INTRODUCTION
Atalis Funding relies on ICT (Information and Communications Technology) systems to achieve its business objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, monitoring daily activity and reacting promptly to incidents.
ICT systems must be protected against rapidly evolving threats that have the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, a strategy that adapts to changing conditions is required to ensure the continued delivery of services. This implies that departments must implement the minimum security measures required by the National Security Scheme (ENS), continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents so as to ensure the continuity of the services provided.
The different departments must ensure that ICT security is an integral part of every stage of the system's life cycle, from its conception to its decommissioning, including development or procurement decisions and operational activities. Security requirements and funding needs must be identified and included in the planning, requests for bids and bidding documents of ICT projects.
Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 7 of the ENS.
PREVENTION
Departments must avoid, or at least prevent as far as possible, information or services from being impaired by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.
To ensure compliance with the policy, departments must:
- Authorize systems before going into operation.
- Regularly evaluate security, including evaluations of configuration changes made on a routine basis.
DETECTION
Since services can degrade rapidly as a result of incidents, ranging from a simple slowdown to a complete stoppage, departments must monitor operations on a continuous basis in order to detect anomalies in service delivery levels and act accordingly, as established in Article 9 of the ENS.
Monitoring is especially relevant when establishing lines of defense in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms shall be established that reach those responsible regularly and when there is a significant deviation from the parameters that have been pre-established as normal.
RESPONSE
Departments must:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in other departments or other agencies.
- Establish protocols for the exchange of information related to incidents. This includes two-way communications with Computer Emergency Response Teams (CERTs).
SCOPE
This policy applies to all Atalis Funding ICT systems, as well as to all Atalis Funding members, without exception.
MISSION
In a technological environment where the convergence of computing and communications is enabling a new paradigm of productivity for companies, Atalis Funding is committed to continuing to promote research, technological development and innovation projects in a quality environment, in which good Information Security practices are essential to achieving the objectives of confidentiality, integrity, availability and legality of all information managed. Consequently, Atalis Funding defines the following principles, to be applied within the framework of the Information Security Management System (ISMS):
The Management of Atalis Funding understands its duty to ensure the security of information as an essential element for the proper performance of Atalis Funding's services and, therefore, supports the following objectives and principles:
- Embed the value of Information Security across Atalis Funding.
- Ensure that each and every person at Atalis Funding contributes to the protection of Information Security.
- To preserve the confidentiality, integrity, availability and resilience of the information, with the objective of guaranteeing that the legal and regulatory requirements, and those of our clients, related to the security of the information are met; and specifically with regard to personal data:
- The data will be processed in a lawful, fair and transparent manner in relation to the data subject (lawfulness, fairness and transparency).
- They shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes (Purpose limitation).
- The data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data minimization).
- The data shall be accurate and, if necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are promptly deleted or rectified (Accuracy).
- The data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Limitation of the retention period).
- The data will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the implementation of appropriate technical or organizational measures (Integrity and confidentiality).
- To protect Atalis Funding’s information assets from threats, whether internal or external, deliberate or accidental, in order to guarantee the continuity of the service offered to our clients and the security of the information.
- Establish an information security plan that integrates activities to prevent and minimize the risk of security incidents based on the risk management criteria established by Atalis Funding.
- Provide the necessary means to be able to carry out the pertinent actions for the management of the identified risks.
- Assume responsibility for information security awareness and training as a means of ensuring compliance with this policy.
- Extend our commitment to information security to our employees and suppliers.
- Continuously improve security by establishing and regularly monitoring information security objectives.
This Policy will be maintained, updated and appropriate for Atalis Funding’s purposes, aligned with Atalis Funding’s risk management context. To this end, it will be reviewed at planned intervals or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.
Similarly, to manage the risks faced by Atalis Funding, a formally defined risk assessment procedure is established. In turn, all policies and procedures included in the ISMS will be reviewed, approved and promoted by Atalis Funding Management.
