Security Policy

The Security and Compliance Committee of homedoctor is responsible for designing, evaluating and continuously reviewing the governance and sustainability system and, specifically, for approving and updating corporate policies, which contain the guidelines that govern the organization's actions, in the sense established by law.

In the exercise of these responsibilities, and in order to establish the general principles that must govern corporate security actions in all their aspects, the Security and Compliance Committee approves this Corporate Security Policy (the "Policy"). It does so in compliance with the information security regulations established by RD 311/2022, which regulates the National Security Scheme (ENS), and with the voluntary standard ISO 27001.

On the other hand, and due to our activity, at Homedoctor we are aware that personal data is an asset with high value for our organization and therefore requires adequate protection and management in order to comply with current legislation regarding personal data protection (GDPR and LOPDGDD) and Homedoctor's commitment to our clients, which makes us especially sensitive to the processing of personal data to which we have access in the exercise of our activity.

1. Purpose

The purpose of this Policy is to establish the basic principles of action that must govern the Organization in terms of security, to guarantee the effective protection of people, physical assets (including critical infrastructures), information and knowledge, and control and communication systems, as well as the privacy of processed data, ensuring at all times that security actions are fully compliant with the law and scrupulously comply with the provisions of the Ethical and Conduct Code.

Through this Policy, the Organization expresses its commitment to excellence in security, which plays a leading role in the Organization's day-to-day operations, so that it remains secure, resilient, and reliable in a constantly transforming digital community, where new and increasingly sophisticated threats emerge, both physical, cybersecurity, and hybrid, leading to an increase in the demands of regulators, clients, and other Stakeholders with whom the Organization interacts, regarding compliance with increasingly high security standards that allow for the building and consolidation of lasting trust relationships.

Systems must be protected against rapidly evolving threats with the potential to affect information and services. To defend against these threats, a strategy that adapts to changes in environmental conditions is required to ensure the continuous provision of services.

This implies that the different departments must apply the minimum security measures required by the National Security Scheme according to the category determined by the internal system valuation process, a systematic process aligned with the guide CCN-STIC 803 “System Valuation”, as well as continuously monitor service provision levels, follow and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.

The different departments of the organization must ensure that security is an integral part of each stage of the system's life cycle, from its conception to its withdrawal from service, including development or acquisition decisions and exploitation activities. Security requirements and funding needs must be identified and included in planning, in requests for proposals, and in tender documents for ICT projects.

Departments must be prepared to prevent, detect, react to and recover from incidents, in accordance with Article 8 of the ENS.

Following the guidelines of Chapter II, the basic principles by which Homedoctor is governed are the following:

  1. Security as an integral process, constituted by all elements related to the information system, paying special attention to the awareness of all participants.
  2. Risk-based security management, as described in section 11 of this document.
  3. Prevention, detection, response and preservation, developed in sections 7.1.1 to 7.1.4 of this document.
  4. Existence of lines of defense made up of multiple layers of security organized into organizational, physical and logical measures.
  5. Continuous monitoring and periodic re-evaluation, allowing for the detection of anomalous behavior and its response, as well as measuring its evolution through the detection of vulnerabilities and configuration deficiencies, periodically verifying its effectiveness, and potentially leading to a rethinking of our security design.
  6. Differentiation of responsibilities, as developed in section 8.2 of this document.

2. Minimum Requirements

To do this, we will apply the following minimum requirements.

  1. Organization and implementation of the security process.
  2. Analysis and management of risks.
  3. Personnel management.
  4. Professionalism.
  5. Authorization and control of access.
  6. Protection of facilities.
  7. Acquisition of security products and contracting of security services.
  8. Minimum privilege.
  9. System integrity and update.
  10. Protection of stored and in-transit information.
  11. Prevention against other interconnected information systems.
  12. Activity log and detection of harmful code.
  13. Security incidents.
  14. Business continuity.
  15. Continuous improvement of the security process.

These minimum requirements are proportionate to the risks identified in our systems, in accordance with the provisions of article 28 and are developed in the ENS management system documents.

3. Scope of Application

This Policy applies to the Organization's information systems as a whole.

