Security Policy

Information Security Policy

1. Organization and Implementation of the Security Process (Art. 13)

Information is a critical and valuable asset for ALPINE SECURITY S.L. (hereinafter, ALPINE SECURITY), as it is essential for the development of its activity. ALPINE SECURITY strives to manage this information accurately and comprehensively, and to ensure its availability.

Information security refers to protecting information against a wide range of threats, with the aim of ensuring business continuity, minimizing risks, and maximizing the return on investments and opportunities.

ALPINE SECURITY therefore recognizes the importance of implementing security measures that safeguard information from both internal and external threats. These threats can include human error, malicious actions (such as fraud, embezzlement, sabotage, or privacy breaches), technical errors, and force majeure events, such as natural disasters.

The management of ALPINE SECURITY is responsible for establishing security policies. The adoption of these directives by the Company will minimize the possible risks it faces in the development of its commercial activities.

2. Scope

This Information Security Policy applies to all individuals who have, or may have, access to ALPINE SECURITY's information, either directly or through information systems, in the performance of their functions.

Accordingly, the scope of this Information Security Policy includes:

  • All ALPINE SECURITY employees, regardless of their status as permanent or temporary employees, as well as any person external to ALPINE SECURITY who has access to the information managed or owned by the organization.
  • All information and information systems owned or managed by ALPINE SECURITY.

3. Regulatory Framework

The regulatory framework for information security within which ALPINE SECURITY carries out its activity is essentially the following:

  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
  • RD 311/2022, of 3 May, which regulates the National Security Scheme in the field of Electronic Administration.
  • ENS. Article 12. Organization and implementation of the security process.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  • ICT Security Guide CCN-STIC 805 ENS. Information Security Policy.
  • ICT Security Guide CCN-STIC 801 ENS. Responsibilities and functions.
  • The applicable collective agreement, corresponding to "Consultancy companies, and market and public opinion studies".
  • Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
  • UNE-EN-ISO 9001, UNE-ISO-IEC 27001.

4. Objectives

The purpose of this Information Security Policy is to establish guidelines for the formulation of security regulations, in order to safeguard and guarantee the fundamental principles of information security: confidentiality, integrity, availability and traceability.

In the preparation of this document and the achievement of the established objectives, the following key aspects have been considered:

  • The Company's information and information systems are critical assets that require protection and assurance of their availability.
  • ALPINE SECURITY information must be protected in accordance with legal requirements, its value, its degree of criticality and its level of sensitivity.
  • The responsibility for protecting these assets lies with all employees and external collaborators who have access to the information.
  • The security measures applied to the information must be established considering its classification, which will determine its level of confidentiality, integrity, availability and traceability. These measures should be determined through continuous risk assessment.

5. Declaration of Principles

The principles that underpin the Information Security Regulations are the following:

  • Information is protected throughout its lifecycle, from its creation or reception, through its processing, communication, transport, storage, dissemination to third parties and eventual destruction.
  • ALPINE SECURITY is responsible for protecting information against unauthorized access, improper disclosure or loss.
  • Each employee has the responsibility and duty to adequately protect the information in accordance with the established security regulations.
  • All personnel, including external personnel or third parties who have access to the information, are subject to ALPINE SECURITY's security regulations.

6. Information Security Policy Considerations

  • The Information Security Policy has been approved by the Management of ALPINE SECURITY.
  • Both the content of this policy and the Information Security Regulations are mandatory for all ALPINE SECURITY personnel, including external contractors.
  • Compliance with the Information Security Policy is essential to protect ALPINE SECURITY's legal rights. Any individual who breaches this policy will be subject to such disciplinary and legal action as ALPINE SECURITY Management deems appropriate.
  • The Information Security Policy is a dynamic document that must be updated and modified as necessary.
  • The Management of ALPINE SECURITY undertakes to promote the necessary actions so that both the internal staff of ALPINE SECURITY and the external personnel and third parties are aware of and apply all the aspects included in this policy.

7. Information Security Regulations

In order to achieve the objectives and principles set out in this policy, a series of regulations have been created that establish the general rules of information security and are organized into specific domains. These regulations serve as the basis for the development of concrete security measures, which are formalized through the implementation of procedures.

The regulations have been defined following the CIS Critical Security Controls (CIS Controls) standard, which provides an internationally recognized framework of reference for security.

CIS01 – Inventory and Control of Business Assets

Control for actively managing all company assets, including end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers, in both physical and virtual infrastructure, as well as remote and cloud environments. This will allow for an accurate inventory of all assets that need to be monitored and protected within the company, and help identify and remove unauthorized or unmanaged assets.

CIS02 – Software Asset Inventory and Control

Control for the management of all software (operating systems and applications) in the company's network by carrying out inventories, monitoring and correction. Only authorized software must be allowed to install and run, while unauthorized or unmanaged software that is found must be prevented from installing and/or running.

