
POLICY

Information Security

1. CONTEXT

Information is essential for virtually all business processes of MAPAL SOFTWARE, S.L (hereinafter, MAPAL), serving as the crucial thread for executing these processes with guarantees of efficiency and quality, thereby achieving compliance with the strategic objectives formally set by the Management.

The main dimensions of information security that must be guaranteed in the execution of any business process are:

  • Confidentiality: Ensures that information is only accessible to authorised persons, entities, or processes.
  • Integrity: Ensures that information is generated, modified, and deleted only by authorised persons, entities, or processes.
  • Availability: Ensures that information is accessible when required by authorised persons, entities, or processes.
  • Traceability: Ensures that information on the accesses and activities carried out by persons, entities, or processes is available for any analysis of anomalous behaviour patterns that needs to be performed.

Furthermore, other dimensions of security, such as authentication of the parties or non-repudiation, must similarly be guaranteed when the security value of the information in the context of the business process in which it is being stored, processed, or transmitted, requires it.

The Information Security Policy is based on the adoption of clear and well-defined principles that ensure compliance with strategic guidelines, legal requirements, as well as those of a contractual nature formalised with third parties or stakeholders, and thus, it constitutes the main instrument on which MAPAL relies for the secure use of information and communication technologies.

The regulations (standard, procedures, and security instructions) that emanate from or are derived from the Information Security Policy of MAPAL will become part of it once they have been disclosed, being mandatory for all employees and third parties who use information owned by MAPAL.

The Management of MAPAL will ensure that this Information Security Policy is understood and implemented throughout the organisation, providing the necessary resources to achieve the objectives defined in this framework of action.

2. OBJECTIVES

The Information Security Policy is established as the high-level document that formalises the various guidelines for action on security adopted by MAPAL, and which will be developed in greater detail in the corresponding security regulations prepared for this purpose.

Under this premise, therefore, the Information Security Policy contemplates the following main objectives:

  • To comply with the applicable legal regulations in the field of information security.
  • To contribute to the fulfilment of the mission and strategic objectives formalised by MAPAL.
  • To align information security, as a principal asset, with the requirements demanded by the business, by formalising the information value model and carrying out the risk analysis and evaluation process to which the various information assets are exposed, in order to define a strategy for mitigating the identified information security risks.
  • To guarantee adequate protection of the various information assets according to their degree of sensitivity and criticality (the security value assigned to each information asset in the dimensions considered, applying the inheritance criterion and the principle of proportionality).
  • To guarantee an effective response capacity to eventual information security incidents, minimising the respective operational, financial, and reputational impact.
  • To facilitate the sizing of the necessary resources for the correct implementation of the technical and organisational security measures collected in the documented security regulations.
  • To promote the use of good practices in information security, as well as to create the appropriate security culture in the context of the organisational structure of MAPAL.
  • To establish the mechanisms for review, monitoring, auditing, and continuous improvement in order to maintain the appropriate security levels demanded by the business model of MAPAL.

3. SCOPE

The Information Security Policy encompasses all information assets existing in MAPAL that act as support infrastructure for the possible execution of business processes.

4. REGULATORY FRAMEWORK

The formalisation of the Information Security Policy, as well as the security regulations derived from it, will take into consideration and integrate the following applicable legal regulations:

  • Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, GDPR – General Data Protection Regulation), relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data.
  • Organic Law 3/2018, of 5 December 2018, on Personal Data Protection and Guarantee of Digital Rights (hereinafter, Law 3/2018).
  • Law 34/2002, of 11 July, on Services of the Information Society and Electronic Commerce (hereinafter, LSSICE).

5. PRINCIPLES

The fundamental principles that must be considered in order to guarantee the dimensions of information security are prevention, detection, response, and recovery. Their purpose is that existing threats do not materialise or, if they do, do not severely affect the information required for the execution of MAPAL's business processes, keeping the resulting impact within the acceptable levels formalised by Management.

5.1. PREVENTION

As a primary principle of security, MAPAL must prevent, to the extent possible, business information from being affected by security incidents. To this end, preventive security measures should be prioritised in the implementation strategy adopted after the risk analysis and evaluation process. These controls, together with the security roles and responsibilities formalised to achieve their proper implementation, must be clearly defined and documented.

5.2. DETECTION

Given that, regardless of the preventive security strategy in place, information assets may inevitably be affected by the materialisation of security threats (security incidents), it is fundamental to continuously monitor operations in order to detect anomalies in service provision levels and act accordingly.

