INFORMATION SECURITY POLICY

SIGE is ISO 27001:2022 certified, which endorses our commitment to security in our systems. This international standard describes how to manage information security in companies and seeks to ensure its confidentiality, integrity and availability, minimising risks and threats as far as possible.

1. Introduction

Information is a major asset for GRUPO ROCAJUNYENT, as it is essential for the provision of the services it offers to third parties. For their part, information and communication technologies (ICT) have become essential for organisations, as they contribute very effectively to the processing of this information. However, the improvements that ICTs bring to information processing are accompanied by new risks. For this reason, it is necessary to introduce specific measures to protect both information and the services that depend on it.

Information security aims to protect information and services by reducing the risks to which they are subject to an acceptable level. This document establishes the Information Security Policy of GRUPO ROCAJUNYENT to ensure that all professionals in its service, both directly and indirectly, know, manage and support information security.

The aim is to achieve the strategic alignment of information security management with international standards and existing legislative regulations in this area.

2. Mission and objectives of the information security policy

GRUPO ROCAJUNYENT has aligned its management of information security with the regulatory framework established by the ISO 27001 standard, recognising information and the systems that support it as strategic assets.

One of the fundamental objectives of the implementation of this Information Security Policy is to establish the bases on which both internal employees and third parties can access the services offered by GRUPO ROCAJUNYENT in a secure and trustworthy environment.

The Information Security Policy defines the global framework for the management of information security, protecting all information assets and guaranteeing the continuity in the operation of the systems. The aim is to minimise the risks arising from a possible security breach and to ensure compliance with the objectives of the ROCAJUNYENT GROUP in the event of a hypothetical information security incident.

To this end, the following general information security objectives have been established:

  1. To contribute through security management to the fulfilment of the mission and objectives established by ROCAJUNYENT GROUP.
  2. To have the necessary control measures in place to guarantee compliance with the legal requirements applicable as a result of the activity carried out, especially with regard to the protection of personal data and the provision of services through electronic or telematic means.
  3. To ensure the accessibility, confidentiality, integrity, availability, authenticity and traceability of the information.
  4. To ensure the continuous provision of services, both preventively and reactively in the event of security incidents.
  5. To protect the information assets of GRUPO ROCAJUNYENT and the technology that supports them against any threat, intentional or accidental, internal or external, in order to ensure their confidentiality, integrity and availability.

This Information Security Policy ensures the ROCAJUNYENT GROUP’s continuous and clear commitment to the dissemination and consolidation of the culture of security.

3. Scope

This Information Security Policy shall apply to all ROCAJUNYENT GROUP information. For these purposes, the ROCAJUNYENT GROUP is understood to comprise the following locations:

  • C/ Aribau, 198 1st Floor (Barcelona).
  • C/ José Abascal, 56 6th Floor (Madrid).
  • C/ Gran Vía Jaume I, 37 5th Floor (Girona).

Extending the scope of the information systems provided by ROCAJUNYENT to the following organisations:

SIGE BUSINESS SERVICES, S.L.P.U. (“SIGE”), with offices in the same locations.

4. Regulatory framework

The ROCAJUNYENT GROUP is defined as all the organisations described above.

This Policy is not limited to personal data and is independent of whether the processing is manual or automated.

The legislation on information security, which should serve as a reference, is continuously updated and is reflected in the ‘Annex: Applicable legislation’.

5. Review of the policy

In relation to any revisions that may be made to the wording of the text constituting the information security policy, two types of activities shall be distinguished:

  1. Periodic systematic reviews: these shall be carried out at least once a year, or when incidents or changes are detected in the legal framework that may call into question the validity of said Policy. The review of the Information Security Policy must guarantee that it is in line with the strategy, mission and vision of the ROCAJUNYENT GROUP in matters of information security and that it ensures compliance with the established control objectives.
  2. Unplanned reviews: these reviews must be carried out in response to any security event or incident that could lead to a significant increase in the current level of risk, or that has had an impact on the security of GRUPO ROCAJUNYENT’s information.

6. Internal organisation of security

Responsibility for information security lies with the following bodies, with the functions indicated for each of them in this section: ROCAJUNYENT GROUP’s Information Security Committee, Information Managers, Service Managers, Security Managers and, where appropriate, Delegated Security Managers.

6.1. Information Security and Data Protection Committee

The Information Security and Data Protection Committee is the body that centralises the management of information security in the organisation.

When justified by the complexity, the physical separation of its elements or the number of users of the information in electronic support, or of the systems that handle it, delegated Security Committees may be created, functionally dependent on the main Information Security and Data Protection Committee, which shall be responsible within their scope for the actions delegated to them.

The Information Security and Data Protection Committee is responsible for ensuring that the ISMS is implemented and maintained in accordance with this Policy and for ensuring that all necessary resources are available.

The Information Security and Data Protection Committee shall define which information relating to information security is to be communicated, to which stakeholders (both internal and external), by whom and when.

6.2. Security Officer

The person responsible for the decisions required to satisfy the security requirements of information and services. He/she shall have the following functions:

  1. Operational coordination of the ISMS, as well as reporting on its performance.
  2. Conduct or promote periodic audits to verify compliance with information security obligations.
  3. To monitor and control the security status of the information systems.
  4. Propose to the Information Security and Data Protection Committee the security standards and security procedures.

6.3.

