1. Approval and entry into force

Text approved on January 8, 2024 by the Security Committee.

This Information Security Policy (hereinafter, the Security Policy) will take effect the day after the date indicated above and will remain in force until it is replaced by a new policy.

2. Object

Red Leaf SL considers information an essential asset for the proper performance of its duties. Much of the information held in the information systems of the Public Administrations (AA.PP.), and the services they provide, constitute strategic national assets. Information and the services provided are exposed to threats and risks arising from malicious or illicit actions, errors or failures, and accidents or disasters.

In its effort to ensure that the services available to citizens through electronic means are provided under security conditions equivalent to those encountered when approaching the Administration's offices in person, Red Leaf SL develops and approves this Information Security Policy, applying the minimum security measures required by the ENS in relation to:

  1. Organization and implementation of the security process.
  2. Risk analysis and management.
  3. Personnel management.
  4. Professionalism.
  5. Authorization and access control.
  6. Protection of facilities.
  7. Acquisition of security products and contracting of security services.
  8. Least privilege.
  9. Integrity and updating of the system.
  10. Protection of information stored and in transit.
  11. Prevention against other interconnected information systems.
  12. Activity logging and detection of harmful code.
  13. Security incidents.
  14. Continuity of activity.
  15. Continuous improvement of the security process.

The different areas and services must ensure that information security is an integral part of the public services provided by Red Leaf SL, and must safeguard that information throughout its life cycle (collection, transport, processing, storage and destruction). The areas and services must be prepared to prevent, detect, react to and recover from incidents, thereby ensuring continuity in the provision of services with adequate quality and security.

This Security Policy reflects the express commitment of the entity's highest authorities to the dissemination, consolidation and enforcement of this Policy.

3. Scope

This Security Policy applies to all areas, services, and internal and external employees of Red Leaf SL, regardless of their hierarchical position. Likewise, it applies to all information and communication systems and infrastructures used in the performance of Red Leaf SL's functions.

With this Information Security Policy, the organization demonstrates its commitment to establishing, implementing, maintaining and continuously improving an information security management system in accordance with the principles set out in article 5 of Royal Decree 311/2022, namely:

  • Understand security as a comprehensive process.
  • Manage security based on risks.
  • Continuously monitor security events to ensure prevention, detection, response and conservation.
  • Establish lines of defense.
  • Assess the security status periodically.
  • Make a clear differentiation of responsibilities.

4. Mission and Objectives

Red Leaf SL, in its effort to fulfill the interests, functions and powers entrusted to it, makes available to citizens the public services and activities necessary to satisfy the aspirations and interests of the municipality and its citizens. To strengthen its public mission, Red Leaf SL makes use of appropriate technologies and enhances its electronic relationship with citizens, building the necessary trust on a comprehensive information security system that covers the entire institution.

These systems aim to guarantee the quality of the information and the continued provision of services, acting preventively, supervising daily activity and reacting quickly to incidents. To this end, the following general information security objectives are established:

  1. Have the control measures necessary to comply with the legal requirements applicable as a consequence of the activity carried out, especially in relation to the protection of personal data and the provision of services through electronic means.
  2. Ensure the access, integrity, confidentiality, availability, authenticity and traceability of information and the continuity of service provision, acting preventively, supervising daily activity and reacting quickly to incidents.
  3. Protect the entity's information resources and the technology used to process them against threats, whether internal or external, deliberate or accidental.
  4. Provide confidence to citizens by protecting their information throughout its life cycle.
  5. Facilitate the continuous improvement of security processes, procedures, products and services.
  6. Guarantee the continuity of the entity by establishing contingency measures for critical services and maintaining security at all times.
  7. Raise awareness, train and motivate staff about the importance of security in the work environment.

5. Regulatory Framework

The regulatory basis governing the activities and competencies of Red Leaf SL as regards electronic administration, and which requires the explicit implementation of security measures in information systems, consists mainly of the following legislation:

  • Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
  • Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
  • Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.
  • Royal Decree 3/2010, of January 8, which regulates the National Security Scheme, in force until May 2024.
  • Organic Law 3/2018, of December 5, on Personal Data Protection and the guarantee of digital rights.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

The remaining state and regional (autonomous community) regulations on Electronic Administration that may affect the provision of Red Leaf SL's services, the security of the information and services it handles, and the protection of personal data also form part of the regulatory framework.

