Bizneo depends on information systems. These systems are diligently managed, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity or traceability of the information processed and the services provided.
Aware of the importance of information security, and in line with the path that marks our own identity, Bizneo has promoted the establishment of an information security management system (hereinafter, ISMS) under the ISO 27001 standard and according to the requirements of Royal Decree 311/2022, of May 3rd, which regulates the National Security Scheme in the field of Electronic Administration (hereinafter, ENS) in order to identify, evaluate and minimize the risks to which its information and that of its customers is exposed, as well as to ensure compliance with the established objectives.
The purpose of this Security Policy is to ensure the quality of information and the continued provision of services, acting preventively and monitoring daily activity, as well as to provide a framework for the establishment of security objectives that allow Bizneo to develop a company culture, a way of working and a way of making decisions in which information security and respect for personal data are a constant.
Information systems are protected against rapidly evolving threats whose potential damage affects the confidentiality, integrity, availability, intended use (traceability) and value (authenticity) of information and services. To defend against these threats, a strategy has been defined that adapts to changes in environmental conditions to ensure the continuous provision of our services.
Bizneo's different departments ensure that security is an integral part of each stage of the system's life cycle, from its conception to its decommissioning, including development or acquisition decisions and operation activities.
Bizneo is prepared to prevent, detect, react to and recover from incidents, in accordance with Article 12 of the ENS, and has therefore acted to strengthen the following aspects of information security:
Legal and Regulatory Framework
Bizneo shall conduct its activities in accordance with the legal and regulatory framework in force. It is committed to comply with all relevant laws and regulations related to information security, including but not limited to those indicated in the document "ISMS Applicable Legislation".
Bizneo integrates ENS and ISO 27001 into the organization's security policy to provide a more complete and robust structure to address specific aspects of information security, both nationally and internationally. In addition, the adoption of these standards enhances the company's credibility, demonstrating its commitment to security best practices.
Security Organizational Framework
This security policy has been established in accordance with the basic principles outlined in Chapter II of Royal Decree 311/2022 and has been developed by applying the following minimum requirements:
Security organization
Bizneo has identified and defined the security roles and functions necessary to ensure the protection of information. Each role has clearly defined responsibilities (see ENS Responsibilities, Authority and Competence).
Bizneo has appointed a Security Committee that will oversee the monitoring and compliance of the ISMS. The Security Committee is formed by corporate and responsibility positions within the organization. The list of constituent members of the Security Committee is defined in the procedure created for this purpose (PS00 - ISMS Manual). The Security Committee will have the following functions and responsibilities:
• Coordinate all activities related to ICT security.
• Draft the Security Policy.
• Create and approve the regulations framing the use of ICT services.
• Approve the procedures related to the use of ICT services.
• Approve the training and qualification requirements for administrators, operators and users from an ICT security perspective.
Furthermore, the functions and responsibilities of the Security Officer, Information Officer, and Service Officer have been defined, as well as their relationship with the Security Committee.
To describe the process and hierarchy for resolving authority conflicts that may occur during the management of the ENS among critical profiles with security responsibilities, Bizneo has defined the conflict-resolution functions of the responsible parties; these apply to all specific ENS management profiles (ENS Responsibilities, Authority, and Competence).
The Information Security Officer, the Service Officer, and the Information Officer will be appointed by Management upon the proposal of the Security Committee. These appointments will be reviewed every 2 years or when the position becomes vacant.
The following organizational chart shows the positions with functions or responsibilities related to information security. Escalation in the absence of any of these responsible parties will follow the hierarchical lines indicated in this diagram.
Risk analysis and management
All systems subject to this Policy have been evaluated through a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:
• regularly, at least once a year
• when the information handled changes
• when the services provided change
• when a serious security incident occurs
• when serious vulnerabilities are reported
System categorization
Bizneo, through the drafting of the corresponding procedure (PS00 - ISMS Manual), has defined the criteria to determine the required level of security in each dimension. For this purpose, the essential elements, information and services are analyzed, and the criteria that the person responsible for each type of information and each service applies revolve around them; the authority to determine the system category belongs to that responsible party.
The National Security Scheme establishes in its Annex II security measures conditioned to the assessment of the security level in each dimension and the security category (article 40) of the respective information system. In turn, the security category of the system is calculated based on the highest security level of the evaluated dimensions.
Personnel management and professionalism
All Bizneo members are obligated to know and comply with this Information Security Policy and the Security Regulations, with the Security Committee being responsible for implementing the necessary measures to ensure the information reaches those affected.
All employees will receive a security awareness session at least once a year. Additionally, a continuous awareness program will be established to sensitize all Bizneo members, particularly new hires, which aligns with other implemented standards.
The staff dedicated to security tasks is appropriately qualified, given the sensitivity and complexity of some of these tasks. This applies to all phases of the security process lifecycle (installation, maintenance, incident management, and dismantling). To this end, the staff receives the specific training necessary to ensure the security of information technologies applicable to systems and services subject to the ENS.
