{"id":1520,"date":"2025-03-31T11:27:18","date_gmt":"2025-03-31T11:27:18","guid":{"rendered":"https:\/\/indigitall.ankaa.dev\/?page_id=1520"},"modified":"2025-07-08T11:21:12","modified_gmt":"2025-07-08T11:21:12","slug":"security-policy","status":"publish","type":"page","link":"https:\/\/indigitall.ankaa.dev\/en\/security-policy\/","title":{"rendered":"Security Policy"},"content":{"rendered":"","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false},"class_list":["post-1520","page","type-page","status-publish","hentry"],"acf":{"flexible_content":[{"acf_fc_layout":"hero_utility_page","pretitle":"Legal Page","title":"Security Policy"},{"acf_fc_layout":"legal_text","info_items":[{"title":"name","text":"SMART2ME, S.L"},{"title":"CIF","text":"B86653938"},{"title":"ADDRESS","text":"Paseo de la Castellana, 139, 28020 Madrid"},{"title":"PHONE","text":"+1 (213) 336-4050"},{"title":"EMAIL","text":"rgdp@indigitall.ankaa.dev"}],"content":"INDIGITALL\u2019s Information Security Management System pursues as a fundamental objective the protection of information by offering its workers, collaborators, suppliers and clients a safe work environment through the appropriate security measures and operational processes.\r\n<div class=\"relative\">\r\n<div class=\"prose text-pretty dark:prose-invert inline leading-normal break-words min-w-0 [word-break:break-word]\">\r\n<h1 id=\"information-security-policy\" class=\"font-display first:mt-xs mb-3 mt-8 text-lg font-[500] leading-[1.5em] lg:text-xl dark:font-[475]\">INFORMATION SECURITY POLICY<\/h1>\r\n<h2 id=\"1-approval-and-entry-into-force\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">1. 
APPROVAL AND ENTRY INTO FORCE<\/h2>\r\n<p class=\"my-0\">Text approved on March 19, 2025, by resolution of the General Manager of SMART2ME, S.L (hereinafter INDIGITALL).\r\nThis \u201cInformation Security Policy,\u201d hereinafter referred to as the Policy, will be effective from its date of approval and will remain in force until it is replaced by a new Policy.<\/p>\r\n\r\n<h2 id=\"2-introduction\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">2. INTRODUCTION<\/h2>\r\n<p class=\"my-0\">INDIGITALL relies heavily on ICT systems (Information and Communication Technologies) to achieve its objectives and recognizes that digital transformation has led to an increase in risks associated with the information systems that support public services. As a provider to the public sector, INDIGITALL must adequately manage these risks.\r\nThe objective of this risk management is to protect Information and Communication Technology systems from accidental or deliberate harm that could affect the availability, integrity, confidentiality, authenticity, or traceability of the information processed by INDIGITALL within the framework of services provided to the public sector, and more specifically to residential and social-health centers.\r\nICT systems must be protected against rapidly evolving threats that can impact the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure the continuous delivery of services. 
This means that departments must apply the minimum security measures required by the National Security Framework, continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure service continuity.\r\nThe different departments of INDIGITALL must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and contracting of ICT projects.\r\nDepartments must be prepared to prevent, detect, respond to, and recover from incidents, in accordance with Article 8 of the National Security Framework (ENS).<\/p>\r\n\r\n<h2 id=\"3-scope\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">3. SCOPE<\/h2>\r\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\">3.1 Subjective Scope<\/h2>\r\n<p class=\"my-0\">This Policy applies to all INDIGITALL personnel, as well as all individuals or entities, both internal and external, providing services to INDIGITALL, whether on their own premises or remotely.<\/p>\r\n\r\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\">3.2 Objective Scope<\/h2>\r\n<p class=\"my-0\">This Policy applies to INDIGITALL\u2019s information systems related to the \u201cmarketing automation\u201d Platform services in a SaaS model.<\/p>\r\n\r\n<h2 id=\"4-regulatory-framework\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">4. REGULATORY FRAMEWORK<\/h2>\r\n<p class=\"my-0\">The identification and maintenance of the regulatory framework will be the responsibility of INDIGITALL\u2019s Security Officer and will be governed by the procedure for identifying and assessing legal requirements. 
