1. Introduction
Information has become one of the main assets of our organization, and for this reason caring for and protecting it is an absolute priority.
From now on, maintaining information security as a critical and fundamental element is part of our strategy. This challenge grows in demand and importance in an environment as specific and critical as ours, where secure processing and management of information is a necessity in order to compete and improve in the future.
NEOSISTEC AND NAVILENS PROJECTS CORP. depends on ICT (Information and Communication Technology) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity and traceability of the information processed or of the services provided.
The objective of information security is to guarantee the quality of the information and the continuous provision of services, acting preventively, supervising daily activity and reacting promptly to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to affect the availability, integrity, confidentiality, authenticity and traceability, intended use and value of the information and services. Defending against these threats requires a strategy that adapts to changes in the environment in order to guarantee the continuous provision of services. This means that departments must apply the minimum security measures required by the National Security Scheme (ENS) and by the international standard ISO/IEC 27001, continuously monitor service levels, follow and analyse reported vulnerabilities, and prepare an effective incident response to guarantee the continuity of the services provided.
The different departments must ensure that ICT security is an integral part of every stage of the system life cycle, from conception to withdrawal from service, including development or acquisition decisions and operational activities. Security requirements and their funding needs must be identified and included in planning, in requests for proposals and in tender specifications for ICT projects.
Departments must be prepared to prevent, detect, react to and recover from incidents, in accordance with Article 7 of the ENS.
1.1 Prevention
Departments must avoid, or at least prevent as far as possible, information or services being harmed by security incidents. To this end, departments must implement the minimum security measures established by the ENS, as well as any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. To guarantee compliance with this policy, departments must:
- Authorize systems before they enter operation.
- Evaluate security regularly, including evaluation of routine configuration changes.
- Request periodic review by third parties in order to obtain an independent evaluation.
1.2 Detection
Since services can degrade rapidly because of incidents, ranging from a simple slowdown to a complete stoppage, departments must monitor operation continuously in order to detect anomalies in service levels and act accordingly, as established in Article 9 of the ENS. Monitoring is especially relevant where lines of defence are established in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that regularly reach those responsible whenever a significant deviation from the parameters pre-established as normal occurs.
1.3 Response
Departments must:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications about incidents detected in other departments or in other organizations.
- Establish protocols for exchanging information related to an incident, including two-way communication with Computer Emergency Response Teams (CERTs).
1.4 Recovery
To guarantee the availability of critical services, departments must develop continuity plans for ICT systems as part of the general business continuity plan and its recovery activities.
2. Object and scope
The purpose of this high-level Policy is to define the objective, direction, principles and basic rules for information security management.
This Policy applies to the entire Information Security Management System (ISMS) and to all employees of NEOSISTEC AND NAVILENS PROJECTS CORP., and extends to third parties that process information owned by NEOSISTEC AND NAVILENS PROJECTS CORP.
The Security Policy applies to the entire company and its information assets:
- All departments, both their managers and their employees.
- Contractors, clients or any other third party with access to the organization's information or systems.
- Databases, electronic and paper files, processing, equipment, media, programs and systems.
- Information generated, processed and stored, whatever its medium and format, used in operational or administrative tasks.
- Information entrusted to the organization within an established legal framework, which will be treated as its own solely for the purposes of its protection.
- All systems used to administer and manage the information, whether owned, rented or licensed by the organization.
3. References and regulatory framework
The management of NEOSISTEC AND NAVILENS PROJECTS CORP. ensures that documentation of external origin that is relevant to the operation of the company is known to the employees who need it and is kept up to date and available at all times.
The security procedures established have been formalized following the criteria of the following international standards:
- UNE-ISO/IEC 27001. Information technology. Security techniques. Information security management systems (ISMS). Requirements.
- UNE-ISO/IEC 27002. Information technology. Security techniques. Code of practice for information security management.
- Requirements of stakeholders.
In addition, the register "SGSI84_RE07_ Applicable Regulations Register" is maintained to collect all information, links of interest and material related to the applicable regulations. An extract of the generally applicable regulations follows:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which establishes principles such as lawfulness, transparency, minimization, security and accountability.
