Information Security Policy
1. INTRODUCTION
The organization relies on its information systems to achieve its objectives, provide its services, and ensure business continuity. These systems must be managed diligently, applying appropriate risk-based measures to protect them against accidental or deliberate damage, whether physical or digital, internal or external.
The ultimate goal of information security is to guarantee the quality of information and the continuous provision of the Organization's services, acting preventively, monitoring daily activity, reacting promptly to incidents, and fostering a culture of security.
ICT systems must be protected against rapidly evolving threats that could affect the authenticity, traceability, confidentiality, integrity, availability, intended use, and value of information and services. To this end, the Organization adopts a comprehensive security strategy, aligned with the National Security Framework, which involves all individuals who handle information within the Organization.
The category of each system will be determined according to the criteria in Annex I of the National Security Scheme. Furthermore, the minimum security measures required by the ENS will be applied, as well as any additional measures deemed necessary based on the identified risks.
The organization must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to retirement, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in projects involving the processing of personal data, the acquisition of ICT services, or the provision of services that affect information systems.
2. SCOPE
This Policy applies to the information systems of the Global Omnium Group that fall within its scope, as well as to all individuals within the Organization. It also applies to service providers, ICT solution providers, collaborators, and any third parties who, within the framework of their relationship with the Organization, access, process, store, communicate, or manage information, or use or manage information systems within its scope.
For the purposes of this Policy, “Organization” shall mean all the companies of the Global Omnium Group, as well as their units, services, and information systems; and includes both internal personnel and third parties acting on their behalf, provided they are within the defined scope. Hereinafter, any reference to the “Organization” shall be understood as referring to this scope.
3. MISSION
The Organization is committed to providing services and products with the required quality, fulfilling the obligations assumed with its clients, administrations and companies, as well as with current regulations and other requirements subscribed to by the Organization.
The Organization integrates service continuity, sustainability, risk management, asset management, security, cybersecurity, the safety and health of workers and customers, water efficiency, food safety and the security of water supplies within its business philosophy.
For the purposes of this Policy, the information security objectives are:
- To guarantee the confidentiality, integrity, availability, authenticity and traceability of information, as well as the continuity in the provision of services.
- Implement security measures based on risk.
- To train and raise awareness among members of the Organization regarding information security.
- Implement security measures that allow traceability of access and respect the principle of least privilege, reinforcing the duty of confidentiality of users regarding the information they know in the performance of their functions.
- Deploy and control physical security by ensuring that information assets are located in secure areas, protected by access controls, addressing the risks identified.
- Establish security in communications management through the necessary procedures, ensuring that information transmitted through communications networks is adequately protected.
- Control the acquisition, development and maintenance of information systems in all phases of the information systems life cycle, ensuring their security by default.
- Control compliance with security measures in the provision of services, maintaining control over the acquisition and incorporation of new system components.
- Manage security incidents for their proper detection, containment, mitigation and resolution, adopting the necessary measures to prevent them from recurring.
- Protect personal information by adopting technical and organizational measures in response to the risks arising from processing, in accordance with data protection legislation.
- Continuously monitor the safety management system, improving and correcting any inefficiencies detected.
The Organization identifies three types of clients: main or primary client, subsidiary or secondary client and internal client, including public administrations, companies, citizens and companies of the Group itself.
4. GUIDING PRINCIPLES AND MINIMUM REQUIREMENTS
The Organization's Information Security Policy is established in accordance with the basic principles of the National Security Framework and is developed by applying the minimum security requirements provided for in Article 12 of Royal Decree 311/2022, of May 3, which regulates the National Security Framework (in spanish, Esquema Nacional de Seguridad).
Information security will have a strategic scope and must have the commitment and support of all levels of the Organization, coordinating and integrating coherently with the rest of the strategic, operational and corporate governance initiatives.
In this regard, the Organization will apply the following guiding principles and basic principles in the management and protection of information, the services provided and the information systems that support them:
- Security as a comprehensive process: Security will be understood as a comprehensive process comprised of technical, human, material, legal, and organizational elements related to information systems, avoiding isolated, one-off, or situational actions.
- Risk-based security management: Security measures will be determined, implemented, and maintained based on the identified risks to the information processed, the services provided, and the information systems that support them. These measures will be proportionate to the risk they address, must be justified, and will take into account, where applicable, the risks arising from the processing of personal data.
- Prevention, detection, response and preservation: The Organization will adopt measures aimed at preventing incidents, minimizing vulnerabilities, reducing the possibility of threats materializing, detecting anomalous activities or behaviors, responding quickly to incidents and ensuring the secure preservation of information and the continuity of services.
