Information security policy

1. Declaration of principles

Multiple Studio SL is a company dedicated to offering specialized graphic design services in the areas of Branding, Audiovisual, Photography, Editorial and Digital. To this end, it assumes values that it considers essential to achieve its objectives, such as the preservation of information and personal data, both its own and that of other interested parties, and the professional and personal development of all members of its work team.

Due to our activity, at Multiple Studio SL we are aware that information is an asset with high value for our organization and, therefore, requires adequate protection and management in order to provide continuity to our line of business and minimize possible damage caused by failures to the integrity, availability and confidentiality of the information. Likewise, both the current legislation regarding the protection of personal data (RGPD and LOPDGDD) and the commitment of Multiple Studio SL to our clients make us especially sensitive to the processing of personal data to which we have access in the exercise of our activity.

To this end, Multiple Studio SL establishes a set of management activities that aim to preserve the principles of Confidentiality, Integrity, Availability, Authenticity, Traceability and Regulatory Compliance of information. These principles are defined as follows:

  • Confidentiality: the property that guarantees that access to information can only be exercised by authorized persons.
  • Integrity: the property of safeguarding the accuracy and completeness of information assets.
  • Availability: the quality that guarantees that authorized people can access the information and process it whenever it is necessary.
  • Authenticity: the property or characteristic that an entity is who it claims to be, or that guarantees the source from which the data comes.
  • Traceability: the property or characteristic that the actions of an entity can be attributed exclusively to said entity.
  • Regulatory Compliance: the property that ensures that the information is managed in accordance with the ethical, professional and legal principles established by the regulations that are applicable in each context.

 

Systems must be protected against rapidly evolving threats with the potential to impact information and services. Defending against these threats requires a strategy that adapts to changes in environmental conditions to ensure continued service delivery.

This implies that the different departments must apply the minimum security measures required by the National Security Scheme and voluntary regulations such as ISO 27001, as well as continuously monitor the levels of service provision, follow and analyze the reported vulnerabilities, and prepare an effective response to incidents to ensure continuity of the services provided.

The different departments of the organization must ensure that security is an integral part of each stage of the system life cycle, from its conception to its decommissioning, through development or acquisition decisions and exploitation activities. Security requirements and financing needs must be identified and included in planning, requests for offers, and bidding documents for ICT projects.

Departments must be prepared to prevent, detect, react and recover from incidents, according to Article 8 of the ENS.

Within the protection of the above, the protection of privacy is embedded. Our systems process sensitive personal data and therefore privacy protection stands as an essential pillar of the ISMS framework and constitutes a social need that companies must respect and protect, as well as the object of specific legislation and/or regulation throughout the world.

1.1. General objectives

The Security Policy provides the bases to define and delimit the objectives and responsibilities for the various technical, legal and organizational actions required to guarantee the security of information and privacy, complying with the applicable legal framework and the firm's global and specific policies, as well as the defined procedures.

These actions, from the point of view of security and privacy, are selected and implemented based on the risk analysis and the balance between acceptable risk and the cost of the measures.

The objective of the Security Policy is to establish the framework of action necessary to protect information and data resources against threats, internal or external, deliberate or accidental.

The information and data may exist in a variety of formats, on electronic, paper or other media, and sometimes include critical data about the operations, strategies or activities of Multiple Studio SL and of its clients and even, where appropriate, sensitive data as defined by the personal data protection regulations. The loss, corruption, or theft of information or of the systems that manage it has a high impact on our company.

Multiple Studio SL is convinced that effective management of Information Security and Privacy is an enabling element for the organization to fully understand and act appropriately on the risks to which the information is exposed, as well as to be able to respond and adapt efficiently to the growing requirements of regulatory bodies, laws and, of course, its clients.

 

1.2. Commitment of Senior Management

The purpose of the Information Security Management System is to guarantee that information security and privacy risks are known, assumed, managed and minimized in a documented, systematic, structured, repeatable and assumable way, adapted to the changes that occur in risks, the environment and technologies.

To this end, the management declares the commitment of Multiple Studio SL to:

  • Apply the principle of continuous improvement to all the organization’s processes, with the additional objective of achieving the highest degree of customer satisfaction.
  • Ensure compliance with applicable legal and regulatory requirements (particularly those relating to the protection of personal data), as well as those that the organization has voluntarily assumed in the development of Corporate Social Responsibility and the Code of Conduct.
  • Enhance the participation, communication, information and training of the professional team with the aim of making them feel involved in the work of the organization as a whole.
  • Promote the commitment of responsibility among the team members in accordance with the quality requirements, as well as those related to the privacy and security of information agreed both internally and with clients, through adequate and regular training and awareness-raising actions.
  • Ensure business continuity by developing continuity plans in accordance with recognized methodologies.
  • Perform and periodically review a risk analysis based on recognized methods that allow us to establish the level of both personal data privacy and information security, at a general level and for the projects and services in progress, and minimize risks by developing specific policies, technical solutions and contractual agreements with specialized organizations.
  • Keep interested parties informed.
  • Select suppliers and subcontractors based on criteria related to privacy and information security.

