Information Security Policy
1. CONTEXT
For practically all the business processes of the entities that make up PONS, information is the essential common thread for their execution with guarantees of efficiency and quality, thereby achieving the fulfilment of the strategic objectives formally established by the Management.
The main dimensions of information security that must be guaranteed in the execution of any business process are:
- Confidentiality: Ensuring that information can only be accessed by authorised individuals, entities or processes.
- Integrity: Ensuring that information is generated, modified and deleted only by authorised individuals, entities or processes.
- Availability: Ensuring that information can be accessed when authorised individuals, entities or processes require it.
- Traceability: Ensuring that information related to access and the activity carried out by individuals, entities or processes is available in order to conduct any necessary analysis of abnormal behaviour patterns.
Other security dimensions, such as authentication of the parties or non-repudiation, must likewise be guaranteed whenever the security value of the information, in the context of the business process in which it is stored, processed or transmitted, so requires.
The Information Security Policy is based on clear, well-defined principles that ensure compliance with the strategic guidelines, legal requirements, as well as the contractual requirements formalised with third parties or stakeholders. As such, this Policy is established as the main instrument used by PONS to ensure the secure use of information and communications technologies.
The regulations (security standards, procedures and instructions) that emanate from or derive from the PONS Information Security Policy will become part of it once they have been disclosed, and will be mandatory for all employees and third parties who make use of said information.
Employees shall be responsible for guaranteeing the security of the information they process, store or transmit while they perform their duties, and they must know, understand and comply with the guidelines and rules related to information security, ensuring the correct application of the protective measures enabled.
Access to information by employees will be limited to what is strictly necessary for the correct performance of the formally assigned functions, thus guaranteeing compliance with the least privilege policy. Therefore, the information controllers identified in the different entities that make up PONS will take into account all the technical and organisational security measures to define and maintain the appropriate privileges of access to information, depending on the activities of each job.
Failure to comply with the Information Security Policy guidelines could lead to internal administrative sanctions.
Management shall ensure that this Information Security Policy is understood and implemented in all entities belonging to PONS, providing the necessary resources to achieve the objectives defined in this framework for action.
2. OBJECTIVES
The Information Security Policy is established as the high-level document that formalises the different guidelines for action in the field of security adopted by PONS, and which will be developed in greater detail in the corresponding security regulations drawn up for this purpose.
Under this premise, the Information Security Policy therefore focuses on the following main objectives:
- Compliance with the applicable legal regulations in the area of information security that have an impact on the context of the main activity carried out.
- Contributing to fulfilling the formally established mission and strategic objectives.
- Guaranteeing that the different information assets are suitably protected according to their degree of sensitivity and criticality (the security value of the information assets, assessed across the different dimensions considered and formalised in the corresponding Information Value Model).
- Aligning information security with the requirements of the business by formalising and executing the process of analysing and evaluating the risks to which the different information assets are exposed, and defining a strategy to mitigate the risks within the scope of information security.
- Guaranteeing effective responsiveness to potential information security incidents, minimising the respective operational, financial and reputational impact.
- Facilitating the dimensioning of the resources required to correctly implement the technical and organisational security measures included in the security regulations documented for such purposes.
- Promoting the use of good practices in information security, as well as creating a culture of security in the context of the organisational structure.
- Promoting the definition, implementation and maintenance of a Business Continuity Plan for the critical processes identified after the execution of the Business Impact Analysis (BIA).
- Establishing review, monitoring, auditing and continuous improvement mechanisms with the aim of maintaining the appropriate security levels required by the business model.
3. SCOPE
The scope of the Information Security Policy includes all the information assets existing in the different entities that make up PONS, and which act as a support infrastructure for the possible execution of its business processes.
4. REGULATORY FRAMEWORK
The formalisation of the Information Security Policy, as well as the security regulations derived from it, will take into account and integrate the following applicable legal regulations:
- Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, GDPR – General Data Protection Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Organic Law 3/2018 of 5 December 2018 on Protection of Personal Data and Guarantee of Digital Rights (hereinafter Law 3/2018).
- Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (hereinafter LSSICE).
5. PRINCIPLES
In order to ensure compliance with the security objectives identified above, the Information Security Policy formalises the application of certain security principles.
