Security Policy
1. APPROVAL AND EFFECTIVE DATE
The text was approved on March 19, 2025, by the General Director of SMART2ME, S.L (hereinafter INDIGITALL). This “Information Security Policy” (hereinafter, Policy) shall be effective from the date of approval and shall remain in effect until replaced by a new Policy.
2. INTRODUCTION
INDIGITALL heavily depends on ICT (Information and Communication Technology) systems to achieve its objectives. It acknowledges that digital transformation has led to an increase in risks associated with information systems supporting public services. As a public sector provider, INDIGITALL must properly manage these risks.
The goal of this risk management is to protect ICT systems from accidental or intentional harm that may affect the availability, integrity, confidentiality, authenticity, or traceability of the information processed by INDIGITALL within the framework of public sector services, specifically for residential and healthcare centers.
ICT systems must be protected against rapidly evolving threats that can impact the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy must be in place that adapts to environmental changes to ensure continuous service delivery. This implies that departments must implement the minimum security measures required by the National Security Framework (ENS), continuously monitor service performance levels, track and analyze reported vulnerabilities, and prepare an effective incident response to guarantee service continuity.
Different INDIGITALL departments must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development, acquisition, and operational activities. Security requirements and financial needs must be identified and incorporated into planning, bid requests, and ICT project contracting.
Departments must be prepared to prevent, detect, respond to, and recover from incidents in accordance with Article 8 of the ENS.
3. SCOPE
3.1 Subjective Scope
This Policy applies to all INDIGITALL personnel and all individuals or entities, both internal and external, providing services to INDIGITALL, whether on-site or remotely.
3.2 Objective Scope
This Policy applies to INDIGITALL’s information systems related to “marketing automation” platform services in a SaaS model.
4. REGULATORY FRAMEWORK
The identification and maintenance of the regulatory framework shall be the responsibility of INDIGITALL’s Security Officer and shall be governed by the procedure for identifying and assessing legal requirements. It shall include mandatory technical security instructions published through resolutions of the Secretary of State for Digitalization and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation or the entity assuming those functions.
Additionally, the Security Officer shall be responsible for identifying CCN security guidelines applicable to improving compliance with the ENS.
5. MINIMUM SECURITY REQUIREMENTS
INDIGITALL’s Security Policy regulates the continuous management of the security process. This Policy has been established in accordance with the basic principles set forth in Chapter II of the ENS and is developed considering the following minimum security requirements:
a) Organization and implementation of the security process (art. 13).
b) Risk analysis and management (art. 14).
c) Personnel management (art. 15).
d) Professionalism (art. 16).
e) Authorization and access control (art. 17).
f) Facility protection (art. 18).
g) Acquisition of security products and contracting security services (art. 19).
h) Minimum privilege (art. 20).
i) System integrity and updates (art. 21).
j) Protection of stored and transmitted information (art. 22).
k) Prevention regarding interconnected information systems (art. 23).
l) Activity logging and malicious code detection (art. 24).
m) Security incidents (art. 25).
n) Business continuity (art. 26).
ñ) Continuous improvement of the security process (art. 27).
To comply with these minimum requirements, INDIGITALL will apply the security measures in Annex II of the ENS, considering:
The assets that constitute INDIGITALL’s information system.
The security category of the system, as provided in Article 40.
Decisions made to manage identified risks.
6. BASIC PRINCIPLES
INDIGITALL’s Information Security Policy establishes the following fundamental principles for the use of information systems:
Security as an integral process: Security encompasses all human, material, technical, legal, and organizational elements related to information systems.
Comprehensive risk-based management: Risk analysis and management are essential to security and should be a continuous and regularly updated activity.
Prevention, detection, response, and preservation: The security of the information system must include prevention, detection, and response actions.
Multiple lines of defense: INDIGITALL’s information system must have a protection strategy composed of multiple security layers.
Continuous monitoring and periodic reevaluation: Continuous monitoring enables the detection of abnormal activities or behaviors and ensures an appropriate response.
7. INFORMATION SECURITY OBJECTIVES
INDIGITALL establishes the following security objectives:
Ensure information protection.
Physical security: INDIGITALL places information systems in secure areas, protected by appropriate physical access controls.
Access control: INDIGITALL limits access to information assets through identification, authentication, and authorization mechanisms.
System acquisition, development, and maintenance: INDIGITALL considers security aspects in all phases of the system lifecycle.
Ensure continuous service delivery: INDIGITALL implements procedures to guarantee system availability and business continuity.
Data protection: INDIGITALL adopts technical and organizational measures to manage risks associated with personal data processing.
Compliance: INDIGITALL ensures compliance with applicable information security regulations.
8. MISSION
Founded in February 2013, INDIGITALL aims to transcend digital boundaries, tailoring each marketing campaign to individual customer preferences across all digital channels through artificial intelligence. This ensures each interaction is relevant and effective, fostering authentic connections as if each customer had a personal assistant. INDIGITALL’s objective is to enhance business competitiveness through digital transformation and automated marketing tools, driving an omnichannel and sustainable strategy. Technological innovation is at the core of INDIGITALL.
