Information security policy
1. Adoption and entry into force
Text approved on 07 July 2023 by Salvador Marín Mellado. This Information Security Policy is effective from that date and until it is replaced by a new Policy.
2. Introduction
Gecor System S.L.U. depends on ICT (Information and Communication Technologies) systems to achieve its objectives.
These systems must be managed diligently and according to established procedures, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.
The objective of information security is to ensure the quality of information and the continuous provision of services by acting preventively, monitoring daily activity and reacting quickly and effectively to incidents. ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use and value of information and services.
Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure the continued delivery of services. This implies that departments must implement the minimum security measures required by the National Security Scheme, as well as continuously monitor service delivery levels, track and analyse reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.
The different departments must ensure that ICT security and
2.1. Prevention
Departments should avoid, or at least prevent as far as possible, information or services from being compromised by security incidents. To this end, departments should implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment.
These controls, and the security roles and responsibilities of all staff, should be clearly defined and documented. To ensure compliance with the policy, departments should:
- Authorise systems prior to going into operation (as per IT06 Acceptance and Commissioning).
- Regularly assess security, including assessment of configuration changes made on a routine basis (as per OP10 Change Management, with risk analysis performed following PG09 Risk Management).
- Request periodic review by third parties to obtain an independent assessment (ENS compliance certification by an external company, which requires annual system reviews).
2.2. Detection
Given that services can be rapidly degraded by incidents, ranging from a simple slowdown to a standstill, departments must continuously monitor operations to detect anomalies in service provision levels and act accordingly, as set out in Article 9 of the ENS.
Detection, analysis and reporting mechanisms shall be established and analysed by those responsible on a regular basis and especially when there is a significant deviation from the parameters that have been pre-established as normal.
2.3. Response
Departments should establish mechanisms to respond effectively to security incidents.
2.4. Recovery
To ensure the availability of critical services, departments should develop ICT systems continuity plans as part of their overall business continuity plan and recovery activities.
3. Outreach
This policy applies to all ICT systems of and to all members of the organisation, without exception.
4. Mission
Gecor System works to offer a safe and quality service to citizens, putting them in contact with public administrations, to improve together the quality of life in cities.
5. Information
- RD 311/2022 of 3 May, which regulates the National Security Scheme.
- Organic Law 3/2018, of 5 December, on the protection of personal data and the guarantee of digital rights.
- Law 9/2017, of 8 November, on Public Sector Contracts, transposing into Spanish law Directives 2014/23/EU and 2014/24/EU of the European Parliament and of the Council, of 26 February 2014.
The procedure for identifying the applicable regulations is called PG 05 Legal Requirements.
The rest of the laws, regulations and other national or international regulations to which the activity of Gecor System S.L.U. is subject can be found in the register ‘PG 05.01 List of Legislation’.
6. Organisation of security
6.1. Committees: roles and responsibilities
The ICT Security Committee will be made up of:
- Quality, Environment and Security Manager.
- Technology Manager, System Manager
The ICT Security Committee will have the following functions:
- Drafting and approval of the security documentation that forms part of the system.
- Approving critical changes to the security management system.
- Acquisition of new components that affect the security management system.
6.2. Roles: functions and responsibilities
The main role within Gecor System’s information security management system is that of the Information Security Officer, usually referred to in the documentation as the Security Manager. The functions of this Security Manager are:
- To develop, operate and maintain the Information System throughout its life cycle, from specification through installation and verification of its correct functioning.
- Define the topology and the management system of the Information System, establishing the criteria for its use and the services available in it.
- Assess and determine the security category of the Information System as described in the National Security Scheme.
- Ensure that specific security measures are properly integrated into the general security framework.
The System Manager may agree, together with the Security Committee, to suspend the handling of certain information or the provision of a certain service if he/she is informed of serious security deficiencies that could affect the satisfaction of the established requirements.
6.3. Designation procedures
The Information Security Officer is appointed by management taking into account the recommendations and capabilities of the members of the technology department. The appointment will be reviewed every 2 years or when the position becomes vacant.
6.4. Information security policy
The ICT Security Committee will be responsible for the annual review of this Information Security Policy and for proposing its revision or continuation. The Policy will be approved and subsequently disseminated to all affected parties for their information.
7. Awareness raising and training
An annual training meeting will be held, which may or may not be included in the already planned quality training, in which each member of the organisation will be reminded of their duties and obligations in security matters, in accordance with the requirements set out in the National Security Scheme.
Likewise, annual communications will be made in which both this Security Policy and the location of the relevant documentation within the internal shared file server will be disseminated.
The objective is to achieve full awareness that information security affects all members of Gecor System S.L.U. and all of its activities, in accordance with the principle of Integral Security set out in Article 5 of the ENS, and to put in place the means necessary for all persons involved in the process, and their hierarchical managers, to be aware of the risks involved.
8. Risk Management
The risk analysis shall be the basis for determining the security measures to be adopted in addition to the minimums established by the National Security Scheme, as provided for in article 6 of the ENS.
All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated: regularly (at least once a year), when the information managed changes, when the services provided change, when a serious security incident occurs or when serious vulnerabilities are reported.
For the harmonisation of risk analyses, the ICT Security Committee shall establish a baseline assessment for the different types of information managed and the different services provided.
9. Information security policy development
This Information Security Policy complements the security regulations in the different areas:
- MBPS-Manual de Buenas Prácticas de Seguridad en Uso de Móviles (Manual of Good Security Practices for Mobile Device Use).
- NS01-Access Control.
- NS02-Workplace Management Regulations.
- NS03-Backup Management Regulations.
- NS04-Cleaning of Metadata.
- NS05-Electronic Mail Use Regulations.
- NS06-Information Qualification Regulation.
- NS07-System Interconnection Regulations.
- NS08-Electronic Signature Usage Regulation.
- NS09-Secure Browsing Policy.
The security regulations shall be available to all members of the organisation who need to know them, in particular to those who use, operate or administer the information and communications systems. The security regulations shall be available on the Gecor System S.L.U. intranet.
These regulations shall be reviewed and updated on an annual basis. Members of Gecor System S.L.U. will be manually authorised to access all internal documentation, which can be found through the OneDrive link "internal documentation".
It will always be ultimately approved by Gecor System S.L.U. Management.
Approved by: Salvador Marin Mellado.