary discrimination against data subjects) and unlawful (i.e. unlawful, outside or outside the law).
- Principle of transparency. This requires that all information and communication relating to the processing of personal data be easily accessible and easy to understand, and that simple and clear language be used.
- Purpose limitation principle. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with or different from those purposes.
- Data minimisation principle. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with or different from those purposes.
- Principle of accuracy. Data must be accurate and, where necessary, kept up to date. All reasonable steps must be taken to correct errors, to amend data which prove to be inaccurate or incomplete and to ensure the accuracy of the information undergoing processing.
- Principle of limitation of the retention period. Data may not be kept or maintained for longer than is necessary for the purposes of processing. Time limits must be established for erasure or periodic review.
- Principle of integrity and confidentiality. Adequate security must be ensured to preserve the integrity of the data and to prevent unauthorised access or use. All persons involved at any stage of the processing are bound to secrecy or confidentiality for an indefinite period of time.
- Principle of proactive responsibility. It is established that it is the controllers of personal data who, in addition to implementing the measures to comply with the regulations, must be concerned with ensuring and demonstrating that they do in fact implement and comply with them.
All employees of the company are obliged to respect and apply these principles in their area of responsibility, as detailed in the company’s code of conduct.
A specific procedure on data protection will be established, whenever it is necessary after the initial analysis.
24. System documentation
Both this policy and the various documents, processes, procedures, guides and instructions will be located on the intranet set up for this purpose.
The document management procedure establishes the various types of documents, the form of approval, revision and the location of these documents.
25. Obligation of all persons working in the organisation
All employees of the organisation are obliged to know and comply with this Information Security Policy and the Security Regulations, and it is the responsibility of the BeOneSec Management Committee to provide the necessary means to ensure that the information reaches those affected.
All BeOneSec members will attend an ICT security awareness session at least once a year. An ongoing awareness programme will be established to cater for all BeOneSec members, particularly new recruits.
Persons with responsibility for the use, operation or administration of ICT systems shall be trained in the safe operation of the systems to the extent that they need it to carry out their work. Training shall be mandatory before taking up a responsibility, whether it is their first assignment or a change of job or job responsibilities.
The company’s annual training plan shall include regular safety training and briefings.
26. Third parties
The security policy will be available to all third parties involved, for which purpose direct and permanent access to it will be provided.
When BeOneSec provides services to other organisations or handles information from other organisations, they shall be made aware of this Information Security Policy, channels shall be established for reporting and coordination of the respective Security Officers and procedures shall be established for reacting to security incidents.
When using third-party services or providing information to third parties, they shall be made aware of this Security Policy and the Security Regulations that apply to such services or information. Such third party shall be subject to the obligations set forth in such regulations, and may develop its own operating procedures to comply with such regulations. Specific incident reporting and resolution procedures shall be established. It shall be ensured that third party personnel are adequately security-aware to at least the same level as that set out in this Policy.
Where any aspect of the Policy cannot be satisfied by a third party as required in the above paragraphs, a report from the Security Officer specifying the risks involved and how they will be addressed will be required. Approval of this report will be required from those responsible for the information and services concerned before proceeding further.
Fernando Ramos
CEO
