Bizneo depends on information systems. These systems are diligently managed, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity or traceability of the information processed and the services provided.
Aware of the importance of information security, and in line with the path that marks our own identity, Bizneo has promoted the establishment of an information security management system (hereinafter, ISMS) under the ISO 27001 standard and according to the requirements of Royal Decree 3/2010, of January 8, 2010, which regulates the National Security Scheme in the field of Electronic Administration (hereinafter, ENS) in order to identify, evaluate and minimize the risks to which its information and that of its customers is exposed, as well as to ensure compliance with the established objectives.
The purpose of this Security Policy is to ensure the quality of information and the continued provision of services, acting preventively and supervising daily activity, as well as to provide a framework for the establishment of security objectives that allow Bizneo to develop a company culture, a way of working and a way of making decisions in which information security and respect for personal data are a constant.
The Management particularly values, and establishes as the main criterion for the estimation of its risks, the availability and confidentiality of its own information and, above all, that of its customers. Thus, it is committed to developing, implementing, maintaining and continuously improving its ISMS, with the aim of continuously improving the way we provide our services and the way we handle our customers' information. Therefore, Bizneo's different departments ensure that security is an integral part of each stage of the system's life cycle, from its conception to its decommissioning, including development or acquisition decisions and operation activities.
Therefore, it is Bizneo's policy to establish annual objectives in relation to Information Security, to comply with legal, contractual and business requirements, to carry out training and awareness activities on Information Security for all staff, to establish the responsibility of employees for reporting security violations, and to comply with the policies and procedures that form part of the ISMS.
Bizneo is prepared to prevent, detect, react to and recover from incidents, in accordance with Article 7 of the ENS, and has therefore taken action to strengthen different aspects of information security:
i. In terms of prevention
All departments involved must avoid, or at least prevent as far as possible, information or services from being impaired by security incidents. To this end, the security measures determined by the ENS, as well as additional controls identified through a threat and risk assessment, shall be implemented. These controls, and the security roles and responsibilities of all personnel, will be clearly defined and documented.
To ensure compliance with the policy, departments must:
Authorize systems before going into operation.
Regularly evaluate security, including evaluations of configuration changes made on a routine basis.
Request periodic review by third parties in order to obtain an independent assessment.
Evaluate the existing risk in view of the possibility of connecting to other interconnected information systems by virtue of the provisions of Art. 11.k) of the ENS.
ii. In terms of detection
Since services can degrade rapidly due to incidents, ranging from a simple slowdown to a complete stoppage, Bizneo continuously monitors operations to detect anomalies in service provision levels and act accordingly, in line with the provisions of Article 9 of the ENS.
Monitoring is especially relevant when establishing lines of defense in accordance with Article 8 and Art. 11.l) of the ENS. Therefore, detection, analysis and reporting mechanisms are established to inform those responsible on a regular basis, and whenever there is a significant deviation from the parameters that have been pre-established as normal.
iii. In terms of response
Bizneo has implemented procedures in order to:
Establish mechanisms to respond effectively to security incidents in accordance with the provisions of Art. 11.m) of the ENS.
Designate points of contact for communications regarding detected incidents.
Establish protocols for the exchange of information related to the incident.
iv. In terms of recovery
In order to guarantee the availability of critical services and based on the requirements established in Art. 11.o) of the ENS, Bizneo has developed information systems continuity plans as part of its general business continuity plan and recovery activities.
This Information Security Policy will always be aligned with the company's general policies and with those that serve as a framework for other internal management systems, such as quality policies.
In Madrid, on June 14, 2023
Santiago Salas
Bizneo CEO