
Privacy Policy and Information Security


APPROVAL AND ENTRY INTO FORCE

This document was reviewed and approved by the Security Committee on November 18, 2024. From this point on, the ENS Information Security System is referred to as the ISMS (Information Security Management System), since it is integrated into, and falls within the scope of, that system.

In accordance with the recommendations of the ICT SECURITY GUIDE (CCN-STIC-801), and taking into account our resources and scope, the Information Security Committee and the ICT Services Committee may operate as a single body at Nazaríes IT, since their membership and functions are equivalent.

This Information Security Policy will come into effect from this date and will remain in force until a new policy is issued to replace it.

INTRODUCTION

At Nazaríes Information Technologies, S.L., since 2018 we have implemented an information security policy that plays a fundamental role in our management and in the protection of the data and services we manage.

Our security policy has been established following a rigorous process that addresses multiple essential aspects. It has been formally approved and, at minimum, includes clear guidelines on our objectives as an organization, the pertinent regulatory framework that affects us, the responsibilities and roles related to security, the structure of committees responsible for overseeing and coordinating security aspects, as well as precise guidelines for the management of documentation and the security of our systems.

It is very important that each member of our team knows and complies with these security standards. Our policy meets the minimum security requirements, whose specific measures are scaled to the risks identified in our systems.

Within this framework, information security becomes a fundamental pillar to ensure the integrity, confidentiality and availability of the data and services we handle as a company.

PURPOSE

At Nazaríes Information Technologies, S.L., the Information Security Policy aims to establish guidelines and principles for the effective management and protection of information and services. We will implement, maintain and continuously improve an Information Security Management System (ISMS) in accordance with the requirements of the UNE-ISO/IEC 27001:2022 standard, PCI DSS v4.0 and the National Security Framework (ENS, Medium Level), and with the needs of our interested parties.

This will be carried out in compliance with the applicable regulatory framework, which includes current legal provisions, such as Royal Decree 311/2022, of May 3, which regulates the National Security Framework. The application of this policy focuses on ensuring adequate protection of information in the context of our organization.

The purpose of both the ISMS and the Security Policy is to ensure the protection of information and services, guaranteeing their authenticity, confidentiality, integrity, availability and traceability. This extends to the assets used in the processing, transmission and storage of information.

The dissemination, knowledge and application of this Information Security Policy is the responsibility of all personnel, both internal and external, who have access to the information of Nazaríes Information Technologies, S.L. and to the technological resources used in the organization's operations. This includes all levels of the organization, from the Management Committee to the information systems that support the services and processes necessary to achieve business objectives.

A - The objectives or mission of the organization

The mission of Nazaríes Information Technologies, S.L. is to develop software, IoT systems for industry, provide SaaS services and provide Customer Support service with the highest levels of quality, response time and information security, and at all times meeting client requirements.

The main objective of information security is to protect company data. Stated more precisely, the system must guarantee five fundamental dimensions of security: confidentiality, availability, traceability, authenticity and integrity. To achieve this, strategies must be established and action policies drafted for each of these dimensions.

This Policy will apply to the information systems of Nazaríes Information Technologies, S.L. related to the exercise of its competencies and to all users with authorized access to them, whether or not they are public employees and regardless of the nature of their legal relationship with the company.

All employees have the obligation to know and comply with this Information Security Policy and its derived Security Regulations, with the Information Security Commission being responsible for providing the necessary means for the information to reach the affected personnel.

In this area, personally financed, non-inventoried personal computers are not considered IT resources of Nazaríes Information Technologies, S.L., although they may occasionally be used for research purposes. However, if the corporate network is accessed from such personal computers, they become subject to the obligations established in this information security policy and its implementing regulations.

Specifically, this security policy is applicable to the following departments:

  • Administration
  • Sales
  • HR
  • Customer Success
  • Engineering
  • Industry 4.0
  • SaaS Solutions
  • DevOps
  • Ticketing
  • Infrastructure and Security

B - Legal and regulatory framework

The responsibilities of the departments of Nazaríes Information Technologies, S.L. towards its clients are set out in the contracts signed by both parties. Likewise, the services and products the company acquires from its suppliers, and the obligations those suppliers assume, are set out in the contracts signed for that purpose.

