View Information Security Policies

Mission and Objectives of the SATEC Group in Information Security

The Management of the SATEC Group is aware of the importance of proper information handling to achieve an optimal level of quality, security, availability, and continuity in the services provided to its clients. The SATEC Group bases a significant part of its market approach towards clients on the deployment and development of infrastructures and services for information systems and telecommunications.

For the SATEC Group, a security incident involves clear tangible damages such as a loss of information, service availability, or legal implications, as well as considerable damage to the company's image. This makes security an essential factor for the proper functioning of the organization.

Objectives of the Information Security Policy

The SATEC Group has the following objectives in terms of information security:

- Ensure the confidentiality of the information handled by the SATEC Group.

- Protect the integrity of the information in all areas of its processing within the framework of the services provided.

- Ensure the availability of the information systems that support the services provided to clients.

- Verify and ensure the authenticity of the senders and receivers of the information.

- Guarantee the traceability and monitoring of activities and information within the framework of service delivery.

- Manage information security throughout the entire service lifecycle.

- Ensure risk analyses are carried out to assess existing risks and select necessary security measures while maintaining an appropriate balance between cost and benefit.

- Apply security measures focused on preventing possible incidents, errors, or deliberate attacks.

- Establish effective event and security incident management to minimize the impact or any consequences and respond timely and adequately to contractual and legal requirements, ensuring the availability and continuity of the provided service. Procedures for proper prevention, detection, response, and recovery from any security incident will be established.

- Protect information against unauthorized access and implement the necessary technical measures to ensure the required defense lines.

- Promote awareness and training of employees in information security.

- Ensure continuous improvement through established periodic reviews, consisting of monitoring, auditing, and following up on improvement plans.

Regulatory Framework

• · Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI-CE). (BOE 166 of 07-12-2002), last update 11/12/2020.
• · Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (BOE No. 44, of 05/09/2023)
• · Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons regarding the processing of personal data and the free movement of such data, GDPR.
• · Royal Decree 311/2022, of May 3, regulating the National Security Scheme.
• · Royal Legislative Decree 1/1996, of April 12, approving the revised text of the Intellectual Property Law (LPI), regularizing, clarifying, and harmonizing the provisions in force on the matter. (BOE-A-1996-8930). Including the update by art. 1 of Law 5/1998, of March 6.
• · RD 28/2003 of March 7 approving the Regulations of the Central Registry of Intellectual Property (BOE 75 03-28-03). Generally applicable for the registration of intellectual property (part of Royal Legislative Decree 1/1996, of April 12).
• · Organic Law 10/1995, of November 23, of the Penal Code, in its update dated 06/05/2021. (BOE-A-1995-25444)
• · Law 1/2019, of February 20, on Trade Secrets.
• · Law 23/2006, of July 7, amending the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12 (LPI). (BOE 162 of 07-08-2006), law modifying Royal Legislative Decree 1/1996, of April 12.
• · Law 25/2013 on the promotion of electronic invoicing and the creation of an accounting registry of invoices in the Public Sector, and its development. (BOE 311 of 12-28-2013). It is applicable to services provided to Public Administrations.
• · Law 17/2001, of December 7, on Trademarks. (BOE 294 of 12-08-2001). It applies to all protection of distinctive signs, trademarks, and trade names of the SATEC Group.
• · Law 24/2015, of July 24, on Patents (BOE 177 of 07-25-2015). It applies to the protection of industrial inventions.
• · Royal Decree-law 12/2018, of September 7, on the security of networks and information systems.
• · Law 10/2021, of July 9, on remote work (BOE 164 of 07-10-2021)

Security Organization

Coordination of information security.

Information Manager

The Information Manager is responsible, within their scope of action, for:

- Determining the security needs and requirements of the information processed.
- Ensuring the proper use of information and its protection.
- Approval of information security levels cannot be delegated.

They will be appointed by General Management based on the nature of the information.

Service Manager

The Service Manager is responsible, within their scope of action, for:

- Determining the security requirements of the provided service.
- Including security specifications in the lifecycle of services and systems, along with the corresponding control mechanisms.
- Ensuring that defined processes and policies are applied.
- Approval of the service's security levels cannot be delegated.

They will be appointed by the Production Management depending on the nature of the services.

Information Security Management System Manager

The SATEC Group has an Information Security Management System Manager (ISMS Manager) responsible for controlling and coordinating security, ensuring compliance with and adequacy of existing security measures, as well as proposing and establishing improvements regarding the adaptation to the security policy, standards, and procedures based on the improvements, policies, standards, and procedures established in the general Management System.

They rely on the following for their operation:

- A technical security manager in each delegation, who will identify, analyze, and resolve any technical issues related to Security.
- A physical security manager reporting to General Services.
- Service Managers.
- Information Managers.
- System Managers.
- A Security Management Committee with sufficient authority to make organizational decisions ensuring security. The committee is composed, at a minimum, of:
- Security Manager (ISMS Manager)
- Technical Security Manager
- Service Managers (who also represent Information Managers)

The main functions of the Security Manager are:

- Recommending improvement actions, Risk Treatment, and/or corrective actions to resolve detected problems and reporting to the General Manager for management.
- Ensuring the implementation of agreed actions regarding improvements, objectives, corrective actions, Risk Treatment, detected vulnerabilities, and overseeing the proper execution of actions.
- Establishing security incident management.
- Maintaining contacts with external resources or sources on security issues.
- Evaluating changes to assets and base structures, analyzing their security implications with the assistance of the Technical Security Manager.
- Creating the ISMS documentation structure for the SATEC Group.
- Ensuring the implementation and ongoing maintenance of the ISMS in the SATEC Group in collaboration with the General Manager.