Logically, the same internal requirements must be demanded from any provider offering security-related services. To this end, Bizneo has promoted a procedure for evaluating providers to ensure a security level similar to that required by the entity.
Authorization and access control
The first step to ensuring that information and systems are protected is to limit access to them. Therefore, it has been defined who, and to what extent, will have access to resources, so that each person has the necessary access to perform their tasks, but not to equipment or data that should not be within their reach.
Additionally, Bizneo information systems have authorization mechanisms to allow access, deny it, and revoke it when necessary.
Facility protection
The facilities are protected against damage that could affect the systems they house and against unauthorized access. Access to our facilities is secured and regulated by the procedure established for this purpose.
Acquisition of security products and contracting of security services
Bizneo establishes business and information security requirements for its information systems, whether they are new or existing systems that are expanded or improved.
Thus, any new acquisition of security products and services that may affect the ISMS must be evaluated beforehand, from the perspective of its functional and required security requirements. After validation, formal testing of the product will proceed, indicating whether it meets the requirements.
Any contracted service must be evaluated before its production release to ensure it meets the minimum security requirements defined in this Information Security Policy and the current Security Regulations.
Least privilege
The Information Security System implemented at Bizneo follows the Principle of Least Privilege, which grants system users the minimum access levels (or permissions) necessary to perform their functions, aiming to restrict access to information and resources only to what is strictly necessary to fulfill a specific task.
This principle of least privilege ensures that each part (whether a process, user, or program) can only access what is essential for its legitimate purpose, not granting unnecessary privileges. However, this principle is not limited to human user access but also applies to applications, systems, or connected devices that require privileges to perform necessary tasks.
By limiting privileges, exposure to cyber-attacks is reduced, and “privilege accumulation” is avoided.
System integrity and updating
To always ensure the integrity of information systems, any physical and logical change is made only after formal approval and through a formal procedure.
To this end, systems are updated in a controlled manner according to the required security state at any given time. Changes in manufacturer specifications, the emergence of new vulnerabilities, the issuance of updates and patches affecting the systems are analyzed to take the necessary measures to prevent the degradation of systems or their security level, managing the risks introduced by the changes to be made.
A significant part of the information lifecycle corresponds to its storage and transport. Information must be protected at all times. To this end, appropriate procedures have been developed, covering both electronic and paper-based information, as well as policies for handling and processing information.
Protection with respect to other interconnected information systems is a crucial aspect for Bizneo. Measures have been established to ensure security when information systems connect, considering aspects such as perimeter protection, access control and proper activity logging to detect possible anomalies or unusual behaviors in the interconnection.
Any connection to or from interconnected services will be made following the guidelines defined in the CCN-STIC guides published for this purpose.
Activity logging and malware detection
The company monitors its information and information-processing systems, logging events as security incidents and reviewing the operation and failure logs of its systems to identify problems. Bizneo's system usage monitoring activities respect legal privacy requirements and are used to verify the effectiveness of implemented security controls and compliance with access control policies.
Additionally, corporate equipment, through the use of next-generation antivirus with centralized management, has tools for protection, detection, recovery, and elimination of malicious code.
Security incidents
Bizneo management has established a formal notification procedure by which all personnel must report security-related incidents through the established channel immediately and without delay. This ensures a quick and effective response to security incidents and weaknesses.
Business continuity
The company has established a procedure to address interruptions in business activity, to protect critical processes from the effects of significant failures in information systems and to ensure their immediate restoration. For this purpose, a business continuity plan (see PROSI-11 Business Continuity Plan) has been implemented to reduce the impact on Bizneo's infrastructure, and consequently on the company, and to recover information assets (whether affected by accidents, equipment failure, deliberate acts, etc.), so that the department's processes reach an acceptable level of continuity through corrective and preventive recovery measures.
Continuous improvement of the security process
Management establishes as the main criterion for risk assessment the evaluation of the confidentiality, integrity and availability of critical information of the company and its clients, as well as the assurance of its traceability and authenticity.
Thus, it is committed to developing, implementing, maintaining, and continuously improving this Security Policy and its Management System with the goal of continuous improvement in the way services are provided and information is handled.
Personal data
Bizneo processes personal data. In this regard, and in compliance with current data protection legislation, considering the state of the art, implementation costs, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, Bizneo has applied appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which includes, among others:
• the pseudonymization and encryption of personal data;
• the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
Documentation and Communication
This Information Security Policy will be available as documented information and communicated within the organization. Additionally, it will be shared with relevant interested parties, such as authorities, operators, and public transport users, as appropriate.
Review and Update
This policy will be reviewed annually or sooner if there are significant changes in Bizneo's operational or technological environment. Management is committed to keeping this policy aligned with the company's objectives and applicable information security requirements.
This Information Security Policy will always be aligned with the company's general policies and those that serve as a framework for other internal management systems, such as quality policies.
Madrid, April 30, 2024
Santiago Salas
CEO Bizneo