Information Security Policy


PO 05 Document Public 

 

Edition  Date        Modifications  Performed by      Approved by
1        18/02/2020  First Edition  Francisco Romero  Security Committee
2        05/06/2020  Review         Francisco Romero  Security Committee
3        04/10/2023  Update         Francisco Romero  Security Committee


INFORMATION SECURITY POLICY

The Management of DB SOFT SL is aware that information is an asset that, like other important business assets, has a high value for the Organization and therefore requires adequate protection. In particular, the protection of personal data, ensuring compliance with related regulations, is a fundamental factor in protecting the privacy of individuals. In the same way, the security of citizens’ data in general, and of the services provided to them in the field of public administration, is a commitment that DB SOFT assumes in relation to its intervention in these services as a provider of IT solutions.  

 

Given the high value that the information asset represents for the organization, DB SOFT's Management has decided to implement an Information Security Management System (ISMS) according to the requirements of the ISO/IEC 27001:2022 standard and the National Security Scheme (ENS), in order to protect it from the threats that affect it, minimize damage and ensure the continuity of the business lines. This system will be aligned with, and will also enable effective management of compliance with, the requirements of data protection regulations.

 

The Management of DB SOFT, through the development and implementation of this Information Security Management System, acquires the following commitments and principles:

  • Develop products and services in compliance with the legislative requirements applicable to the lines of business, and related to information security and data protection. 
  • Define and implement the necessary technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of information and personal data, taking into account the context of the organization, and the probability and severity of the risks that may affect the information systems.
  • Assign the necessary responsibilities for an adequate management of information security and personal data protection, and for an effective application of the procedures and measures defined in the organization. 
  • Define security training requirements and provide the necessary security training to stakeholders by establishing awareness and sensitization plans. 
  • Ensure the continuity of our operations and information, developing continuity plans in accordance with internationally recognized methodologies.
  • Ensure lawful processing of personal data, using the minimum data necessary to fulfill the specific and legitimate purposes for which they were obtained.
  • Ensure compliance with the right to information and transparency, as well as the possibility of exercising the other rights provided by law (access, rectification, cancellation, opposition, portability and limitation of treatment).
  • Establish procedures for the notification, management and effective treatment of security incidents and, in particular, those that may affect privacy and the protection of personal data. 

 

This Policy provides the reference framework for the continuous improvement of the Information Security Management System and for establishing and reviewing its objectives. It is communicated to the entire Organization through the document manager installed in the organization and via e-mail. This policy is reviewed annually for its adequacy, and extraordinarily when there are special situations and/or substantial changes in the Information Security Management System; the latest version is the one approved and published through the document manager.