ENS INFORMATION SECURITY POLICY

PSICONNEA B2B, as a company dedicated to the design, development, implementation, and support of software products for recording communications, electronic monitoring, and emergency management, is committed to information security and its proper management in order to offer all its stakeholders the highest guarantees regarding the security of the information used. Based on the above, the Management establishes the following information security objectives:

  • Provide a framework for increasing resilience to respond effectively to critical security situations.
  • Ensure the rapid and efficient recovery of services in the event of any physical disaster or contingency that may occur and put the continuity of operations at risk.
  • Prevent information security incidents to the extent technically and economically feasible, as well as mitigate information security risks generated by our activities.
  • Ensure the confidentiality, integrity, availability, authenticity and traceability of information.

To achieve these objectives it is necessary to:

  • Continuously improve our information security system.
  • Comply with applicable legal requirements and any other requirements we may have in addition to our commitments to clients, as well as continuously update them.

The legal and regulatory framework in which we carry out our activities is:

● REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

● Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights.

● Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law

● Royal Decree-Law 2/2018, of April 13, amending the consolidated text of the Intellectual Property Law

● REGULATION (EU) 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation).

● Occupational Risk Prevention Law 31/1995 of November 8 and Royal Decree 39/1997 of January 17, approving the Regulations for Prevention Services.

● Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE).

● Royal Decree-Law 13/2012 of March 30, Cookie Law.

● Royal Legislative Decree 1/1996, of April 12, approving the revised text of the Intellectual Property Law, regulating, clarifying, and harmonizing the current legal provisions on the matter.

● Resolution of October 7, 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction for the State of Security Report.

● Resolution of October 13, 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction in accordance with the National Security Framework.

● Resolution of March 27, 2018, of the State Secretariat for Public Service, approving the Technical Security Instruction for Auditing the Security of Information Systems.

● Resolution of April 13, 2018, of the Secretariat of State for Public Service, approving the Technical Security Instruction for Notification of Security Incidents.

● Royal Decree 311/2022, of May 3, regulating the National Security Scheme

– Identify potential threats, as well as the impact on business operations that such threats may cause, if they materialize.
– Preserve the interests of its main stakeholders (customers, shareholders, employees, and suppliers), reputation, brand, and value-creating activities.
– Work jointly with our suppliers and subcontractors to improve the provision of IT services, service continuity, and information security, resulting in greater efficiency in our activities.
– Evaluate and guarantee the technical competence of our staff, as well as ensure their adequate motivation to participate in the continuous improvement of our processes, providing appropriate training and internal communication so that they develop good practices defined in the system.
– Guarantee the proper condition of the facilities and the appropriate equipment, so that they are in line with the company’s activity, objectives, and goals.
– Guarantee the continuous analysis of all relevant processes, establishing the relevant improvements in each case, based on the results obtained and the established objectives.
– Structure our management system in a way that is easy to understand. Our management system has the following structure:

The management of our system is entrusted to the Management Manager. The system will be available in a repository within our information system, accessible according to the access profiles granted under our current access management procedure.

These principles are embraced by Management, which provides the necessary means and gives its employees sufficient resources to ensure compliance with them, and they are reflected and made public through this Integrated Management Systems Policy.

The security roles or functions defined in ESRI are:

Function: Duties and responsibilities

Responsible for information:
– Make decisions regarding the information processed

Responsible for services:
– Coordinate the implementation of the system
– Continuously improve the system

Security Officer:
– Determine the suitability of technical measures
– Provide the best technology for the service

System Manager:
– Coordinate the implementation of the system
– Continuously improve the system

Address:
– Provide the necessary resources for the system
– Lead the system

This definition is completed in the job profiles and in the system documents.

The procedure for their appointment and renewal will be ratification by the security committee.

The Security Management and Coordination Committee is the body with the highest responsibility within the information security management system, so all major security-related decisions are made by this committee. The members of the information security committee are:

  • Responsible for information.
  • Responsible for services.
  • Responsible for security.
  • System manager.
  • Company Management (managing partners)

These members are appointed by the committee, the only body that can appoint, renew and remove them.

The Safety Committee is an autonomous, executive body with decision-making authority and is not subordinate to any other component of our company.

This policy complements the rest of the policies, procedures and documents in force to develop our management system.