Information Security Policy

1 Executive summary

In every organization there is confidential information, to a greater or lesser degree, whose loss or misuse can damage its reputation. Likewise, the deterioration or unavailability of information systems may interrupt the normal development of operations, producing negative effects on the quality of service and the company’s profits.

The main objective of this document is to mitigate the risks associated with BASETIS information systems by describing what is expected of all personnel belonging to BASETIS and who in the performance of their functions may have access to information, information systems or BASETIS resources in general, in order to protect the confidentiality, integrity and availability of the information and systems managed by BASETIS.

Likewise, it is intended to promote the use of good practices in the area of ​​information security.

For this, the workers of BASETIS give their commitment to comply with and respect the norms included in this document. This Security Policy reflects legal and ethical requirements applicable to the actions of BASETIS employees. For this purpose, it transmits the norms that develop it and the obligations to which it is subject by current legislation.


2 Reach

This policy is applicable to all Basetis employees, as well as to the service provider companies to which it applies, and to all the services that are carried out: Artificial Intelligence, Data Integration & Analytics, Design, Development, Infrastructure, Management & Business, Mobile.


3 Regulatory framework

The following legislation is taken as a reference:

      • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (RGPD).
      • Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights.

4.1 Methodological development

4.1 Observations

This Security Policy, owned by BASETIS, is available to all interested parties as documented information and is communicated within the organization.

4.2 Responsibilities

      • The Information Security Committee is responsible for ensuring that information security is properly managed throughout the organization.
      • Each member of the area / team is responsible for ensuring the protection of the organization’s information, in accordance with the established rules.
      • Each and every one of the users of the BASETIS information system is responsible for the security of the computer assets through the correct use of them, as well as the security of the information and data that they use according to the activities that they develop themselves in their workplace

 

4.3 Development of the Security Policy

General Policy Information Security

BASETIS guarantees the adequate management of the security of the information processed and / or hosted by the systems and services contemplated in the scope.

To develop this Policy, the Security Committee, with the collaboration of the rest of the areas that make up BASETIS, undertakes to:

      • Carry out a periodic risk analysis that allows maintaining an adequate view of the information security risks to which the assets are exposed and developing the necessary measures to limit and reduce said risks, defining the security measures to be established.
      • Develop a complete security regulation that regulates the conditions in which the company, within the established scope, must carry out its activity to respect the established security requirements.
      • Allocate the resources and means necessary to develop all the security measures that are determined, maintaining an adequate balance between cost and benefit.
      • Establish an information security training and awareness plan that helps all the personnel involved to know and comply with the established security measures and to participate proactively in the management of information security.
      • Develop all the necessary measures to guarantee the adequate management of security incidents that may occur, and that allow the resolution of both minor incidents and situations that may put the continuity of the activities contemplated at risk.
      • Periodically establish a set of information security objectives and indicators that allow adequate monitoring of the evolution of security within the company.
      • Establish a methodology for the review, audit and continuous improvement of the system, following a PDCA cycle that guarantees the continuous maintenance of the desired security levels.

 

BASETIS establishes the procedures and forms of action necessary to guarantee the correct development of this Policy, which are reflected in a security system, documented and known by all company personnel, and which meets the requirements established in the Standard.

 

General principles

As established in the scope of application, all personnel, both external and internal, who carry out tasks for BASETIS, must comply with the Security Policy contained in this document.

In the event of non-compliance with any of these obligations, BASETIS reserves the right to veto the personnel who have committed the offense, as well as the adoption of the disciplinary measures that are considered pertinent included in the Disciplinary Process, and that may reach the dissolution of the employment relationship between both parties.