- Organic Law 3/2018, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), which complements the GDPR and incorporates rights such as digital disconnection and safeguards regarding the use of biometric data.
- Law 34/2002, on information society services and electronic commerce (LSSI-CE), which regulates digital services, the use of cookies and electronic commercial communications.
- Law 31/1995, on Prevention of Occupational Risks, which establishes the legal framework for the safety and health of workers.
- Royal Decree 39/1997, approving the Regulation on Prevention Services, which regulates the organization and operation of prevention services.
- Order TIN/2504/2010, which develops the Regulation on Prevention Services with regard to the accreditation of specialized entities and audit activity.
- Law 10/2010, on the prevention of money laundering and terrorist financing, which establishes obligations of due diligence, training, reporting of transactions and internal control.
- Royal Decree 304/2014, approving the Regulation implementing Law 10/2010, which details the required procedures, controls and measures.
- Royal Legislative Decree 2/2015, approving the consolidated text of the Workers' Statute, which regulates labour rights and duties.
- Royal Decree-law 28/2020, on remote work, which regulates teleworking and its conditions.
- Royal Legislative Decree 8/2015, approving the consolidated text of the General Social Security Law, which sets out benefits and rights regarding contributions and coverage.
- Order ESS/86/2015, which develops the rules on social security contributions, protection for cessation of activity, the Wage Guarantee Fund and vocational training.
- The 2021 labour reform, which introduces changes in temporary hiring, subcontracting, collective bargaining and job stability.
- The right to digital disconnection, legally recognized as the worker's right not to attend to work devices outside working hours.
- Royal Legislative Decree 1/1996, approving the consolidated text of the Intellectual Property Law, which regulates copyright and the protection of original works.
- Law 17/2001, on Trademarks, which regulates the registration and protection of distinctive signs in the market.
- Organic Law 10/1995, of the Penal Code, applicable especially to computer crimes, disclosure of secrets, damage to systems and the criminal liability of legal persons.
- The Commercial Code, which regulates commercial acts, accounting obligations and commercial relations.
- Royal Legislative Decree 1/2010, approving the consolidated text of the Capital Companies Law, which regulates the incorporation, operation and dissolution of commercial companies.
- Law 3/2004, on measures to combat late payment in commercial transactions, which establishes payment terms and measures to prevent late payment.
- The Spanish Constitution of 1978, especially Article 18, which protects honour, personal and family privacy and one's own image, as well as the protection of personal data.
- Law 14/2011, on Science, Technology and Innovation, which promotes research, technological development and innovation.
- Law 38/2003, General Law on Subsidies, and its Regulation approved by Royal Decree 887/2006, which regulate the legal regime of public aid and subsidies and the obligations of justification and control.
- Royal Decree-law 12/2018, on the security of networks and information systems, not applicable to the company under its current scope.
- ENS Technical Security Instructions (ITS):
- ITS on Auditing of the Security of Information Systems (Resolution of 27 March 2018).
- ITS on Conformity with the ENS (Resolution of 13 October 2016).
- ITS on the Report on the State of Security (Resolution of 7 October 2016).
- ITS on Notification of Security Incidents (Resolution of 13 April 2018).
- Royal Decree 311/2022, of 3 May, regulating the National Security Scheme, which structures the information security management system to which the organization commits through this policy, guaranteeing that all of the following security requirements, without exception, have been addressed:
- Organization and implementation of the security process.
- Risk analysis and management.
- Personnel management.
- Professionalism.
- Authorization and access control.
- Protection of facilities.
- Acquisition of security products and contracting of security services.
- Least privilege.
- System integrity and updating.
- Protection of information stored and in transit.
- Protection against other interconnected information systems.
- Activity logging and detection of malicious code.
- Security incidents.
- Continuity of activity.
- Continuous improvement of the security process.
4. Organization of the Security
4.1 Committees: functions and responsibilities
A Security Committee has been set up; its members and their email addresses are withheld from this publication for security reasons. They are published on the intranet and may be shared with stakeholders on request.
A mail distribution list, comiteseguridad@navilens.com, is available to respond to any internal or external information security need.
