Bizneo depends on information systems. These systems are managed diligently, with appropriate measures taken to protect them against accidental or deliberate damage that could affect the availability, integrity, confidentiality, authenticity or traceability of the information processed and the services provided.
Aware of the importance of information security, and consistent with its own corporate identity, Bizneo has promoted the establishment of an information security management system (hereinafter, ISMS) under the ISO 27001 standard and according to the requirements of Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (hereinafter, ENS), in order to identify, evaluate and minimize the risks to which its information and that of its customers are exposed, and to ensure compliance with the established objectives.
The purpose of this Security Policy is to guarantee the quality of the information and the continuous provision of services, acting preventively and supervising daily activity, and to provide a reference framework for setting security objectives that allow Bizneo to develop a company culture, a way of working and a way of making decisions in which information security and respect for personal data are a constant.
Information systems are protected against rapidly evolving threats whose potential damage affects the confidentiality, integrity, availability, traceability and authenticity of information and services. To defend against these threats, a strategy has been defined that adapts to changing conditions in order to ensure the continuous provision of our services.
Bizneo's different departments ensure that security is an integral part of every stage of the system's life cycle, from its conception to its decommissioning, including development or acquisition decisions and operation activities.
Bizneo is prepared to prevent, detect, react to and recover from incidents, in accordance with Article 12 of the ENS, and has therefore acted to strengthen the following aspects of information security:
Legal and Regulatory Framework
Bizneo shall carry out its activities in accordance with the legal and regulatory framework in force. It undertakes to comply with all relevant laws and regulations related to information security, including, but not limited to those indicated in the document "ISMS Applicable Legislation".
Bizneo integrates ENS and ISO 27001 into the organization's security policy to provide a more complete and robust structure to address specific aspects of information security, both nationally and internationally. In addition, the adoption of these standards enhances the company's credibility, demonstrating its commitment to security best practices.
Security Organizational Framework
This security policy has been established in accordance with the basic principles set out in Chapter II of Royal Decree 311/2022 and has been developed by applying the minimum security requirements described in the following sections:
Security organization
In accordance with the National Security Scheme (ENS), the organization adopts the following basic principles to ensure information security:
Integral Security
Risk Management
Prevention, Detection and Response
Lines of Defense
Continuous Reevaluation
Roles and Responsibilities
Proportional Security
Documentation and Registration
Bizneo has identified and defined the security roles and functions necessary to ensure the protection of information. Each role has clearly defined responsibilities (see ENS Responsibilities, Authority and Competence).
Bizneo has appointed a Security Committee to oversee the monitoring of, and compliance with, the ISMS. The Security Committee is made up of corporate positions and positions of responsibility within the organization. The list of its members is defined in the procedure created for this purpose (PS00 - ISMS Manual). The Security Committee has the following functions and responsibilities:
Coordinate all activities related to ICT security.
Draft the Security Policy.
Create and approve the rules that frame the use of ICT services.
Approve the procedures for action regarding the use of ICT services.
Approve the training and qualification requirements for administrators, operators and users from the point of view of ICT security.
Likewise, the roles and responsibilities of the Security Manager, the Information Manager and the Services Manager have been defined, as well as their relationship with the Security Committee.
To describe the process and hierarchy for resolving conflicts of authority that may arise during ENS management between critical profiles with security responsibilities, Bizneo has defined the roles for escalating and resolving such conflicts before those responsible; this applies to all specific ENS management profiles (see ENS Responsibilities, Authority and Competence).
The Information Security Manager, the Service Manager and the Information Manager are appointed by Management on the proposal of the Security Committee. These appointments are reviewed every two years or when the position becomes vacant.
The following organization chart shows the positions with functions or responsibilities related to information security. Escalation in the absence of any of these responsible persons follows the hierarchical lines marked in this diagram.
Risk analysis and management
All systems subject to this Policy have been evaluated through a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:
regularly, at least once a year
when the information handled changes
when the services provided change
when a serious security incident occurs
when serious vulnerabilities are reported
System categorization
Bizneo has defined, in the corresponding procedure (PS00 - ISMS Manual), the criteria used to determine the security level required in each dimension. For this purpose the essential elements, namely information and services, are identified, and the person responsible for each type of information and for each service determines, on the basis of those criteria, the security level required in each dimension.
The authority to determine the category of a system lies with the person responsible for that system. The National Security Scheme establishes in its Annex II security measures conditioned on the security level assessed in each dimension and on the security category (Article 40) of the respective information system. The security category of the system, in turn, is derived from the highest security level among the dimensions assessed.
Personnel management and professionalism
All members of Bizneo are obliged to know and comply with this Information Security Policy and the Security Regulations; it is the responsibility of the Security Committee to implement the measures necessary to ensure that this information reaches those affected.
All employees will receive a security awareness session at least once a year. In addition, an ongoing awareness program will be established to sensitize all Bizneo members, particularly new hires, which is aligned with other standards implemented.
Personnel dedicated to security tasks are appropriately qualified, given the sensitivity and complexity of some of these tasks. This applies to all phases of the security process life cycle (installation, maintenance, incident management and decommissioning). To this end, personnel receive the specific training necessary to ensure the security of the information technologies applicable to the systems and services subject to the ENS.