This Policy is developed and complemented through the following specific policies, also approved by the Security and Compliance Committee:

  • SIG.SI.PO-01 – Internal Organization Policy
  • SIG.SI.PO-02 – Security measures policy in projects
  • SIG.SI.PO-03 – Information Asset Policy and others associated with it
  • SIG.SI.PO-04 – Access Control and Identity Policy
  • SIG.SI.PO-05 – Security Policy in the Relationship with Suppliers
  • SIG.SI.PO-06 – Information Security Policy for the Use of Cloud Services
  • SIG.SI.PO-07 – Security Incident Management Policy
  • SIG.SI.PO-07-A1 – Annex I – Security Incident Management Policy
  • SIG.SI.PO-08 – Business Continuity Policy
  • SIG.SI.PO-09 – Compliance Policies
  • SIG.SI.PO-10 – Personnel Controls Policy
  • SIG.SI.PO-11 – Teleworking Policy
  • SIG.SI.PO-12 – Physical Controls Policy
  • SIG.SI.PO-13 – Mobile Devices and BYOD Policy
  • SIG.SI.PO-14 – Technological Controls Policy
  • SIG.SI.PO-15 – Network Security Policy
  • SIG.SI.PO-16 – Cryptography Policies
  • SIG.SI.PO-17 – Secure Development Policies
  • SIG.SI.PO-18 – Risk Management Policy
  • SIG.SI.PO-19 – Training Policy
  • SIG.SI.PO-20 – Policy on the prevention of fraud, corruption and bribery

4. Basic Principles of Action

To materialize the commitment indicated in section 1 above, the following basic principles of action are established that must govern the Organization's activities in terms of corporate security:

  1. Define a comprehensive security strategy with both a preventive and proactive approach to ensure a reasonable level of risk.
  2. Ensure adequate protection of assets (including critical infrastructures) to proactively manage risks.
  3. Guarantee the protection of the Organization's professionals both at their workplace and during their business trips, as well as the protection of individuals when they are in the Organization's facilities or at any institutional event of the Organization.
  4. Define a security management model with a clear assignment of roles and responsibilities and effective coordination mechanisms that integrate security and proactive risk management into decision-making processes.
  5. Ensure adequate protection of information and knowledge, as well as control, information and communications systems, to proactively manage risks, in accordance with the provisions of the Risk Management Policy.
  6. Preserve the principles of Confidentiality, Integrity, Availability, Authenticity, Traceability, as well as Regulatory Compliance of information. In turn, these principles are defined as follows:
    • Confidentiality: the property that ensures that access to information can only be exercised by authorized persons.
    • Integrity: the property of safeguarding the accuracy and completeness of information assets.
    • Availability: the quality that guarantees that authorized persons can access and process information whenever it is necessary.
    • Authenticity: the property or characteristic that an entity is who it claims to be, or that guarantees the source from which the data originates.
    • Traceability: the property or characteristic that an entity's actions can be exclusively attributed to that entity.
  7. Promote the identification of non-public information classified (or susceptible to being classified) as confidential or secret, as well as information considered (or susceptible to being considered) as a trade secret and define the criteria for its adequate protection, ensuring its implementation.
  8. Promote the active fight against fraud and against attacks on the brand, image and reputation of the Organization's companies and its professionals.
  9. Guarantee the right to the protection of personal data of all individuals who interact with the Organization, in accordance with the provisions of the USER SECURITY MANUAL.
  10. Adopt the necessary measures to prevent, neutralize, minimize or restore damage caused by security threats, whether physical, cybersecurity or hybrid, for the normal development of activities, based on proportionality criteria to potential risks and the criticality and value of affected assets and services.
  11. Comply with the basic principles of action established in PSI.08 – Business Continuity Policy.
  12. Foster an inclusive culture and security awareness within the Organization, by carrying out appropriate dissemination, awareness and training actions, adapted to each recipient and with sufficient periodicity to ensure the updating of knowledge in this area.
  13. Promote adequate security training for all personnel, both internal and external, defining requirements and criteria in hiring that take into account such training.
  14. Monitor the current context of the organization and the environment, as well as the evolution of events that allow identifying the most relevant security threats with the aim of anticipating their potential impact.
  15. Promote best practices and innovation in the field of security.
  16. Collaborate with involved Stakeholders (including, among others, the supply chain and clients) on security risks affecting the Organization's companies to strengthen coordinated response to potential security risks and threats.
  17. Provide all assistance and cooperation that may be required by competent institutions and bodies in matters of security, including among others regulators, law enforcement agencies and governmental agencies, national and international, in those countries where the Organization carries out its activity.
  18. Ensure effective compliance with the obligations imposed by the applicable regulation at all times in terms of security, always acting in accordance with current legislation and what is established in the Ethical and Conduct Code.

