1. Introduction

Information security is a fundamental pillar of BASETIS’s business strategy. The purpose of the Information Security Policy (hereinafter, the Policy) is to adopt a set of measures aimed at preserving the confidentiality, integrity, and availability of information, which constitute the three basic components of information security.

BASETIS is committed to adopting best practices to protect information assets. This Policy establishes the principles and guidelines governing information security throughout the organisation.

2. Mission

BASETIS’s purpose is to put people at the centre and build relationships based on trust (Developing trust). BASETIS understands Information Security as the indispensable basis for sustaining that trust, guaranteeing the excellence and continuity of our services (Committing services), protecting well-being and privacy (Thinking of people), and contributing to an ethical, secure, and responsible digital environment (Pushing social change).

3. Commitments

BASETIS is committed to:

• Complying with the applicable requirements for Information Security.
• Providing the necessary economic, financial, and personnel resources for the implementation, maintenance, and continuous improvement of the Management System.
• Communicating this policy to all interested parties.
• Establishing and reviewing the security objectives annually to ensure their adequacy and effectiveness.

4. Security Objectives

At BASETIS, the fundamental objective of the security strategy is to ensure business continuity, preserve the confidentiality, integrity, and availability of information, and minimise the risk of damage by preventing security incidents and reducing their potential impact when they are unavoidable.

To ensure the correct operation of the Management System, the Security Committee, together with the Global Area (Management), annually determines the priority security objectives and strategies.

The Security Committee carries out a quarterly monitoring of the established objectives, measuring the progress of the KPIs defined for each of them.

5. Values

Information security management at BASETIS is based on the following values, which must always be present in any activity related to information processing, and to which it is committed:

Confidentiality of Information

The information to which users have access will be protected against unauthorised or accidental disclosures, regardless of the medium in which that information is contained. Likewise, efforts will be made to preserve the confidentiality of commercially sensitive client information to which BASETIS may have access.

Integrity of Information

It will be guaranteed that the information is accurate, complete, and cannot be modified or destroyed in an unauthorised manner.

Availability of Information

BASETIS is responsible for ensuring that authorised users have access to the information and associated information systems when necessary for the correct performance of operations.

Responsibility for Security

BASETIS fosters a culture in which every person understands and assumes their responsibility in the protection of information.

Risk Management

An approach based on risk management will be adopted. Risk analysis will be an essential part of the information security process. This risk management will allow for the maintenance of a controlled environment.

Security by Design (or Security by Default)

Information security must be considered as part of regular operations, being present and applied throughout the entire process of design, development, and maintenance of information systems.

Continuous Improvement

To guarantee the continuous maintenance of security levels and the effectiveness of the Information Security Management System, internal and external audits, periodic reviews, definition of security training and awareness plans, preparation of a risk treatment plan, etc., must be carried out.

6. Review of the Information Security Policy

Due to the evolution of technology itself, security threats, and new legal contributions in the matter, BASETIS reserves the right to modify this Policy when necessary. The review will include evaluation opportunities to improve the policy and an approach to information security management in response to changes in the organisational environment, business circumstances, legal conditions, or changes in the technical environment.