CIS03 – Data Protection

Control for the development of processes and technical controls to securely identify, classify, handle, retain and delete data.

CIS04 – Secure Configuration of Enterprise Assets and Software

Control to establish and maintain secure configuration of enterprise assets (user devices, including laptops and mobiles; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

CIS05 – Account Management

Control to define processes and tools for assigning and managing the authorization of user account credentials, including administrator accounts, as well as service accounts, for enterprise assets and software.

CIS06 – Access Control Management

Control to define processes and tools for creating, assigning, managing, and revoking credentials and access privileges for user, administrator, and service accounts for enterprise assets and software.

CIS07 – Continuous Vulnerability Management

Control to develop a plan to assess and continuously track vulnerabilities across all assets within the company's infrastructure, in order to remediate and reduce the window of opportunity for attackers. Monitor public and private industry sources for new information on threats and vulnerabilities.

CIS08 – Audit Log Management

Define procedures for collecting, alerting, reviewing, and retaining event audit logs that could help detect, understand, or recover from an attack.

CIS09 – Email and Web Browser Protection

Control for improving protection and threat detection on the email and web vectors, as these are the channels through which attackers most often try to manipulate human behavior.

CIS10 – Malware Defenses

Control to prevent or control the installation, propagation, and execution of malicious applications, code, or scripts on enterprise assets.

CIS11 – Data Recovery

Control to establish and maintain data recovery practices sufficient to restore in-scope business assets to a pre-incident state of trust.

CIS12 – Network Infrastructure Management

Control to actively establish, deploy, and manage (track, report, remediate) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

CIS13 – Network Monitoring and Defense

Control to operate processes and tools to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.

CIS14 – Security Awareness and Skills Training

Control to establish and maintain a security awareness program to influence workforce behavior so that they are security-conscious and properly trained to reduce cybersecurity risks to the company.

CIS15 – Service Provider Management

Control to develop a process to evaluate service providers that hold sensitive data or are responsible for a company's critical IT platforms or processes, to ensure that these providers protect those platforms and data appropriately.

CIS16 – Application Software Security

Control to manage the security lifecycle of in-house developed, hosted, or acquired software in order to prevent, detect, and fix security weaknesses before they can impact the business.

CIS17 – Incident Response Management

Control to establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to quickly prepare, detect, and respond to an attack.

CIS18 – Penetration Testing

Control to test the effectiveness and resilience of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating an attacker's goals and actions.

8. Security Roles

ALPINE SECURITY has appointed a Security Committee with its Roles and Responsibilities. The ENS Information Security Committee is made up of:

  • Security Manager
  • Systems Manager
  • Information Controller
  • Service Manager
  • Data Protection Officer (DPO)
  • Internal Auditor

The Security Committee will have alternates for each of its members. Appointments are established by the organization's management and are reviewed every 2 years or when a position becomes vacant. Differences in criteria will be dealt with within the Security Committee; the criteria of the Executive Directorate will prevail in all cases.

Information Officer

  • Accept the residual risks with respect to the information, calculated in the risk analysis.
  • Determine the requirements of the information processed.
  • Ensure the security of information in its different aspects: physical protection, protection of services and respect for privacy.
  • Be aware of policy changes (laws, regulations or sectoral practices) that affect the Organization.
  • Adopt the necessary technical and organisational measures to guarantee the security of personal data and prevent their alteration, loss, processing or unauthorised access.

Service Manager

  • Determine the security requirements of the services provided to clients.
  • Review and approve the security levels of the services.
  • Include security specifications in the life cycle of services and systems, accompanied by the corresponding control procedures.
  • Assess the consequences of a negative impact on the security of services.
  • Assume ownership of the risks on the services.

Systems Manager

  • Develop, operate and maintain the System throughout its life cycle, its specifications, installation and verification of its correct operation.
  • Define the topology and management policy of the System, establishing the criteria for use and the services available in it.
  • Define the policy for connecting or disconnecting new computers and users in the System.
  • Implement and control the specific security measures of the System and ensure that these are properly integrated within the general security framework.
  • Determine the authorized hardware and software configuration to be used in the System.
  • Approve any substantial modification of the configuration of any element of the System.
  • Carry out the risk analysis and management process in the System.
  • Investigate security incidents that affect the System and, where appropriate, report them to the Security Manager.
  • Establish contingency and emergency plans, carrying out frequent exercises so that staff become familiar with them.

Security Officer

  • Take the decisions needed to meet the security requirements of information and services.
  • Work to achieve total security of the company's data, as well as its privacy.
  • Supervise, control and manage access to the company's information and its workers.
  • Develop a set of response measures for information-related security incidents, including disaster recovery.
  • Ensure compliance with regulations related to information security.
  • In the case of outsourced services, the ultimate responsibility always lies with the organisation receiving the services.
  • Maintain the security of the information handled and the services provided by the information systems in their area of responsibility.
  • Promote training and awareness in information security.
  • Guarantee the proper use of computer equipment within their area of responsibility.
  • Supervise and coordinate the team in charge of carrying out the response measures in case of security breaches.
  • Act as Point of Contact (POC) for information security with Customers.
  • Carry out security operations to fight fraud and information theft.
  • Design the Training Plan, within the scope of the ENS, for ALPINE SECURITY people who provide services in Public Administration projects.

Data Protection Officer (DPO)

  • Inform and advise the controller or processor and the employees dealing with the processing of their obligations under the Regulation and other data protection provisions.
  • Monitor compliance with data protection provisions, including the assignment of responsibilities, awareness raising and training of personnel involved in processing operations, and the corresponding audits.
  • Provide advice on the data protection impact assessment and monitor its implementation in accordance with Article 35.
  • Cooperate with the supervisory authority.
  • Act as the supervisory authority's contact point for matters relating to processing, including the prior consultation referred to in Article 36.
  • Perform functions paying due attention to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

Internal Auditor

  • Appointed by the Organization's Management.
  • Responsible for evaluating and ensuring compliance with the security requirements of the information and services provided.
  • Conduct regular audits to assess compliance with information security regulations and policies.
  • Determine the effectiveness of the security measures implemented and their alignment with applicable standards and regulations.
  • Review and audit compliance with the National Security Scheme (ENS) and other relevant regulations.
  • Identify and assess risks associated with information security and propose mitigation measures.
  • Conduct periodic risk analysis and keep risk reports up to date.
  • Review and update information security policies and procedures to ensure their relevance and effectiveness.
  • Ensure that security policies are communicated to and understood by all staff.
  • Prepare audit reports and present findings and recommendations to Management.
  • Act as point of contact for information security for both Management and internal and external teams.

9. Reports

The security administrator reports to the System Manager or the Security Officer, depending on their functional dependency, on system security incidents and on configuration, update or remediation actions. In addition:

  • The System Manager informs the Information Manager of functional incidents related to the information for which he or she is responsible.
  • The System Manager informs the Service Manager of functional incidents related to the service for which he or she is responsible.
  • The System Manager reports to the Security Manager on security actions (in particular with regard to system architecture decisions) and consolidated summaries of security incidents.

10. Risk Analysis and Management (Art. 14)

A risk analysis will be carried out, assessing the threats and risks to which the information systems are exposed. This analysis will be the basis for determining the security measures to be adopted. It will be repeated:

  • Regularly, at least once a year.
  • When the information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.
  • When there is a security incident related to the LOPDGDD regulations.
  • When there is a security breach related to the processed information of a user according to the LOPDGDD regulations.

At a minimum, all risks that may seriously impede the provision of services or the fulfilment of the organisation's mission must be addressed. Special priority will be given to risks that imply a cessation in the provision of services or that affect the information processed during the service.

The owner of an asset must be informed of the risks affecting that asset and of the residual risk to which it is subject. When an information system goes into operation, the residual risks must have been formally accepted by their respective owner.

11. Personnel Management (Art. 15)

Personnel, whether in-house or external, involved with the information systems subject to the provisions of Royal Decree 311/2022, must be trained and informed of their duties, obligations and responsibilities in terms of security.

Their actions must be supervised to verify that the established procedures are followed, and they must apply the approved security standards and operating procedures in the performance of their duties.

12. Professionalism (Art. 16)

The security of the information systems will be attended to, reviewed and audited by qualified, dedicated and trained personnel in all phases of their life cycle: planning, design, acquisition, deployment, operation, maintenance, incident management and decommissioning.

ALPINE SECURITY will determine the training and experience requirements necessary for the personnel to carry out their job.

13. Authorisation and Control of Access (Art. 17)

Controlled access to the information systems included in the scope of application of this Royal Decree must be limited to duly authorised users, processes, devices or other information systems, and exclusively to the permitted functions.

The access privileges of a resource (person) to the ALPINE SECURITY information system are restricted by default to the minimum necessary for the performance of its functions.

The ALPINE SECURITY information system will always be configured in such a way as to prevent a resource (person) from accidentally accessing resources with rights other than those authorized.

14. Protection of Installations (Art. 18)

The information systems and their communications infrastructure associated with ALPINE SECURITY must remain in controlled areas and have adequate and proportional access mechanisms based on the risk analysis, without prejudice to the provisions of Law 8/2011, of 28 April, which establishes measures for the protection of critical infrastructures and Royal Decree 704/2011, of 20 May, approving the Regulation on the protection of critical infrastructures.