All personnel who access BASETIS information systems must follow the following rules of action:

        • Protect the confidential information belonging to or assigned by third parties to BASETIS from any unauthorized disclosure, modification, destruction or incorrect use, whether accidental or not.
        • Protect all information systems and telecommunications networks against unauthorized access or use, interruptions of operations, destruction, misuse or theft.
        • To obtain access to its own information systems or under the supervision of BASETIS, it will be necessary to have authorized access.
        • It will be necessary to know, accept and comply with this Policy before being able to access BASETIS information systems. 
        • Additionally, all personnel with specific responsibilities within the indicated ambit of action must ensure that the following measures are met:
          • (a) In general, all design, development, implementation and operation must incorporate identification, authentication, access control, auditing and integrity mechanisms, which will be specified for each specific case.
          • (b) Secure and unique identifications must be incorporated for user authentication.
          • (c) For proper security operation, security tasks must be shared between users, administrators and those directly in charge of security itself.
          • (d) All possible precautions should be taken to physically protect systems and prevent them from theft, destruction or interruption.
        • (f) There must be a system recovery plan in the event of theft, destruction or interruption of service.
        • (g) The confidentiality of the information stored must be ensured, both in electronic and non-electronic format.
        • (h) All those involved in the business continuity plan (disaster recovery plan) must know and know how to apply said this plan when necessary.
        • (i) The personnel of the system’s area must have knowledge of the procedures for the recovery of personal data, the sanitization of the supports of personal data and the procedure for the entry / exit of said supports.

 

The Head of the Information Security System (RSGSI) centralizes the global efforts to protect BASETIS assets, in order to ensure the correct functioning of the information technologies that support the organization’s processes. In a generic way, assets include all forms of information, in addition to the people and technology that support the information processes.

The Responsible for the Information Security System will have an updated inventory on the suppliers that will have the following information: name and person in charge of the contract, phone number and contact email, person in charge of the contract in BASETIS, activities developed by the supplier of the service, work start date and end date. For each provider, the users and corporate equipment used must also be reported. The person in charge of the provider in BASETIS must inform the Information Security System Manager area when there are alterations to any of these data.

Confidentiality of information

The confidentiality of information is defined as the guarantee that the information is not improperly disclosed to entities or processes.

In order to preserve it:

        • The personnel who have access to BASETIS information must consider that such information, by default, has the character of Confidential. Only information from BASETIS to which you have had access through the means of public dissemination of information may be considered non-confidential information.
        • Users will protect the confidential information to which they have access, against unauthorized or accidental disclosure, modification, destruction or misuse, whatever the medium in which that information is contained.
        • The maximum reserve will be kept indefinitely and confidential information will not be issued abroad in any type of support, unless it is duly authorized.
        • The fewest number of paper reports containing confidential information will be used and they will be kept in a safe place and out of the reach of third parties.
        • In relation to the use of contact agendas provided by BASETIS (for example, GmaiI) the staff will only enter certain personal data that are essential such as name and surname, the functions or positions held, as well as the postal or electronic address, telephone and number professional fax machines.
        • No external collaborator in specific projects or works should possess, for uses not proper to their responsibility, any material or information of their own or entrusted to BASETIS both now and in the future.
        • In the event that, for reasons directly related to the job, the BASETIS employee comes into possession of confidential information contained in any type of support, it must be understood that such possession is strictly temporary, with an obligation of secrecy and without it confers any right of possession, ownership or copy over said information.
        • Likewise, the BASETIS employee must return the or assets mentioned immediately after the completion of the tasks that have led to the temporary use of them and, in any case, at the end of the relationship with the organization. The continued use of the information in any format or medium other than the one agreed upon and without the knowledge of BASETIS will not imply, in any case, a modification of this point.
        • All these obligations will continue in force after the completion of the activities that the staff develop for BASETIS.

 

Failure to comply with these obligations may constitute a crime of revealing secrets, provided for in article 197 of the Penal Code, which may give the right to demand compensation.

To guarantee the security of Personal Data stored in automated files, staff must observe the following rules of action, in addition to the considerations already mentioned:

        • Staff may only create temporary files containing personal data when necessary for the performance of their work. These temporary files will never be located in local disk drives of the staff’s workstations (personal computers) and must be destroyed when they are no longer useful for the purpose for which they were created.
        • The output of computer media containing personal data, outside the premises where said information is located, may only be authorized by the person responsible for said information or file.
        • The owner of the information will be in charge of verifying the definition and correct application of the procedures for making backup copies and data recovery.
        • Computer media containing personal data must allow the type of information they contain to be identified, inventoried and stored in a place where access is restricted to authorized personnel.

