INTRODUCTION
At Euro Economics Holding, S.L. and subsidiaries (hereinafter, EE), information is a fundamental asset for the provision of our services, which is why there is an express commitment to protect information adequately against possible threats, whether intentional or accidental, as part of a strategy aimed at business continuity, risk management and the consolidation of a security culture. This is what we know as information security. Aware of current needs, the Management of EE formalizes this commitment to information security through the publication of this Security Policy, with the aim of ensuring the integrity, confidentiality and availability of this important asset and promoting compliance with the strategic objectives of the company and the legal and contractual requirements in this area. Information assets are understood to be any information held in physical or electronic format that the company needs in order to perform its functions and achieve its strategic and operational objectives.
SCOPE
Effective information security can only be achieved through a joint effort that requires the participation of all company employees and collaborators working with information assets. Therefore, all users of these assets must comply with this policy in accordance with their role when dealing with company or customer information in any format (paper or electronic). This policy applies to all information infrastructures and assets, including the infrastructure provided by the company, the infrastructure specific to each project, and client infrastructure under the responsibility of the personnel (WAN, LAN and mobile and fixed telephone communications networks, personal devices, all information assets that are used for the performance of activities, etc.).
INFORMATION SECURITY OBJECTIVES
EE establishes, defines and reviews objectives aimed at improving its security, understood as the preservation of the confidentiality, integrity and availability of all information assets, as well as the systems that support them, thus increasing the confidence of our customers and improving the way we provide our services and treat our own and third-party information. Therefore, EE takes as a reference framework for its objectives:
- Protect information, preventing access by unauthorized persons.
- Comply with business objectives, legal or regulatory and contractual obligations that apply.
- Evaluate the information assets to apply the appropriate technical and organizational measures according to the risks analyzed.
- Promote a culture of security through training and awareness of staff working in the entity and affecting their performance in information security.
- Establish that all personnel are responsible for reporting vulnerabilities and threats to security, preserving the confidentiality, integrity and availability of information and complying with this policy and other regulations that develop it.
- Establish the necessary means to guarantee the continuity of the company’s activities.
COMMITMENT AND RESPONSIBILITIES
The Management of EE, as Responsible for the Information, is committed to providing the means and resources necessary to meet the security objectives defined in this Policy and to encouraging all staff to assume this commitment. To this end, EE will implement the measures required for the training and awareness of staff in information security. The general responsibility for information security will fall on the Security Manager, who will have the backing and support of the Technical Manager and Information Security System Administrator as part of his team, with ultimate responsibility resting with the Management as the highest authority responsible for security. The Security Officer is directly responsible for the maintenance of this policy, providing advice and guidance for its implementation.
APPLICABILITY OF THE POLICY AND REGULATORY FRAMEWORK
All internal personnel, suppliers, collaborators and, in general, all those who have responsibilities over the sources, repositories and resources for processing information in the U.S. must adopt the guidelines contained in this document and in related documents, in order to maintain the confidentiality and integrity of the information and ensure its availability. The regulatory framework on which this policy is based is defined by:
- Legislation related to the Protection of Personal Data (LOPD, GDPR).
- Legislation on Information Society Services and Electronic Commerce (LSSI).
- Legislation on legal protection for intellectual property works (LPI).
- Other regulations and legislation applicable to the organization’s activity.
FAILURE TO COMPLY WITH THE POLICY AND DISCIPLINARY PROCESS
Failure to comply with this Policy and the information security regulations and procedures that implement it may result in disciplinary action within the applicable legal framework, depending on the impact on the organization.
REVIEWS AND DISCLOSURE
This Security Policy, reviewed and approved by the Management of EE, may be modified in line with the periodically established revision needs or with its applicability, ensuring that it remains appropriate at all times. This Security Policy and the regulations that develop it will be disseminated through the appropriate channels to all interested parties on a need-to-know basis.