- Existence of lines of defense: the security strategy will be designed and implemented in layers, through organizational, physical and logical measures that allow reducing the probability of system compromise, limiting the impact of incidents and facilitating an appropriate response.
- Continuous monitoring and periodic reassessment: The Organization will implement mechanisms for monitoring, detecting, and responding to anomalous activities or behaviors, as well as for the ongoing assessment of the security status of assets. Furthermore, a continuous improvement process will be established for the periodic review and updating of security measures, taking into account their effectiveness, the evolution of risks, and changes in protection systems.
- Security by default and by design: systems must be designed, configured and maintained in a way that ensures security by default, providing only the functionality necessary for the purpose for which they were defined and applying criteria of least privilege, secure configuration and reduction of the exposure surface.
- Differentiation of responsibilities: security functions and responsibilities will be differentiated, separating the functions of the Information Officer, Service Officer, Security Officer and System Officer, and establishing the corresponding coordination and conflict resolution mechanisms.
Furthermore, the Organization will develop its security process by applying, in proportion to the risks identified in each system, the following minimum security requirements:
- Organization and implementation of the security process.
- Risk analysis and management.
- Personnel management.
- Professionalism.
- Authorization and access control.
- Protection of the facilities.
- Acquisition of security products and contracting of security services.
- Minimal privilege.
- System integrity and updates.
- Protection of information stored and in transit.
- Prevention in the face of other interconnected information systems.
- Activity logging and malicious code detection.
- Security incidents.
- Continuity of activity.
- Continuous improvement of the security process
These basic principles and minimum requirements will be applied proportionally to the nature of the information processed, the services provided, the category of the information systems, and the risks identified in each case. Their specific implementation will be carried out through security regulations, procedures, technical instructions, controls, and security measures that form part of the Organization's security documentation system.
5. LEGAL AND REGULATORY FRAMEWORK
The Organization's activity will be carried out in accordance with the current regulations applicable to the Organization, its services, its information systems and the data processing carried out.
The applicable regulatory framework is set out in the Annex “Regulations applicable to Global Omnium”, which is kept up to date through the contracted legislation and consultancy service.
This Policy takes into account, among others, the following main rules:
- Royal Decree 311/2022, of May 3, which regulates the National Security Scheme;
- Regulation (EU) 2016/679, General Data Protection Regulation;
- Organic Law 3/2018, on the Protection of Personal Data and the guarantee of digital rights;
- Directive (EU) 2022/2555, on measures to ensure a high common level of cybersecurity across the Union (NIS2).
The rest of the applicable regulations, including technical safety instructions, supplementary legislation and reference guides, are also included in said Annex.
Related Documentation: Regulations Applicable to Global Omnium.
6. SECURITY ORGANIZATION
The Organization has a security organizational model based on an Information Security Committee and specific roles with differentiated functions and responsibilities. This model allows for the coordination of information systems security needs, the distribution of responsibilities, conflict resolution, the regulation of the appointment and replacement of its members, and the promotion of continuous improvement. Furthermore, the Organization will establish mechanisms for addressing user non-compliance with this Policy, in accordance with internal regulations and applicable legislation.
Related Documentation:Roles and Responsibilities
6.1. APPOINTMENT AND REPLACEMENT OF MEMBERS OF THE SAFETY COMMITTEE
The appointment of the members of the Information Security Committee (Comité de Seguridad de la Información) will be made by the competent body of the Organization, at the proposal of the affected directorates or responsible areas, taking into account criteria of responsibility, knowledge, decision capacity and relationship with the systems, services or information included in the scope of this Policy.
Each appointment must be formalized in writing, indicating at least the identity of the appointee, the position or role they hold, the scope of their responsibilities, the effective date, and, where applicable, the expected duration of the appointment. Acceptance of the appointment implies knowledge of and commitment to fulfilling the assigned duties.
Temporary or permanent replacements must occur when any of the following circumstances arise: termination or change of position of the designated person, prolonged absence, supervening incapacity, conflict of interest, internal reorganization or any other cause that prevents the proper exercise of their functions.
The proposed replacement must be submitted by the affected department or unit as soon as it becomes aware of the circumstances that necessitate it, ensuring at all times the continuity of the Committee's functions. While the new appointment is being formalized, a temporary substitute may be appointed with the necessary powers to ensure operational and governance continuity for security.
The review of the Committee's composition will be carried out at least annually and whenever there are relevant changes in the organizational structure, the scope of information systems, the applicable regulatory framework, or the risks that may affect the Organization.