Each head of area may modify and adapt documents or procedures within their competence without the express approval of the rest of the committee, provided that these modifications do not significantly alter the operation of the ISMS. In any case, the committee must be informed of such modifications.
The functions and responsibilities of the Security Committee are listed below.
- Coordinate Information Security (IS), ensuring that the Information Security Policy is complied with, approving methodologies, procedures and technical instructions on the protection of information, and establishing a culture of information security awareness throughout the organization.
- Adopt, or propose the adoption of, the measures necessary for personnel to know the security rules that affect the performance of their functions and the consequences of non-compliance.
- Keep the ISMS documentation up to date and adapted to the current regulations.
- Act as the advisory body for establishing new measures related to information security and data protection.
- Adopt, or propose to Management the adoption of, corrective measures resulting from deficiencies detected in an audit process, as well as those approved by Management.
- Supervise compliance with the established procedures for authorizing the use of mobile devices and teleworking.
- Supervise that the following lists are maintained according to the established procedures: personnel with access to personal data; personnel authorized to grant, cancel or alter access rights in accordance with the established criteria; and personnel with authorized access to the places where media and documents are stored.
- Inform and advise the organization and the personnel involved in processing of the obligations incumbent upon them in matters of data protection and IS.
- Supervise compliance with the applicable regulations, including the assignment of responsibilities, the awareness and training of personnel involved in processing operations, and the corresponding audits.
- Supervise the correct maintenance and updating of the Records of Processing Activities and other documentary support for compliance with the GDPR.
4.2 Roles: functions and responsibilities
Executive Management
Participates in setting objectives and measurements. Approves the policies. Approves the management reviews of the ISMS. Validates the conclusions of the system audits.
Executive Management establishes the organization chart, which contains more functions and roles than those specified here. This policy details only the roles related to information security.
Security Officer
- Promote the security of the information handled and of the electronic services provided by the information systems, with the responsibility and authority to ensure that the Information Security Management System complies with the requirements of the National Security Scheme.
- Supervise compliance with this Policy, its rules, derived procedures and the security configuration of the systems.
- Establish appropriate and effective security measures to meet the security requirements set by the Service Manager and the Information Manager, following at all times Annex II of the ENS and declaring the applicability of those measures.
- Promote security awareness and training activities in their area of responsibility.
- Coordinate and monitor the implementation of ENS adaptation projects, in collaboration with the System Manager.
- Carry out, with the collaboration of the System Manager, the mandatory risk analyses, select the safeguards to implement and review the risk management process. Likewise, together with the System Manager, accept the residual risks calculated in the risk analysis.
- Promote periodic audits to verify compliance with information security obligations, analyse the audit reports and prepare the conclusions to present to the System Manager so that the appropriate corrective measures are adopted.
- Coordinate the security management process, in collaboration with the System Manager.
- Determine the category of the system according to the procedure described in Annex I of the ENS and the security measures to be applied in accordance with Annex II of the ENS.
- Verify that the security measures are appropriate for the protection of the information and the services.
System Manager
- Develop, operate and maintain the information system throughout its life cycle, including its specification, installation and verification of correct operation.
- Ensure that the specific security measures are properly integrated within the general security framework.
- Carry out exercises and tests of the operational security procedures and the existing continuity plans.
- Implement the measures necessary to guarantee the security of the system throughout its life cycle, in agreement with the Security Officer.
- Carry out, with the collaboration of the Security Officer, the mandatory risk analyses, select the safeguards to implement and review the risk management process. Likewise, together with the Security Officer, accept the residual risks calculated in the risk analysis.
- Prepare, in collaboration with the Security Officer, the third-level security documentation (STIC operational procedures and STIC technical instructions).
- Apply the operational security procedures.
- Ensure that the established security controls are strictly complied with and that the approved procedures for handling the information system are applied.
- Supervise hardware and software installations, their modifications and improvements, to ensure that security is not compromised and that they conform at all times to the relevant authorizations.
- Monitor the security status of the system as reported by the security event management tools and technical audit mechanisms implemented in the system.
- Inform the respective managers of any anomaly, compromise or vulnerability related to security.
- Collaborate in the investigation and resolution of security incidents, from detection to resolution.