 

Commercially Sensitive Information (ICS)

Companies that carry out regulated activities are prohibited from sharing commercially sensitive information with the companies of the group to which they belong, in the event that they carry out liberalized activities.

For this reason, it is necessary that in the execution of the contracted service BASETIS keep the confidentiality of the commercially sensitive information that the different client companies provide.

Thus, to facilitate compliance with the regulations regarding the separation of activities, a clause that includes said obligation on the part of the supplier will be included in the contract.

For the purposes of this point, commercially sensitive information will be considered any specific information referring to the exercise of regulated activities that is not public and that, if communicated or has been communicated to the liberalized activities, could have an appreciable influence on the result of their business or give them a competitive advantage in the development of the liberalized activities they carry out.

BASETIS will submit to the treatment that clients have established for said information. Likewise, it will ensure that all human resources involved in the execution of the service respect the duty of confidentiality in the terms that have been indicated.

 

Control of physical access to BASETIS facilities.

The following standards are established:

      • Personnel may not stay or perform work in areas not previously defined without supervision.
      • Access to external support personnel will be limited to the BASETIS work areas. This access, like that of any other outsider who requires access to these areas, will be assigned only when necessary and authorized, and always under the supervision of authorized personnel. The control system will keep a record of all access by outsiders.
      • Visitors will be accompanied to the BASETIS offices and the system will record the date and time of their entry and exit. Access will only be allowed after identification of the contact person in BASETIS.

 

Appropriate use of resources

The resources that BASETIS makes available to the staff, regardless of their type (IT, data, software, networks, communication systems, etc.), are available exclusively to fulfill the obligations and purpose of the operation for which they were designed and implanted. All personnel who use these resources must know that they do not have the right to confidentiality in their use. It is strictly prohibited:

        • The use of these resources for activities not related to the purpose of the service, or the excess in their use.
        • The search or exploitation of vulnerabilities in any application or equipment.
        • The equipment and / or applications that are not specified as part of the software or standards of BASETIS’s own computing resources or under its supervision.
        • Introducing obscene, threatening, immoral or offensive content into information systems or the corporate network.
        • Voluntarily introduce any type of malware (programs, macros, applets, ActiveX controls, etc.), grayware, logical device, physical device or any other type of order sequence that causes or is likely to cause any type of alteration or damage to the information resources. The provider will have the obligation to use antivirus programs and their updates to prevent the entry into the systems of any element intended to destroy or corrupt computer data.
        • Try to obtain other rights or accesses different from those that have been assigned to them.
        • Attempting to distort or falsify the information systems “log” records.
        • Trying to decipher the encryption keys, systems or algorithms and any other security element that intervenes in the telematic processes.
        • Possessing, developing or executing programs that could interfere with the work of other users, or damage or alter computer resources.
        • Attempting to destroy, alter, render useless or in any other way to damage electronic data, programs or documents. These acts could constitute a crime of damages, according to current legislation.
        • Store personal data in the local disk drives of the user’s workstations (personal computers).
        • Any file entered in the corporate network or in the user’s workplace through automated media, the Internet, email or any other means, must meet the requirements established in these standards and, especially, those referring to intellectual property, protection of personal data and virus control.
        • Connect non-corporate computers to the BASETIS communications network, except the one enabled for it (Basetis Guests), available for visits, SUPPLIERS, etc. that need a connection with Internet access.

 

Protection against malware

The resources that the worker uses to provide the service to BASETIS must follow the following indications:

        • Systems will be kept up to date with the latest available security updates.
        • Antivirus software should be installed and used on all servers, if any, and on all personal computers to reduce the operational risk associated with viruses or other malicious software.
        • Antivirus software should always be enabled. An automatic update of the virus definition files will be established on both personal computers and servers, where appropriate, as well as blocking against the detection of computer viruses.
        • All software must be properly licensed or open software, so the use of pirated software, crackers, etc. is expressly prohibited.
        • In the event that any malware is detected on one of the computers connected to the BASETIS network, said computer will be disconnected from said network without prior notice being necessary. The Responsible for the Information Security System will notify the corresponding area with the available means of the problem found and will proceed to eliminate the malware detected. The connection back to the corporate network must be authorized by the Information Security System Manager, who will request all the necessary information about the equipment in order to ensure its cleanliness.

