Information Security Policy

1. Introduction

Information has become one of the main assets of our organization, and that is why caring for and protecting it becomes an absolute priority.

From now on, maintaining information security as a critical and fundamental element is part of our strategy. This challenge grows in demand and importance in an environment as specific and critical as ours, where the secure treatment and management of information is a necessity in order to compete and improve in the future.

NEOSISTEC AND NAVILENS PROJECTS CORP. depends on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed diligently, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising daily activity and reacting promptly to incidents.

ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use and value of information and services. Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure continuous service delivery. This implies that the departments must apply the minimum security measures required by the National Security Scheme (ENS) and ISO 27001, continuously monitor the levels of service provision, monitor and analyze reported vulnerabilities, and prepare an effective response to incidents to guarantee the continuity of the services provided. The different departments must ensure that ICT security is an integral part of each stage of the system life cycle, from its conception to its decommissioning, through development or acquisition decisions and operation activities.

Security requirements and financing needs must be identified and included in the planning, in the request for offers, and in the bidding documents for ICT projects. Departments must be prepared to prevent, detect, react to and recover from incidents, in accordance with Article 7 of the ENS.

1.1 Prevention

Departments must prevent, or at least minimize as far as possible, the compromise of information or services by security incidents. For this, the departments must implement the minimum security measures determined by the ENS, as well as any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. To guarantee compliance with the policy, the departments must:

  • Authorize the systems before they go into operation.
  • Regularly assess security, including assessment of routinely performed configuration changes.
  • Request periodic review by third parties in order to obtain an independent evaluation.

1.2 Detection

Since services can quickly degrade due to incidents, ranging from a simple slowdown to a complete stoppage, departments must continuously monitor the operation of services to detect anomalies in service delivery levels and act accordingly, as set out in Article 9 of the ENS. Monitoring is especially relevant when lines of defense are established in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms shall be established that regularly reach those responsible when there is a significant deviation from the parameters pre-established as normal.

1.3 Response

Departments must:

1.4 Recovery

To ensure the availability of critical services, departments should develop IT systems continuity plans as part of their overall plan for business continuity and recovery activities.

2. Purpose and scope

The purpose of this High Level Policy is to define the objective, direction, principles and basic rules for information security management.

This Policy applies to the entire Information Security Management System (ISMS) and to all employees of NEOSISTEC AND NAVILENS PROJECTS CORP., and extends to third parties that carry out processing of information owned by NEOSISTEC AND NAVILENS PROJECTS CORP.

The Security Policy applies to the entire company and its information assets:

  • To all departments, both their managers and employees.
  • To contractors, customers or any other third party that has access to the organization's information or systems.
  • To databases, electronic and paper files, processing operations, equipment, media, programs and systems.
  • To information generated, processed and stored, regardless of its medium and format, used in operational or administrative tasks.
  • To information transferred within an established legal framework, which will be treated as the company's own for the sole purpose of its protection.
  • To all systems used to administer and manage the information, whether owned, leased or licensed by the company.

3. References and regulatory framework

The management of NEOSISTEC AND NAVILENS PROJECTS CORP. ensures that documentation of external origin that is relevant to the operation of the company is known to those employees who need it, and is kept up to date and available at all times.

For this purpose, the means defined in this document and in the procedures that develop it are used.

As regards the standards applied to formalize the different security procedures established, the criteria of the following international standards have been followed:

Additionally, the register "SGSI84_RE07_ Registro Normativa aplicable" has been created to provide all the information, links of interest and information related to the regulations applied.

Data protection regulations

Labour regulations

General regulations

4. Security Organization

4.1 Committees: roles and responsibilities

A security committee is formed, whose members and e-mail addresses are withheld from this publication for security reasons. However, they will be communicated on the intranet and can be shared with interested parties on demand.

There is a mailing list, comiteseguridad@neosistec.com, for responding to any internal or external information security need.

Each person responsible for an area may modify and adapt documents or procedures that fall within their competence without the express approval of the rest of the committee, provided that these modifications do not significantly alter the functioning of the ISMS. In any case, the committee must be informed of these modifications.