Data Protection Officer
- Inform and advise the Information Manager and their employees of the obligations incumbent upon them under the GDPR and other data protection provisions.
- Supervise compliance with the GDPR, with other data protection provisions of the Union or of the Member States, and with the policies of the controller or processor regarding personal data protection, including the assignment of responsibilities, the awareness and training of personnel involved in processing operations, and the corresponding audits.
- Provide advice when requested on the data protection impact assessment and supervise its application in accordance with Article 35 of the GDPR.
- Cooperate with the supervisory authority.
- Act as the point of contact for the supervisory authority on issues related to processing, including the prior consultation referred to in Article 36 of the GDPR, and consult it, as appropriate, on any other matter.
Service Manager
- Establish the security requirements of the service, including interoperability, accessibility and availability requirements.
- Determine the security levels of the service, in agreement with the Security Officer and the System Manager.
- Maintain the security of the information handled and of the services provided by the information systems in their area of responsibility.
Information Manager
- Ensure the proper use of the information and, therefore, its protection.
- Establish the security requirements of the information.
- Determine the security levels of the information processed, assessing the consequences of a negative impact.
Users and employees
- Comply with the information security policy and with the complementary rules, procedures and instructions.
- Protect and safeguard the company's information, avoiding its accidental or unauthorized disclosure, transmission outside the company, modification, erasure, destruction or misuse, whatever the medium or means by which it was accessed or became known.
- Know and apply the Information Security Policy, the Rules of Use of the Information Systems and all other applicable policies, rules, procedures and security measures.
4.3 Designation procedures
The Information Security Officer will be appointed by Management at the proposal of the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant. The department responsible for a service provided electronically under Law 39/2015 (Common Administrative Procedure) and Law 40/2015 (Legal Regime of the Public Sector) will designate the System Manager, specifying their functions and responsibilities within the framework established by this Policy.
4.4 Information security policy
The Information Security Committee is in charge of building and maintaining the Information Security Policy, although the Management of NEOSISTEC AND NAVILENS PROJECTS CORP. is responsible for approving and publishing the Policy and for distributing it to all affected employees and third parties.
Any change or evolution that affects or could affect the content of the Information Security Policy will be recorded through a new signature of the approval document. In this way the commitment of these bodies to information security is specified and confirmed.
Periodically, and in any case at least once a year, the validity and reasonableness of this policy will be reviewed and the improvements, adaptations or modifications required by applicable organizational, technical or regulatory changes will be carried out.
4.5. Distribution of the Security Policy
The security policy will be distributed in the following ways, depending on the stakeholder group to which it is addressed:
- Personnel and managers of the company Navilens: the security policy will be distributed by email. To ensure receipt, an acknowledgement of receipt of the corresponding document will be signed.
- Clients, partners, providers and other stakeholder groups: the security policy will be published as a section of the company website (www.navilens.com), where it can be consulted at any time.
4.6. Level of information security
The Organization has a policy, "SGSI05_PO02 - Policy for classification, labelling and handling of information", which defines the classification system, the assignment criteria based on nature, sensitivity, impact and legal requirements, and the controls associated with each level.
The organization also has a formally defined system categorization procedure, "SGSI192_PR029 - Procedure for categorization of the system", based on the CCN-STIC 803 Guide (Valuation of systems), which concludes: "According to Royal Decree 311/2022, of 3 May, and the guidelines of the CCN-STIC 803 Guide, the category of a system is determined by the highest level reached in the dimensions evaluated (Confidentiality, Integrity, Availability, Traceability and Authenticity) across all services and the associated information.
In this case:
- Dimensions at the High level are identified, and the highest level is the one to follow. Therefore an adaptation to the ENS High level is performed.
Therefore, according to the ENS, the category of the system is High, which implies that the security measures corresponding to that category, set out in Annex II of the ENS, must be implemented."
5. Sanctions
Any deliberate or negligent violation of the security policies and rules that entails potential harm, whether or not it materializes, to NEOSISTEC AND NAVILENS PROJECTS CORP. will be sanctioned according to the mechanisms provided in the Company agreement and in the applicable legal, contractual and corporate regulations.