The maintenance of this entire regulatory framework will be the responsibility of the competent body of Red Leaf SL and will be kept as an annex in the media and/or formats determined by the Security Committee. The mandatory technical security instructions, published by resolution of the Secretary of State for Public Administrations and approved by the Ministry of Finance and Public Administrations, at the proposal of the Sectoral Committee for Electronic Administration and on the initiative of the National Cryptologic Center (CCN), will also be included. Likewise, the Security Manager will ensure that the CCN security guides applicable to improving compliance with the provisions of the National Security Scheme have been identified.

6. Security Organization

To proactively manage and coordinate information security, the INFORMATION SECURITY COMMITTEE is established as the management body.

This Committee will be made up of the following positions:

a. Information Manager

It will determine the requirements of the information processed.

Has ultimate responsibility for the use made of particular information and, therefore, for its protection. Will advise on, and have the authority to determine at a technical level, the requirements of the information and of the security services. Will also have the authority to determine information security levels.

Likewise, it will report on the state of security in the area of information and communication systems. It may call meetings and send information and communications to the members of the Committee.

b. Service Manager

It will determine the requirements for the services provided.

This will be the person or persons responsible for the operation of the entity's different areas, establishing the requirements, purposes and means for carrying out those tasks. It will determine the security requirements of the services provided. This includes responsibility for determining the security levels of the services, for which it may seek advice from the Security Manager and the System Manager.

It will include security specifications in the life cycle of services and systems, together with the corresponding control procedures. It will also be responsible for assessing the consequences of a negative impact on the security of services, taking into consideration the impact on Red Leaf SL's ability to achieve its objectives, protect its assets, fulfil its service obligations, and respect the law and the rights of citizens.

In addition, it will be obliged to monitor compliance with the security regulations within its area and to inform the Information Manager of compliance with the security regulations approved by the Security Committee.

c. Security Manager

Will determine the decisions needed to satisfy the security requirements of the information and services, will supervise the implementation of the measures necessary to ensure that those requirements are met, and will report on these matters.

It is the person designated by the highest governing body to supervise the information security system and will be responsible for determining the pertinent security decisions to meet the requirements established by the Information Managers and Service Managers.

The two essential functions of the Security Manager are:

  1. Maintain the security of the information managed and the services provided by the information systems within their area of responsibility, in accordance with the provisions of this Information Security Policy of the Organization.
  2. Promote training and awareness in information security matters within their area of responsibility.

If the information system, given its complexity, distribution, physical separation or number of users, so requires, Red Leaf SL may appoint Delegated Security Managers, to whom functions, but never responsibilities, may be delegated. These Delegated Security Managers will report directly to the Security Manager.

The functions attributed to the Security Manager include the following:

  • Will coordinate and control the measures defined in the Record of Processing Activities and, in general, will be responsible for compliance with the security measures detailed in the data protection impact assessment report.
  • Will report directly to the Information Security Committee.
  • May act, if so determined, as Secretary of the Information Security Committee.
  • Will compile the security requirements of the Information and Service Managers and will carry out the categorization of the System.
  • Will carry out the Risk Analysis.
  • Will prepare a Statement of Applicability based on the security measures required in accordance with Annex II of the ENS and the result of the Risk Analysis.
  • Will provide the Information and Service Managers with information on the level of residual risk expected after implementing the treatment options selected in the Risk Analysis and the security measures required by the ENS.
  • Will coordinate the preparation of the System Security Documentation.
  • Will participate, within the framework of the Information Security Committee, in the preparation of the Information Security Policy for its approval by the municipal Governing Bodies.
  • Will participate, within the framework of the Information Security Committee, in the preparation and approval of the Information Security regulations.
  • Will prepare the Information Security Operating Procedures.
  • Will periodically provide the Security Committee with a summary of security actions, information security incidents and the security status of the system (in particular, the level of residual risk to which the system is exposed).
  • Will prepare, together with the System Managers, Security Improvement Plans for approval by the Information Security Committee.
  • Will analyze incidents that have occurred and propose safeguards to prevent similar incidents.
  • Will prepare Information Security Training and Awareness Plans for staff, which must be approved by the Information Security Committee.
  • Will prepare the System Continuity Plans, which must be approved by the Information Security Committee and tested periodically by the System Manager.
  • Will approve the guidelines proposed by the System Managers for considering Information Security throughout the life cycle of assets and processes: specification, architecture, development, operation and changes.

d. System Manager

It will be in charge of developing the specific way in which security is implemented in the system and of supervising its daily operation, and may delegate to administrators or operators under its responsibility.

