Information Security Policy
- The Information Security Policy of CASA TARRADELLAS aims to establish a series of measures to guarantee the security of the information that is treated in the company.
Objective
The information processed at CASA TARRADELLAS is an asset with great value for the organization and consequently it is necessary that it is duly protected. For these purposes, measures must be implemented to guarantee the following aspects:
- Availability: ensure that users can access information when they need it.
- Integrity: ensure that information is complete and accurate.
- Confidentiality: ensure that the information is only accessible to authorized users.
- Business strategy: information is one of the most important assets for companies insofar as it contains confidential data of strategic value to the company. In this sense, the information must be duly protected to guarantee the protection of the business.
- Compliance with regulations and contracts: ensuring information security is also essential to ensure compliance with contractual commitments as well as current regulations.
- Security against threats: in an environment increasingly threatened by attacks on information systems, it is essential to implement policies to control and restrict unauthorized access.
Measures to be implemented
Through the Information Security Policy and the other policies that hang on it, a series of measures are intended to be implemented with the aim of guaranteeing this information security. These measures are oriented in a series of principles provided for in the Information Security Policy and which by way of summary are the following.
- Ensure compliance of all information systems with applicable regulations, both external and internal
- Manage the risk so that they reach an acceptable level
- Carry out staff training and awareness tasks
- Guarantee the availability, integrity and confidentiality of the company’s information and data
- Establish measures that are proportional to the identified risks
- Make clear the responsibility of all members and collaborators of the company with regard to information security
- Recurrently review the degree of effectiveness of the controls and thus establish a process of continuous improvement
Roles and responsibilities
Information security is everyone’s business and, in this sense, all of us who are part of CASA TARRADELLAS have the responsibility to implement the measures that are necessary to guarantee this security, among which the following are mentioned:
- Keep professional secrecy regarding the information of CASA TARRADELLAS as well as with respect to the personal data to which you have access
- Do not transfer confidential information or personal data to third parties without the necessary authorization
- Report any incident detected to affect information security
- Ensure that information and personal data are properly stored securely, including information on a physical medium which must be stored in closed cabinets (trying in any case to limit the use of information on physical media)
- Use corporate devices only for professional purposes and following the indications of access and use indicated by the company
Without prejudice to the foregoing, CASA TARRADELLAS has defined the following roles and responsibilities responsible for ensuring information security:
- Security Committee: body responsible for promoting, controlling, and monitoring compliance with the security measures necessary to guarantee information security. It also acts as a point of contact with the competent authorities in case incidents are detected.
- ICT Systems Manage: develop, operate, and maintain the information system and implement the necessary security measures.
- Owner of the Asset: ensure compliance with the security measures that are implemented as well as report incidents that are detected and propose improvements.
- Legal Services: ensure compliance with current regulations on data protection and information security.
Specific Policies
Within the framework of the Information Security Policy, the following most relevant specific policies have been defined on specific measures that are mandatory for all users:
- Access control: limiting access to assets and information to prevent unauthorized access.
- Classification of information: guarantee the correct protection of information according to its nature and degree of sensitivity.
- Physical and environmental security: guarantee unauthorized access as well as losses, damages, thefts, and compromise of the company’s physical and digital assets.
- User-oriented measures: ensure that there is (i) adequate use of assets, (ii) a clean workplace to avoid loss of information, (iii) that information is exchanged securely, (iv) guarantee security in the use of corporate devices, (v) control the installation and use of appropriate software to guarantee their security.
- Making copies and continuity plans: guarantee that the company owns and maintains secure backup copies of the information if it is necessary to resort to them in case of incident.
- Prevention and detection of viruses and other malicious software: ensure the installation and use of programs to protect the organization against viruses or malicious software.
- Management of technical vulnerabilities: adopt measures to address technical vulnerabilities in their applications.
- Cryptographic controls: the use of cryptographic controls to protect the confidentiality and integrity of information.
- Security in communications: protect the information stored on the network.
- Privacy and protection of personal information: ensure compliance with data protection regulations.
- Relationship with suppliers: guarantee that all these measures are also complied with respect to suppliers.
The implementation of information security measures also protects the following assets:
