Principles of Information Security
- This Policy pursues the adoption, implementation and ongoing operation of actions designed to preserve the basic components of information security.
- Confidentiality: Ensure that only duly authorised persons have access to data and systems.
- Integrity: Ensure the accuracy of information and systems against accidental or intentional alteration, loss or destruction.
- Availability: Ensure that information and systems can be used as and when required.
- Resilience: Ensure the organisation’s ability to endure and recover from disasters and disruptions, which implies constantly learning from critical situations so that recovery from them takes place under enhanced conditions.
- The Policy applies to all phases of the information life cycle: creation, distribution, storage, processing, transport, consultation and deletion, and to the systems that process it: analysis, design, development, implementation, operation and maintenance.
- Information security is the responsibility of all employees at ECIX TECH and therefore must be well known, fully understood and embraced by all levels of the Organisation. The Policy must be communicated to the entire organisation, both to its own personnel and to external business partners, and be made available to interested parties.
- Relations with third-party collaborating companies must always be covered by the corresponding service provision contracts, including guarantee provisions on the use and processing of information.
1.1 IMPLEMENTATION OF THE SECURITY POLICY
In order to apply the principles set out in this policy, Strategic Security Plans must be defined, drawn up, implemented and maintained. The development of Strategic Security Plans shall be accompanied by formal risk analysis and management processes to enable the implementation of appropriate solutions.
At the operational level, ECIX TECH will develop its own security procedures, standards and guidelines to guarantee the integrity, confidentiality, availability and resilience of the information. The necessary security management processes in line with the ISO 27001 standard and the National Security Scheme will be implemented to ensure effective and efficient monitoring of security actions, as well as review and improvement processes of security projects and defined countermeasures.
1.2 LEGAL CONFORMITY
Given the nature and purpose of ECIX TECH’s business, compliance with higher-ranking regulations (laws, standards and legal provisions) must be observed, which will take preference, when applicable, over the guidelines of this information security policy:
- General and/or deontological rules of ECIX TECH.
- Spanish regulations that govern this activity.
- Spanish rules deriving from supranational bodies of which Spain is a member.
- EU and/or non-EU legislation, depending on the areas where services are provided by ECIX TECH.
1.3 CLASSIFICATION AND PROCESSING OF INFORMATION
All information shall be classified by virtue of its importance to the organisation and shall be treated according to that classification, in accordance with the provisions of the regulations on classification and handling of information.
1.4 TRAINING AND AWARENESS RAISING
The most effective method of improving security is through continuous training and its incorporation into the workplace.
The training plans will include specific courses on information security in accordance with the target area: management, technicians, administrators and system users. Likewise, security awareness campaigns shall be carried out for all personnel and suppliers by whatever means is considered most effective.
The information systems shall be subject to periodic internal and external audits in order to verify the correct functioning of the security plans, determining degrees of compliance and recommending corrective measures, thus achieving continuous improvement.