5. GENERAL OBJECTIVES

The Security Policy provides the basis for defining and delimiting the objectives and responsibilities for the various technical, legal and organizational actions required to guarantee information security and privacy, complying with the applicable legal framework and the firm's global and specific policies, as well as the defined procedures.

These actions from a security and privacy perspective are selected and implemented based on risk analysis and the balance between acceptable risk and the cost of measures.

The objective of the Security Policy is to establish the necessary framework of action to protect information resources and data against internal or external, deliberate or accidental threats.

Information and data can exist in a variety of formats, both electronic and paper or other media, and sometimes includes critical data about Homedoctor's operations, strategies, or activities, and those of its clients, and even, where applicable, sensitive data established by personal data protection regulations. The loss, corruption, or theft of information or the systems that manage it has a high impact on our Firm.

Homedoctor is convinced that effective Information Security and Privacy management is an enabler for the organization to fully understand and act appropriately on the risks to which information is exposed, as well as to be able to respond and adapt efficiently to the growing requirements of regulatory bodies, laws, and of course its clients.

6. TOP MANAGEMENT COMMITMENT

The purpose of the Information Security Management System is to ensure that information security and privacy risks are known, assumed, managed, and minimized in a documented, systematic, structured, repeatable, manageable way, adapted to changes in risks, environment, and technologies.

To this end, the management declares Homedoctor's commitment to:

  • Establish services as the primary objective, with absolute respect for quality standards, preserving information, with special attention to the sensitivity of processed personal data, with all necessary measures within its reach.
  • Apply the principle of continuous improvement to all organizational processes, with the additional objective of achieving the highest degree of customer satisfaction.
  • Ensure compliance with applicable legal and regulatory requirements (in particular those relating to personal data protection), as well as those that the organization has voluntarily assumed in the development of the Corporate Social Responsibility of the Style Guide and in the Code of Ethics.
  • Promote the participation, communication, information and training of the professional team with the aim that they feel part of the organization's work as a whole.
  • Promote the commitment of responsibility among team members in accordance with quality requirements, as well as those related to privacy and information security agreed upon both internally and with clients, through appropriate and regular training and awareness actions.
  • Ensure business continuity by developing continuity plans in accordance with recognized methodologies.
  • Periodically carry out and review a risk analysis based on recognized methods that allow us to establish the level of both personal data privacy and general information security and ongoing projects and services, and minimize risks through the development of specific policies, technical solutions, and contractual agreements with specialized organizations.
  • Inform interested parties.
  • Select suppliers and subcontractors based on criteria related to privacy and information security.
  • With regard to the specific protection of personal data, comply with the principles indicated in the reference legislation. These are:
    • Principle of "lawfulness, transparency and fairness". Data must be processed lawfully, fairly and transparently for the data subject.
    • Principle of “purpose”. Data must be processed for one or more specified, explicit and legitimate purposes and, on the other hand, it is prohibited for data collected for specified, explicit and legitimate purposes to be subsequently processed in a manner incompatible with those purposes.
    • Principle of “data minimization”. Apply technical and organizational measures to ensure that only the data strictly necessary for each specific processing purpose is processed, reducing the extent of processing, limiting the retention period and accessibility to what is necessary.
    • Principle of “accuracy”. Take reasonable measures to ensure that data is kept up-to-date, deleted or modified without delay when inaccurate with respect to the purposes for which it is processed.
    • Principle of “storage limitation”. Data retention must be limited in time to achieve the purposes of the processing.
    • Principle of "security". Carry out a risk analysis aimed at determining the necessary technical and organizational measures to guarantee the integrity, availability, authenticity, traceability and confidentiality of the personal data processed.
    • Principle of “accountability” or “demonstrated responsibility”. Maintain due diligence permanently to protect and guarantee the rights and freedoms of natural persons whose data are processed, based on an analysis of the risks that the processing represents for those rights and freedoms, so that we can guarantee and demonstrate that the processing complies with the provisions of the GDPR and the LOPDGDD.
  • Direct, support and supervise the information security management system, as established in RD 311/2022 and subsequent modifications, as well as in ISO 27001, and strive to achieve its objectives.