The applicable legislation in case of conflict between parties is equally specified in the service provision contracts signed by both parties.

The standards and regulations that apply include, among others:

  • Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSICE): Ensures that our company complies with the obligation to provide clear and accessible information to users about the services offered and the conditions of use, in addition to regulating advertising and content liability.
  • UNE-ISO/IEC 27002:2022 Code of Practice for Information Security Management: Provides a reference framework for establishing effective security policies in information management, which helps us protect our assets and mitigate risks associated with information security.
  • UNE-ISO/IEC 27001:2022 Specifications for Information Security Management Systems: Requires us to implement an information security management system (ISMS), which improves our ability to manage risks and comply with regulatory requirements, increasing the trust of our clients.
  • Regulation (EU) No 910/2014 (eIDAS): Facilitates the use of trust services, such as electronic signatures, which allows our company to conduct electronic transactions securely and legally, improving efficiency and security in our operations.
  • Royal Decree 311/2022, of May 3, which regulates the National Security Framework: Requires us to comply with security standards to protect information systems, especially if we work with public sector data, which can influence our risk management practices.
  • Law 9/2014, of May 9, General Telecommunications Law: Modernizes telecommunications regulation in Spain, promoting competition, improving user rights and facilitating the deployment of advanced infrastructures.
  • PCI-DSS (PCI Security Standards Council): Establishes requirements for the protection of payment card data, directly affecting our security management if we process card transactions, ensuring that we properly handle sensitive information.
  • Regulation (EU) 2019/881 (Cybersecurity Act): Establishes a framework for cybersecurity in the EU, affecting our company by requiring us to implement measures to protect our systems and data against cyber threats.
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights: Requires us to guarantee the protection of personal data of our clients and employees, establishing protocols for processing, storage and security of personal information.
  • Law 22/2019, of December 6, amending the Intellectual Property Law: Affects our ability to protect and enforce our rights over the software and other digital products we develop, as well as the management of the use of third-party works in our services.
  • Law 31/1995, of November 8, on Prevention of Occupational Risks: Requires us to guarantee the safety and health of our employees in the work environment, implementing policies and measures to prevent risks and promote a safe work environment.
  • State collective agreement for consulting companies, information technologies and market and public opinion research (agreement code 99001355011983) - April 13, 2023, Applicable collective agreement: Regulates specific labor conditions, including aspects of salaries, schedules and labor rights, which directly impacts human resources management in our organization.

C - Security Roles and Functions

In application of the criteria of the CCN-STIC-801 Guide (ENS Guide. Responsibilities and Functions), the following functions are distinguished within the ISMS of Nazaríes Information Technologies, S.L.:

  • Information Officer
  • Service Officer
  • System Officer
  • Security Officer
  • Data Protection Officer

As permitted by the aforementioned Guide, the Security Committee, as a collegiate body, performs the functions of "Information Officer". There is a Security Officer. The Data Protection Officer is the company's own personnel, and their appointment is recorded in minutes signed by the CEO.

Any conflicts between the roles involved in the ISMS that may occur in the normal course of the company's activity, or in security crisis situations, are resolved within the Security Committee. When dealing with situations of conflicts between roles, the company's CEO will be invited to the Committee. Decisions regarding conflicts will be made unanimously, and if there is no unanimity, by binding decision of the CEO.

The main functions of each of these figures, in terms of information security, are as follows:

Information Officer

The responsibilities of the Information Officer include:

  • Establishing the necessary security levels for each aspect that constitutes the system categorization.
  • Accepting responsibility for the residual risk of information and services.
  • Assuming ultimate responsibility for any error or negligence that results in an incident affecting confidentiality or integrity (in the field of data protection) or availability (in the field of information security), without exempting Senior Management from the responsibility that corresponds to it.

Service Officer

The responsibilities of the Service Officer are as follows:

  • Determines the security requirements needed to guarantee adequate protection of the services provided, and of the applications and technological platforms that support them, considering the relevant interests and needs.
  • Assumes responsibility for both the use and protection of shared services, therefore being responsible for any error or negligence in the use of these services that may result in a security incident.
  • Plays an active role in the Security Committee.

