Information Security Policy
1. Introduction
The Information Security Policy (hereinafter, the Policy) is a high-level policy approved by the Global area, as the representative of all workers and cross-cutting areas of BASETIS, and has the purpose of adopting a set of measures aimed at preserving the confidentiality, integrity, and availability of information, which constitute the three basic components of information security.
Every organization holds confidential information, to a greater or lesser degree, whose loss or improper use can damage its reputation. Likewise, the deterioration or unavailability of information systems can interrupt the normal course of operations, with negative effects on the quality of service and the company's profits.
To this end, BASETIS undertakes to develop a set of rules of use, procedures, protocols, manuals, guides, etc. that reflect the legal and ethical requirements applicable to actions within the organization and that in turn cover all the aspects that are presented in this Policy. This is intended to mitigate the risks associated with the BASETIS information systems by describing what is expected of all interested parties who, in the performance of their functions, may have access to information, information systems or resources.
2. Objective
The main objective of this High Level Policy is to define the principles and basic rules for information security management. The ultimate goal is to ensure that BASETIS as an organization guarantees optimal levels of security, allowing it to ensure that said information (whether its own or that of third parties) maintains its integrity, confidentiality, and availability.
This document is available to all interested parties as documented information and is communicated throughout the organization.
3. Scope
The Policy is applicable to all BASETIS employees, as well as to the service provider companies to which it applies, and to all the services that are carried out as a business activity: Artificial Intelligence, Data Integration & Analytics, Design, Development, Infrastructure, Management & Business, Mobile.
4. Guiding principles or commitments
BASETIS establishes the following basic principles as fundamental information security guidelines that must always be kept in mind in any activity related to information processing, and to which it commits:
- Risk management: Risk analysis will be an essential part of the information security process. This risk management will allow a controlled environment to be maintained.
- Rules and procedures: A complete set of security regulations will be defined that governs the conditions under which the company, within the established scope, must carry out its activity in order to respect the security requirements and ways of acting necessary to guarantee the correct development of this Policy.
- Strategic scope: Information security must have the commitment and support of all Basetis workers, with the Global area as the guarantor that the purposes of all the areas that make up the organization are aligned, assuming and supporting cross-cutting initiatives.
- Security by default: Information security must be considered part of normal operations, being present and applied throughout the process of design, development, and maintenance of information systems.
- Continuous improvement: To guarantee the continuous maintenance of the security levels and the effectiveness of the System, internal and external audits, periodic reviews, training and awareness plans in terms of security, a risk treatment plan, etc. must be carried out and defined.
5. Control structure
Our Security Management System is made up of the following roles:
Security Committee
- CISO (Security Manager)
- CSO (Chief Security Officer)
- Responsible for the Information Security Management System (RSGSI)
- The person designated as Data Protection Officer (DPO)
- A representative of the ISO27001 team
- A representative of the Global area
- A representative of the Legal area
- A representative of the Development/Projects team
- A representative of the Systems and Helpdesk area
6. Main rules of our System
Our Security Management System is based on a set of rules that are reflected in specific policies within the System, and which encompass the following aspects:
- Confidentiality of information: Information to which users have access will be protected against unauthorized or accidental disclosure, modification, destruction or misuse, regardless of the medium in which that information is contained. Likewise, care will be taken to preserve the confidentiality of commercially sensitive customer information to which Basetis may have access.
- Privacy and protection of personal data: In order to preserve the confidentiality of data and information, BASETIS is responsible for ensuring compliance with current guidelines on the protection of personal data, which are communicated to all interested parties and put into practice within all the processes of the organization.
- Intellectual property: Compliance with legal restrictions on the use of material protected by intellectual property regulations will be guaranteed. The rules that govern the matter will be taken into account both within the internal processes of the organization and in all commercial relationships with customers and suppliers.
- Control of physical access to the facilities: Access by third parties (externals) to the BASETIS facilities will be controlled to guarantee the security and confidentiality of the information within our offices. To this end, our access policy sets the guidelines to ensure the control of all people who access our offices.
- Appropriate use of resources and equipment: The resources that BASETIS makes available to its employees, regardless of their type (computers, data, software, networks, communication systems, etc.), are available exclusively to fulfill the obligations and purpose of the operation for which they were designed and implemented. Automatic locking is established as a security measure on all computers assigned to users.
- Use of software and protection against malware: The relevant area within the organization will be responsible for guaranteeing and controlling the proper use of the software installed on the different computers.
- Exchange of information: BASETIS will make sure to inform all its employees, through the respective policies and training/awareness, of those activities that are prohibited in relation to the use and exchange of information in the course of their work, including the handling of information that contains personal data.
- Use of email: Users who access the BASETIS information systems will have a specific and unique email account, assigned exclusively to that user (username[a]basetis.com).
- Internet connectivity: The Internet is considered a work tool, so all activities on the Internet must be related to work tasks and activities.
- Responsibility of the users: Users are responsible for all the actions recorded in the BASETIS computer systems under their identifier, and must also follow the instructions for managing their passwords and keeping their workstation clean and uncluttered.
- Identification of users and passwords: All workers are obliged to use the resources of BASETIS and the data contained therein without engaging in activities that may be considered illicit or illegal.
- Access management: A record of the granting, alteration and revocation of user access will be kept, applicable to all BASETIS information systems.
- Security for outsourcing: Suppliers will be duly evaluated and must follow a series of requirements defined both in the respective service contracts and in the supplier relationship policy.
- Incidents: In the event of detecting any incident related to the information systems, the defined security incident management procedure will be followed.
7. Update of the Policy
Due to the evolution of technology, security threats and new legal provisions on the matter, Basetis reserves the right to modify this Policy when necessary. The review will include an evaluation of opportunities to improve the information security policy and management approach in response to changes in the organizational environment, business circumstances, legal conditions, or the technical environment.