Homedoctor's management is committed to supporting and promoting the principles established in this Policy, for which it asks Homedoctor's personnel to assume and abide by the provisions of the documented management system for the ENS.

7. DEVELOPMENT OF THE SECURITY POLICY

This Security Policy complements Homedoctor's security policies in different areas and will be developed through security regulations that address specific aspects. The security regulations will be available to all members of the organization who need to know them, particularly for those who use, operate or administer information and communication systems.

The documentation related to Information Security will be classified into three levels, so that each document of one level is based on those of a higher level:

  • First level: Security policy.
  • Second level: Security regulations and procedures.
  • Third level: Reports, records and electronic evidence.

7.1. POLICY

7.1.1. Prevention

Departments must avoid, or at least prevent as far as possible, information or services from being harmed by security incidents. To do this, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.

To ensure policy compliance, departments must:

  • Authorize systems before going into operation.
  • Regularly evaluate security, including evaluations of routine configuration changes.
  • Request periodic review by third parties in order to obtain an independent evaluation.

7.1.2. Detection

Given that services can rapidly degrade due to incidents, ranging from a simple slowdown to a complete halt, departments must continuously monitor operations to detect anomalies in service delivery levels and act accordingly, as established in Article 9 of the ENS.

Monitoring is especially relevant when lines of defense are established in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that reach those responsible regularly and when a significant deviation from the pre-established normal parameters occurs.

7.1.3. Response

Departments must:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a contact point for communications regarding incidents detected in other departments or organizations.
  • Establish protocols for the exchange of incident-related information. This includes two-way communications with Emergency Response Teams (CERT).

7.1.4. Recovery

To ensure the availability of critical services, departments must develop system continuity plans as part of their overall business continuity plan and recovery activities.

8. SECURITY ORGANIZATION

This policy applies to all Homedoctor systems and to all members of the organization, without exception.

Homedoctor is committed to providing its services in a managed way and complying with the requirements established in its Integrated Management System so as to guarantee an uninterrupted service in accordance with the requirements of availability, security and quality towards clients.

Due to our activity, at Homedoctor we know that information is an asset of high value for our organization and especially for our clients and therefore requires adequate protection and management in order to ensure the continuity of our business line and minimize possible damages caused by failures in Information Security.

To this end, the organization:

  • Will adequately protect the confidentiality, availability, integrity, authenticity and traceability of its information assets by introducing a series of controls to manage relevant security risks.
  • Will prioritize the protection and safeguarding of its clients and client data as a business priority.
  • Will establish, implement, monitor, maintain and continuously improve its information security management as part of its broader business management approach, and will maintain Accredited Certification to the appropriate standards.
  • Will manage any information security breach in a timely and responsible manner, and will invest in appropriate detection, response and remediation strategies.
  • At planned intervals, will test its information security controls and its responses to scenarios that may cause a threat to its operations.
  • Will provide adequate resources to the organization to establish, maintain and improve the security environment as appropriate for the changing risk landscape.
  • Will invest in staff competencies to carry out their tasks and will provide staff with adequate training and awareness relevant to their role and the information they have access to.
  • Will ensure that our suppliers and partner organizations do the same, and that they establish and enforce security standards for those to whom we transmit any information.

8.1. Security Committee

The members of the Security Committee will be designated in a foundational act, where the designated person and the position they must hold will be indicated.

The Secretary of the Security Committee will be the SECURITY MANAGER and will have the following functions:

  • Convenes meetings of the Security Committee.
  • Prepares the topics to be discussed at Committee meetings, providing timely information for decision-making.
  • Drafts the minutes of the meetings.
  • Is responsible for the direct or delegated execution of the Committee's decisions.

The Security Committee will report to the General Director.