System Officer

The responsibilities of the System Officer include:

  • Developing, operating and maintaining the information system throughout its entire life cycle, which includes specifications, installation and verification of correct operation.
  • Defining the topology and management of the information system, establishing usage criteria and available services.
  • Ensuring the proper integration of security measures within the general security framework.
  • Generating, maintaining and ensuring compliance with operational security procedures.
  • Developing security improvement plans and continuity plans.
  • Committing to compliance with and monitoring of continuity plans.
  • Avoiding temporary suspension of services, prioritizing maximum system availability whenever possible.
  • Supervising and planning the implementation of safeguards in the system.
  • Making the decision to suspend information processing in case of detecting serious deficiencies, although the final decision rests with Senior Management.
  • Applying the security configuration approved by the Information Security Officer.
  • Monitoring the security status of the systems.
  • Recording, accounting for and managing security incidents in the systems under their responsibility.
  • Isolating incidents to prevent their spread to elements outside the risk situation.
  • Making immediate decisions if information is compromised in a way that could have serious consequences.
  • Ensuring the integrity of critical System elements if their availability is affected.
  • Maintaining and recovering information stored by t

Information Security Officer

The Security Officer is appointed by the Management Committee. As long as their function is not revoked by another decision of the Management Committee, they will continue to perform that function.

The responsibilities of the Information Security Officer include:

  • Promoting and participating in the creation and implementation of information security policies, regulations, procedures and guidelines, in accordance with the requirements of the corresponding security standards.
  • Supervising information security, following the general guidelines established in the Security Policy.
  • Preparing the Statement of Applicability document.
  • Ensuring that the Information Security Management System complies with the security standards selected by the Information Security Committee.
  • Conducting periodic assessments to analyze security and propose changes to security controls as necessary.
  • Identifying relevant laws, regulations and standards that may impact information security and proposing applicable measures, seeking external advice when necessary.
  • Actively collaborating in the development of an Information Security Management System.
  • Documenting authorized uses of the organization's information systems for approval by the Security Committee.
  • Contributing to the design of aware

Data Protection Officer

The responsibilities of the Data Protection Officer include:

  • Ensuring compliance with the principles related to data processing.
  • Identifying the legal bases of data processing.
  • Evaluating the compatibility of purposes different from those that motivated the initial data collection.
  • Determining whether there is sectoral legislation that establishes specific processing conditions different from those established by the GDPR.
  • Designing and implementing information measures for individuals affected by data processing.
  • Establishing mechanisms to receive and manage requests for the exercise of rights by data subjects.
  • Evaluating requests for the exercise of rights by data subjects.
  • Managing the contracting of data processors, including the details of contracts or legal agreements that regulate the relationship between the controller and the processor.
  • Identifying appropriate international data transfer instruments for the needs and characteristics of the organization and the corresponding justifications.
  • Designing and implementing data protection policies.
  • Establishing and maintaining records of processing activities.
  • Integrating data protection measures from the design stage and data protection by default, adapted to the risks and nature of the processing.
  • Implementing security measures appropriate to the risks and nature of the processing.
  • Establishing procedures to manage data security incidents, including risk assessment for rights and freedoms.
  • Determining whether it is necessary to carry out data protection impact assessments.
  • Conducting data protection impact assessments.
  • Managing relationships with supervisory authorities.
  • Implementing training and awareness programs for personnel on data protection issues.

Appointment and renewal procedures

All roles are appointed by the company's CEO.

The change of any of the persons assigned to any role may be initiated by the CEO, or due to the employee's departure from the company, in which case the CEO must appoint the successor in that function.

Such change must be notified to the security committee, which must be responsible for providing the necessary information, training and resources to carry out their roles effectively.

D - Structure and composition of the committee for security management and coordination

This committee is responsible for the definition, implementation and monitoring of all matters related to Information Security at Nazaríes Information Technologies, S.L. In our organization, the general responsibility for information security will rest with the Security Officer, with ultimate responsibility resting with Management as the highest authority of the ISMS.