This monitoring is especially relevant when lines of defence have been established in the terms set out by the reference best practices in the field of information security, since those lines then act as early warning mechanisms.

Where a degradation in service provision is directly attributable to a security incident, appropriate reporting mechanisms should be in place so that the Security Manager is notified and can analyse and investigate the root cause in conjunction with the incident response teams.

5.3. RESPONSE

Mechanisms must be established to respond effectively to security incidents. Thus, depending on the type of incident that has occurred, the appropriate response plan should be formalised.

5.4. RECOVERY

In order to guarantee the continuity of critical processes, for which incident response plans may in certain cases not be applicable, contingency plans should be developed as part of the organisation's general business continuity plan and recovery activities.

6. RISK APPROACH

The information assets that make up the scope of the present Information Security Policy are subject to analysis and risk evaluation, in order to identify the potential threats to which they are exposed, evaluate the associated impact of the possible materialisation of such threats, and determine the risk situations that could arise.

The result of this risk analysis and evaluation will allow the appropriate security measures to be identified and proposed as a strategy for mitigating the identified risks.

The Information Security Committee will lead the periodic execution of risk analysis, planning the technical, human, and economic resources necessary for such purposes.

7. STRUCTURE

The security regulations established by MAPAL are structured at the following levels related hierarchically:

  1. Level I: Information Security Policy
  2. Level II: Information Security Standard
  3. Level III: Information Security Procedures
  4. Level IV: Information Security Instructions

This hierarchical structure allows the lower levels to be efficiently adapted to changes in the technical and functional environment of MAPAL without the need to review its security strategy, except when substantial modifications are warranted.

MAPAL personnel will be obliged to know and comply with, in addition to the Information Security Policy, the security standards and procedures that affect their functions. For this reason, they will receive specific training to this effect according to the responsibilities formally assigned to them.

The security regulations will be available on the IT Portal of MAPAL.

7.1. LEVEL I: INFORMATION SECURITY POLICY

Contained in the present document and formally approved by Management, it details the guidelines for action on information security that contribute to the fulfilment of the mission formalised by Management.

7.2. LEVEL II: INFORMATION SECURITY STANDARD

The second level develops the Information Security Policy by identifying the specific security objectives considered for the different security domains:

  • Security related to human resources
  • Information asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Security of operations
  • Communication security
  • Acquisition, development, and maintenance of information systems
  • Supplier relations
  • Management of information security incidents
  • Aspects of information security for the management of business continuity
  • Compliance

The Information Security Standard must be approved by the Information Security Committee prior to its formalisation and disclosure, with the criteria for evaluating compliance (degree of compliance with specific security objectives) being defined.

7.3. LEVEL III: INFORMATION SECURITY PROCEDURES

The third level consists of technical and organisational procedures of action that set out the activities and tasks to be executed in order to comply with the specific security objectives formalised in the documented Information Security Standard, according to the security value assigned to each information asset in the various security dimensions under the Information Classification Standard.

These guidelines for action will be specifically applicable according to the different security domains considered and detailed in the Information Security Standard.

The security procedures must be approved by the Security Manager prior to their formalisation and disclosure.

7.4. LEVEL IV: INFORMATION SECURITY INSTRUCTIONS

Specific work instructions will be documented in order to tailor the application of a procedure to a particular context or information asset. They will therefore detail the activities and tasks to be executed within that scope, in compliance with the established security procedure from which the instruction derives.

The specific information security instructions will be approved by the Security Manager after consensus has been reached with the managers of the affected information assets.

8. THIRD PARTIES

When MAPAL requires the participation of third parties for the provision of a service, those third parties will be informed of the security regulations applicable in the context of the collaboration and will be bound by the obligations established in them.

When any aspect of the security regulations cannot be satisfied by a third party, authorisation from the Security Manager will be required after identifying the risks incurred and how to treat them, and contracting may not be formalised prior to obtaining such authorisation. In any case, these authorisations, depending on their categorisation, will be reported to the Information Security Committee in order to adopt the appropriate decisions.

9. REVIEW

The Information Security Policy will be reviewed annually by the Information Security Committee or when there is a significant change (management approach to security, business circumstances, legal changes, changes in the technical environment, recommendations made by control authorities, and trends related to threats and vulnerabilities) that necessitates it.

In the case that a new version of the Information Security Policy is obtained, formal approval from Management will be required prior to its disclosure.

10. ENTRY INTO FORCE

Text approved by Management on 6 February 2023.

Its entry into force implies the repeal of any other policy that existed for such purposes.

Jorge Lureña

CEO of Mapal Software