7. DEVELOPMENT OF THE INFORMATION SECURITY POLICY
This Policy is implemented through the Organization's security documentation system, comprised of Security Regulations, procedures, technical instructions, and guides that specify and regulate particular aspects of information security. Additionally, other corporate procedures may incorporate security requirements derived from the National Security Framework (ENS). All documentation implementing this Policy must be approved by the Security Officer.
Security documentation will be stored in the Organization's document repository and will be accessible only to authorized users. Document management must ensure its availability, updating, version control, distribution to authorized recipients, and removal of obsolete documentation.
The specific application of the security measures of the National Security Framework will be documented in the corresponding Statement of Applicability, which will include the applicable measures and reinforcements, justified exclusions, compensatory measures, and, where applicable, supplementary monitoring measures. The Statement of Applicability will be signed by the Security Officer and will be kept up-to-date according to the category of the systems, the identified risks, and the evolution of the regulatory and technological framework.
The review of the information security documentation system will be carried out annually or when there is a significant change that affects security, the organization, the regulatory framework or the information systems.
8. PROCESSING OF PERSONAL DATA
The Organization processes personal data in the course of its activities, as described in the Record of Processing Activities. Access, use, and processing of personal data will be carried out in accordance with Regulation (EU) 2016/679, Organic Law 3/2018, and all other applicable regulations.
Personal data must be processed in a legitimate, lawful, fair, transparent manner, limited to the corresponding purpose, minimized, accurate, updated, complete, confidential and with a limited retention period.
The Organization will adopt appropriate technical and organizational measures to prevent the alteration, unauthorized or unlawful processing or access, as well as the loss or destruction of personal data. .
The Data Protection Officer, together with the Compliance Officer, the Legal Department, and the Information Security Officer, will develop and maintain up-to-date internal regulations for the overall management of data protection. The Information Security Officer will implement appropriate IT controls and developments in the information systems to ensure compliance with information management regulations.
Data protection risk management will be coordinated with ENS risk management, including impact assessments where appropriate and the coordination of risk treatment plans.
9. RISK MANAGEMENT
All systems subject to this Policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:
- Regularly, at least once a year.
- When the handled information changes.
- When the services provided are changed.
- When a serious security incident occurs.
- When serious vulnerabilities are reported.
- When relevant changes occur in the data protection risk analysis or impact assessments.
To harmonize risk analyses, the Information Security Committee will establish a benchmark assessment for the different types of information handled and the services provided.
The Security Committee will streamline the availability of resources to meet the security needs of the different systems, promoting horizontal investments.
Data protection risks will be taken into account, taking into account the opinion of the Data Protection Officer, and risk treatment plans will be coordinated.
10. PERSONNEL OBLIGATIONS
All personnel of the Organization have the obligation to know and comply with this Information Security Policy and the norms, procedures, protocols, instructions, rules and standards that develop it.
The Organization will take the necessary steps to ensure that the Policy and its implementing regulations reach the affected individuals. All staff will receive regular information security awareness training, and those responsible for the use, operation, or administration of ICT systems will receive specific training appropriate to their roles.
11. THIRD PARTIES
When the Organization provides services to other entities or handles information from third parties, they will be made aware of this Information Security Policy to the extent applicable to them, without prejudice to compliance with the obligations arising from the regulations on the protection of personal data when the Organization acts as a processor or processes information on behalf of said entities.
Likewise, the necessary channels will be established for reporting, coordinating, and responding to security incidents with the entities, clients, suppliers, or other third parties involved. The Security Officer, or their designee, will act as the Point of Contact for information security matters, without prejudice to the involvement of the Information Security Officer, the Data Protection Officer, the Information Systems Department, the Legal Department, or the Security Committee when the nature of the incident or the information processed so requires.
When the Organization uses third-party services, contracts service providers, acquires ICT products or solutions, allows third-party access to its systems, or transfers information to third parties, such third parties must be aware of and comply with this Information Security Policy and the security regulations applicable to the affected services, systems, or information.
When contracting service providers or acquiring products, the contractor's obligation to comply with the National Security Framework, where applicable, will be taken into account, as well as any legal, contractual, regulatory, and sector-specific obligations affecting the Organization or the services provided. When the supplier has access to personal data on behalf of the Group companies, their contracting will be carried out in accordance with applicable data protection regulations and established internal contracting policies.
In acquiring rights to use assets, services or solutions in the cloud, the Organization will take into account the requirements established in the security measures of Annex II of the National Security Scheme and in its development guides, as well as the security, continuity, confidentiality, traceability, data protection and incident management requirements that may be applicable.
