Security policy

Introduction

LIBELIUM COMUNICACIONES DISTRIBUIDAS S.L., hereinafter LIBELIUM, has always shown concern and care for standardisation, maintenance and security in its products, architectures and projects. This concern is reflected in the company’s Mission, Vision and Values as a fundamental basis for all the work carried out by all staff.

With the implementation of the ISO 27001 Information Security standard and the National Security Scheme ENS, this concern is complemented by formalising it for clients and suppliers and covering all aspects of security and privacy applicable to the organisation.

This policy not only covers the privacy aspects of the organisation but also extends these aspects in accordance with the minimum requirements of the ENS.

Objectives

Information security aims to ensure the quality of information and the continuous provision of services, acting preventively and monitoring daily activity, and reacting quickly and efficiently to incidents.

Information and communication technology (ICT) security is essential to protect information and ensure the continuous provision of services. To cope with constantly evolving threats, an adaptive strategy and the implementation of security measures in accordance with the National Security Scheme are required.

The Corporate Security Committee must ensure that ICT security is integrated into all stages of the lifecycle of information products and systems, from conception to retirement, to maintain the integrity and availability of the services provided.

All corporate staff must be prepared to detect and report incidents to the security management body, so that action can be taken in accordance with Article 7 of the ENS and incidents can be prevented, reacted to and recovered from.

Prevention

All corporate information users should strive to prevent security incidents that could affect information or services. To achieve this, the security officer and the security management body should implement the minimum security measures established by the ENS and any additional controls identified in a threat and risk assessment. It is crucial that the security controls and responsibilities of all staff are clearly defined and documented. To ensure compliance with the policy, you should:

  • Authorise systems before going into operation.
  • Regularly assess security, including assessments of configuration changes made on a routine basis.
  • Request a periodic review of systems, which may be carried out by an authorised external party where necessary.

Detection

Services can degrade rapidly due to incidents. Therefore, core services should be continuously monitored to detect anomalies in service provision levels and act accordingly, as set out in Article 9 of the ENS.

Monitoring is especially relevant when establishing lines of defence in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms shall be established that reach the responsible parties regularly and when there is a significant deviation from the pre-established parameters.

Response

All users of information systems shall:

  • Notify any incident related to the systems’ dimensions (availability, confidentiality or integrity) within their scope using the means established for this purpose.
  • Provide any information relevant to improving the security or operability of the systems to the body responsible for administering the systems.

The security management body, led by the security officer, shall:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications regarding incidents detected in information systems.
  • Establish protocols for the exchange of information related to the incident. This includes two-way communications with Emergency Response Teams (CERTs).

Recovery

To ensure the availability of critical services, the Security Officer, supported by the Corporate Security Committee, shall develop ICT systems continuity plans as part of the overall business continuity plan and recovery activities.

Scope

The ISO 27001 scope applies to: “Information Security Management System supporting the development, manufacturing and maintenance activities of innovative products (IoT hardware, Cloud On-premise or SaaS platform). In accordance with the statement of applicability Revision 02”.

The Scope of the ENS High category applies to: “The Information System that supports the consulting, design, deployment (on-premise or SaaS) and support of the monitoring, data analysis and visualisation service for the platforms provided to our customers”.

Regulatory framework

LIBELIUM is subject to the following regulations in the provision of the services provided to its clients:

  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), applicable to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be contained in a file.
  • Occupational Risk Prevention Law 31/1995 of 8 November 1995 and Royal Decree 39/1997 of 17 January 1997, approving the Prevention Services Regulations.
  • The applicable collective bargaining agreement, corresponding to “Oficinas y Despachos”.
  • Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
  • RD-ley 13/2012 of 30 March, law on cookies.
  • Royal Legislative Decree 1/1996, of 12 April, approving the revised text of the Intellectual Property Law, regularising, clarifying and harmonising the legal provisions in force on the matter.
The reference framework that provides legal coverage for this document is established in the following sections of Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme (hereinafter, ENS):

  • ENS. Article 12. Organisation and implementation of the security process: Security shall involve all members of the organisation. The security policy as detailed in Annex II, section 3.1, shall identify those clearly responsible for ensuring compliance and shall be known by all members of the administrative organisation.
  • ENS. Annex II. Security Measures, Organisational Framework [org], Security Policy [org.1].

Security Organization

Corporate Security Committee

The Corporate Security Committee shall comprise the person responsible for information and service, the person responsible for the system, the person responsible for security, and at least one additional person responsible for each of the company’s physical locations.

This Committee shall have the following functions:

  • It shall coordinate all activities related to information security.
  • It is responsible for drafting the Security Policy.
  • It is responsible for creating and approving the rules governing the use of information systems.
  • It shall approve the procedures for the use of information systems.
  • It shall approve the training and qualification requirements for administrators, operators and users from the point of view of information systems security.

The Corporate Security Committee shall be responsible for the annual review of this Information Security Policy and for proposing its revision or maintenance. The Policy shall be approved by the same committee and disseminated so that all affected parties know it.

Information officer

The Information Officer is usually a person who holds a senior management position in the organisation. This position is responsible for using certain information and, therefore, for its protection.

The Information Officer is ultimately responsible for any error or negligence leading to a confidentiality or integrity incident.