5.1 SECURITY AS AN INTEGRAL PROCESS
Security is understood as an integral process made up of all the human, material, technical, legal and organisational elements related to the information systems used to support the execution of business processes. All security activities will therefore be carried out from this perspective, avoiding isolated actions or circumstantial treatment.
Maximum attention will be paid to the awareness of the people involved in the execution of business processes and of their hierarchical managers, so that ignorance, lack of organisation and coordination, or inadequate instructions do not become sources of risk for information security.
5.2 RISK-BASED SECURITY MANAGEMENT
Risk analysis and management is an essential part of the security process, and must be a continuous and permanently updated activity.
Risk management will allow the maintenance of a controlled information environment, minimizing risks to acceptable levels formalized by Management.
The reduction of risk to such levels will be achieved through the application of security measures, in a balanced manner and proportionate to the nature of the information processed, the services to be provided and the risks to which the different information assets used are exposed.
5.3 PREVENTION, DETECTION AND RESPONSE
Information security must include actions related to the aspects of prevention, detection and response, in order to minimise existing vulnerabilities, and to ensure that threats do not materialise or, if they do, do not seriously affect the information or services provided.
Prevention measures, which may incorporate components aimed at deterrence or reduction of the exposure surface, should reduce the possibility of threats materialising.
The detection measures will be aimed at early warning of any scenario of threat materialization.
The response measures, which will be managed in a timely manner, will be aimed at restoring information and services that may have been affected by a security incident.
5.4 EXISTENCE OF LINES OF DEFENSE
It must be ensured that the protection strategy is made up of multiple layers of security, arranged in such a way that, when one of the layers is compromised, it is possible to react appropriately to incidents that could not be avoided, reducing the probability that they can spread.
The lines of defence must be made up of measures of an organisational, physical and logical nature.
5.5 CONTINUOUS MONITORING AND PERIODIC RE-EVALUATION
Continuous surveillance will allow the detection of anomalous activities or behaviour and their timely response.
The permanent evaluation of the security status of information assets will allow their evolution to be measured, detecting vulnerabilities and identifying configuration deficiencies.
The security measures will be re-evaluated and updated periodically, adapting their effectiveness to the evolution of risks and protection systems, and may lead to a rethinking of security where necessary.
5.6 SEGREGATION OF RESPONSIBILITIES
Responsibility for information security shall be differentiated from responsibility for the operation of information systems.
6. THIRD PARTIES
When any of the entities that make up PONS requires the participation of third parties for the provision of a service, it will inform them of the security regulations applicable in the context of said collaboration, and they will be subject to the obligations established in those regulations.
The specific procedures for reporting and resolving security incidents that may arise during the provision of the service will be formalised.
When any aspect of the security regulations cannot be satisfied by a third party, the authorisation of the ISMS Manager will be required after identifying the risks incurred and how they will be treated, and the procurement may not be formalised before said authorisation has been obtained. In any case, these authorisations, depending on their categorisation, will be reported to the Security Committee so that the appropriate decisions can be taken.
Approved exceptions shall be duly recorded in the Register of Exceptions.
7. REVISION
The Information Security Policy will be reviewed annually by the Security Committee or when there is a significant change (security management approach, business circumstances, legal changes, changes in the technical environment, recommendations made by supervisory authorities and trends related to threats and vulnerabilities) that requires it.
In the event that a new version of the Information Security Policy is created, formal approval by the Executive Committee shall be required prior to its disclosure.
8. APPLICABLE PENALTIES
Any duly accredited failure to comply with, or violation of, the guidelines contained in the Information Security Policy or the practices and security measures identified in the regulations derived from it may lead to the application of internal administrative sanctions.
Exceptions to this Information Security Policy must be previously justified by the application of a formal risk acceptance process. Such exceptions must be entered in the Register of Exceptions, and will be monitored by the Security Committee.
9. ENTRY INTO FORCE
Approved by the Executive Committee on 14 September 2024.
Upon its entry into force, following its publication on the corporate Intranet, this Policy repeals any previous Policy that existed for such purposes.
10. REVISION CONTROL
Version | Date | Change | Requested by
---|---|---|---
1.0 | 08/09/2021 | First version of the document | Not applicable
2.0 | 19/10/2023 | Changes in the Security Committee | Not applicable
3.0 | 01/04/2024 | Version update to meet requirements of new ISO 27001 standard | Not applicable