Mandatory technical security instructions published by resolution of the Secretary of State for Digitalization and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation, or the entity assuming those functions, will be included.\r\nLikewise, the Security Officer will also be responsible for identifying CCN security guidelines, which will be applied to improve compliance with the National Security Framework (ENS).<\/p>\r\n\r\n<h2 id=\"5-minimum-security-requirements\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">5. MINIMUM SECURITY REQUIREMENTS<\/h2>\r\n<p class=\"my-0\">INDIGITALL\u2019s Security Policy regulates the continuous management of the security process. This Policy has been established in accordance with the basic principles set out in Chapter II of the ENS and is developed considering the application of the following minimum security requirements:<\/p>\r\n<p class=\"my-0\">a)\u2003Organization and implementation of the security process (art.13)\r\nb)\u2003Risk analysis and management (art.14)\r\nc)\u2003Personnel management (art.15)\r\nd)\u2003Professionalism (art.16)\r\ne)\u2003Authorization and access control (art.17)\r\nf)\u2003Protection of facilities (art.18)\r\ng)\u2003Procurement of security products and contracting of security services (art.19)\r\nh)\u2003Minimum privilege (art.20)\r\ni)\u2003System integrity and updating (art.21)\r\nj)\u2003Protection of stored and in-transit information (art.22)\r\nk)\u2003Prevention regarding other interconnected information systems (art.23)\r\nl)\u2003Activity logging and detection of malicious code (art.24)\r\nm)\u2003Security incidents (art.25)\r\nn)\u2003Business continuity (art.26)\r\n\u00f1)\u2003Continuous improvement of the security process (art.27)<\/p>\r\n<p class=\"my-0\">To meet these minimum requirements, INDIGITALL will apply the security measures in Annex II of the ENS, considering:<\/p>\r\n\r\n<ul 
class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">The assets that make up INDIGITALL\u2019s information system.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">The security category of the system, as provided in Article 40.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">The decisions made to manage identified risks.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<h2 id=\"6-basic-principles\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">6. BASIC PRINCIPLES<\/h2>\r\n<p class=\"my-0\">INDIGITALL\u2019s Information Security Policy establishes the following basic principles to be observed in the use of information systems:<\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\"><strong>Security as a comprehensive process:<\/strong> Security is a process that encompasses all human, material, technical, legal, and organizational elements related to information systems.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Comprehensive risk-based management:<\/strong> Risk analysis and management are essential parts of the security process and must be ongoing and continuously updated. Risk management will help maintain a controlled environment, minimizing acceptable risks.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Prevention, detection, response, and preservation:<\/strong> Information system security must address prevention, detection, and response actions.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Existence of lines of defense:<\/strong> INDIGITALL\u2019s information system must have a protection strategy consisting of multiple layers of security.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Continuous monitoring and periodic reassessment:<\/strong> Continuous monitoring allows for the detection of abnormal activities or behaviors and timely response. 
