
Security Policy
INDIGITALL’s Information Security Management System pursues as a fundamental objective the protection of information by offering its workers, collaborators, suppliers and clients a safe work environment through the appropriate security measures and operational processes.
INFORMATION SECURITY POLICY
1. APPROVAL AND ENTRY INTO FORCE
Text approved on March 19, 2025, by resolution of the General Manager of SMART2ME, S.L. (hereinafter INDIGITALL).
This “Information Security Policy,” hereinafter referred to as the Policy, will be effective from its date of approval and will remain in force until it is replaced by a new Policy.
2. INTRODUCTION
INDIGITALL relies heavily on ICT systems (Information and Communication Technologies) to achieve its objectives and recognizes that digital transformation has led to an increase in risks associated with the information systems that support public services. As a provider to the public sector, INDIGITALL must adequately manage these risks.
The objective of this risk management is to protect Information and Communication Technology systems from accidental or deliberate harm that could affect the availability, integrity, confidentiality, authenticity, or traceability of the information processed by INDIGITALL within the framework of services provided to the public sector, and more specifically to residential and social-health centers.
ICT systems must be protected against rapidly evolving threats that can impact the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure the continuous delivery of services. This means that departments must apply the minimum security measures required by the National Security Framework, continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure service continuity.
The different departments of INDIGITALL must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and contracting of ICT projects.
Departments must be prepared to prevent, detect, respond to, and recover from incidents, in accordance with Article 8 of the National Security Framework (ENS).
3. SCOPE
3.1 Subjective Scope
This Policy applies to all INDIGITALL personnel, as well as all individuals or entities, both internal and external, providing services to INDIGITALL, whether on their own premises or remotely.
3.2 Objective Scope
This Policy applies to INDIGITALL’s information systems related to the “marketing automation” Platform services in a SaaS model.
4. REGULATORY FRAMEWORK
The identification and maintenance of the regulatory framework will be the responsibility of INDIGITALL’s Security Officer and will be governed by the procedure for identifying and assessing legal requirements. Mandatory technical security instructions published by resolution of the Secretary of State for Digitalization and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation, or the entity assuming those functions, will be included.
Likewise, the Security Officer will also be responsible for identifying CCN security guidelines, which will be applied to improve compliance with the National Security Framework (ENS).
5. MINIMUM SECURITY REQUIREMENTS
INDIGITALL’s Security Policy regulates the continuous management of the security process. This Policy has been established in accordance with the basic principles set out in Chapter II of the ENS and is developed considering the application of the following minimum security requirements:
a) Organization and implementation of the security process (art.13)
b) Risk analysis and management (art.14)
c) Personnel management (art.15)
d) Professionalism (art.16)
e) Authorization and access control (art.17)
f) Protection of facilities (art.18)
g) Procurement of security products and contracting of security services (art.19)
h) Minimum privilege (art.20)
i) System integrity and updating (art.21)
j) Protection of stored and in-transit information (art.22)
k) Prevention regarding other interconnected information systems (art.23)
l) Activity logging and detection of malicious code (art.24)
m) Security incidents (art.25)
n) Business continuity (art.26)
ñ) Continuous improvement of the security process (art.27)
To meet these minimum requirements, INDIGITALL will apply the security measures in Annex II of the ENS, considering:
- The assets that make up INDIGITALL’s information system.
- The security category of the system, as provided in Article 40.
- The decisions made to manage identified risks.
6. BASIC PRINCIPLES
INDIGITALL’s Information Security Policy establishes the following basic principles to be observed in the use of information systems:
- Security as a comprehensive process: Security is a process that encompasses all human, material, technical, legal, and organizational elements related to information systems.
- Comprehensive risk-based management: Risk analysis and management are essential parts of the security process and must be ongoing and continuously updated. Risk management will help maintain a controlled environment, reducing risks to acceptable levels.
- Prevention, detection, response, and preservation: Information system security must address prevention, detection, and response actions.
- Existence of lines of defense: INDIGITALL’s information system must have a protection strategy consisting of multiple layers of security.