With specific regard to the protection of personal data, Multiple Studio SL undertakes to comply with the principles indicated in the reference legislation.

These are:

  • Principle of “legality, transparency and loyalty”. The data must be processed in a lawful, fair and transparent manner for the interested party.
  • Principle of “purpose”. The data must be processed for one or more specific, explicit and legitimate purposes and, conversely, it is prohibited for data collected for specific, explicit and legitimate purposes to be subsequently processed in a manner incompatible with those purposes.
  • Principle of “data minimization”. Apply technical and organizational measures to guarantee that only the data necessary for each of the specific purposes of the processing is processed, reducing the extent of the processing and limiting the retention period and its accessibility to what is necessary.
  • Principle of “accuracy”. Have reasonable measures so that the data is updated, deleted or modified without delay when it is inaccurate with respect to the purposes for which it is processed.
  • Principle of “limitation of the conservation period”. The conservation of data must be limited in time to the achievement of the purposes pursued by the processing.
  • Principle of “security”. Carry out a risk analysis aimed at determining the technical and organizational measures necessary to guarantee the integrity, availability and confidentiality of the personal data processed.
  • Principle of “active responsibility” or “demonstrated responsibility”. Maintain ongoing due diligence to protect and guarantee the rights and freedoms of natural persons whose data is processed, based on an analysis of the risks that the processing represents for those rights and freedoms, so that we can guarantee and demonstrate that the processing complies with the provisions of the RGPD and the LOPDGDD.
  • Direct, support and supervise the information security management system, as established in RD 311/2022 and subsequent modifications, as well as in ISO 27001, and seek to achieve its objectives.

The management of Multiple Studio SL is committed to supporting and promoting the principles established in this Policy, for which it asks the staff of Multiple Studio SL to assume and abide by the provisions of the documented management system for the ENS.

 

1.3. Security Policy Development

This Security Policy complements the security policies of Multiple Studio SL in different matters and will be developed through security regulations that address specific aspects. The security regulations will be available to all members of the organization who need to know them, in particular to those who use, operate or manage information and communications systems.

The documentation related to Information Security will be classified into three levels, so that each document at one level is based on those at a higher level:

  • First level: Security policy.
  • Second level: Security regulations and procedures.
  • Third level: Reports, records and electronic evidence.

2. Declaration of principles

2.1. Prevention

Departments must avoid, or at least prevent to the extent possible, information or services from being harmed by security incidents. To do this, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.

To ensure compliance with the policy, departments must:

  • Authorize the systems before starting operation.
  • Regularly assess security, including assessment of routine configuration changes.
  • Request periodic review by third parties in order to obtain an independent evaluation.

2.2. Detection

As services can rapidly degrade due to incidents, ranging from a simple slowdown to a complete stop, operations must be continuously monitored to detect anomalies in service delivery levels and to act accordingly, as set out in Article 9 of the ENS.

Monitoring is especially relevant when lines of defense are established in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms will be established that reach those responsible regularly and whenever a significant deviation occurs from the parameters that have been pre-established as normal.

2.3. Response

Departments must:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications regarding incidents detected in other departments or in other organizations.
  • Establish protocols for the exchange of information related to the incident. This includes two-way communications with Emergency Response Teams (CERT).

2.4. Recovery

To ensure the availability of critical services, departments should develop systems continuity plans as part of their overall plan for business continuity and recovery activities.

 

2.5. Security Organization

This policy applies to all Multiple Studio SL systems and to all members of the organization, without exceptions.

Multiple Studio SL is committed to providing its services in a managed manner and complying with the requirements established in its Integrated Management System, so that an uninterrupted service is guaranteed in accordance with the requirements of availability, security and quality towards the clients.

Due to our activity, at Multiple Studio SL we know that information is an asset with a high value for our organization and especially for our clients, and therefore requires adequate protection and management in order to provide continuity to our line of business and minimize possible damage caused by failures in Information Security.