 

Exchange of information

The following standards are established:

        • Users must not hide or manipulate their identity under any circumstances.
        • In cases where BASETIS assigns a generic user, an updated list of the people who use said generic user will be kept at all times.
        • The distribution of information, whether in digital or paper format, will be carried out through the devices provided by BASETIS for this purpose and with the sole purpose of facilitating the functions of the position. BASETIS reserves, depending on the risk identified, the implementation of control, recording and auditing measures on these dissemination devices.

In relation to the exchange of information, the following activities will be considered unauthorized:

        • Transmission or reception of material protected by Copyright in violation of the Intellectual Protection Law.
        • Transmission or receipt of all kinds of pornographic material, messages or jokes of an explicit sexual nature, racial discrimination statements and any other kind of statement or message classifiable as offensive or illegal.
        • Transfer of files to unauthorized third parties of BASETIS material or material that is in some way or another confidential.
        • Transmission or reception of files that violate the Law on Protection of Personal Data or BASETIS guidelines.
        • Transmission or reception of games and / or applications not related to the business.
        • Participation in Internet activities such as newsgroups, games, betting or others that are not directly related to the business.
        • All activities that could damage the good reputation of BASETIS are prohibited on the Internet and elsewhere. This also refers to activities carried out for the economic benefit of the user or third parties, and to activities of a political nature.
        • Any output of information that contains personal data (both on computer media, on paper or by email) may only be carried out by authorized personnel and with due permission.
        • If the processing of personal data is carried out outside the premises where the file is located, such processing must be expressly authorized by the person responsible for the file and, in any case, the level of security corresponding to the type of file must be guaranteed.
        • The transmission of high-level personal data through telecommunications networks will be carried out by encrypting said data or using any other mechanism that guarantees that the information is not intelligible or manipulated by third parties.

 

Use of email

The email account is considered a tool that the organization must provide for the performance of the work.

The following general criteria are established:

        • Each user of BASETIS computer systems will have a specific and unique email account, exclusively assigned to said user (xxx@basetis.com)
        • External users will not have a BASETIS email address.

Exceptionally, in consideration of justified circumstances, and always with prior express authorization, an external user may have a BASETIS email address. In this case, the person responsible for the BASETIS service and / or project for which that person will work must submit the corresponding request to the Systems team and once approved an account is created in the same way as that of an internal user, but it is assigned to a different organizational unit called “Externals”. For practical purposes there are no differences in the accounts. If necessary, access to services will be restricted.

The use of email by external users will be subject to the following rules:

        • E-mail is considered one more work tool provided to the user in order to be used according to the use for which it is intended. This consideration will empower BASETIS to implement control systems designed to ensure the protection and proper use of this resource. This power, however, will be exercised while safeguarding the dignity of the user and their right to privacy.
        • The BASETIS email system should not be used to send fraudulent, obscene, threatening messages or other similar types of communications.
        • Users should not create, send or forward advertising or pyramid messages (messages that extend to multiple users).
        • The transmission via email of information containing high-level personal data is not allowed, unless the electronic communication is encrypted and the sending is expressly allowed.
        • The transmission via email of BASETIS confidential information is not allowed unless the electronic communication is well encrypted and the sending is expressly allowed.