REGULATORY FRAMEWORK
Atalis Funding’s management ensures that externally sourced documentation that is relevant to the operation of the company is known to the company’s employees who need it and is kept up to date and available at all times.
For this purpose, the means defined in this document and the procedures that develop it are used.
Reference documents
- National Security Scheme
SECURITY ORGANIZATION
Committees, roles and responsibilities
A Security Committee has been established, composed of:
- General Management
- Security Manager
- System Manager
- Data Protection Officer
- Information Manager
- Service Manager
The Security Committee has the following functions and responsibilities:
- Address management and systems concerns.
- Obtain a snapshot of the state of information security.
- Promote the continuous improvement of the ISMS.
- Draw up the strategy for the evolution of the ISMS.
- Review the Policy, Regulations and procedures at least annually.
- Approve training requirements.
- Prioritize actions.
- Promote the performance of ISMS and technical audits.
- Check that Information Security is present in all projects.
ROLES: FUNCTIONS AND RESPONSIBILITIES
Executive Management
Participates in the development of objectives and measurements. Approves policies. Approves ISMS management reviews. Validates the conclusions of system audits.
The executive management establishes Atalis Funding’s organization chart which contains more functions and roles than those specified here. In this policy we detail those responsible for information security.
Security Manager
- Promote the security of the information handled and the electronic services provided by the information systems, with the responsibility and authority to ensure that the Information Security Management System complies with the requirements of the National Security Scheme.
- Oversee compliance with this Policy, its rules, the procedures derived from it and the security configuration of the systems.
- Establish adequate and effective security measures to comply with the security requirements established by the Service and Information Managers, following at all times the requirements of Annex II of the ENS, declaring the applicability of such measures.
- Promote security awareness and training activities in their area of responsibility.
- Coordinate and monitor the implementation of ENS compliance projects, in collaboration with the System Manager.
- To carry out, with the collaboration of the System Manager, the mandatory risk analysis, to select the safeguards to be implemented and to review the risk management process. Likewise, together with the System Manager, accept the residual risks calculated in the risk analysis.
- Promote periodic audits to verify compliance with information security obligations and analyze the audit reports, drawing up the conclusions to be presented to the System Manager so that the appropriate corrective measures can be adopted.
- Coordinate the Security Management process, in collaboration with the System Manager.
- Determine the category of the system according to the procedure described in Annex I of the ENS and the security measures to be applied in accordance with the provisions of Annex II of the ENS.
- Verify that security measures are adequate for the protection of information and services.
System Manager
- Develop, operate and maintain the information system throughout its life cycle, including its specification, installation and the verification of its correct operation.
- Ensure that specific security measures are properly integrated into the overall security framework.
- Conduct exercises and tests on existing security operating procedures and continuity plans.
- Implement the necessary measures to ensure the security of the system throughout its life cycle, in agreement with the Security Manager.
- To carry out, in collaboration with the Security Manager, the mandatory risk analysis, to select the safeguards to be implemented and to review the risk management process. Likewise, together with the Security Manager, accept the residual risks calculated in the risk analysis.
- Prepare, in collaboration with the Security Manager, the third level security documentation (STIC Operating Procedures and STIC Technical Instructions).
- Apply the security operating procedures.
- Ensure that the established security controls are strictly adhered to, as well as ensuring that the approved procedures for managing the information system are applied.
- Monitor hardware and software installations, modifications and upgrades to ensure that security is not compromised and that at all times they are in compliance with the relevant authorizations.
- Monitor the security status of the system provided by the security event management tools and technical auditing mechanisms implemented in the system.
- Report any anomalies, compromises or vulnerabilities related to security to their respective managers.
- Collaborate in the investigation and resolution of security incidents, from detection to resolution.
Data Protection Officer
- Inform and advise the data controller and its employees of their obligations in relation to the GDPR and other data protection provisions.