The Security Committee will have the following functions:
  • Address the concerns of Top Management and the different departments.
  • Regularly report on the status of information security to Top Management.
  • Promote the continuous improvement of the information security management system.
  • Develop the evolution strategy of the Organization regarding information security.
  • Coordinate the efforts of the different areas regarding information security, to ensure that efforts are consistent, aligned with the strategy decided in this matter, and avoid duplication.
  • Prepare (and regularly review) the Security Policy for approval by Management.
  • Approve information security regulations.
  • Coordinate all security functions of the organization.
  • Ensure compliance with applicable legal and sectoral regulations.
  • Ensure the alignment of security activities with the organization's objectives.
  • Coordinate the Continuity Plans of the different areas, to ensure seamless action in case they need to be activated.
  • Coordinate and approve, where appropriate, project proposals received from different security areas, being responsible for managing control and regular presentation of project progress and announcement of possible deviations.
  • Receive security concerns from the entity's Management and transmit them to the relevant departmental managers, gathering from them the corresponding responses and solutions which, once coordinated, must be communicated to Management.
  • Gather regular reports on the status of the organization's security and possible incidents from departmental security managers. These reports are consolidated and summarized for communication to the entity's Management.
  • Coordinate and respond to concerns transmitted through departmental security managers.
  • Define, within the Corporate Security Policy, the assignment of roles and criteria to achieve relevant guarantees regarding segregation of duties.
  • Develop and approve training and qualification requirements for administrators, operators, and users from an information security perspective.
  • Monitor the main residual risks assumed by the Organization and recommend possible actions regarding them.
  • Monitor the performance of security incident management processes and recommend possible actions regarding them. In particular, ensure the coordination of the different security areas in information security incident management.
  • Promote the realization of periodic audits to verify compliance with the organization's security obligations.
  • Approve information security improvement plans for the Organization. In particular, it will ensure the coordination of different plans that may be carried out in different areas.
  • Prioritize security actions when resources are limited.
  • Ensure that information security is taken into account in all projects from their initial specification to their operation. In particular, it must ensure the creation and use of horizontal services that reduce duplication and support a homogeneous operation of all ICT systems.
  • Resolve conflicts of responsibility that may arise between different managers and/or between different areas of the Organization.

8.2. Roles: Functions and Responsibilities

The functions of the organization's managers are detailed below:

8.2.1. Information Manager

Their functions will be the following:

  • Ultimate responsibility for the use made of certain information and, therefore, for its protection.
  • Ultimate responsibility for any error or negligence that leads to a confidentiality or integrity incident (in data protection matters) and availability (in information security matters).
  • Establish information security requirements.
  • Determine and approve information security levels.
  • Approve the system categorization with respect to information.
  • Those that are indicated in the documents within the scope of the ENS.

8.2.2. Service Manager

Their functions will be the following:

  • Establish service security requirements.
  • Determine service security levels.
  • Approve the system categorization with respect to services.
  • Those that are indicated in the documents within the scope of the ENS.

8.2.3. Security Manager

Their functions will be the following:

  • Maintain the security of the information handled and the services provided by information systems within their area of responsibility, in accordance with the organization's Information Security Policy.
  • Promote information security training and awareness within their area of responsibility.
  • Approve the statement of applicability.
  • Channel and supervise both compliance with the security requirements of the service provided or solution supplied, and communications related to information security and incident management for the scope of said service (POC).
  • Those that are indicated in the documents within the scope of the ENS.

The Security Manager will be the secretary of the Security Committee, with the functions indicated in section 8.1 of this policy.

In accordance with the principle of "segregation of functions and tasks" set out in article 10 of the ENS, the Security Manager will be a separate figure from the System Manager.

8.2.4. System Manager

Their functions will be the following:

  • Develop, operate and maintain the information system throughout its life cycle, including its specifications, installation and verification of its correct functioning.
  • Define the topology and management of the information system, establishing the criteria for use and the services available therein.
  • Ensure that security measures are properly integrated into the overall security framework.
  • Propose the suspension of the processing of certain information or the provision of a specific service if serious security deficiencies are detected that could affect the satisfaction of the established requirements.
  • Those that are indicated in the documents within the scope of the ENS.

8.2.5. Privacy Manager

Their functions will be the following:

  • Coordinate all aspects related to the adequacy of Homedoctor's actions regarding personal data protection.
  • Coordinate, together with the Security Manager, ENS compliance with regard to personal data protection.

8.3. Designation Procedures

The Security Manager will be appointed by the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant.

Likewise, the rest of the positions indicated in the previous section will be designated by the Security Committee by means of a meeting minute.

9. REVIEW OF THE SECURITY POLICY

It will be the mission of the Security Committee to annually review this Security Policy and to propose its revision or maintenance. The Policy will be approved by Top Management and disseminated so that all affected parties are aware of it.