The ENS assigns the ‘Information Controller’ the power to establish the information security requirements, that is, in ENS terminology, the power to determine the levels of information security (although, in this case, this responsibility will rest with the CIO of the public bodies to which the service is provided).

The determination of security levels in each security dimension should be carried out within the framework established in Annex I of the National Security Scheme. It is recommended that the Security Policy support the assessment criteria insofar as they are systematic, without prejudice to the possibility of particular criteria in individual cases.

Service Responsibility

The ENS assigns to the ‘Head of Service’ the power to establish the security requirements of the service, that is, in ENS terminology, the power to determine the security levels of the services (although, in this case, the responsibility for defining the security levels will rest with the Chief Information Officer of the public bodies to which the service is provided).

The determination of security levels in each security dimension should be carried out within the framework set out in Annex I of the National Security Scheme. It is recommended that the Security Policy support the assessment criteria insofar as they are systematic, without prejudice to the possibility of particular criteria being used in individual cases.

The provision of a service should always address the security requirements of the information it handles (sometimes referred to as ‘inherited requirements’), and usually includes availability requirements, as well as other requirements such as accessibility, interoperability, etc.

Security Officer

The Security Officer should be appointed directly by management to manage and maintain the ISMS, with the support of the security administrators.

His/her responsibilities include maintaining the process of continuous system improvement, working together with the process and service managers. He/she is also responsible for verifying compliance with this Management Manual, detecting any deviations in the system, recommending and channelling improvements, and verifying and evaluating their implementation and effectiveness. With regard to management activities, he/she must plan internal audits and manage incidents relating to the services he/she manages.

The Security Officer is a person appointed by the management who will have the following responsibilities:

  • Maintain and supervise the management of the security of the information handled and of the services provided by the information systems in his/her area of responsibility, in accordance with the provisions of the Organisation’s Security Policy.
  • Promote training and awareness of information security within his/her area of responsibility.

Security administrator

Security administrators are the team in charge of keeping the system operational, maintaining services, managing incidents and acting accordingly on a case-by-case basis. They are responsible for the operational functioning of the Information Systems and the operational management of access to information. They will be led by the Security Manager, who will lead the team and establish the operations.

System Manager

The System Manager should be appointed directly by the management to manage and maintain the ENS.

It should be noted that the System Manager will be responsible for, among other duties:

  • Developing, operating and maintaining the Information System throughout its life cycle, its specifications, installation and verification of its correct functioning.
  • Defining the topology and management system of the Information System, establishing the criteria for its use and the services available in it.
  • Ensuring that the specific security measures are properly integrated within the general security framework.

The System Manager may agree to suspend the handling of certain information or the provision of a certain service if he/she is informed of serious security deficiencies that could affect the satisfaction of the established requirements. Such a decision must be agreed with those responsible for the information concerned, the service concerned and the Security Officer before being implemented.

Information processing

LIBELIUM processes personal data (names, images, email accounts and other personal data) as required by the European General Data Protection Regulation (GDPR), which came into force on 25 May 2018. The GDPR establishes a common legal framework for data protection in all member countries of the European Union (EU) and applies to all organisations that process personal data of individuals within the EU, regardless of their geographical location.

All LIBELIUM’s information systems shall comply with the regulations for the nature and purpose of the personal data covered by the aforementioned Security Document.

The security policy will be available to all interested parties at the following addresses:

Risk Management

All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated in any of the cases listed below:

  • At least once a year.
  • When the type of information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.

To harmonise risk analyses, the Corporate Security Committee shall establish a baseline assessment for the different types of information handled and the services provided.

The Corporate Security Committee shall streamline the availability of resources to meet the security needs of the different systems, promoting horizontal investments.

Obligations of staff

All members of LIBELIUM are obliged to know and comply with this Information Security Policy and the Security Regulations. The Corporate Security Committee is responsible for providing the necessary means to ensure that the information reaches those affected.

All LIBELIUM members shall attend an ICT security awareness session at least once a year. An ongoing awareness programme shall be established to cater to all LIBELIUM members, particularly new recruits.

Persons responsible for the use, operation or administration of ICT systems shall be trained in the secure operation of the systems to the extent that they need it to perform their work. Training shall be mandatory before taking up a responsibility, whether it is their first assignment or a change of job or job responsibilities.

Third parties

When LIBELIUM provides services to other organisations or handles information from other organisations, they shall be made aware of this Information Security Policy; channels shall be established for reporting and coordinating the respective Committees, and procedures shall be established for reacting to security incidents.

When LIBELIUM uses third-party services or transfers information to third parties, they shall be made aware of this Security Policy and the Security Regulations that apply to such services or information. Such third party shall sign and comply with the terms of the agreement. It shall be subject to the obligations outlined in such regulations and may develop its own operating procedures to comply with them.

LIBELIUM will ensure that third-party personnel are adequately trained and security-aware to at least the same level as set out in this Policy. It will also request relevant documentation from the third party to substantiate this if necessary.

Where any aspect of the Policy cannot be satisfied by a third party, as required in the above paragraphs, a report from the Security Officer will be required specifying the risks incurred and how they are to be addressed. Approval of this report will be required from those responsible for the information and services concerned before proceeding.