To do this, the organization will:

  • Adequately protect the confidentiality, availability, integrity, authenticity and traceability of its information assets by introducing a series of controls to manage relevant security risks.
  • Prioritize the protection and safeguarding of its customers and customer data as a business priority.
  • Establish, implement, monitor, maintain and continually improve its information security management as part of its broader business management approach, and maintain accredited certification to appropriate standards.
  • Manage any information security breaches in a timely and responsible manner, and invest in appropriate detection, response and remediation strategies.
  • At planned intervals, test its information security controls and its responses to scenarios that may pose a threat to its operations.
  • Provide appropriate resources to the organization to establish, maintain and improve the security environment as appropriate to the changing risk landscape.
  • Invest in staff competencies to carry out their tasks and provide staff with appropriate training and awareness relevant to their role and the information they have access to.
  • Ensure that its suppliers and partner organizations do the same, and that they establish and enforce security standards for those to whom they transmit any information.

2.6. Security Committee

The members of the Security Committee will be designated in a founding document, which will indicate the designated person and the position they must hold.

The Secretary of the Security Committee will be the Security Manager and will have the following functions:

  • Convene the meetings of the Security Committee.
  • Prepare the topics to be discussed at Committee meetings, providing timely information for decision-making.
  • Prepare the minutes of the meetings.
  • Be responsible for the direct or delegated execution of the Committee’s decisions.

The Security Committee will report to the General Director.

The Security Committee will have the following functions:

  • Address the concerns of Senior Management and the different departments.
  • Regularly report on the status of information security to Senior Management.
  • Promote continuous improvement of the information security management system.
  • Develop the Organization’s evolution strategy regarding information security.
  • Coordinate the efforts of the different areas in terms of information security, to ensure that the efforts are consistent, aligned with the strategy decided on the matter, and avoid duplication.
  • Prepare (and regularly review) the Security Policy for approval by Management.
  • Approve the information security regulations.
  • Coordinate all security functions of the organization.
  • Ensure compliance with applicable legal and sector regulations.
  • Ensure the alignment of security activities with the organization’s objectives.
  • Coordinate the Continuity Plans of the different areas, to ensure seamless action in case they must be activated.
  • Coordinate and approve, where appropriate, the project proposals received from the different security areas, being responsible for managing regular control and presentation of the progress of the projects and announcing possible deviations.
  • Receive security concerns from the entity’s Management and transmit them to the relevant departmental managers, obtaining from them the corresponding responses and solutions that, once coordinated, must be communicated to the Management.
  • Obtain regular reports from departmental security managers on the status of the organization’s security and possible incidents. These reports are consolidated and summarized for communication to the entity’s Management.
  • Coordinate and respond to concerns transmitted through those responsible for departmental security.
  • Define, within the Corporate Security Policy, the assignment of roles and the criteria to achieve the relevant guarantees regarding segregation of functions.
  • Develop and approve the training and qualification requirements for administrators, operators and users from the point of view of information security.
  • Monitor the main residual risks assumed by the Organization and recommend possible actions regarding them.
  • Monitor the performance of security incident management processes and recommend possible actions regarding them. In particular, ensure the coordination of the different security areas in the management of information security incidents.
  • Promote the performance of periodic audits that allow verification of compliance with the organization’s security obligations.
  • Approve plans to improve the Organization’s information security. In particular, it will ensure the coordination of the different plans that may be carried out in different areas.
  • Prioritize security actions when resources are limited.
  • Ensure that information security is taken into account in all projects from their initial specification to their start-up. In particular, it must ensure the creation and use of horizontal services that reduce duplication and support the homogeneous functioning of all ICT systems.
  • Resolve responsibility conflicts that may arise between different managers and/or between different areas of the Organization.

2.6.1. Roles: Functions and responsibilities

Information Manager

  • Ultimate responsibility for the use made of certain information and, therefore, for its protection.
  • Ultimately responsible for any error or negligence that leads to an incident of confidentiality or integrity (in terms of data protection) or availability (in terms of information security).
  • Establish the information security requirements.
  • Determine and approve information security levels.
  • Approve the categorization of the system with respect to information.
  • Those that are indicated in the documents within the scope of the ENS.

Service Manager

  • Establish the service requirements regarding security.
  • Determine the security levels of the services.
  • Approve the categorization of the system with respect to services.
  • Those that are indicated in the documents within the scope of the ENS.

Security Manager

Its functions will be the following:

  • Maintain the security of the information managed and the services provided by the information systems in their area of responsibility, in accordance with the provisions of the organization’s Information Security Policy.
  • Promote training and awareness on information security within their area of responsibility.
  • Approve the applicability statement.
  • Channel and supervise both compliance with the security requirements of the service or solution provided and the communications related to information security and incident management within the scope of said service (point of contact, POC).
  • Those that are indicated in the documents within the scope of the ENS.
  • The Security Manager will be the secretary of the Security Committee, with the functions indicated in section 3.5.1 of this policy.
  • In accordance with the principle of “segregation of functions and tasks” included in art. 10 of the ENS, the Security Manager will be a different person from the System Manager.