The committee is composed of:

  • Information Officer
  • Service Officer
  • System Officer
  • Security Officer
  • Data Protection Officer

The functions of the Security Committee are as follows:

  • Developing the Corporate Security Policy, which must be approved by the entity's Management.
  • Coordinating all security functions of the organization.
  • Ensuring compliance with applicable legal and sectoral regulations.
  • Ensuring the alignment of security activities with the organization's objectives.
  • Coordinating the Continuity Plans of different areas, to ensure seamless action in case they need to be activated.
  • Coordinating and approving, where appropriate, project proposals received from different security areas, managing control and regular presentation of project progress and announcement of possible deviations.
  • Receiving security concerns from the entity's Management and transmitting them to the relevant departmental managers, obtaining from them the corresponding responses and solutions that, once coordinated, must be communicated to Management.
  • Obtaining regular reports from departmental security officers on the state of the organization's security and possible incidents. These reports are consolidated and summarized for communication to the entity's Management.
  • Defining, within the Corporate Security Policy, the assignment of roles and criteria to achieve relevant guarantees regarding segregation of duties.

There is a documentary repository of ENS and complementary measures, which are approved in Security Committee sessions and subsequently by Management (which signs the documents). Where appropriate, some ISO 27001 documents may form part of the body of ENS measures.

ENS measures are considered approved when they bear the signatures of the General Director and the Security Officer and have been uploaded to the documentary repository in Microsoft OneDrive or an alternative system. They do not require minutes. Alternatively, the General Director may approve a set of measures in minutes that record the name and approved version of each measure.

On the other hand, the Management Committee, with the collaboration of external legal advisors where appropriate, reviews changes in applicable legislation once a year, and their possible impact on the company's business within the scope. This review is carried out primarily through consultations with the BOE, INCIBE and CCN.

The Committee may regularly obtain from its own or external technical personnel the relevant information to make decisions.

This Committee will be convened when serious security incidents appear and specifically when new security needs arise.

The Committee will meet at least once a year in ordinary session and extraordinarily whenever necessary, with prior notice of at least 3 working days, made by Management, by email. The Committee may be requested by the Security Officer, in which case Management must convene it within a maximum period of 15 working days.

E - Guidelines for the structuring of system security documentation, its management and access

The guidelines for organizing documentation related to system security, its management and access are detailed in the procedure "IT.4 DOCUMENTATION MANAGEMENT".

If there is a substantial change in the structure or operation that impacts this policy, a corresponding review and update will be carried out.

These modifications will be recorded in a new edition of the document and documented in the change control section. This will serve as evidence of the update process carried out and will allow tracking of different versions.

The person responsible for Information Security has the responsibility to maintain and share the approved version of this document both in the information security policy available on our website and accessible to the public, as well as the one we have available internally.

F - Risks arising from the processing of personal data

Risk analysis and management must be taken into account as an essential part of the security process.

Risk management will contribute to maintaining a controlled environment by reducing risks to acceptable levels. To achieve this reduction, security measures will be implemented that will balance the nature of the data and processes, the impact and probability of associated risks, along with the effectiveness and cost of such measures.

When assessing risks related to data security, special attention will be paid to risks arising from the processing of personal data, such as:

  • Unauthorized access: unauthorized persons could access personal data, resulting in a breach of confidentiality.
  • Personal information could be modified or altered in an unauthorized manner, which would threaten its integrity.
  • Personal data could become inaccessible due to technical failures, cyberattacks or other interruptions, which would affect the availability of information.
  • The lack of adequate security measures could lead to security breaches, such as cyberattacks or loss of devices containing personal data.
  • Inadequate processing of personal data may lead to breaches of data protection legislation, which could result in legal sanctions.
  • Unauthorized disclosure of personal data could lead to harmful information leaks.
  • Employees or third parties could misuse personal data for unauthorized purposes.
  • Granting unnecessary or excessive permissions to access personal data can increase the risk of misuse.
  • Vulnerabilities in software used for processing personal data can be exploited by malicious actors.
  • Outsourcing services involving personal data may carry risks if third parties do not comply with the necessary security requirements.
  • A lack of early detection and inadequate response to security incidents can aggravate the impact of a personal data breach.

Minimum security requirements (Article 12 ENS)

This security policy is developed by applying the following minimum requirements:

a) Organization and implementation of the security process.

Security involves the entire organization, with the relevant functions within the ISMS being well delimited in the Security Policy document itself.

b) Risk analysis and management.

A risk analysis is carried out annually using the Magerit methodology. From this analysis, a Risk Treatment Plan is derived, whose measures are proportional to the identified risks.

c) Personnel management.

Users who access the system are identified and are aware of the company's security regulations. There is an annual training plan for all personnel within the scope. Likewise, the free-use awareness tools that INCIBE has made available to companies are implemented.

d) Professionalism.

Personnel selection is carried out following interviews and after a thorough examination of the candidate's CV. Hired workers receive training in the company's ISMS at the time of their incorporation, as well as periodic refresher actions.

System security will be attended to, reviewed and audited by qualified, dedicated and trained personnel, in all phases of its life cycle: installation, maintenance, incident management and decommissioning.

e) Authorization and access control.

Access to the system is regulated by permissions, which are audited periodically. The granting and withdrawal of temporary permissions is also provided for.

f) Protection of facilities.

The company's facilities are in an office building with restricted hours. The company's own offices have a magnetic key that is given to each worker, and of which there is a record. There are no production or data storage servers in the offices of Nazaríes Information Technologies, S.L.

Information systems will be located in secure areas protected with physical access controls appropriate to the consideration of critical services. The systems and information assets they contain will be sufficiently protected against physical or environmental threats, whether intentional or accidental. Servers hosting production applications or containing production data are hosted in companies certified under the ENS at medium or high level.

g) Acquisition of security products and contracting of security services.

When contracting products, those whose security functionalities have been certified by the CCN (for example, products included in its CPSTIC catalogue) are prioritized. Critical services are contracted only with providers certified at the Medium or High category of the ENS.

h) Least privilege.

The system will provide only the minimum functionality required for the organization to achieve its objectives. Operation, administration and activity-logging functions will be kept to the minimum necessary and will be accessible only to authorized persons, and, where applicable, only from authorized locations or equipment, within authorized time windows and through authorized access points. In an operating system, functions that are not needed, are unnecessary or are inappropriate for the intended purpose will be removed or deactivated through configuration control. Finally, ordinary use of the system must be simple and secure, so that unsafe use requires a conscious act on the part of the user.

i) System integrity and updating.

Every physical or logical element will require formal authorization prior to its installation in the system. The security status of the systems must be known at all times, in relation to manufacturers' specifications, vulnerabilities and updates that affect them, reacting diligently to manage risk in view of their security status.

j) Protection of stored and in-transit information.

The equipment used is encrypted. The use of personal removable devices is not allowed. Information on paper is restricted to contracts, and paper documents may not be printed or destroyed without authorization.

Nazaríes Information Technologies, S.L., has implemented mechanisms to protect information stored or in transit, especially when it is in insecure environments (laptops, mobiles, tablets, information media, open networks, etc.).

k) Prevention against other interconnected information systems.

The system protects the perimeter, in particular, if it connects to public networks. A public communications network shall be understood as the electronic communications network that is used, in whole or mainly, for the provision of electronic communications services available to the public, in accordance with the definition established in section 32 of Annex II, of Law 9/2014, of May 9, General Telecommunications Law. In any case, the risks arising from the interconnection of the system, through networks, with other systems will be analyzed, and their connection point will be controlled.

l) Activity logging and detection of malicious code.

User activity is recorded and analyzed in order to identify and prevent illicit actions or actions that may generate security risks.

m) Security incidents.

There is a procedure for the identification and management of security incidents. Workers receive information in this regard.

n) Business continuity.

Backup creation is outsourced to providers certified at medium or high level of the ENS.

ñ) Continuous improvement of the security process.

The system is audited every two years: first by internal technicians and subsequently by a certification body accredited by ENAC under the CCN scheme. In addition, Security Committee meetings are held regularly, in which the evolution of the Risk Treatment Plan, the security indicators and other actions that improve the ISMS are discussed.

The comprehensive security process implemented must be continuously updated and improved. To this end, criteria and methods recognized in national and international practice relating to information technology management will be applied.