Information Security Policy

1 - Purpose

This Security Policy is part of the Information Security Management System (ISMS) and its main objective is to establish general guidelines that ensure the management of information security in an integral and coordinated manner with the business objectives and strategic lines, applicable regulations and internal security directives of the company.

Information is a critical and essential asset, so this document establishes the basic principles to ensure that the access, use, custody, and safeguarding of information assets are appropriately developed.

This Security Policy ensures the explicit commitment of IDESA and its top management to guarantee and supervise the proper management of information security, minimizing the risks derived from existing threats in terms of availability, integrity, confidentiality, traceability, and authenticity of information.

The Security Policy is a document approved by IDESA's management and is mandatory throughout the organization.

2 - Scope

The scope of this Security Policy encompasses all business activities conducted within IDESA, including the assets that support these activities at any company location. This Security Policy applies to all personnel associated with IDESA who use its information and/or information systems. This includes internal staff of the company as well as external staff (customers, suppliers, auditors, etc.).

3 - Objectives

This Security Policy, in its purpose of protecting IDESA's information assets in all their dimensions, has the following objectives:

  • Ensure the necessary level of confidentiality of information, so that it can only be accessed by authorized staff.
  • Maintain the integrity of information, ensuring that unauthorized alteration, loss or destruction does not occur, whether intentional or accidental.
  • Ensure the availability of information whenever it is needed.

In addition, it may also be necessary to manage other objectives related to information security, based on potential legal and/or business requirements. Specifically:

  • Provide traceability, so that the history of actions taken on the information, and their authorship, can be tracked.
  • Ensure the authenticity of the information, so that the identity of its author can be verified beyond doubt.

4 - Basic Principles

This section specifies the basic principles that should always be considered in any activity related to the handling of information, in order to achieve the objectives described in the previous section:

  • Strategic Scope: information security should be integrated and coordinated with other strategic initiatives of the company, forming a coherent, efficient, and effective framework.
  • Comprehensive Approach: security will be understood as a comprehensive process that encompasses all technical, human, material, and organizational elements related to information assets. Information security should be considered as part of the regular operations in all business processes.
  • Proportionality: the implementation of security measures should be done with a proportional approach based on the risks to mitigate, as well as the associated operational and economic costs.
  • Design and Implementation of Processes: security measures should be implemented to prevent, detect, respond to, and recover from possible incidents that affect the security objectives described in this document.
  • Segregation of Duties: adequate functional segregation should be implemented in all aspects related to information security.
  • Compliance: information systems should comply with all applicable legislation, regulations, or standards related to security.
  • Risk Management: all information assets should undergo periodic risk analysis to identify the threats they may be exposed to.
  • Awareness and Training: actions should be taken to raise awareness and provide training to all personnel regarding information security.
  • Continuous Improvement: security measures need to be periodically evaluated and updated in a process of continuous improvement, adapting their purposes to potential changes in risks and information systems.

5 - Management Commitment

The management of IDESA, fully aware of the importance of information security for its business processes, commits to:

  • Ensure that the Information Security Policy is established, integrated, and complied with in all organizational processes.
  • Facilitate the allocation of necessary resources to develop the Information Security Management System (ISMS).
  • Establish roles and responsibilities concerning information security.
  • Promote training and awareness regarding information security among all employees.
  • Foster continuous improvement in all processes related to information security.

6 - Roles and Responsibilities

The definition of roles and the assignment of responsibilities within the information security scope at IDESA are specified in an internal document that is made available to all employees.

7 - Staff Obligations

All employees of IDESA have the obligation to be aware of and comply with this Information Security Policy and the security rules derived from it. It is the responsibility of IDESA's management (or designated authority) to ensure that the Policy is known by all relevant parties.

Furthermore, all employees of IDESA have the obligation and responsibility to report to IDESA's management (or designated authority) any identified incidents or offenses that could compromise the security of information assets.

All employees of IDESA with access to information systems will receive periodic awareness sessions or materials regarding information security. Similarly, employees with responsibilities in the use, operation, or administration of ICT systems will receive training for the secure handling of systems as necessary for their job tasks. Training will be mandatory before assuming a responsibility, whether it is their initial assignment or a change of position or responsibilities within the same role.

8 - Policy Review and Update

The Security Policy will be reviewed by the Security Committee at planned intervals, which should be no longer than 2 years, or whenever significant changes warrant it, to ensure that its suitability, adequacy, and effectiveness are maintained. Any updates to this Policy should be communicated to all relevant parties.

9 - Policy Communication

This Security Policy will be made available for reference to all employees of IDESA through the organization's information systems and/or published on its website. The necessary actions will also be taken to communicate the Policy, ensure that it is understood, and implement it effectively.