It is responsible for the operation of the information system, in accordance with the security measures determined by the Security Manager. Its responsibility may lie within the organization (use of its own systems) or be divided between an indirect responsibility (of the organization itself) and a direct responsibility (of third parties, public or private) when the information systems are outsourced. Specifically, its functions are the following:

  1. Develop, operate and maintain the information system throughout its life cycle, including its specification, installation and verification of its correct operation.
  2. Define the topology and management of the information system, establishing the criteria for its use and the services available within it.
  3. Ensure that security measures are properly integrated into the general security framework.
  4. The System Manager may agree to suspend the handling of certain information or the provision of a certain service if informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed with the managers of the affected information and the affected service, and with the Security Manager, before being executed.
  5. Apply the security operating procedures developed and approved by the Security Manager.
  6. Monitor the security status of the Information System and report on it to the Information Security Manager periodically or in the event of relevant security incidents.
  7. Carry out periodic exercises and tests of the System Continuity Plans to keep them updated and verify that they are effective.
  8. Develop guidelines for considering Information Security throughout the life cycle of assets and processes (specification, architecture, development, operation and changes) and submit them to the Information Security Manager for approval.

If the information system, given its complexity, distribution, physical separation or number of users, requires additional staff for the performance of these functions, Red Leaf SL may appoint Delegated System Managers, to whom functions, but never responsibilities, may be delegated. These Delegated System Managers will report directly to the System Manager.

e. Security Administrator

Its most significant functions are the following:

  1. The implementation, management and maintenance of the security measures applicable to the information system.
  2. The management, configuration and updating, where applicable, of the hardware and software on which the security mechanisms and services of the information system are based.
  3. The management of the authorizations and privileges granted to users of the system, including monitoring that the activity carried out in the system conforms to what is authorized.
  4. The application of the Security Operating Procedures (POS).
  5. Ensure that the established security controls are adequately observed.
  6. Ensure that the approved procedures for managing the information system are applied.
  7. Monitor hardware and software installations, their modifications and improvements, to ensure that security is not compromised and that they comply at all times with the relevant authorizations.
  8. Monitor the security status of the system as provided by the security event management tools and technical audit mechanisms implemented in the system.
  9. Inform the Security Manager or the System Manager of any anomaly, compromise or vulnerability related to security.
  10. Collaborate in the investigation and resolution of security incidents, from detection to resolution.

The Security Administrator may depend on the System Manager or the Security Manager, but not both at the same time.

f. Secretariat

It will be obliged to supervise that the procedures approved by the Committee comply with the law, and to advise the Committee on this subject. It will also keep the minutes of the meetings.

g. Data Protection Officer

It will ensure, and provide advice on, compliance with the rights of data subjects in data protection matters.

Appointment

The members of this Committee will be appointed by the PRESIDENCY, and the Plenary will subsequently be informed, with transitional measures provided for in order to ensure continued security compliance. Furthermore, future resolutions on the appointment of area managers or managers of related entities, or on changes in the distribution of functions among areas and entities, must expressly provide for the appointment of a member of this Information Security Committee.

Committee members as well as security roles will be reviewed every four years or on the occasion of a vacancy.

Conflict resolution:

The Information Security Committee will be in charge of resolving conflicts and/or differences of opinion that may arise between security roles. If the Committee lacks the capacity or authority to resolve a given conflict, it will refer it to the higher hierarchical body for resolution.

6.1 Functions of the Security Committee

Its functions are the following:

  • Responsibilities arising from the processing of personal data.
  • Address the concerns of the Corporation and the different areas.
  • Regularly report the status of information security to the highest governing body.
  • Promote the continuous improvement of the Information Security Management System.
  • Develop the evolution strategy of Red Leaf SL regarding information security.
  • Coordinate the efforts of the different areas in information security matters, to ensure that efforts are consistent, aligned with the strategy decided on the matter, and free of duplication.
  • Prepare (and regularly review) the Organization's Information Security Policy, to be approved by the Security Committee itself before its final approval in plenary session.
  • Approve the information security regulations.
  • Assess risks periodically in order to establish the necessary security measures based on the results.
  • Develop and approve training and qualification requirements for administrators, operators and users from an information security standpoint.
  • Monitor the main residual risks assumed by Red Leaf SL and recommend possible actions regarding them.
  • Monitor the performance of security incident management processes and recommend possible actions regarding them. In particular, ensure the coordination of the different security areas in the management of information security incidents.
  • Promote periodic audits that allow compliance with the organization's security obligations to be verified.
  • Prioritize security actions when resources are limited.
  • Approve plans to improve the Organization's information security. In particular, it will ensure the coordination of the different plans that may be carried out in different areas.
  • Ensure that information security is taken into account in all ICT projects, from their initial specification to their entry into operation. In particular, it must ensure the creation and use of horizontal services that reduce duplication and support the homogeneous operation of all ICT systems.
  • Establish appropriate measures for the training, information and awareness of all staff regarding information security and the protection of personal data.
  • Resolve any conflicts of responsibility that may arise between the different managers and/or between different areas of the Organization, escalating those cases in which it lacks sufficient authority to decide.
  • In the event of information security incidents, approve the Security Improvement Plan.

The Information Security Committee is not a technical committee, but it will regularly collect from its own or external technical personnel the information relevant to making decisions. The Information Security Committee will be advised on the issues on which it has to decide or express an opinion. This advice will be determined in each case and may take different forms:

  • Internal, external or mixed specialized work groups.
  • External advice.
  • Attendance at courses or other types of training, or forums for the exchange of experiences.

6.2 Documentation Management

Documented information regarding security controls must be communicated to the personnel working in the entity (employees and suppliers), who will be obliged to apply it in carrying out their work activities, thereby committing to compliance with the ENS requirements.

The documented information will be classified as public or publishable, internal, confidential, or secret, and will be used appropriately according to that classification and the criteria established in the information classification regulations.

7. Awareness

Red Leaf SL will establish the necessary mechanisms, taking into account the proposals of the Security Committee, so that all personnel have the appropriate information, training and awareness to handle information in accordance with this Security Policy and the internal regulations derived from it, both in terms of privacy and security.

The Committee will establish appropriate mechanisms for the dissemination of information and will record all the training actions provided for in this sense.

8. Risk Management

Red Leaf SL will perform a Risk Analysis periodically and each time the information undergoes a significant alteration, following the guidelines set out by the ENS in its article 6, so that existing risks can be anticipated. This Risk Analysis and its conclusions must be reviewed by the Security Committee, which will establish appropriate safeguards so that the level of risk is acceptable.

To achieve this, the Committee will develop a procedure for Risk Analysis and Potential Impact Assessment, which must clearly establish acceptable risk values, the criteria for accepting residual risk, the periodicity of the analysis, and when it will be performed on an exceptional basis.

The risk analysis carried out by Red Leaf SL will also specifically address the risks arising from the processing of personal data in the performance of its duties.

9. Protection of Personal Data

Red Leaf SL will only collect personal data when they are adequate, relevant and not excessive in relation to the scope and purposes for which they were obtained. Likewise, it will adopt the pertinent technical and organizational measures to comply with data protection legislation.

These measures, as indicated in the first additional provision of Organic Law 3/2018, of December 5, on Data Protection and the Guarantee of Digital Rights, will correspond to those described in the National Security Scheme, and will be defined in the corresponding policies, regulations and procedures.

10. Third Parties

When Red Leaf SL provides services to other organizations, or handles information from other organizations, they will be made party to this Information Security Policy. Coordination channels and action procedures will be established for responding to security incidents.

When Red Leaf SL uses third-party services or transfers information to third parties, they will be made party to this Security Policy and to the existing Security Regulations that pertain to those services or that information. Said third party will be subject to the obligations established in the aforementioned regulations, and may develop its own operating procedures to satisfy them. Specific communication and incident resolution procedures will be established. It will be ensured that third-party personnel are adequately security aware, at least to the same level as established in this Security Policy.

When any aspect of this Security Policy cannot be satisfied by a third party as required in the paragraphs above, a report from the Security Manager will be required specifying the risks incurred and how they are to be treated. The approval of this report by the managers of the affected information and services will be required before proceeding.

11. Approval and Review of this Security Policy

This Security Policy must be a document that faithfully reflects the commitment of Red Leaf SL and its linked entities to information security. Therefore, this Policy may be modified at the proposal of the Security Committee to adapt to changes in the legislative, technical or organizational environment. Both the initial approval of this Policy and its future revisions will be carried out by the competent higher body of the entity, following a proposal from the Information Security Committee.


Last update: January 8, 2024.
©2024 Red Leaf S.L. All rights reserved