Electrònica Saltó, SLU, as a company dedicated to the development, support and implementation of software, is committed to information security and to managing information appropriately, with the aim of offering all its stakeholders the best guarantees regarding the security of the information used.

For all of the above, the Management establishes the following information security objectives:
– Provide a framework for increasing resilience to provide an effective response to critical security situations.
– Ensure the rapid and efficient recovery of services in the face of any physical disaster or contingency that may occur and that could jeopardise the continuity of operations.
– Prevent information security incidents as far as technically and economically feasible, as well as mitigate the information security risks generated by our activities.
– Guarantee the confidentiality, integrity, availability, authenticity and traceability of information.

 

In order to achieve these objectives, it is necessary to:

  • Continuously improve our information security system.
  • Comply with applicable legal requirements, with any other requirements we subscribe to and with our commitments to our clients, and keep these continuously updated.
  • Identify potential threats, as well as the impact on business operations that these threats, should they materialise, could cause.
  • Preserve the interests of our main stakeholders (customers, shareholders, employees and suppliers), reputation, brand and value creation activities.
  • Work together with our subcontractors and sub-suppliers in order to improve the provision of TU services, the continuity of services and the security of information, which will result in greater efficiency in our activity.
  • Evaluate and guarantee the technical competence of our staff, and ensure that they are adequately motivated to participate in the continuous improvement of our processes, providing the appropriate training and internal communication so that they develop the good practices defined in the system.
  • Guarantee the correct state of the facilities and adequate equipment, so that they are in line with the activity, objectives and goals of the company.
  • Guarantee a continuous analysis of all the relevant processes, establishing the relevant improvements in each case, according to the results obtained and the established objectives.
  • Structure our management system in a way that is easy to understand.

 

Our management system has the following structure:

 

Regulatory framework
– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
– Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
– Royal Legislative Decree 1/1996, of 12 April 1996, the Intellectual Property Act.
– Royal Decree-Law 2/2018, of 13 April, amending the revised text of the Intellectual Property Law.
– Royal Decree 3/2010, of 8 January, on the development of the National Security Scheme as amended by Royal Decree 951/2015, of 23 October.
– REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (European eIDAS Regulation).

– Prevention of Occupational Risks Law 31/1995 of 8 November 1995 and Royal Decree 39/1997 of 17 January 1997, approving the Prevention Services Regulations.
– Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
– RD-Law 13/2012 of 30 March, the cookies’ law.
– Royal Legislative Decree 1/1996, of 12 April, which approves the revised text of the Law on Intellectual Property, regularising, clarifying and harmonising the current legal provisions on the subject.

– Resolution of 7 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instructions of the Security Status Report.
– Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instructions in accordance with the National Security Scheme.
– Resolution of 27 March 2018, of the Secretary of State for Public Administration, approving the Technical Security Instructions for Auditing the Security of Information Systems.
– Resolution of 13 April 2018, of the Secretary of State for Public Administration, approving the Technical Security Instructions for Security Incident Notification.
– Royal Decree 311/2022, of 3 May, regulating the National Security Scheme.

 

Management of the system
The management of our system is entrusted to the person in charge of Management. The system will be available in a repository in our information system, which can be accessed according to the access profiles granted under our current access management procedure.
These principles are assumed by the Management, which has the necessary means and provides its employees with sufficient resources for their fulfilment, and they are set out and made public through this Integrated Management Systems Policy.

 

Roles and responsibilities
The security roles or functions defined in Saltó are:

Responsible for the information:
– Take the decisions related to the information processed.

Responsible for the services:
– Coordinate the implementation of the system.
– Continuous improvement of the system.

Responsible for security:
– Determine the suitability of technical measures.
– Provide the best technology for the service.

Responsible for the system:
– Coordinate the implementation of the system.
– Continuous improvement of the system.

Management:
– Provide the necessary resources for the system.
– Lead the system.

This definition is completed in the job profiles and in the system documents.
The procedure for designating and renewing these roles is ratification in the security committee.
The committee for the management and coordination of security is the body with the greatest responsibility within the information security management system, so that all the most important decisions related to security are agreed by this committee. The members of the information security committee are:
– Head of information.
– Head of services.
– Head of security.
– System manager.
– Company Management (sole administrator).

These members are appointed by the committee, the only body that can appoint, renew and dismiss them.
The security committee is an autonomous, executive body with the authority to make its own decisions, and its activities must not be subordinated to any other element of our company.

This policy is complemented by the rest of the policies, procedures and documents in force to develop our management system.

Date of approval of the policy: 03/10/2024.

Version: 1.1