Third parties will be subject to the obligations set forth in this Policy, applicable security regulations, and any contracts, agreements, data processing agreements, security annexes, or equivalent instruments governing their relationship with the Organization. These third parties may develop their own operating procedures to fulfill these obligations, allowing the Organization to monitor compliance, request evidence, review controls, or initiate second- or third-party audits as appropriate.
Third parties must ensure that their personnel are aware of and comply with the information security obligations applicable to the contracted service, including those related to confidentiality, personal data protection, authorized use of information, incident reporting, and compliance with applicable security regulations. This level of compliance must be at least equivalent to that required by the Organization of its own personnel or that specifically established contractually.
Specific procedures will be established for reporting and resolving incidents involving third parties. Any incident, security breach, data loss, unauthorized access, misuse, significant vulnerability, or situation that could affect information security or service continuity must be reported by the third party to the contacts defined by the Organization. When the incident affects or may affect personal data, the Data Protection Officer must intervene, along with the relevant internal functions.
When the Organization acquires, develops, integrates, or implements an Artificial Intelligence system, in addition to complying with applicable regulations, it must obtain a report from the Security Officer, who will consult with the Information Officer, the Service Manager, and, when necessary, the System Manager. When the system processes or may affect personal data, the opinion of the Data Protection Officer must also be obtained.
12. SECURITY INCIDENT MANAGEMENT
The Organization will have procedures in place for the agile management of security events and incidents that may pose a threat to information, information systems or services provided.
These procedures will include the detection, recording, analysis, treatment and monitoring of security incidents, as well as the adoption of the necessary measures for their containment, resolution and continuous improvement of the security process.
Security incidents and their corresponding actions will be recorded. These records will be used for the continuous improvement of system security, vulnerability detection, control review, and, where appropriate, evidence preservation.
Incident management will be integrated, where appropriate, with other applicable procedures and obligations regarding personal data protection, business continuity, critical infrastructure, essential infrastructure, or other sector regulations that affect the Organization.
When the incident affects or may affect personal data, the Data Protection Officer will be involved, along with the Information Systems Management, the Information Security Officer and the rest of the relevant internal functions, in order to assess the breach and activate the necessary security protocols.
The Organization will report incidents to the competent bodies when required by applicable regulations and, where necessary, to the State Security Forces and Corps, judicial bodies or other competent authorities, without undue delay.
In the case of critical or essential services, systems or infrastructure, incident management will take into account the specific plans, protocols and coordination mechanisms established by the Organization to ensure the response, recovery and continuity of services.
13. ACTION IN CASE OF USER BREACH OF THE POLICY
Failure to comply with this Information Security Policy, as well as the rules, procedures, instructions or controls that develop it, may lead to the adoption of corrective, disciplinary, contractual or legal measures, depending on the nature, scope, intentionality, repetition, impact and risks associated with the detected fact, all in accordance with labor, conventional, contractual and other applicable regulations.
The application of any measure must respect the principles of proportionality, confidentiality, traceability, contradiction and minimum exposure of information, ensuring that the management of non-compliance is properly documented and that only people with competence and need to know intervene.
When non-compliance affects or may affect personal data, regulatory obligations, electronic evidence, service continuity, or potential liabilities to third parties, the Data Protection Officer, the Legal Department, or other relevant departments will be involved. If there are indications of a criminal or administrative offense, the Organization may report the matter to the competent authorities.
The Information Security Officer will monitor relevant breaches and periodically report to the Security Committee aggregated information on incidents, measures taken, trends detected and improvement actions, in order to strengthen the security culture and prevent recurrence.
14. APPROVAL AND ENTRY INTO FORCE
This Information Security Policy has been approved by the Security Committee, with the participation of the Information Security Officer.
This Policy is effective from the date of approval and will remain in effect until replaced by a new, formally approved version. This version supersedes and renders all previous versions of the Information Security Policy obsolete.
This Policy will be reviewed at least annually by the Information Security Committee, or sooner when regulatory, organizational, technical, contractual, risk or security changes occur that make it necessary.
Modifications that involve substantial changes affecting principles, responsibilities, scope or security governance model must be proposed by the Security Committee and formally approved by the competent body.
The replacement of the Policy will be requested by the Information Security Committee and ratified by the competent body, with interested parties being duly informed through the channels used for its dissemination.
The Policy will be disseminated to all personnel of the Organization and, where appropriate, to external personnel, suppliers, service providers, collaborators and third parties who access, process, store, communicate or manage information or information systems of the Organization.
15. DILIGENCE IN REVIEWING THE POLICY
This Policy has been reviewed and validated by the Information Security Officer and sent to the Human Resources Department for dissemination throughout the Organization.