- Continuous monitoring and periodic reassessment: Continuous monitoring allows for the detection of abnormal activities or behaviors and timely response. Ongoing evaluation will measure progress, and security measures will be periodically reassessed and updated to ensure their effectiveness as risks and protection systems evolve.
7. INFORMATION SECURITY OBJECTIVES
INDIGITALL establishes the following Security objectives:
- Guarantee the protection of information.
- Physical security: INDIGITALL places information systems in secure areas, protected by physical access controls appropriate to their level of criticality.
- Access control: INDIGITALL limits access to information assets by users, processes, and other information systems through the implementation of identification, authentication, and authorization mechanisms tailored to the criticality of each asset.
- Acquisition, development, and maintenance of information systems: INDIGITALL considers security aspects in all phases of the information systems lifecycle.
- Ensure continuous service delivery: INDIGITALL implements appropriate procedures to ensure the availability of information systems and maintain business process continuity.
- Data protection: INDIGITALL adopts the necessary technical and organizational measures to manage risks arising from the processing of personal data.
- Compliance: INDIGITALL adopts the necessary technical and organizational measures to comply with current legal regulations regarding information security.
8. MISSION
INDIGITALL was founded in February 2013 with the mission of crossing digital borders and adapting each marketing campaign to the preferences of each client across all digital channels through the use of artificial intelligence, ensuring that every interaction is relevant and effective. In this way, an authentic connection is forged, as if each client had a personalized assistant at their disposal. INDIGITALL’s goal is to increase the competitiveness of companies through their digital transformation and the consequent use of automated marketing tools to develop an omnichannel and sustainable strategy. INDIGITALL’s emerging focus is technological innovation.
9. COMPLIANCE WITH ARTICLES
To comply with the articles of Royal Decree 311/2022, of May 3, which regulates the National Security Framework, various security measures proportional to the nature of the information and services to be protected have been implemented, taking into account the category of the affected systems.
Compliance with the ENS articles is detailed in the “Statement of Applicability” document.
10. POLICY DEVELOPMENT
The INDIGITALL Information Security Committee has approved the development of a management system, which will be established, implemented, maintained, and improved in accordance with security standards. This system will be adapted and serve to manage the controls of the National Security Framework. The system will be documented and will allow for the generation of evidence of controls and compliance with the objectives set by the Committee. There will be a document management procedure that will establish guidelines for structuring the system’s security documentation, its management, and access.
The Information Security Committee is responsible for the annual review of this Policy, proposing improvements if necessary, for approval by the General Manager of INDIGITALL.
This Security Policy is mandatory and is structured at the documentary level in the following hierarchical levels:
- First level: Information Security Policy.
- Second level: Security Regulations.
- Third level: Security Procedures.
The Information Security Officer (CISO), with the support of the Quality area, must review this regulation at least annually, proposing improvements if necessary.
INDIGITALL staff and third-party companies must be familiar with this Security Policy, as well as all regulations, procedures, technical instructions, or other documentation that may affect the performance of their duties.
10.1 First Regulatory Level: ICT Security Policy
The ICT Security Policy is the highest-level regulatory instrument in INDIGITALL’s security regulatory structure. It must be approved by the General Manager of INDIGITALL.
10.2 Second Regulatory Level: Information Security Regulations
The ICT Security Regulations are mid-level instruments that cover a specific area of security. The body responsible for their approval is the INDIGITALL Security Committee.
10.3 Third Regulatory Level: ICT Security Procedures
ICT Security Procedures are lower-level instruments, drafted in greater detail, and applicable to a specific area. The person responsible for their approval is the Security Officer.
11. SECURITY ORGANIZATION
11.1 Security Roles or Profiles
To ensure compliance and adaptation to the required regulatory measures, security roles or profiles have been created, and the positions or bodies that will occupy them have been designated as follows:
- Information Officer: Juan Carlos de Vela Benavides
- Service Officer: Xavier Omella Claparols
- Security Officer: Marcos Fortún Arranz
- System Officer: Jesús Moreira Rubio
11.2 Information Security Committee
INDIGITALL has established an Information Security Committee, as a collegiate body, and it is composed of the following members:
- General Manager: General Manager of INDIGITALL.