Ongoing evaluation will measure progress, and security measures will be periodically reassessed and updated to ensure their effectiveness as risks and protection systems evolve.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<h2 id=\"7-information-security-objectives\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">7. INFORMATION SECURITY OBJECTIVES<\/h2>\r\n<p class=\"my-0\">INDIGITALL establishes the following Security objectives:<\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">Guarantee the protection of information.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Physical security:<\/strong> INDIGITALL places information systems in secure areas, protected by physical access controls appropriate to their level of criticality.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Access control:<\/strong> INDIGITALL limits access to information assets by users, processes, and other information systems through the implementation of identification, authentication, and authorization mechanisms tailored to the criticality of each asset.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Acquisition, development, and maintenance of information systems:<\/strong> INDIGITALL considers security aspects in all phases of the information systems lifecycle.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Ensure continuous service delivery:<\/strong> INDIGITALL implements appropriate procedures to ensure the availability of information systems and maintain business process continuity.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Data protection:<\/strong> INDIGITALL adopts the necessary technical and organizational measures to manage risks arising from the processing of personal data.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Compliance:<\/strong> INDIGITALL adopts the necessary technical and organizational measures to comply with current legal regulations regarding 
information security.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<h2 id=\"8-mission\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">8. MISSION<\/h2>\r\n<p class=\"my-0\">INDIGITALL was founded in February 2013 with the mission of crossing digital borders and adapting each marketing campaign to the preferences of each client across all digital channels through the use of artificial intelligence, ensuring that every interaction is relevant and effective. In this way, an authentic connection is forged, as if each client had a personalized assistant at their disposal. INDIGITALL\u2019s goal is to increase the competitiveness of companies through their digital transformation and the consequent use of automated marketing tools to develop an omnichannel and sustainable strategy. INDIGITALL\u2019s emerging focus is technological innovation.<\/p>\r\n\r\n<h2 id=\"9-compliance-with-articles\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">9. COMPLIANCE WITH ARTICLES<\/h2>\r\n<p class=\"my-0\">To comply with the articles of Royal Decree 311\/2022, of May 3, which regulates the National Security Framework, various security measures proportional to the nature of the information and services to be protected have been implemented, taking into account the category of the affected systems.\r\nCompliance with the ENS articles is detailed in the \u201cStatement of Applicability\u201d document.<\/p>\r\n\r\n<h2 id=\"10-policy-development\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">10. POLICY DEVELOPMENT<\/h2>\r\n<p class=\"my-0\">The INDIGITALL Information Security Committee has approved the development of a management system, which will be established, implemented, maintained, and improved in accordance with security standards. This system will be adapted and serve to manage the controls of the National Security Framework. 
The system will be documented and will allow for the generation of evidence of controls and compliance with the objectives set by the Committee. There will be a document management procedure that will establish guidelines for structuring the system\u2019s security documentation, its management, and access.\r\nThe Information Security Committee is responsible for the annual review of this Policy, proposing improvements if necessary, for approval by the General Manager of INDIGITALL.\r\nThis Security Policy is mandatory and is structured at the documentary level in the following hierarchical levels:<\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\"><strong>First level:<\/strong> Information Security Policy.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Second level:<\/strong> Security Regulations.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\"><strong>Third level:<\/strong> Security Procedures.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<p class=\"my-0\">The Information Security Officer (CISO), with the support of the Quality area, must review this regulation at least annually, proposing improvements if necessary.\r\nINDIGITALL staff and third-party companies must be familiar with this Security Policy, as well as all regulations, procedures, technical instructions, or other documentation that may affect the performance of their duties.<\/p>\r\n\r\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\">10.1 First Regulatory Level: ICT Security Policy<\/h2>\r\n<p class=\"my-0\">The ICT Security Policy is the highest-level regulatory instrument in INDIGITALL\u2019s security regulatory structure. It must be approved by the General Manager of INDIGITALL.<\/p>\r\n\r\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\">10.2 Second Regulatory Level: Information Security Regulations<\/h2>\r\n<p class=\"my-0\">The ICT Security Regulations are mid-level instruments that cover a specific area of security. 