Providing information about the ISMS performance in the SATEC Group and proposing improvements based on:
- Nonconformities
- Corrective Actions
- Risk Analysis Results
- Internal Audits
- Security Incidents
- Suggestions
- Indicators
- Registering the ISMS improvement needs, assigning solution responsibilities, and tracking them.
- Closing Corrective Actions and ISMS Risk Treatments in coordination with the General Manager.
- Registering the status of ISMS Corrective Actions and Risk Treatments.
- Reviewing and controlling risk analysis and its management.
- Ensuring proper resource management, in coordination with Management, regarding the ISMS of the SATEC Group.
- Ensuring the security of the infrastructure necessary for the operation of the SATEC Group's IT services and physical access.
- Providing information on the management of communications and operations of equipment and systems necessary for the operation of the SATEC Group's IT services.
- Being informed about everything related to access management for the SATEC Group's systems.
- Providing information and participating in the purchase, development, and maintenance of the SATEC Group's systems.
- Establishing appropriate mechanisms for managing security incidents in the SATEC Group.
- Defining procedures and plans to ensure business continuity for the SATEC Group.
- Ensuring the technical and legal compliance of the ISMS of the SATEC Group.
- Convening meetings of the Operational Security Committee whenever its analysis and knowledge are required for any security-related task.

- The System Manager.

The System Manager is responsible for the operation of the information system, adhering to the security measures determined by the Security Manager along with the Technical Security Manager.

The main functions of the System Manager are:

- Developing, operating, and maintaining the information system throughout its lifecycle; from defining specifications to deployment and verifying its correct functioning.
- Defining the topology and management of the system; for this, they will define usage criteria and services in the information system.
- Ensuring, together with the Security Manager and the Technical Security Manager, that security measures are adequately integrated into the corporate security framework.

Security Management Committee

Their main functions are:

- Reporting to the Management Committee, the Board, and the Steering Committee when appropriate.
- Developing the Security Policy of the SATEC Group and security standards.
- Developing security procedures.
- Informing the Board about the management of information security.
- Establishing risk acceptance criteria and pre-approving risk mitigation strategies, which must ultimately be approved by the Board.
- Coordinating risk analysis, contingency plans, and disaster prevention.
- Developing medium- and long-term security objectives and strategies.
- Preparing an annual security management plan, formulating the necessary resources to be submitted for Board approval.
- Monitoring the agreements from the last Management Review meeting of the SATEC Group ISMS.
- Analyzing the Internal Audits performed.
- Analyzing the status of Risk Treatment Actions and Corrective Actions, ensuring they are taken within an appropriate timeframe.
- Analyzing the evolution and achievement of security objectives.
- Ensuring communication to all staff about the importance of understanding security objectives in compliance with security standards and their responsibilities.
- Analyzing compliance with ISMS security standards and procedures and their validity. The need for modifications or whether the desired objectives are being pursued is analyzed.
- Reviewing the ISMS review conclusions and the corrective actions and/or Risk Treatments necessary to address improvement needs, establishing execution responsibilities and deadlines.

Responsibility Designation Procedure

It will be the responsibility of the Management to assign security-related responsibilities within the SATEC Group and establish the list of information owners, as well as individuals authorized to designate resources and permissions.

Training and Awareness

The Management of the SATEC Group is committed to providing the necessary resources for appropriate training and awareness in security for all SATEC Group employees, based on the roles and responsibilities they hold in relation to this subject.

Likewise, efforts will be made to update the necessary knowledge for those responsible for security, information, and information systems.

Risk Management

All information systems and elements necessary for the delivery of services subject to this Policy must undergo a risk analysis, assessing the threats and risks to which they are exposed.

The frequency for conducting this risk analysis will be:

- At least once a year.
- When the information being handled changes.
- When the services provided or the scope within the Information Security System change.
- When a serious security incident occurs.
- When severe vulnerabilities are reported.

For traceability of risk analyses, the Security Committee will establish a reference valuation for the different types of information handled and the different services provided. The Management will ensure the availability of resources to address the security needs of the various systems, based on cost/benefit considerations.

Personal Data

The Management of the SATEC Group is aware of the importance of proper information handling to achieve an optimal level of customer service today. In particular, there is data necessary for the development of the SATEC Group's business that falls under the legal definition of personal data, requiring special care in its collection, processing, updating, and destruction.

The processing activity record, accessible only to authorized individuals, contains the affected files and corresponding responsible parties. All information systems of the SATEC Group will comply with security levels based on the classification of information and the requirements set by regulations for the nature and purpose of personal data collected in the aforementioned processing activity record.

Third Parties

In cases where the SATEC Group provides services to other entities or handles data and information from other organizations, they will be informed and involved in this Security Policy, establishing necessary communication channels as well as defining procedures for disaster or security incident management.

Likewise, when the SATEC Group requires services from third parties or transfers information, the applicable requirements outlined in this Policy and its related procedures and policies will be communicated to them, making third parties subject to the obligations established in this regulation. It must always be ensured that personnel involved in the service delivery are knowledgeable and aware of their responsibilities.

Staff Obligations

The Management of the SATEC Group expressly acknowledges and approves the policy and all related matters, ensuring that staff are aware of it and assume it as part of their job responsibilities.

Policy Development and Review

This policy is developed in the SATEC Group's Cybersecurity Policy document and the various established security procedures.

The adequacy of this policy will be reviewed at least once a year as part of the Management Review.

In Madrid, May 10, 2023

Teresa Taubmann Urquijo

General Manager of SATEC