10. PERSONAL DATA

Homedoctor, in providing its service, processes particularly sensitive personal data, either because it forms part of the health record, or due to its special category.

The related documentation, to which only authorized persons will have access, includes the records of affected data processing activity and the corresponding responsible parties. All Homedoctor information systems will conform to the security levels required by regulations for the nature and purpose of the personal data.

11. RISK MANAGEMENT

All systems subject to this Policy must perform a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be repeated:

  • Regularly, at least once a year
  • When the information handled changes
  • When the services provided change
  • When a serious security incident occurs
  • When serious vulnerabilities are reported

For the harmonization of risk analyses, the Security Committee will establish a reference valuation for the different types of information handled and the different services provided. The Security Committee will promote the availability of resources to meet the security needs of the different systems, favouring horizontal investments.

12. PERSONNEL OBLIGATIONS

All Homedoctor members have the obligation to know and comply with this Security Policy and the Security Regulations; it is the responsibility of the Security Committee to provide the necessary means for this information to reach those affected.

All Homedoctor members will attend an information security awareness session at least once a year. A continuous awareness program will be established to attend to all Homedoctor members, particularly new hires.

Persons with responsibility for the use, operation or administration of systems will receive training for the secure handling of systems to the extent they need it to perform their work. Training will be mandatory before assuming a responsibility, whether it is their first assignment or if it involves a change of job position or responsibilities within it.

13. THIRD PARTIES

When Homedoctor provides services to other public or private organizations or handles information from other public or private organizations, they will be made aware of this Security Policy, channels will be established for reporting and coordinating the respective Security Committees, and operating procedures will be established for responding to security incidents.

When Homedoctor uses third-party services or transfers information to third parties, they will be made aware of this Security Policy and of the Security Regulations that concern such services or information. The third party will be subject to the obligations established in those regulations and may develop its own operational procedures to satisfy them. Specific procedures for reporting and resolving incidents will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least to the level established in this Policy.

When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Manager will be required specifying the risks incurred and how to address them. Approval of this report by the affected information and service managers will be required before proceeding.

14. APPLICABLE LEGISLATION

Below are the laws considered applicable to the ISMS, along with a definition of the area responsible for evaluating their impact on the organization.

Law / Regulation | Responsibility
Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations | Security Manager
Law 40/2015, of October 1, which establishes and regulates the bases of the legal regime of Public Administrations, the principles of the liability system of Public Administrations and sanctioning power, as well as the organization and functioning of the General State Administration and its institutional public sector for the development of its activities | Security Manager
Royal Decree 311/2022, of May 3, regulating the National Security Scheme | Security Manager
Organic Law 1/2015, of March 30, which modifies Organic Law 10/1995, of November 23, of the Criminal Code | Security Manager
Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data | Security Manager
Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights | Security Manager
Law 34/2002 on Information Society Services (LSSI) | Security Manager
Law 22/11, of 11/11/1987, on Intellectual Property | Security Manager
Resolution of October 13, 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction in accordance with the National Security Scheme | Security Manager
Resolution of April 13, 2018, of the Secretary of State for Public Function, approving the Technical Security Instruction for Notification of Security Incidents | Security Manager

15. STRATEGIC SECURITY PROGRAM

The Security and Compliance Committee will identify, implement and evaluate the necessary actions for the elaboration of a Strategic Security Plan (the “Plan”), in accordance with the principles and guidelines defined in this Policy and will develop the internal rules, methodologies and procedures to ensure the adequate implementation of the Plan by the Organization.

The Security and Compliance Committee will ensure that the organization's security maturity level is at all times in line with the highest existing standards, taking into account the territory and the businesses carried out by the corresponding company.

For its part, the Security and Compliance Committee will also ensure the adequate coordination of practices and risk management in the field of the Organization's security, as well as the maintenance of an adequate level of maturity.

16. SUPERVISION AND CONTROL

It is the responsibility of the Security and Compliance Committee to supervise compliance with the provisions of this Policy.

The foregoing shall be understood, in any case, without prejudice to the responsibilities corresponding to other bodies, areas, functions and directorates of the Organization and, where applicable, to the administrative and management bodies of the Organization.

To verify compliance with this Policy, periodic evaluations and audits will be carried out with internal or external auditors.

This Policy was initially approved by the Security and Regulatory Compliance Committee on November 25, 2024.

Version 2 of Nov. 2024.