- Members:
· Service Officer
· System Officer
· Security Officer
Optionally, other INDIGITALL members may join the Committee’s work, including specialized working groups, whether internal, external, or mixed.
The Information Security Committee will hold its sessions at INDIGITALL’s premises or remotely on a semi-annual basis, following a call to that effect by the General Manager of said Committee. In any case, the Committee may hold extraordinary meetings when circumstances require.
11.3 Responsibilities Associated with the National Security Framework
Below are the detailed functions and responsibilities established for each of the ENS security roles:
Functions of the Information and Service Officer
- Establish and approve the security requirements applicable to the service and information within the framework established in Annex II of the ENS, upon proposal to the ENS Security Officer and/or the Information Security Committee.
- Accept the levels of residual risk affecting the Service and the Information.
Functions of the Security Officer (CISO/RSF)
- Maintain and verify the appropriate level of security for the information handled and the electronic services provided by the information systems.
- Manage, supervise, and maintain the physical security of INDIGITALL’s facilities.
- Promote training and awareness in security matters.
- Appoint those responsible for conducting risk analysis, the statement of applicability, identifying security measures, determining necessary configurations, and preparing system documentation.
- Provide advice for determining the system category, in collaboration with the System Officer and/or the Information Security Committee.
- Participate in the development and implementation of security improvement plans and, where appropriate, in continuity plans, proceeding to their validation.
- Manage external or internal system reviews.
- Manage certification processes.
- Submit to the Security Committee the approval of changes and other system requirements.
Functions of the System Officer
- Suspend or halt access to information or service delivery if aware of serious security deficiencies.
- Implement and manage INDIGITALL’s Information Systems throughout their lifecycle, including the implementation of cybersecurity controls, as well as their operation and verification of proper functioning.
- Define the topology and management of the Information System, establishing usage criteria and available services.
- Ensure that specific security measures are properly integrated within the general security framework.
- Collaborate with the Security Officer in investigating and resolving cyber incidents affecting INDIGITALL’s Information Systems and apply the knowledge gained from the analysis of past cyber incidents to reduce the likelihood or impact of future incidents.
- Carry out the functions of the system security administrator:
· Management, configuration, and updating, where appropriate, of the hardware and software on which security mechanisms and services are based.
· Management of authorizations granted to system users, particularly the privileges granted, including monitoring the activity carried out in the system and its correspondence with what is authorized.
· Approve changes to the current configuration of the Information System.
· Ensure that established security controls are strictly followed.
· Ensure that approved procedures for managing the Information System are applied.
· Supervise hardware and software installations, modifications, and improvements to ensure that security is not compromised and that they always comply with the relevant authorizations.
· Monitor the security status provided by security event management tools and technical audit mechanisms.
When system complexity justifies it, the System Officer may appoint delegated system officers as deemed necessary, who will report directly to them and be responsible within their scope for all actions delegated to them. Likewise, specific functions of the responsibilities assigned may also be delegated to others.
Functions of the Information Security Committee
The Security Committee shall have the following functions:
- Address requests regarding Information Security from the Administration and from different security roles and/or areas, regularly reporting on the state of Information Security.
- Advise on Information Security matters.
- Resolve responsibility conflicts that may arise between different administrative units.
- Promote the continuous improvement of the Information Security management system. To this end, it shall:
· Coordinate efforts of different areas in Information Security to ensure consistency, alignment with the decided strategy, and to avoid duplication.
· Propose Information Security improvement plans with corresponding budget allocations, prioritizing security actions when resources are limited.
· Ensure that Information Security is considered in all projects from their initial specification to their operational launch. In particular, it must ensure the creation and use of horizontal services that reduce duplication and support homogeneous operation of all ICT systems.
· Monitor the main residual risks assumed by the Administration and recommend possible actions regarding them.
· Monitor security incident management and recommend possible actions regarding them.
· Regularly draft and review the Information Security Policy for approval by the competent authority.
· Draft Information Security regulations for approval in coordination with General Management.
· Verify Information Security procedures and other documentation for approval.
· Develop training programs to educate and raise awareness among staff on Information Security and, in particular, on personal data protection.
· Develop and approve training and qualification requirements for administrators, operators, and users from the perspective of Information Security.