When justified by the complexity, the physical separation of its elements or the number of users of the information in electronic format, or of the systems that handle it, ‘delegated security officers’ may be designated, functionally dependent on the main officer, who shall be responsible in their area for the actions delegated to them.

The person/s in charge of implementing the security measures designated by the Information Security Officer.

The person/s in charge of monitoring the information systems and the follow-up of the measures implemented.

6.4. Manager

Senior management should review the ISMS at least once a year or whenever there is a significant modification; and should prepare minutes of such meetings. The objective of management reviews is to establish the suitability, adequacy and effectiveness of the ISMS.

6.5. Data Protection Officer

The person in charge of developing the policies related to data protection, as well as participating in the committee to provide his or her vision regarding security incidents and their impact on personal data.

6.6. Other areas

Protecting the integrity, availability and confidentiality of assets is the responsibility of the owner of each asset.

All security incidents or weaknesses must be reported to the security officer.

The human resources department is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management.

7. Conflict resolution

In the event of conflict between the different persons responsible for the organisational structure of the Information Security Policy, this will be resolved by the Management of GRUPO ROCAJUNYENT, and the most stringent requirements derived from the protection of personal data will prevail.

8. Classification of information

ROCAJUNYENT GROUP will classify and inventory the information assets by virtue of their nature. The level of protection and the measures to be applied will be based on the result of this classification.

9. Personal data

When a system affected by ISO 27001 handles data of a personal nature, the provisions of European Regulation 679/2016 on data protection and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and its implementing regulations shall apply, without prejudice to the requirements established in the regulatory framework of ISO 27001 in the field of e-Government. All information systems shall comply with the security levels required by personal data protection regulations.

10. Risk management

All systems subject to this Policy shall be subject to risk analysis and risk management, assessing the assets, threats and vulnerabilities to which they are exposed and proposing appropriate countermeasures to mitigate the risks. While continuous monitoring of changes made to systems is required, this analysis shall be repeated:

  1. at least once a year (by formal review and approval);
  2. when the information handled changes;
  3. when the services provided change;
  4. when a major security incident occurs;
  5. when serious vulnerabilities are reported.

11. Development tool

For the harmonisation of risk analysis, a baseline assessment will be established for the different types of information handled and the different services provided.

An information security policy framework structured at different levels is established so that the objectives set out in this document are specifically developed. The information security policy will structure its regulatory framework at the following levels:

  1. The present Information Security Policy, which establishes the global protection requirements and criteria.
  2. The security standards that define what is to be protected and the desired security requirements. The set of all security standards must cover the protection of all the organisation’s information systems environments. They establish a set of expectations and requirements that must be met in order to satisfy and fulfil each of the security objectives set out in the policy. They are proposed by the Security Manager and approved by the Information Security Committee.
  3. The security procedures that describe in concrete terms how to protect what is defined in the rules and the people or groups responsible for the implementation, maintenance and monitoring of their level of compliance. These are documents that specify how to carry out the usual tasks, who should do each task and how to identify and report anomalous behaviour.

Their approval will depend on their scope of application, which may be in a specific area or in a specific information system.

In addition, guidelines with recommendations and good practices may be established.

As far as possible, all this documentation will be managed in accordance with the current procedure for the Control of documents and records in ROCAJUNYENT GROUP, which will aim to establish the criteria for the control of documentation and security records used in the Information Security Management System and which extends to all the documentation that supports compliance with ISO 27001.

12. Obligations of professionals

All professionals with responsibility for the use, operation or administration of information and communications technology systems are obliged to know and comply with this Information Security Policy and the derived security regulations, regardless of the type of legal relationship that links them to ROCAJUNYENT GROUP.

All persons will receive training in the safe use of the systems to the extent that they need it to carry out their work.

The Information Security Policy will be accessible to all professionals who provide their services in the bodies and entities referred to in the point relating to ‘Scope’.

In order to foster a ‘Culture of Security’, the Information Security Committee shall promote an ongoing awareness programme to train all professionals. Failure to comply with the Information Security Policy and its implementing regulations shall give rise to the establishment of preventive and corrective measures aimed at safeguarding and protecting the networks and information systems, without prejudice to the corresponding disciplinary liability.

13. Relations with third parties

When ROCAJUNYENT GROUP provides services or transfers information to third parties, it will inform them of this Information Security Policy and the rules and instructions derived from it.

Likewise, when ROCAJUNYENT GROUP uses the services of third parties or cedes information to third parties, they will be informed of this Information Security Policy and of the security regulations and instructions relating to such services or information. Third parties shall be subject to the obligations and security measures established in said regulations and instructions, and may develop their own operating procedures to comply with them. Specific incident detection and resolution procedures shall be established.

It shall be ensured that the personnel of third parties are adequately aware of information security matters, at least to the same level as that established in this Information Security Policy.

Specifically, third parties shall ensure compliance with the information security policy based on auditable standards that allow verification of compliance with these policies. Likewise, it will be guaranteed by means of an audit or certificate of destruction/deletion that the third party cancels and deletes the data belonging to GRUPO ROCAJUNYENT at the end of the contract.

When any aspect of the Information Security Policy cannot be satisfied by a third party, a report will be required from the Information Security Manager specifying the risks incurred and how they are to be dealt with. Approval of this report by the Manager will be required before proceeding further.

Approved by:
Information Security and Data Protection Committee.