 

Internet connectivity

The use of the internet by users will be subject to the following rules:

        • Internet is a work tool. All activities on the Internet must be related to tasks and work activities. Users should not search for or visit sites that do not support the service provided to BASETIS.
        • All traffic to and from the Internet will be inspected for threats. In the event that a computer is accessing sites classified as malicious (pornography, gaming, etc.) or outside the business, it may be disconnected from the network without prior notice being necessary.
        • BASETIS reserves the right to, as permitted by the legal framework, and without prior notice, limit total or partial access to the Internet from the organization’s computer network and terminals.
        • Access to the Internet from the corporate network is restricted by means of control devices incorporated in it. The use of other means of connection must be previously validated and will be subject to the above considerations on the use of the Internet.
        • Users should not use the name, symbol, BASETIS logo or symbols similar to it, in any Internet element (email, web pages, etc.) not justified by strictly work activities.
        • The transfer of data from or to the Internet will only be allowed in connection with the activities of the service provided to BASETIS. The transfer of files not related to these activities (for example, downloading computer games, sound files and multimedia content) is prohibited, and the use of P2P software or torrents is expressly prohibited.

 

Responsibility of the user

Every user, by the mere fact of being one, assumes certain responsibilities:

        • Each user will be responsible for their identifier (company account) and everything derived from it, so it is essential that it is only known by the user himself; You should not reveal it to other users under any circumstances.
        • The user will be responsible for all the actions registered in the BASETIS computer systems with their identifier.
        • Users must follow the policies defined in relation to password management.
        • Users should ensure that computers are protected when unattended.

The following clean desk standards will be established to protect paper documents and removable storage devices in order to reduce the risks of unauthorized access, loss and damage of information, both during normal working hours and outside of it:

        • Store under lock and key, when appropriate, paper documents and computer media, in secure furniture when they are not being used, especially outside working hours.
        • Do not leave computers assigned to critical functions unattended and block their access when strictly necessary.
        • Ensure the confidentiality of documents both at the information reception and sending points (postal mail, scanners and fax machines) and at the duplicating equipment (photocopier, fax and scanner).
        • The reproduction or sending of information with this type of device is the responsibility of the user.
        • Listings with personal data or confidential information must be stored in a secure place to which only authorized personnel have access.
        • Listings with personal data or confidential information must be safely deleted once they are no longer necessary.

If incidents or weaknesses related to information security are identified, users are prohibited from conducting tests to detect and / or use this alleged weakness or security incident.

 

User equipment

The following principles are established on the computer equipment associated with the user’s position:

        • All user stations with connectivity to BASETIS computing resources will be controlled by Helpdesk / Systems.
        • No user will try by any means to violate the security system and authorizations, nor will they have tools that can do so.
        • The capture of network traffic by users is prohibited, unless auditing tasks expressly authorized by the BASETIS Information Security System Manager area are being carried out.
        • When a position is unattended for a short period of time, the user must activate its lock. When the work day is over, the equipment should be turned off.

 

User IDs and passwords

All personnel who access BASETIS information systems within their ambit of work are responsible for ensuring that data, applications and computer resources are used only for the development of the operations for which they were created and implemented. .

These personnel are obliged to use BASETIS resources and the data contained in them without engaging in activities that may be considered illicit or illegal.

To obtain access to information systems, these personnel must have authorized access (user identifier and password) over which, as users of information systems, they must observe the following principles of action and good practices:

        • When the user receives their access identifier to the BASETIS systems, it is considered that they formally accept the current Security Policy.
        • Users must keep their access credentials confidential.
        • All users with access to an information system will have a single access authorization composed of a user identifier and password.
        • The first log on from external computers is notified to the account manager (Systems team). In this case, it is valid with the user who has made the log on, which was actually him or her. Successive “log on” from that computer are no longer notified because it is considered a valid computer. If that log on had not been made by the user, we proceed to investigate the cause and change the user’s password.
        • Users are responsible for all activity related to the use of their authorized access.
        • Users must not use any authorized access from another user, even if they have the owner’s authorization.
        • Users will have authorized access only to those data and resources that they require for the development of their functions.
        • Users should not include passwords in automated login processes, for example, those stored in a macro or function key.
        • Passwords will be made up of a combination of alphabetic and numeric characters. Everything related to user passwords is included in the Access Control Policy.
        • Users must not reveal their identifier and / or password to another person under any circumstances or keep it in writing in view or within the reach of third parties.
        • Users should not use the same passwords for personal and professional use.
        • The temporary authorized accesses will be configured for a short period of time. Once this period has expired, the systems will be deactivated.
        • In relation to personal data, exclusively the personnel authorized to do so in the Security Document may grant, alter or cancel the authorized access to the data and resources, in accordance with the criteria established by the person responsible for the file.
        • If a user suspects that her authorized access (user identifier and password) is being used by another person, she must immediately change her password and contact the helpdesk area to notify the incident.

