Information Security Policy

Espiral MS considers information to be one of the relevant assets for offering products and services to its customers, and it therefore requires adequate protection. For this reason, Espiral MS includes Information Security Management within its Management System as a mechanism to establish clear guidelines and security measures to:

– guarantee the confidentiality, integrity and availability of the information,

– ensure compliance with the security requirements established by the organization itself and those agreed with its customers,

– ensure compliance with applicable laws, regulations and standards,

– guarantee the continuity of the organization and its business operations.

The infrastructure that supports the services, as well as the information and applications that manage the services provided by Espiral MS, are within the scope of the Information Security Management System, which is integrated into the Management System. The policies, objectives and procedures established therein are therefore applicable to them.

The application used for asset management and risk analysis makes it possible to evaluate risk by service. For this purpose, the services included in the Management System have been defined and the information assets involved in each of them have been identified.

The internal support staff of Espiral MS is responsible for establishing and maintaining the necessary security measures for the correct provision of services. Any security incident in the systems that support the service must be reported and recorded.

Objective

The objective of this Information Security Policy is to establish clear guidelines and security measures to protect the organization’s confidential information, ensure the availability and reliability of information systems, and comply with applicable security regulations and standards.

The Security Policy is mandatory for all personnel. It is also applicable to the entire scope established in the Framework below.

Commitments

The Security Committee will promote the implementation of all organizational, procedural, physical and logical controls necessary to adequately protect the information assets of Espiral MS, as indicated in this policy or other elements of the regulatory body (derived policies, procedures, baselines, technical instructions, etc.), and will channel them to the different areas and business processes.

At Espiral MS, the importance of Information Security is expressed more concretely in the following commitments:

– Commitment to confidentiality: The company is committed to protecting the confidentiality of information, ensuring that only authorized persons have access to it. Access to systems and data should be restricted and granted only to authorized users based on their role and need-to-know, and appropriate authentication controls must be implemented.

– Commitment to information integrity: The company is committed to ensuring the integrity of the information, avoiding any unauthorized modification or alteration.

– Commitment to information availability: The company is committed to ensuring the continuous availability of information for authorized users. This implies the implementation of protection measures against interruptions and failures, applying the appropriate business continuity plans.

– Commitment to appropriate security incident response: The company has established an incident management process that includes the notification, investigation, response and recovery from security incidents. The organization will seek to implement any improvements that may help prevent similar incidents in the future.

– Commitment to risk management: The company is committed to identifying, assessing and managing information security risks.

– Commitment to privacy protection: The company is committed to protecting the privacy of individuals’ personal information by complying with applicable data protection laws and regulations and obtaining appropriate consent where necessary.

– Commitment to education and awareness: The company is committed to information security awareness and training for all employees, as well as to promoting good practices in the use of technological resources.

– Commitment to monitoring and compliance: The company is committed to conducting regular internal and external audits to ensure compliance with security policies and standards. In addition, it is committed to taking timely action when security violations are identified.

– Commitment to continuous improvement: The company is committed to continuously reviewing and improving information security controls, considering technological advances, new threats and lessons learned from previous incidents.

– Commitment to external collaboration: The company is committed to collaborating with external bodies and entities, such as government agencies and threat intelligence sharing organizations, to share relevant information and collaborate in the fight against cybercrime.