The roles and responsibilities of the Security Committee are listed below.

4.2 Roles: functions and responsibilities

In the document called "ISMS65_Roles and Responsibilities NEOSISTEC AND NAVILENS PROJECT CORPS." all the roles and responsibilities of the organization are detailed.

4.3 Designation procedures

The Information Security Officer shall be appointed by Management on the proposal of the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant. The Department responsible for a service provided electronically in accordance with Law 11/2007 shall designate the System Manager, specifying his/her functions and responsibilities within the framework established by this Policy.

4.4 Information security policy

The Information Security Committee is in charge of building and maintaining the Information Security Policy, although the Management of NEOSISTEC AND NAVILENS PROJECTS CORP. is responsible for the approval and publication of this Policy, as well as for distributing it to all employees and affected third parties.

Any change or evolution that affects or could affect the content of the Information Security Policy will be recorded by a new signature of the approval document. In this way, the commitment of these entities to information security is confirmed.

Periodically, and in any case at intervals not exceeding one year, the validity and reasonableness of this policy will be reviewed and the required improvements, adaptations or modifications will be carried out according to the applicable organizational, technical or regulatory changes.

4.5 Security Policy Distribution

The security policy will be distributed in the following ways, depending on the stakeholder group to which it is directed:

  • Personnel and managers of the company Nuevos Sistemas Tecnológicos S.L.: the security policy will be distributed by e-mail. To ensure that it is received, an acknowledgement of receipt of the corresponding document will be signed.
  • Clients, partners, suppliers and other interested parties: the security policy will be included as a section of the company's web page (www.navilens.com), where they will be able to consult it at any time.

5. Sanctions

Any premeditated or negligent violation of the security policies and rules that entails potential damage, whether or not realized, to NEOSISTEC AND NAVILENS PROJECTS CORP. will be sanctioned according to the mechanisms provided in the Company's agreement and in the legal, contractual and corporate regulations in force.

All actions in which the security of NEOSISTEC AND NAVILENS PROJECTS CORP. is compromised and that are not foreseen in this policy must be reviewed by the Executive Management and by the person responsible for Information Security, who will issue a resolution subject to the criteria of the company and the legislation in force.

Disciplinary actions in response to non-compliance with the Information Security Policy are the responsibility of the Executive Management of NEOSISTEC AND NAVILENS PROJECTS CORP. and the governing bodies according to the applicable legislation.

There is a complaints channel and an incident management protocol available to employees through which any member of the company can report a possible incident or breach to the security committee or the person responsible for security.

The infraction and the corresponding sanction will be communicated to the offender by a member of management by e-mail with a request for confirmation of receipt.

6. Mission (Security Policy)

In response to a new technological environment in which the convergence between computing and communications is facilitating a new paradigm of productivity for companies, NEOSISTEC AND NAVILENS PROJECTS CORP. is highly committed to maintaining the promotion of research, technological development and innovation projects, in a quality environment, where the development of good practices in Information Security is essential to achieve the objectives of confidentiality, integrity, availability and legality of all information managed. As a consequence of the above, NEOSISTEC AND NAVILENS PROJECTS CORP. defines the following application principles to be taken into account within the framework of the Information Security Management System (ISMS):

The Management of NEOSISTEC AND NAVILENS PROJECTS CORP. understands its duty to ensure information security as an essential element for the proper performance of the organization's services, and therefore supports the following objectives and principles:

1. To implement the value of Information Security throughout the Organization.
2. For each and every person of NEOSISTEC AND NAVILENS PROJECTS CORP. to contribute to the protection of Information Security.
3. To preserve the confidentiality, integrity, availability and resilience of the information, in order to ensure compliance with legal and regulatory requirements and those of our customers regarding information security, and specifically with regard to personal data:
   1. The data will be processed in a lawful, fair and transparent manner in relation to the data subject (Lawfulness, fairness and transparency).
   2. The data will be collected for specified, explicit and legitimate purposes and will not be further processed in a way incompatible with those purposes (Purpose limitation).
   3. The data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data minimization).
   4. The data shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are promptly deleted or rectified (Accuracy).
   5. The data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Limitation of the retention period).
   6. The data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the implementation of appropriate technical or organizational measures (Integrity and confidentiality).
4. To protect the information assets of NEOSISTEC AND NAVILENS PROJECTS CORP. from threats, whether internal or external, deliberate or accidental, in order to ensure the continuity of the service offered to our customers and the security of the information.
5. To establish an Information Security Plan that integrates the activities of prevention and minimization of the risk of security incidents, based on the risk management criteria established by NEOSISTEC AND NAVILENS PROJECTS CORP.
6. To provide the necessary means to be able to carry out the pertinent actions in order to manage the identified risks.
7. To assume responsibility for awareness and training in information security as a means to ensure compliance with this policy.
8. To extend our commitment to information security to our employees and suppliers.
9. To continually improve security by establishing and regularly monitoring information security objectives.

This Policy shall be maintained, updated and kept adequate for the Organization's purposes, aligned with the Organization's risk management context. To this effect, it will be reviewed at planned intervals or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.

Similarly, a formally defined risk assessment procedure is established to manage the risks faced by NEOSISTEC AND NAVILENS PROJECTS CORP. In turn, all policies and procedures included in the ISMS will be reviewed, approved and promoted by the Executive Management of NEOSISTEC AND NAVILENS PROJECTS CORP.

7. Risk Management

All systems subject to this Policy shall undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated

In order to harmonize risk analyses, the ICT Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The ICT Security Committee will promote the availability of resources to meet the security needs of the different systems, encouraging investments of a horizontal nature.

8. Development of the Information Security Policy

This Policy will be developed by means of security regulations that address specific aspects, as well as other complementary policies. The security regulations shall be available to all members of the organization who need to know them, in particular to those who use, operate or administer the information and communications systems.

9. Staff obligations

All members of NEOSISTEC AND NAVILENS PROJECTS CORP. have the obligation to know and comply with this Information Security Policy and the Security Regulations; it is the responsibility of the ICT Security Committee to arrange the necessary means for the information to reach those affected. All members of NEOSISTEC AND NAVILENS PROJECTS CORP. will attend an ICT security awareness session at least once a year. An ongoing awareness program will be established to cater to all members of the organization, particularly new hires. Persons with responsibility for the use, operation or administration of ICT systems shall be trained in the secure operation of the systems to the extent that they need it to perform their work. Training will be mandatory before taking on a responsibility, whether it is their first assignment or a change of job or job responsibilities.

Information Security is a joint effort, so it requires the involvement and participation of all members of the organization who work with the organization's Information Systems. Therefore, each employee must comply with the requirements of the Security Policy and its associated documentation.

Employees who deliberately or negligently violate the Security Policy will be subject to disciplinary action as contemplated herein.

10. Third parties

This Security Policy extends to, and must be known and complied with by, any external person belonging to third-party entities that carry out any type of processing of information owned by NEOSISTEC AND NAVILENS PROJECTS CORP.

When NEOSISTEC AND NAVILENS PROJECTS CORP. provides services to other organizations or handles information from other organizations, they will be made participants in this Information Security Policy, channels will be established for reporting and coordination between the respective ICT Security Committees, and procedures will be established for reacting to security incidents.

When NEOSISTEC AND NAVILENS PROJECTS CORP. uses services of third parties or transfers information to third parties, they will be made participants in this Security Policy and in the Security Regulations related to such services or information. Such third parties shall be subject to the obligations set forth in those regulations, and may develop their own operating procedures to comply with them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that third-party personnel are security-aware to at least the same level as that set out in this Policy.

Where any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Officer shall be required specifying the risks incurred and how they will be addressed. Approval of this report by those responsible for the information and services concerned will be required before proceeding further.

11. Approval and Validity

This document has been approved by Management, effective as of 11 May 2023.