 

Software

The following principles are established about the software:

        • All personnel who access BASETIS information systems must only use the indicated software versions and follow their rules of use.
        • All staff are prohibited from installing illegal copies of any program, including standardized ones.
        • Use of non-validated software is prohibited.
        • The use of software without its respective license is prohibited.
        • The use of cracked or pirated software is prohibited.

 

Access management

There is a formal Policy for the registration, granting, alteration and revocation of access to users, applicable to all BASETIS Information systems.

The following principles are established:

        • There is a formal Policy for the management of user access to the systems.
        • The communication of the rules and responsibilities in the use of BASETIS information systems to users must be ensured when assigning them any access to the systems.
        • For each system there is a set of profiles and privileges that are attributed to users according to their needs.
        • The access privileges to the systems are attributed to the users considering the effective needs for the performance of their functions, and should not be attributed either by excess or by default.
        • BASETIS systems, by default, block access to unauthorized users, until the person responsible for a system / application does not issue said authorization.
        • The access privileges to the systems guarantee a correct segregation of functions. In cases where the segregation of duties cannot be guaranteed, appropriate compensatory controls are in place.
        • Any request for the attribution or modification of access privileges to BASETIS systems is made through the Area Manager and / or the RSGSI.
        • Accesses and respective privileges are only implemented on systems after obtaining all necessary approvals.
        • A formal record is kept of all authorized users and their respective access privileges to BASETIS systems.
        • The modifications in the access needs to the systems must be accompanied by the adjustments to the access rights.
        • The access privileges to the systems attributed to users are automatically revoked when their professional relationship with BASETIS ends.
        • A periodic review is carried out in order to eliminate or block redundant or unnecessary accounts.
        • Users must have associated individual identifiers (user ID), protected by password.
        • The use of generic identifiers (generic or group accounts) should be allowed only in exceptional cases duly justified, approved and registered.
        • Generic accounts are associated with an individual user responsible for that account.
        • The nomenclature used in the generation of the identifiers obeys rules defined by BASETIS.
        • The user identifier allows you to recognize your identity, but never your privilege levels.
        • The identifier must be personal, exclusive and unique for all systems (when technically feasible).
        • The identifiers of users who no longer have a link with BASETIS cannot be attributed to other users.
        • In the cases of high turnover areas referred to in the previous point, there must be a formal approval of the exception by the person in charge of the area.
        • For exceptions, a history of the people associated with a user ID and the duration of said association (start and end dates) must be recorded and maintained.
        • BASETIS reserves the right to, without prior notice, block, suspend, modify and monitor the users of its systems and their respective access privileges.

 

Intellectual property

In relation to Intellectual Property, the following principles will apply:

        • Users who access the Internet from the BASETIS computer network and terminals are responsible for respecting the intellectual property rights applicable to the accessed content.
        • Compliance with legal restrictions on the use of material protected by intellectual property regulations will be guaranteed.
        • Users may only use material authorized by BASETIS for the development of their functions.
        • The use of computer programs without the corresponding license is strictly prohibited.
        • Likewise, the use, reproduction, assignment, transformation or public communication of any type of work or invention protected by intellectual property without due authorization is prohibited.
        • BASETIS will only authorize the use of material produced by it, or material authorized or supplied to it by its owner, in accordance with the agreed terms and conditions and the provisions of current regulations.