Any action that compromises the security of NEOSISTEC AND NAVILENS PROJECTS CORP. and is not provided for in this policy must be reviewed by Executive Management and by the Information Security Officer, who will issue a resolution according to the company's criteria and the applicable legislation.
Disciplinary actions in response to non-compliance with the Information Security Policy are the responsibility of the Executive Management of NEOSISTEC AND NAVILENS PROJECTS CORP. and of the governing bodies, according to the applicable legislation.
A whistleblower channel and an incident management protocol are made available to workers, through which any member of the company can report a possible incident or non-compliance to the Security Committee or to the Security Officer.
The infraction and the corresponding sanction will be communicated to the offender by a member of Management by email, with a request for confirmation of receipt.
6. Mission
In response to a new technological environment in which the convergence of computing and communications is enabling a new productivity paradigm for companies, NEOSISTEC AND NAVILENS PROJECTS CORP. is firmly committed to promoting research, technological development and innovation projects in a quality-driven environment, where good information security practice is fundamental to achieving the objectives of availability, integrity, confidentiality, authenticity, traceability and legality of all the information managed. Consequently, NEOSISTEC AND NAVILENS PROJECTS CORP. defines the following principles to be applied within the framework of the Information Security Management System (ISMS):
The Management of NEOSISTEC AND NAVILENS PROJECTS CORP. understands its duty to guarantee information security as an essential element for the correct performance of the organization's services and therefore supports the following objectives and principles:
- Embed the value of information security throughout the Organization.
- Ensure that each and every person at NEOSISTEC AND NAVILENS PROJECTS CORP. contributes to the protection of information security.
- Preserve the availability, integrity, confidentiality, authenticity, traceability and resilience of the information, in order to guarantee compliance with the legal and regulatory requirements and those of our clients relating to information security, and specifically, with regard to personal data:
- Data will be processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
- Data will be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation).
- Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization).
- Data will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay (accuracy).
- Data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (storage limitation).
- Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality).
- Protect the information assets of NEOSISTEC AND NAVILENS PROJECTS CORP. from threats, whether internal or external, deliberate or accidental, in order to guarantee the continuity of the service offered to our clients and the security of the information.
- Establish an information security plan that integrates activities to prevent and minimize the risk of security incidents, based on the risk management criteria established by NEOSISTEC AND NAVILENS PROJECTS CORP.
- Provide the means necessary to carry out the appropriate actions for managing the identified risks.
- Take responsibility for information security awareness and training as a means of guaranteeing compliance with this policy.
- Extend our commitment to information security to our workforce and to our providers.
- Continuously improve security through the establishment and periodic monitoring of information security objectives.
This Policy will be maintained, updated and kept appropriate to the purposes of the Organization, aligned with its risk management context. To this end it will be reviewed at planned intervals or whenever significant changes occur, to ensure that it remains suitable, adequate and effective.
Likewise, to manage the risks faced by NEOSISTEC AND NAVILENS PROJECTS CORP., a formally defined risk assessment procedure is established. All policies and procedures included in the ISMS will be reviewed, approved and promoted by the Executive Management of NEOSISTEC AND NAVILENS PROJECTS CORP.
7. Risk Management
All systems subject to this Policy must undergo a risk analysis that evaluates the threats and risks to which they are exposed. This analysis will be repeated:
- regularly, at least once a year
- when the handled information changes
- when the provided services change
- when a serious security incident occurs
- when serious vulnerabilities are reported
To harmonize the risk analyses, the ICT Security Committee will establish a reference valuation for the different types of information handled and the different services provided. The ICT Security Committee will promote the availability of resources to address the security needs of the different systems, favouring investments of a horizontal, cross-cutting nature.
8. Development of the Information Security Policy
This Policy will be developed through security rules that address specific aspects, as well as through other complementary policies. The security rules will be made available to all members of the organization who need to know them, in particular those who use, operate or manage the information and communication systems.
