Introduction

Like most companies today, our business is fully digitised and therefore depends on information; on the databases, repositories and systems where this information is stored and managed; on the data networks that allow us to access and distribute this information; and finally, on the equipment and devices that connect to these networks and allow us to work with it.

Any incident involving any of these assets (information, systems, applications, networks and equipment) will jeopardise business continuity by paralysing almost all (depending on the scope of the incident) of the processes that allow us to function. These incidents can be of two types: technical (equipment failure), or security (premeditated attack). It is the latter that is the subject of this document.

This document will set out security policies, objectives and procedures to, in the first instance, prevent security incidents from occurring in the first instance and, in the second instance, to be prepared if they do occur.

Finally, but perhaps most importantly for the business, being an ICT company, which also offers a cybersecurity service in its portfolio, reputation is a matter of being in the market, or being driven out of it for good.

 

Security objectives

As a company, we have set the following safety objectives, the achievement of which will be measured by indicators that will be displayed on the Management and Safety Committee scorecard:

  • Protect information assets: each asset will have an established owner, as well as the persons, suitably identified, who have access to this asset. Each asset is only accessible by its owner. If necessary, access will be authorised to other persons, but by default it will be in read mode, without any other privilege. Only if necessary and with the authorisation of the owner, or of the management (depending on the type of asset), will all usage privileges be granted to the authorised person.

    Metrics: Protected assets / Total assets, Active user accounts / Active employees, Public assets / Private assets.
  • Integrity of information: The integrity of the information must be maintained at all times during the operations carried out on the information. Reading, modification, encryption and deletion shall be prevented whenever unauthorised. The systems where this information is stored and the equipment and networks over which it is transmitted must actively support this, with end-to-end encryption if the network is untrusted (Internet).

    Metrics: Encrypted Assets / Total Assets
  • Access control with AAA mechanism:
    • Authentication: all employees and users of the system will have access credentials (username and password, biometrics) that guarantee that the person is who they say they are. To increase security and make identity theft more difficult, all those assets where it can be implemented will use two-factor authentication with mobile application.
    • Authorisation: assets of all types shall ask for authorisation for use before allowing access regardless of whether the person has successfully authenticated.
    • Accounting: all access to and modification of any asset shall be properly recorded.
  • Develop a continuity plan to recover from a disaster in the shortest possible time.Metrics: the plan itself, mock disaster report, project progress.
  • Inform, train and raise awareness among all employees on information security, especially on their roles, obligations and responsibility to fulfil them.Metrics: hacking performance.
  • Recording and managing security incidents: this will be done using the SOC (Security Operations Centre) which operates 24×7 every day of the year. Incidents will be logged and labelled as “security” and according to their impact will be given a criticality level, as established in the Incident Management.Metrics: progress over time of the number of security incidents, resolution times, etc.
  • Auditing: based on the security dashboard and real-time monitoring systems, security-related events (e.g. denied access attempts), incident metrics, review of authorisation lists (persons who have been terminated, changed departments, etc.) will be constantly reviewed to prevent unwanted actions.