Introduction
Like most companies today, our business is completely digitalized and therefore depends on information: on the databases, repositories and systems where that information is stored and managed; on the data networks that allow us to access and distribute it; and, finally, on the equipment and devices that connect to those networks and allow us to work with it.
Any incident affecting any of these assets (information, systems, applications, networks and equipment) jeopardizes business continuity by paralyzing some or, depending on the scope of the incident, practically all of the processes that allow us to operate.
These incidents can be of two types: technical (equipment or software failure) or security (a deliberate attack). This document deals with the latter.
This document sets out the security policies, objectives and procedures intended, first, to prevent security incidents as far as possible and, second, to ensure that we are prepared to respond if they do occur.
Lastly, but perhaps most important for the business: as an ICT company that also offers a cybersecurity service in its catalog, our reputation decides whether we stay in the market or are permanently expelled from it.
Security objectives
As a company we set the following security objectives. Their fulfillment will be measured with indicators shown on the dashboards of the Management Committee and the Security Committee:
- Protect information assets
Each asset will have a designated owner, and the people who have access to the asset will be individually identified. By default, an asset is accessible only by its owner. Where necessary, access may be granted to other people, but by default it will be read-only, with no further privileges. Full privileges are granted to an authorized person only where necessary and with the approval of the owner or of management (depending on the type of asset).
Metrics: Protected Assets / Total Assets · Active User Accounts / Active Employees · Public Assets / Private Assets.
- Information integrity
The integrity of information must be maintained at all times, during every operation carried out on it. Unauthorized reading, modification, encryption or deletion must be prevented. The systems where the information is stored and the equipment and networks over which it is transmitted must actively help to achieve this, encrypting end-to-end whenever the network is untrusted (for example, the Internet).
Metrics: Encrypted Assets / Total Assets.
- Access control with an AAA mechanism
- Authentication: every employee and system user will have access credentials (username and password, biometrics) that guarantee that the person is who they claim to be. To raise the bar for credential theft and impersonation, two-factor authentication using a mobile authenticator application will be enforced on every asset where it can be implemented.
- Authorization: every asset, of any type, must verify that the user is authorized to use it before granting access, regardless of whether the person has authenticated successfully.
- Accounting: every access to, and every modification of, any asset will be logged.
- Continuity plan
Develop a continuity plan that allows the company to recover from a disaster in the shortest possible time.
Metrics: the plan itself · disaster drill reports · progress of the associated projects.
- Training and awareness
Inform, train and raise the awareness of all employees regarding information security, and in particular regarding their duties, their obligations and their responsibility for fulfilling them.
Metrics: results of internal ethical hacking exercises.
- Recording and management of security incidents
For this we rely on the SOC (Security Operations Center), which operates 24×7 every day of the year. Incidents will be recorded and tagged as "security" incidents and, depending on their impact, assigned a criticality level as established in Incident Management.
Metrics: trend over time in the number of security incidents · resolution times.
- Audit
Using the security dashboard and real-time monitoring systems, we will continuously review security-related events (for example, denied access attempts), incident metrics and the authorization lists (people who have left the company, who have changed department, etc.) in order to prevent unwanted actions.
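As an added illustration, not part of the original policy, the following Python script shows what such a periodic review of authorization lists can look like in practice. It reconciles a constructed HR roster with constructed privilege grants, flags accounts belonging to leavers, privileges granted before a department change, full privileges that lack the owner's or management's approval, and assets whose owner has left, and it computes the "Active User Accounts / Active Employees" indicator from the dashboard. The data model, field names and the rule set are assumptions made for the example; in production the inputs would come from the HR system and the identity provider.

```python
"""Authorization review: reconcile privilege grants against the HR roster.

Example code added for illustration; the roster, grants and rules are
constructed assumptions, not the company's real data or tooling.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    active: bool               # False once HR has processed the departure
    department_since: date     # start date in the current department


@dataclass(frozen=True)
class Grant:
    asset: str
    owner: str                 # asset owner (an employee user_id)
    user_id: str               # account holding the privilege
    privilege: str             # "read" (default) or "full"
    authorized_by: Optional[str]  # approver of a "full" grant, None for default read access
    granted_on: date


# Constructed sample roster (fictional people).
EMPLOYEES: Dict[str, Employee] = {
    "amartin": Employee("amartin", "finance", True, date(2019, 3, 1)),
    "blopez": Employee("blopez", "engineering", True, date(2023, 6, 15)),  # moved out of finance
    "cruiz": Employee("cruiz", "soc", False, date(2020, 1, 10)),           # has left the company
    "dperez": Employee("dperez", "soc", True, date(2021, 9, 1)),
}

# Constructed sample authorization list (fictional assets).
GRANTS: List[Grant] = [
    Grant("payroll-db", "amartin", "amartin", "full", None, date(2019, 3, 1)),       # owner
    Grant("payroll-db", "amartin", "blopez", "full", "amartin", date(2022, 1, 20)),  # predates dept change
    Grant("siem", "dperez", "cruiz", "read", None, date(2020, 2, 1)),                # holder has left
    Grant("siem", "dperez", "dperez", "full", None, date(2021, 9, 1)),               # owner
    Grant("wiki", "dperez", "amartin", "full", None, date(2023, 2, 2)),              # full, no approver
    Grant("ticketing", "cruiz", "dperez", "read", None, date(2021, 10, 1)),          # owner has left
]

Finding = Tuple[str, str, str]  # (asset, user_id, reason)


def review(grants: List[Grant], employees: Dict[str, Employee]) -> List[Finding]:
    """Return the grants and ownerships that need revocation or re-approval."""
    findings: List[Finding] = []
    for g in grants:
        emp = employees.get(g.user_id)
        if emp is None or not emp.active:
            # Leaver or unknown account: revoke regardless of privilege level.
            findings.append((g.asset, g.user_id, "account holder has left; revoke"))
            continue
        if emp.department_since > g.granted_on:
            # The grant was approved for a role the person no longer holds.
            findings.append((g.asset, g.user_id, "department changed after grant; re-approve"))
        if g.privilege == "full" and g.user_id != g.owner and not g.authorized_by:
            # Full privileges for a non-owner require owner or management approval.
            findings.append((g.asset, g.user_id, "full privilege without owner/management approval"))

    # Every asset must have an owner who is still with the company.
    owners = {g.asset: g.owner for g in grants}
    for asset, owner in owners.items():
        o = employees.get(owner)
        if o is None or not o.active:
            findings.append((asset, owner, "asset owner has left; reassign ownership"))
    return findings


def account_ratio(grants: List[Grant], employees: Dict[str, Employee]) -> float:
    """Dashboard indicator: distinct accounts holding privileges / active employees.

    A value above 1.0 means privileged accounts outnumber active staff, i.e.
    there are orphaned or shared accounts to investigate.
    """
    accounts = {g.user_id for g in grants}
    active = {u for u, e in employees.items() if e.active}
    return len(accounts) / len(active)


if __name__ == "__main__":
    for asset, user, reason in review(GRANTS, EMPLOYEES):
        print(f"{asset:12} {user:10} {reason}")
    print(f"Active User Accounts / Active Employees = {account_ratio(GRANTS, EMPLOYEES):.2f}")
```

Run on a schedule (for example, with each HR roster export), the findings feed the incident and change processes: leaver entries become revocation tickets, department changes go back to the asset owner for re-approval, and a ratio above 1.0 is the dashboard signal that the authorization lists have drifted from the workforce.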