15. Procurement of Security Products and Contracting of Security Services (Art. 19)

In the acquisition of security products or contracting of information and communication technology security services that are to be used in the information systems within the scope of application of this Royal Decree, those that have certified the security functionality related to the object of their acquisition shall be used, in proportion to the category of the system and the level of security determined.

The Certification Body of the National Scheme for the Evaluation and Certification of Information Technology Security of the National Cryptologic Centre (CCN) will determine the following aspects:

  1. The functional security and assurance requirements of the certification.
  2. Other additional security certifications that are required by regulations.
  3. Exceptionally, the criteria to be followed in cases where there are no certified products or services.

16. Minimum Privilege (Art. 20)

Information systems must be designed and configured granting the minimum privileges necessary for their correct performance, which implies incorporating the following aspects:

  1. The system will provide the essential functionality for the organization to achieve its competence or contractual objectives.
  2. The functions of operation, administration and registration of activity will be the minimum necessary, and it will be ensured that they are only carried out by authorised persons, from authorised sites or equipment.
  3. Functions that are unnecessary or inappropriate for the purpose pursued will be eliminated or deactivated by means of configuration control. The ordinary use of the system must be simple and secure, so that insecure use requires a conscious act on the part of the user.
  4. Security configuration guides will be applied for the different technologies, adapted to the categorization of the system, in order to eliminate or deactivate the functions that are unnecessary or inadequate.

17. Integrity and Updating of the System (Art. 21)

The inclusion of any physical or logical element in the updated catalogue of system assets, or its modification, will require formal authorisation from the ALPINE SECURITY Security Manager.

Permanent evaluation and monitoring will allow the security status of the systems to be adapted in accordance with configuration deficiencies, identified vulnerabilities and updates that affect them, as well as the early detection of any incident that takes place on them. The responsibility will be borne by the ALPINE SECURITY security officer.

18. Protection of Information Stored and in Transit (Art. 22)

In the organisation and implementation of security, special attention will be paid to information stored or in transit through portable or mobile equipment or devices, peripheral devices, information carriers and communications over open networks, which must be specially analysed to achieve adequate protection.

Procedures will be applied to ensure the long-term recovery and preservation of electronic documents produced by the information systems within the scope of application of this Royal Decree, where required.

Any information on non-electronic support that has been a direct cause or consequence of the electronic information referred to in this Royal Decree must be protected with the same degree of security as the latter.

19. Prevention Against Other Interconnected Information Systems (Art. 23)

The perimeter of the information system will be protected, especially if it is connected to public networks as defined in Law 9/2014, of 9 May, on General Telecommunications, reinforcing the tasks of prevention, detection and response to security incidents.

20. Activity Logging and Detection of Harmful Code (Art. 24)

In order to satisfy the purpose of this Royal Decree, and in accordance with the regulations on the protection of personal data, the activities of the users will be recorded, retaining the information strictly necessary to monitor, analyze, investigate and document improper or unauthorized activities, allowing the identification of the person acting at all times.

In order to preserve the security of information systems and in accordance with the provisions of the General Data Protection Regulation, the subjects included in Article 2 may, to the extent strictly necessary and proportionate, analyze incoming or outgoing communications solely for information security purposes, so that it is possible to prevent unauthorized access to networks and information systems, stop denial-of-service attacks, and prevent malicious distribution of harmful code.

Each user who accesses the information system must be uniquely identified, so that it is known, at all times, who receives access rights, what type they are, and who has carried out a certain activity.

21. Security Incidents (Art. 25)

The entity owning the information systems within the scope of this Royal Decree shall have security incident management procedures in accordance with the provisions of Article 33, the corresponding Technical Security Instruction and, in the case of an essential service operator or a digital service provider, in accordance with the provisions of the annex to Royal Decree 43/2021, of 26 January.

Likewise, detection mechanisms, classification criteria, analysis and resolution procedures will be available, as well as channels of communication to interested parties and the registration of actions. This register will be used for the continuous improvement of the security of the system.

22. Continuity of Activity (Art. 26)

The systems shall have backups and the necessary mechanisms shall be put in place to ensure the continuity of operations in the event of loss of the usual means.

23. Continuous Improvement of the Security Process (Art. 27)

The comprehensive security process implemented must be continuously updated and improved. To this end, the criteria and methods recognized in national and international practice regarding the management of information technology security will be applied.

24. Expected Results

The expected results of the Security Policy are as follows:

  • Continuous improvement of security management. The organization will have better security resources in the form of knowledge, procedures, and tools.
  • Consolidation of trust in the Company by customers and suppliers, accompanied by an improvement in the public image.
  • Reduction of costs derived from security incidents, through the progressive implementation of security controls.
  • Ensuring compliance with legal and ethical requirements.