The same requirements that apply internally are also demanded of any supplier providing security-related services. To this end, Bizneo has established a supplier evaluation procedure to ensure a level of security equivalent to that required within the entity.
Authorization and access control
The first step to ensure that information and systems are protected is to limit access to them. For this reason, it has been defined who, and to what extent, will have access to the resources, so that everyone has the necessary access to perform their tasks, but not to equipment or data that should not be within their reach.
Likewise, Bizneo's information systems have authorization mechanisms to grant access and to deny or revoke it when necessary.
Facility protection
The facilities are protected against damage to the systems they house and against access by unauthorized persons. Access to our facilities is secured and is regulated in the procedure established for this purpose.
Acquisition of security products and contracting of security services
Bizneo establishes the business and information security requirements for its information systems, whether they are new or existing and to be expanded or improved.
Thus, any new acquisition of security products and services that may affect the ISMS must first be evaluated from the point of view of functionality and security requirements. After validation, the product will be formally tested to determine whether it complies with the requirements.
All contracted services must be evaluated before being put into production in order to ensure that they comply with the minimum security requirements defined in this Information Security Policy and the Security Regulations in force.
Least privilege
The information security system implemented in Bizneo follows the principle of least privilege, according to which system users are granted only the minimum access levels (or permissions) necessary to perform their functions.
The objective is to restrict access to information and resources to what is strictly necessary to fulfil a specific task.
This principle ensures that each party (whether a process, a user or a program) can access only what is essential for its legitimate purpose and is not granted unnecessary privileges. It is not limited to human user access: it applies equally to applications, systems and connected devices that require privileges to perform necessary tasks.
Limiting privileges reduces exposure to cyber-attacks and prevents "privilege creep", the gradual accumulation of permissions that are no longer needed.
System integrity and updating
To ensure the integrity of the information systems at all times, any physical and logical changes are made only after formal approval and through a formal procedure.
To this end, systems are updated in a controlled manner and according to the security status required at any given time. Changes in manufacturers' specifications, the appearance of new vulnerabilities, the issuance of updates and patches affecting the systems are analyzed in order to take the necessary measures to ensure that the systems and their security level are not degraded, while also managing the risks introduced by the changes to be made.
Protection of stored and in-transit information
A significant part of the information life cycle corresponds to its storage and transport. Information must be protected at all times. Appropriate procedures have been developed for this purpose, covering both electronic and paper-based information, as well as policies for the handling and processing of information.
Prevention against other interconnected information systems
Prevention against other interconnected information systems is a crucial aspect for Bizneo. To this end, measures have been established to ensure security when information systems are connected to each other, taking into account aspects such as perimeter protection, access control or the proper recording of activity in order to detect possible anomalies or unusual behavior in the interconnection.
Any connection to or from interconnected services is made following the guidance in the CCN-STIC guides published for this purpose.
Activity logging and malware detection
The company monitors its information and processing systems, records detected anomalies as security incidents, and reviews the operation and fault logs of its systems to identify the underlying problem. Monitoring of the use of Bizneo's systems respects the legal requirements on privacy and is used to verify the effectiveness of the security controls implemented and compliance with the access control policy.
Likewise, corporate computers, through the use of state-of-the-art antivirus with centralized management, have tools for the protection, detection, recovery and elimination of malicious code.
Security incidents
Bizneo's management has established a formal notification procedure whereby all personnel must report security-related incidents and weaknesses through the established channel immediately and without delay. This ensures a quick and effective response to security incidents and weaknesses.
Business continuity
The company has established a procedure for responding to business interruptions, protecting critical processes from the effects of major failures in information systems and ensuring their prompt restoration. To this end, a business continuity plan has been implemented (see PROSI-11 Business Continuity Plan) to reduce the impact on Bizneo's infrastructure, and consequently on the company, and to recover information assets (whether affected by accidents, equipment failure, deliberate acts, etc.) so that business processes reach an acceptable level of continuity through preventive and corrective recovery measures.
Continuous improvement of the security process
Management, for its part, establishes as the main criterion for estimating its risks the assessment of the confidentiality, integrity and availability of the company's and its customers' critical information, together with the traceability and authenticity of that information.
Thus, it is committed to develop, implement, maintain and continuously improve this Security Policy and its Management System with the objective of continuous improvement in the way they provide their services and in the way they treat information.
Personal data
Bizneo processes personal data. In this sense, and in compliance with current legislation on data protection, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, Bizneo has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include, among others:
the pseudonymization and encryption of personal data;
the ability to ensure the confidentiality, integrity, availability, and resilience of processing systems and services;
the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
Documentation and Communication
This Information Security Policy shall be made available as documented information and communicated within the organization. In addition, it will be shared with relevant stakeholders, such as authorities, operators and users of its services, as appropriate.
Review and Update
This policy will be reviewed annually or earlier if there are significant changes in Bizneo's operating or technological environment. Senior management is committed to keeping this policy aligned with the company's objectives and applicable information security requirements.
This Information Security Policy will always be aligned with the company's general policies and with those that serve as a framework for other internal management systems, such as quality policies.
In Madrid, on July 16, 2024
Santiago Salas
CEO Bizneo