The Information Security Policy (hereinafter, the Policy) adopts a set of measures aimed at preserving the confidentiality, integrity and availability of information, which are the three basic components of information security. It establishes the requirements for protecting the information, technological equipment and services that support most of ELHUYAR’s business processes, and for ensuring business continuity in the event of a disaster. Information technologies currently face a growing number of threats, which require a constant effort to adapt to and manage the risks they pose.
The main objective of this High Level Policy is to define the basic principles and rules for the management of information security and business continuity. The ultimate aim is to ensure that ELHUYAR guarantees the security of information and minimises the non-financial risks arising from an impact caused by inefficient management of information. It also aims to counteract disruptions to business activities, protect critical business processes from the effects of major or catastrophic failures of ELHUYAR’s information systems, and ensure their timely resumption.
The scope of this Policy covers all ELHUYAR information regardless of how it is processed, who accesses it, the medium containing it or where it is located, whether it is printed or stored electronically. The Policy must be available on the corporate website and accessible to all ELHUYAR members. As for business continuity, the scope of this Policy is limited to prolonged service interruptions. Therefore, this plan does not apply to the organization’s normal daily work and excludes activities such as:
- Chemical or nuclear attacks.
- Terrorist attacks.
- Any other act or incident requiring military action or action by the competent authorities.
2. Principles of Information Policy
This Policy responds to the recommendations of the best Information Security practices set out in the ISO International Standard, and to compliance with existing legislation on the protection of personal data and the regulations in the field of Information Security that may affect ELHUYAR.
In addition, ELHUYAR establishes the following basic principles as fundamental information security guidelines which must always be taken into account in any activity related to the processing of information:
- Strategic scope: Information security must be committed to and supported by all ELHUYAR management levels, so that it can be coordinated and integrated with the other strategic initiatives to form a fully coherent and effective framework of work.
- Comprehensive security: Information security is understood as an integral process consisting of technical, human, material and organizational elements, avoiding, except in cases of urgency or need, any one-off action or cyclical treatment. Information security should be treated as part of normal operations, present and applied throughout the design, development and maintenance of information systems.
- Risk management: Risk analysis and management will be an essential part of the information security process. Risk management will allow a controlled environment to be maintained, minimizing risks to acceptable levels. The reduction of these levels shall be achieved through the deployment of security measures, which shall strike a balance between the nature of the data and the processing operations, the impact and likelihood of the risks to which they are exposed, and the effectiveness and cost of the security measures.
- Proportionality: The establishment of protection, detection and recovery measures shall be proportionate to the potential risks and the critical nature and value of the information and services concerned.
- Continuous improvement: Security measures shall be regularly reassessed and updated to adapt their effectiveness to the constant evolution of risks and protection systems. The security of information will be addressed, reviewed and audited by qualified personnel.
- Default security: Systems must be designed and configured to ensure a sufficient degree of security by default.
ELHUYAR considers that information security functions should be integrated at all hierarchical levels of its staff.
Since information security is the responsibility of all ELHUYAR personnel, this Policy must be known, understood and assumed by all its employees.
In order to achieve the objectives of this Policy, ELHUYAR shall establish a preventive strategy for analysing the risks that may affect it: identifying them, implementing controls to mitigate them and establishing regular procedures for their reassessment. In the course of this continuous improvement cycle, ELHUYAR will maintain the definition of both the accepted residual risk level (risk appetite) and its tolerance thresholds.
3. Commitment of the Directorate
The Management of ELHUYAR, aware of the importance of information security and business continuity to successfully achieve its business objectives, undertakes to:
- Promote the functions and responsibilities in the field of information security within the organisation.
- Provide adequate resources to achieve the objectives of information security and business continuity.
- Promote the dissemination and awareness of the Information Security Policy among ELHUYAR employees.
- Enforce compliance with the Policy, current legislation and regulatory requirements in the field of information security.
- Consider information security risks in decision-making.
- Document the work processes carried out in the company in order to determine their level of criticality and to be able to anticipate the company's organizational and technical strategies and measures in the event of a disaster.
- Ensure business continuity.
- Ensure adequate protection of confidentiality, integrity and availability of information.
- Promote commitment to continuous improvement of the organisation.
SIGNED BY THE MANAGEMENT