· Promote the performance of periodic ENS and data protection audits to verify compliance with the Administration’s Information Security obligations.
11.4 Designation Procedures
The creation of the Information Security Committee, the appointment of its members, and the designation of the Officers identified in this Policy have been carried out by the General Manager of INDIGITALL and communicated to the interested parties.
The members of the Committee, as well as the security roles, will be reviewed every three years or upon a vacancy.
11.5 RACI Matrix: Responsibility Assignment Matrix
Task | DG | RI | RS | DPD | CISO/RSF | CIO |
Security Policy | A | C | C | C | R | C |
Determination of System Category | C | C | A/R | C | ||
Risk Analysis | I | R | A/R | R | ||
Statement of applicability | I | R | A/R | R | ||
I.S. standards and procedures | I | A/R | R | |||
Security incident response | I | I | C | I | A/R | R |
Information systems and services lifecycle security | C | A/R | ||||
A: Accountable (makes the decision, authorizes and approves). R: Responsible (is responsible for the performance of the work). C: Consulted (is consulted before the decision is made). I: Informed (is informed of the decisions made).
12. CONFLICT RESOLUTION
The Information Security Committee of INDIGITALL will be responsible for resolving conflicts and/or differences of opinion that may arise between security roles.
13. PERSONAL DATA
INDIGITALL will only process personal data when it is adequate, relevant, and not excessive and is related to the scope and purposes for which it was obtained. Likewise, it will adopt the necessary technical and organizational measures to comply with the applicable Data Protection regulations in each case, in accordance with the Personal Data Protection Policy approved by the Presidency of INDIGITALL.
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and its transposition into Spanish law by Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights, appropriate measures have been adopted, such as the analysis of the legal legitimacy of each data processing activity carried out, risk analysis, impact assessment if the risk is high, activity logging, and the appointment of a Data Protection Officer.
14. THIRD PARTIES
When providing services to other organizations or handling information from other organizations, they will be informed of this Information Security Policy. INDIGITALL will define and approve the channels for information coordination and the procedures for responding to security incidents, as well as all other actions carried out by INDIGITALL in relation to Security with other organizations.
When INDIGITALL uses third-party services or transfers information to third parties, they will be informed of this Security Policy and the existing Security Regulations applicable to those services or information.
Such third parties will be subject to the obligations established in the aforementioned regulations and may develop their own operating procedures to comply with them. Specific procedures for communication and incident resolution will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least to the same level as established in this Security Policy.
Likewise, account is taken of the obligation to comply with the Technical Security Instructions established in the second additional provision of Royal Decree 311/2022, and of the Resolution of October 13, 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction in accordance with the National Security Framework, which establishes that private sector operators providing services or solutions to public entities, for which compliance with the National Security Framework is required, must be able to present the corresponding Statement of Conformity with the National Security Framework for BASIC category systems, or the Certification of Conformity with the National Security Framework for MEDIUM or HIGH category systems.
When any aspect of this Security Policy cannot be satisfied by a third party as required above, a report from the ENS Security Officer will be required, specifying the risks incurred and how to address them. Approval of this report by the officers responsible for the affected information and services will be required before proceeding.
15. CONTINUOUS IMPROVEMENT
Information security management is a process subject to ongoing updates. Therefore, INDIGITALL must implement a continuous improvement process, which will involve, among other actions:
- Review of the Information Security Policy.
- Review of services and information and their categorization.
- Annual execution of risk analysis.
- Conducting internal and external audits.
- Review of security measures.
- Review and updating of standards and procedures.
For INDIGITALL, proper management of information security constitutes a continuous and collective challenge, necessary for the continuity of the Entity.
Use of the Contact Form for External Communications
SMART2ME, S.L. provides its contact form, available on its website, as the official channel for any external party (clients, users, business partners, and the general public) to report technical incidents, system failures, concerns related to data protection, as well as potential breaches of internal controls, corporate policies, or the company’s ethical principles.
All communications received through this form: https://indigitall.com/en/security-form/ will be handled confidentially, in accordance with the guarantees established in this Privacy Policy and, where applicable, those set forth in the SMART2ME, S.L. Code of Conduct and Responsible Practices.