9. COMPLIANCE WITH ARTICLES
To comply with the articles of Royal Decree 311/2022, INDIGITALL has implemented various security measures proportional to the nature of the information and services being protected, considering the category of affected systems.
Compliance with ENS articles is detailed in the “Statement of Applicability.”
10. POLICY DEVELOPMENT
INDIGITALL’s Information Security Committee has approved the development of a management system, which will be established, implemented, maintained, and improved in accordance with security standards. This system will be adapted to and will manage the controls of the National Security Framework. The system will be documented and will generate evidence of the controls and compliance with the objectives set by the Committee. A document management procedure will be established to define the guidelines for structuring system security documentation, its management, and access.
The Information Security Committee is responsible for the annual review of this Policy, proposing improvements as necessary for approval by the General Director of INDIGITALL.
This Information Security Policy is mandatory and is structured into the following hierarchical levels:
First Level: Information Security Policy.
Second Level: Security Regulations.
Third Level: Security Procedures.
The Information Security Officer (CISO), with the support of the Quality area, must review this regulation at least annually, proposing improvements as necessary.
INDIGITALL personnel and third-party companies must be familiar with this Security Policy, along with all security regulations, procedures, technical instructions, and other relevant documentation affecting their duties.
10.1 First Regulatory Level: ICT Security Policy
The ICT Security Policy is the highest-level regulatory instrument in INDIGITALL’s security regulatory framework. It must be approved by the General Director of INDIGITALL.
10.2 Second Regulatory Level: Information Security Standards
ICT Security Standards are mid-level instruments covering specific security areas. The entity responsible for their approval is the INDIGITALL Security Committee.
10.3 Third Regulatory Level: ICT Security Procedures
ICT Security Procedures are lower-level instruments, drafted in greater detail and applicable to a specific scope. The Security Officer is responsible for their approval.
11. SECURITY ORGANIZATION
11.1 Security Roles and Profiles
To ensure compliance with and adaptation to the legally required measures, security roles and profiles have been created, and the positions or bodies that will occupy them have been designated as follows:
Information Officer: Juan Carlos de Vela Benavides
Service Officer: Xavier Omella Claparols
Security Officer: Marcos Fortún Arranz
System Officer: Jesús Moreira Rubio
11.2 Information Security Committee
INDIGITALL has established an Information Security Committee as a collegial body, composed of the following members:
General Director: General Director of INDIGITALL.
Members:
Service Officer
System Officer
Security Officer
Additionally, other INDIGITALL members may be incorporated into the Committee’s work, including specialized working groups of internal, external, or mixed nature.
The Information Security Committee will hold sessions at INDIGITALL facilities or remotely on a semi-annual basis, with prior notice issued by the General Director of the Committee. Extraordinary meetings may be held whenever necessary due to specific circumstances.
11.3 Responsibilities Associated with the National Security Framework (ENS)
Below are the functions and responsibilities assigned to each ENS security role:
Functions of the Information and Service Officer:
Establish and approve the security requirements applicable to the service and information within the framework established in Annex II of the ENS, following a proposal from the ENS Security Officer and/or Information Security Committee.
Accept residual risk levels affecting the Service and Information.
Functions of the Security Officer (CISO/RSF):
Maintain and verify the appropriate level of security for managed information and electronic services provided by information systems.
Manage, supervise, and maintain the physical security of INDIGITALL’s facilities.
Promote training and awareness in security matters.
Assign responsibilities for risk analysis execution, applicability declaration, security measure identification, necessary configuration determination, and system documentation preparation.
Provide advice on determining system categories, in collaboration with the System Officer and/or Information Security Committee.
Participate in developing and implementing security improvement plans and, when necessary, in continuity plans, validating their execution.
Manage external or internal system reviews.
Handle certification processes.
Submit security changes and other system requirements for approval by the Security Committee.
Functions of the System Officer:
Suspend or halt access to information or services upon detecting severe security deficiencies.
Implement and manage INDIGITALL’s Information Systems throughout their lifecycle, including cybersecurity control implementation, operation, and functionality verification.
Define the topology and management of the Information System, establishing usage criteria and available services.
Ensure that specific security measures are properly integrated within the overall security framework.
Collaborate with the Security Officer in investigating and resolving cyber incidents affecting INDIGITALL’s Information Systems, applying knowledge gained from previous incidents to minimize future risks.
Perform system security administration functions, including:
Managing, configuring, and updating hardware and software related to security mechanisms and services.
Managing authorizations granted to system users, particularly privileges, including activity monitoring to ensure compliance with authorizations.
Approving changes to the current Information System configuration.
Ensuring strict compliance with established security controls.
Enforcing approved procedures for managing the Information System.
Overseeing hardware and software installations, modifications, and improvements to ensure security integrity.
Monitoring security status using security event management tools and technical audit mechanisms.
Where justified by system complexity, the System Officer may appoint delegated system officers with direct functional dependency, responsible for designated tasks.
