Security Policy
Information Security Policy
1. Approval and Effective Date
This document is approved as of its most recent publication date on the medium on which it is read. This Information Security Policy is therefore in effect from that date until it is replaced by a new version.
2. Introduction
AEIOROS Servicios relies on ICT (Information and Communication Technology) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them from accidental or deliberate harm that could affect the availability, integrity, or confidentiality of the information processed or the services provided.
The objective of information security is to ensure the quality of the information and the continuous provision of services, by acting preventively, monitoring daily activity, and reacting promptly to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use, and value of information and services. Defending against these threats requires a strategy that adapts to changing conditions in order to guarantee the continuous provision of services. This means that departments must implement the minimum security measures required by the National Security Scheme (ENS, Esquema Nacional de Seguridad), continuously monitor service levels, track and analyze reported vulnerabilities, and prepare an effective incident response to ensure the continuity of the services provided.
Different departments must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and exploitation activities. Security requirements and funding needs must be identified and included in planning, tender requests, and bidding documents for ICT projects.
Departments must be prepared to prevent, detect, react, and recover from incidents, in accordance with Article 7 of the ENS.
2.1. Prevention
Departments must avoid, or at least reduce as far as possible, the chance that information or services are harmed by security incidents. To do so, departments must implement the minimum security measures required by the ENS, together with any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. To ensure compliance with this policy, departments must:
Authorize systems before they enter operation.
Regularly assess security, including assessments of routinely made configuration changes.
Request periodic review by third parties to obtain an independent assessment.
2.2. Detection
Since services can degrade rapidly as a result of incidents, from simple slowdowns to complete outages, departments must continuously monitor operations to detect anomalies in service levels and act accordingly, as established in Article 9 of the ENS.
Monitoring is especially relevant where lines of defense have been established in accordance with Article 8 of the ENS. Detection, analysis, and reporting mechanisms will be put in place so that the responsible parties are informed on a regular basis and whenever a significant deviation from the pre-established parameters occurs.
2.3. Response
Departments must:
Establish mechanisms to effectively respond to security incidents.
Designate a point of contact for communications regarding incidents detected in other departments or organizations.
Establish protocols for the exchange of information related to the incident. This includes communications, in both directions, with the Computer Emergency Response Teams (CERT).
2.4. Recovery
To ensure the availability of critical services, departments must develop ICT system continuity plans as part of their overall business continuity plan and recovery activities.
3. Scope
This policy applies to all ICT systems of AEIOROS Servicios and to all members of the organization, without exception.
4. Mission
Ensure information security by applying the necessary measures and by setting improvement objectives for information security. These objectives are described in MOD-001.
5. Regulatory Framework
All applicable legislation is listed and assessed in the company document "AEIOROS-Legislation\IdentificationAssessmentApplicableLegislation.xlsx", which is reviewed and updated annually.
6. Security Organization
6.1. Committees: Functions and Responsibilities
The ICT Security Committee is made up of management, which also assumes the role of Security Officer, and the SIG manager. The committee has been formalized in its constitution document.
The functions of the Security Committee are defined in that constitution document.
6.2. Roles: Functions and Responsibilities
All roles and responsibilities in the organization are identified in the job profile sheets. These functions have been communicated to all personnel of the organization.
6.3. Appointment Procedures
All positions have been officially appointed. The assignment process is defined in the HR management procedure.
6.4. Conflict Resolution Procedures
The project manager and area managers are responsible for coordinating and resolving conflicts.
When a conflict arises, the affected party will communicate it through the company's communication tool to their supervisor, who will establish measures for conflict resolution and communicate the incident and its resolution to management.
If the conflict cannot be resolved, it will be escalated to management, who will take necessary actions.
6.5. Information Security Policy
The Security Committee is responsible for reviewing this Information Security Policy annually and proposing either its revision or its continuation unchanged. The Policy is approved by management and communicated to all affected parties.
The Statement of Applicability sets out the measures the organization has implemented to manage every aspect of information security, together with the level established for each. In particular, it covers:
1. Organization and implementation of the security process.
2. Risk analysis and management.
3. Personnel management.
4. Professionalism.
5. Authorization and access control.
6. Facility protection.
7. Product acquisition.
8. Security by default.
9. System integrity and updating.
10. Protection of stored and in-transit information.
11. Prevention with respect to other interconnected information systems.
12. Activity logging.
13. Security incidents.
14. Business continuity.
15. Continuous improvement of the security process.
7. Personal Data
AEIOROS Servicios processes personal data. All information systems of AEIOROS Servicios will comply with the security levels that the applicable regulations require for the nature and purpose of the personal data collected, as documented in the record of processing activities.
8. Risk Management
All systems subject to this Policy must undergo a risk analysis that assesses the threats and risks to which they are exposed. This analysis will be repeated:
Regularly, at least once a year.
When the handled information changes.
When the provided services change.
When a serious security incident occurs.
When serious vulnerabilities are reported.
To harmonize risk analyses, the Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The Security Committee will make resources available to meet the security needs of the different systems, favoring investments of a cross-cutting (horizontal) nature.
9. Development of Information Security Policy
This Information Security Policy complements the security policies of AEIOROS Servicios in different areas:
The list of security policies is recorded in MOD-007 Documented Information List.
This Policy is developed through security regulations that address specific aspects. These security regulations are available to all members of the organization who need to know them, in particular those who use, operate, or administer information and communication systems.
The security regulations are available in our OneDrive document manager and have been sent to all personnel.
10. Staff Obligations
All members of AEIOROS Servicios are required to know and comply with this Information Security Policy and the Security Regulations. The Security Committee is responsible for providing the means needed for this information to reach the affected parties.
All members of AEIOROS Servicios will attend a security awareness session at least once a year. A continuous awareness program will be established to address all members of AEIOROS Servicios, particularly new recruits.
Individuals responsible for the use, operation, or administration of ICT systems will receive the training in secure handling of those systems that their work requires. This training is mandatory before taking on the responsibility, whether on first assignment or on a change of position or of responsibilities within the same role.
11. Third Parties
When AEIOROS Servicios provides services to other organizations or handles information belonging to other organizations, those organizations will be informed of this Information Security Policy, channels for reporting to and coordinating with the respective Security Committees will be established, and procedures for responding to security incidents will be agreed.
When AEIOROS Servicios uses third-party services or provides information to third parties, the third party will be informed of this Security Policy and of the Security Regulations that apply to those services or that information. The third party is bound by the obligations established in those regulations and may develop its own operating procedures to meet them. Specific procedures for reporting and resolving incidents will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least to the level established in this Policy.
If a third party cannot meet any aspect of the Policy as required in the preceding paragraphs, a report from the Security Officer specifying the risks incurred and how they will be addressed is required. That report must be approved by the managers of the affected information and services before proceeding.
12. Security Policy Approval
Approval date: 2021/02/23. Approved by Iván Magdaleno Campos.