 

 Incidence

In the case of detecting any incident related to information systems, the following rules will be followed:

        • All personnel must contact the Responsible for the Information Security System (RSGSI) in case they detect any incident related to BASETIS information or IT resources that may affect the SGSI.
        • Any user may send the Information Security System Manager (RSGSI) to (iso27001@basetis.com) suggestions and / or weaknesses, which may be related to information security and the guidelines contemplated in this Policy.
        • The Responsible for the Information Security System must be notified of any incident that is detected and that affects or may affect the security of personal data: loss of lists and / or diskettes, suspicions of improper use of authorized access by others people, data recovery, etc.
        • BASETIS centralizes the collection, analysis and management of the incidents received.

 

4.4 Security requirements for outsourcing

The supplier company (SUPPLIER) must document and apply the adequate system to ensure the following requirements:

        • The affected personnel must know and apply the Security Policy.
        • Applicable regulatory and regulatory requirements must be met.
        • BASETIS will provide the supplier with a document with the guidelines to follow for connection to its corporate network and the installation of workstations.
        • The list of authorized users and the access log will be available for verification by the person responsible for the service.
        • Occasional access to the facilities by unauthorized persons must be recorded. These people will be duly identified and accompanied at all times by authorized personnel.
        • The person responsible for the service by BASETIS may personally verify these conditions or delegate to another person from BASETIS or to another specialized company. Access should be provided for aspects related to internal or external audits when BASETIS deems it appropriate.
        • The SUPPLIER will notify the Information Security System Manager (iso27001@basetis.com) if there has been a security breach or any change in the security system at the time it is detected. Said breach will be considered a non-conformity according to its ISO 27001 Information Security system.
        • The system must take into account the Return / Destruction Policy for data and assets once the service has ended. If any breach of these requirements is detected, it will be registered in your ISO 27001 Information Security system where the pertinent corrective and preventive actions will be established and it will be followed up until its closure within a maximum period agreed with the person responsible for the service.

BASETIS reserves the right to demand:

        • The implementation of any mechanism that BASETIS deems necessary to guarantee the security of access to your data and assets. Likewise, it may demand the appropriate penalties and / or guarantees based on the risks of non-compliance or deterioration of the service assets.
        • The presence and collaboration of all collaborating companies and suppliers and their best help in restoring – under the direct coordination of BASETIS – the normal activity of their business operations, after they have been interrupted by an emergency or disaster.
        • The holding of business continuity or contingency policies and plans that allow ensuring the continuity of the activities of these companies in the event that they are affected by a catastrophe or disaster situation. Similarly, BASETIS reserves the right to audit the existence and degree of implementation of the aforementioned plans.

4.5 Monitoring and control (Continuous improvement)

The BASETIS SGSI must continually improve the suitability, adequacy and its effectiveness through internal and external audits, Management Review, risk analysis, Non-Conformities, and corrective actions, among other tools of the management system. .

For this reason, to ensure said improvement, and to ensure the correct use of the aforementioned resources, through the formal and technical mechanisms that are deemed appropriate, BASETIS will check, either periodically or when for specific security or service reasons it results convenient, the correct use of said resources by all users. In case of appreciating that someone uses applications and / or data incorrectly, mainly, as well as any other computer resource, such circumstance will be communicated to her and she will be provided, where appropriate, the necessary training for the correct use of resources.

In case of bad faith in the incorrect use of the applications and / or data, mainly, as well as any other computer resource, BASETIS will exercise the actions that legally protect it for the protection of your rights.


5 Update of the Security Policy

Due to the evolution of technology itself, security threats and new legal contributions on the matter, BASETIS reserves the right to modify this Policy when necessary.

The review will include evaluation opportunities to improve the policy and an information security management approach in response to changes in the organizational environment, business circumstances, legal conditions, or changes in the technical environment. The results of the security management reviews, but also of the general activities of BASETIS relevant to the scope of application of the SGSI, will be taken into account.

The changes made in this Policy will be disclosed to all the workers of the organization, as well as to the service provider companies to which it applies, using the means that are considered pertinent. It is the responsibility of each supplier company to ensure the reading and knowledge of the most recent BASETIS Security Policy by its personnel.


6  Others

6.1 Abbreviations, Acronyms and Definitions

LOPD Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights

RSGSI Responsible for the Information Security Management System

ICS Commercially sensitive information