- Monitor compliance with the GDPR, other Union or Member State data protection provisions and the controller's or processor's policies on the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- Provide advice, when requested, on the data protection impact assessment and monitor its implementation in accordance with Article 35 of the GDPR.
- Cooperate with the supervisory authority.
- Act as a contact point for the supervisory authority on matters relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and consult, as appropriate, on any other matter.
Service Manager
- Establish the security requirements of the service, including interoperability, accessibility and availability requirements.
- Determine the security levels of the service, in agreement with the Security Manager and the System Manager.
- Maintain the security of the information handled and the services provided by the information systems in its area of responsibility.
Information Manager
- Ensure the proper use of the information and, therefore, its protection.
- Establish the security requirements of the information.
- Determine the security levels of the information processed, assessing the consequences of a negative impact.
Users and employees
- Comply with the information security policy and complementary rules, procedures and instructions.
- To protect and safeguard the company’s information, preventing its disclosure, external release, modification, accidental or unauthorized deletion or destruction, or misuse, regardless of the medium or means by which it was accessed or known.
- Know and apply the Information Security Policy, the Information Systems Usage Rules and all other applicable policies, standards, procedures and security measures.
Any conflict or discrepancy that may arise between those responsible for information security, and which cannot be resolved by mutual agreement, shall be submitted to the organization’s management, whose decision shall be binding and shall be duly documented.
APPOINTMENT PROCEDURES
Atalis Funding's management is responsible for making the appointments that designate information security roles and responsibilities, and for establishing the committees necessary to ensure compliance with this Policy. These appointments and internal structures are recorded in internal documents.
INFORMATION SECURITY POLICY
The Security Committee shall be responsible for the annual review of this Information Security Policy and for proposing its revision or maintenance. The Policy shall be approved by the Security Committee and disseminated so that all affected parties are aware of it.
RISK MANAGEMENT
All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated:
- Regularly, at least once a year
- When the information handled changes
- When the services provided change
- When a serious security incident occurs
- When serious vulnerabilities are reported
In order to harmonize risk analyses, the Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The Security Committee will promote the availability of resources to meet the security needs of the different systems, favouring investments of a horizontal nature.
DEVELOPMENT OF THE INFORMATION SECURITY POLICY
This Policy will be developed through security regulations that address specific aspects of the operation of Atalis Funding's IT systems and their users. The security regulations will be available to all members of Atalis Funding on a need-to-know basis, in particular to those who use, operate or administer information and communications systems.
The Information Security Policy will be available on the following website: Grants Database – Atalis Funding –
STAFF OBLIGATIONS
All members of Atalis Funding have the obligation to know and comply with this Information Security Policy and the Security Regulations. It is the responsibility of the Security Committee to provide the necessary means to ensure that this information reaches those affected.
All Atalis Funding members will attend an ICT security awareness session at least once a year. An ongoing awareness program will be established to serve all Atalis Funding members, particularly new members.
Persons with responsibility for the use, operation or administration of systems shall receive training in the safe operation of the systems to the extent that they need it to perform their work. Training shall be mandatory prior to assuming a responsibility, whether it is their first assignment or a change of job or job responsibilities.
THIRD PARTIES
When Atalis Funding provides services to other organizations or handles information from other organizations, those organizations will be made aware of this Information Security Policy, channels will be established for reporting and coordination between the respective Security Committees, and procedures will be established for reacting to security incidents.
When Atalis Funding uses third-party services or provides information to third parties, those third parties will be made aware of this Security Policy and of the Security Regulations pertaining to such services or information. Such third parties will be subject to the obligations set forth in those regulations, and may develop their own operating procedures to satisfy them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that third-party personnel are adequately security-aware, at least to the same level as that established in this Policy.
Where any aspect of this Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Manager will be required setting out the risks involved and how they will be addressed. Approval of this report by the Information and Service Managers concerned will be required before proceeding further.