Functions of the Information Security Committee:
Address requests related to Information Security from the Administration and various security roles or areas, regularly informing them of the current security status.
Provide advisory services in Information Security matters.
Resolve responsibility conflicts between different administrative units.
Promote continuous improvement of the Information Security management system by:
Coordinating security efforts across different areas to ensure consistency and alignment with the security strategy, avoiding redundancies.
Proposing Information Security improvement plans, allocating necessary budgets, and prioritizing security actions when resources are limited.
Ensuring Information Security considerations are incorporated into all projects from initial specifications to operational deployment. This includes the creation and use of standardized services that minimize redundancies and promote uniformity across all ICT systems.
Monitoring major residual risks assumed by the Administration and recommending appropriate actions.
Tracking security incident management and recommending response actions.
Reviewing and regularly updating the Information Security Policy for approval by the competent authority.
Drafting security regulations for approval in coordination with the General Directorate.
Verifying information security procedures and related documentation for approval.
Developing training programs to educate and raise awareness among staff on Information Security and personal data protection.
Establishing training and qualification requirements for administrators, operators, and users from an Information Security perspective.
Promoting periodic ENS and data protection audits to verify compliance with the Administration’s Information Security obligations.
11.4 Designation Procedures
The creation of the Information Security Committee, appointment of its members, and designation of Responsible Officers identified in this Policy have been carried out by INDIGITALL’s General Director and communicated to relevant stakeholders.
The members of the Committee, as well as security roles, will be reviewed every three years or upon vacancy.
11.5 RACI Matrix: Responsibility Assignment Matrix
Task | DG | RI | RS | DPD | CISO/RSF | CIO
---|---|---|---|---|---|---
Security Policy | A | C | C | C | R | C
Determination of System Category | C | C | A/R | C | |
Risk Analysis | I | R | A/R | R | |
Statement of Applicability | I | R | A/R | R | |
Information Security Standards and Procedures | I | A/R | R | | |
Security Incident Response | I | I | C | I | A/R | R
Security of Service and Information Systems Lifecycle | C | A/R | | | |
A: Accountable (makes the decision, authorizes, and approves).
R: Responsible (is responsible for executing the work).
C: Consulted (is consulted before making the decision).
I: Informed (is informed of the decisions made).
12. CONFLICT RESOLUTION
The INDIGITALL Information Security Committee will handle the resolution of conflicts and/or differences of opinion that may arise between security roles.
13. PERSONAL DATA
INDIGITALL will only process personal data when it is appropriate, relevant, and not excessive, and when it relates to the scope and purposes for which it was obtained. Likewise, INDIGITALL will adopt the necessary technical and organizational measures to comply with the current Data Protection regulations, in accordance with the Personal Data Protection Policy approved by the INDIGITALL Presidency.
In compliance with Regulation (EU) 2016/679 of the European Parliament and Council, of April 27, 2016, regarding the protection of natural persons concerning the processing of personal data and the free movement of such data (General Data Protection Regulation – GDPR), and its transposition into Spanish legislation through Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, appropriate measures have been implemented, such as the legal legitimacy analysis of each data processing activity, risk analysis, impact assessment when the risk is high, activity logging, and the appointment of a Data Protection Officer.
14. THIRD PARTIES
When providing services to other organizations or handling information from other organizations, those organizations will be made aware of this Information Security Policy. INDIGITALL will define and approve the channels for information coordination and the action procedures for responding to security incidents, as well as other security-related activities carried out by INDIGITALL in collaboration with other entities.
When INDIGITALL uses third-party services or shares information with third parties, they will be informed of this Security Policy and the existing Security Regulations applicable to such services or information. Third parties will be subject to the obligations established in the aforementioned regulations, while retaining the ability to develop their own operational procedures to comply with them. Specific procedures for communication and incident resolution will be established. It will be ensured that third-party personnel are adequately trained in security matters, at least to the level required by this Security Policy.
Additionally, considering the obligation to comply with the Technical Security Instructions established in the second additional provision of Royal Decree 311/2022, and in accordance with the Resolution of October 13, 2016, of the State Secretariat for Public Administrations, which approves the Technical Security Instruction in compliance with the National Security Framework, it is required that private sector operators providing services or solutions to public entities, to which the National Security Framework is applicable, must be able to present the corresponding Declaration of Conformity with the National Security Framework for BASIC category systems, or the Certification of Conformity with the National Security Framework for MEDIUM or HIGH category systems.
If any aspect of this Security Policy cannot be met by a third party as required in the previous paragraphs, a report from the ENS Security Officer specifying the risks incurred and how they will be managed will be required. This report must be approved by the responsible officers for the affected information and services before proceeding.
15. CONTINUOUS IMPROVEMENT
Information security management is a continuously evolving process. Therefore, INDIGITALL must implement a continuous improvement process, which will include, among other actions:
Review of the Information Security Policy.
Review of services and information and their categorization.
Annual execution of risk analysis.
Conducting internal and external audits.
Review of security measures.
Review and update of regulations and procedures.
For INDIGITALL, proper information security management is an ongoing and collective challenge necessary for the organization’s continuity.