System Manager

Its functions will be the following:

  • Develop, operate and maintain the information system throughout its life cycle, including its specifications, installation and verification of its correct operation.
  • Define the topology and management of the information system, establishing the criteria for use and the services available therein.
  • Ensure that security measures are appropriately integrated into the overall security framework.
  • Have the power to propose the suspension of the processing of certain information or the provision of a certain service if serious security deficiencies are detected that could affect the satisfaction of the established requirements.
  • Those that are indicated in the documents within the scope of the ENS.

Privacy Manager

Its functions will be the following:

  • Coordinate all aspects related to the adequacy of MULTIPLE STUDIO SL’s actions regarding the protection of personal data.
  • Coordinate, together with the Security Manager, compliance with the ENS with respect to the protection of personal data.

2.6.2. Appointment procedures

 

The Security Manager will be appointed by the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant.

Likewise, the rest of the positions indicated in the previous section will be appointed by the Security Committee through meeting minutes.

2.6.3. Security Policy Review

The Security Committee’s mission will be the annual review of this Security Policy and the proposal for its revision or maintenance. The Policy will be approved by Senior Management and disseminated so that all affected parties are aware of it.

 

2.7. Personal data

Multiple Studio SL, in providing its service, processes especially sensitive personal data.

The related documentation, to which only authorized persons will have access, includes the records of the processing activities concerned and the corresponding data controllers. All information systems of Multiple Studio SL will comply with the security levels required by regulations for the nature and purpose of the personal data.

2.8. Risk management

All systems subject to this Policy must undergo a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be repeated:

  • Regularly, at least once a year
  • When the information managed changes
  • When the services provided change
  • When a serious security incident occurs
  • When serious vulnerabilities are reported

To harmonize risk analyses, the Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The Security Committee will promote the availability of resources to meet the security needs of the different systems, favouring horizontal investments.

 

2.9. Personnel obligations

All members of Multiple Studio SL have the obligation to know and comply with this Security Policy and the Security Regulations, and it is the responsibility of the Security Committee to provide the necessary means so that the information reaches those affected.

All members of Multiple Studio SL will attend an information security awareness session at least once a year. A continuous awareness program will be established to serve all members of Multiple Studio SL, particularly those newly incorporated.

Persons with responsibility for the use, operation or administration of systems will receive training in the secure operation of the systems to the extent they need it to perform their jobs. Training will be mandatory before assuming a responsibility, whether it is a first assignment or a change of job or of responsibilities therein.

2.10. Third parties

When Multiple Studio SL provides services to other public or private organizations or handles information from other public or private organizations, they will be made participants in this Security Policy, channels will be established for reporting and coordination between the respective Security Committees, and action procedures will be established to react to security incidents.

When Multiple Studio SL uses third-party services or transfers information to third parties, they will be made participants in this Security Policy and in the Security Regulations that apply to said services or information. Said third party will be subject to the obligations established in said regulations, and may develop its own operating procedures to satisfy them. Specific procedures for reporting and resolving incidents will be established. It will be ensured that third-party personnel are adequately security-aware, at least to the same level as that established in this Policy.

When any aspect of the Policy cannot be satisfied by a third party as required in the previous paragraphs, a report from the Security Manager will be required that specifies the risks incurred and how to treat them. Approval of this report by those responsible for the affected information and services will be required before moving forward.

 

3. Applicable legislation

The laws that are considered applicable to the ISMS are detailed below, along with the area responsible for evaluating their impact on the organization.

| Law / Regulation | Responsibility |
| --- | --- |
| Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations | Legal Advice |
| Law 40/2015, of October 1, which establishes and regulates the bases of the legal regime of Public Administrations, the principles of the system of responsibility of Public Administrations and the sanctioning power, as well as the organization and operation of the General Administration of the State and its institutional public sector for the development of its activities | Legal Advice |
| Royal Decree 311/2022, of May 3, which regulates the National Security Scheme | Legal Advice |
| Organic Law 1/2015, of March 30, which modifies Organic Law 10/1995, of November 23, of the Penal Code | Legal Advice |
| Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, relating to the protection of natural persons with regard to the processing of personal data and the free circulation of these data | Legal Advice |
| Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights | Legal Advice |
| Law 34/2002 on Information Society Services (LSSI) | Legal Advice |
| Law 22/11, of 11/11/1987, on Intellectual Property | Legal Advice |