9. Obligations of the personnel
All the members of NEOSISTEC AND NAVILENS PROJECT CORPS. AND NAVILENS PROJECTS CORP. have the obligation of knowing and fulfilling this Information Security Policy and the Security Rules, being responsibility of the ICT Security Committee to dispose the necessary means so that the information reaches those affected. All the members of NEOSISTEC AND NAVILENS PROJECT CORPS. AND NAVILENS PROJECTS CORP. will attend to an awareness session in ICT security matter at least once a year. A continuous awareness program will be established to attend to all the members of the organization, in particular to those of new incorporation. The persons with responsibility in the use, operation or administration of ICT systems will receive training for the secure management of the systems in the measure in which they need it to perform their work. The training will be mandatory before assuming a responsibility, whether it is their first assignment or if it is a change of job position or of responsibilities in the same.
Information security is a joint effort and therefore requires the involvement and participation of all members of the organization who work with its Information Systems. Accordingly, each employee must comply with the requirements of the Security Policy and its associated documentation.
Employees who, deliberately or through negligence, fail to comply with the Security Policy will be subject to the disciplinary actions contemplated in this document.
9.1. Definition of Information Owners
- Customer Information
  - Owner: Commercial Direction.
  - Functions: Guarantee the accuracy, appropriate use and currency of customer information.
  - Security: The Information Security Officer (RSI) oversees its protection according to the established classification.
  - Access: Allowed only to authorized personnel, under confidentiality commitments and following the need-to-know principle.
- Financial Information
  - Owner: Financial Direction.
  - Functions: Ensure the integrity, availability and accuracy of accounting, fiscal and budgetary information.
  - Access: Limited to authorized personnel, applying the principle of least privilege.
  - Security: The RSI verifies that adequate controls are applied (encryption, segregation of duties, traceability of accesses).
- Human Resources (HR) Information
  - Owner: HR Direction.
  - Functions: Manage and safeguard employees' personal data in accordance with the GDPR and the LOPDGDD.
  - Access: Restricted to the HR team and to specifically authorized owners.
  - Security: The RSI supervises that reinforced controls exist, given the sensitive nature of these data.
- Development / R&D / Source Code Information
  - Owner: Technical Direction (CTO) or the person responsible for the Development area.
  - Functions: Protect source code, algorithms, designs and technical documentation.
  - Access: Restricted to authorized technical personnel; authentication controls and secure repository management are applied.
  - Security: The RSI guarantees protection measures, separation of environments and prevention of information leaks.
- Operational and Project Information
  - Owner: Operations Area or the person responsible for the project.
  - Functions: Keep operational documentation, project documentation and deliverables up to date.
  - Access: Authorized only for the personnel involved in each project.
  - Security: The RSI guarantees controls to prevent unauthorized access.
- Marketing and Communication Information
  - Owner: Marketing Area.
  - Functions: Manage internal and external corporate content.
  - Access: Marketing and management personnel, as appropriate.
  - Security: The RSI verifies that sensitive information is not disseminated accidentally.
- Security and Systems Information
  - Owner: Information Security Area / Systems Area.
  - Functions: Manage and safeguard logs, configurations, policies and sensitive records.
  - Access: Limited to specifically authorized personnel.
  - Security: Reinforced controls, periodic audits and safeguards against improper access.
10. Third parties
This Security Policy must also be known and complied with by any external person belonging to a third-party entity who performs any type of processing of information owned by NEOSISTEC AND NAVILENS PROJECTS CORP.
When NEOSISTEC AND NAVILENS PROJECT CORPS. provides services to other bodies or handles information belonging to other bodies, those bodies will be made aware of this Information Security Policy, channels for reporting and coordination between the respective ICT Security Committees will be established, and procedures for responding to security incidents will be defined. When NEOSISTEC AND NAVILENS PROJECT CORPS. uses third-party services or transfers information to third parties, those third parties will be made aware of this Security Policy and of the Security Rules that apply to the services or information concerned. The third party remains subject to the obligations established in those rules and may develop its own operational procedures to satisfy them. Specific procedures for reporting and resolving incidents will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least to the level established in this Policy. Where a third party cannot satisfy some aspect of the Policy as required in the preceding paragraphs, a report from the Security Officer will be required that specifies the risks incurred and how they are to be treated. Approval of this report by the owners of the affected information and services will be required before proceeding.
11. Approval and Validity
The present document has been approved by the Direction, with validity from December 19, 2025.