The body responsible for their approval is the INDIGITALL Security Committee.<\/p>\r\n\r\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\">10.3 Third Regulatory Level: ICT Security Procedures<\/h2>\r\n<p class=\"my-0\">ICT Security Procedures are lower-level instruments, drafted in greater detail, and applicable to a specific area. The person responsible for their approval is the Security Officer.<\/p>\r\n\r\n<h2 id=\"11-security-organization\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">11. SECURITY ORGANIZATION<\/h2>\r\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\">11.1 Security Roles or Profiles<\/h2>\r\n<p class=\"my-0\">To ensure compliance and adaptation to the required regulatory measures, security roles or profiles have been created, and the positions or bodies that will occupy them have been designated as follows:<\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">Information Officer: Juan Carlos de Vela Benavides<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Service Officer: Xavier Omella Claparols<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Security Officer: Marcos Fort\u00fan Arranz<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">System Officer: Jes\u00fas Moreira Rubio<\/p>\r\n<\/li>\r\n<\/ul>\r\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\">11.2 Information Security Committee<\/h2>\r\n<p class=\"my-0\">INDIGITALL has established an Information Security Committee, as a collegiate body, and it is composed of the following members:<\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">General Manager: General Manager of INDIGITALL.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Members:\r\n\u00b7 Service Officer\r\n\u00b7 System Officer\r\n\u00b7 Security Officer<\/p>\r\n<\/li>\r\n<\/ul>\r\n<p class=\"my-0\">Optionally, other INDIGITALL members may join 
the Committee\u2019s work, including specialized working groups, whether internal, external, or mixed.\r\nThe Information Security Committee will hold its sessions at INDIGITALL\u2019s premises or remotely on a semi-annual basis, following a call to that effect by the General Manager of said Committee. In any case, the Committee may hold extraordinary meetings when circumstances require.<\/p>\r\n\r\n<h2 id=\"113-responsibilities-associated-with-the-national\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">11.3 Responsibilities Associated with the National Security Framework<\/h2>\r\n<p class=\"my-0\">Below are the detailed functions and responsibilities established for each of the ENS security roles:<\/p>\r\n<p class=\"my-0\"><strong>Functions of the Information and Service Officer<\/strong><\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">Establish and approve the security requirements applicable to the service and information within the framework established in Annex II of the ENS, upon proposal to the ENS Security Officer and\/or the Information Security Committee.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Accept the levels of residual risk affecting the Service and the Information.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<p class=\"my-0\"><strong>Functions of the Security Officer (CISO\/RSF)<\/strong><\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">Maintain and verify the appropriate level of security for the information handled and the electronic services provided by the information systems.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Manage, supervise, and maintain the physical security of INDIGITALL\u2019s facilities.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Promote training and awareness in security matters.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Appoint those responsible for conducting risk analysis, the statement of 
applicability, identifying security measures, determining necessary configurations, and preparing system documentation.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Provide advice for determining the system category, in collaboration with the System Officer and\/or the Information Security Committee.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Participate in the development and implementation of security improvement plans and, where appropriate, in continuity plans, proceeding to their validation.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Manage external or internal system reviews.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Manage certification processes.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Submit to the Security Committee the approval of changes and other system requirements.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<p class=\"my-0\"><strong>Functions of the System Officer<\/strong><\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">Suspend or halt access to information or service delivery if aware of serious security deficiencies.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Implement and manage INDIGITALL\u2019s Information Systems throughout their lifecycle, including the implementation of cybersecurity controls, as well as their operation and verification of proper functioning.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Define the topology and management of the Information System, establishing usage criteria and available services.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Ensure that specific security measures are properly integrated within the general security framework.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Collaborate with the Security Officer in investigating and resolving cyber incidents affecting INDIGITALL\u2019s Information Systems and apply the knowledge gained from the analysis of past cyber incidents to reduce the likelihood or impact of future incidents.<\/p>\r\n<\/li>\r\n 
\t<li>\r\n<p class=\"my-0\">Carry out the functions of the system security administrator:\r\n\u00b7 Management, configuration, and updating, where appropriate, of the hardware and software on which security mechanisms and services are based.\r\n\u00b7 Management of authorizations granted to system users, particularly the privileges granted, including monitoring the activity carried out in the system and its correspondence with what is authorized.\r\n\u00b7 Approve changes to the current configuration of the Information System.\r\n\u00b7 Ensure that established security controls are strictly followed.\r\n\u00b7 Ensure that approved procedures for managing the Information System are applied.\r\n\u00b7 Supervise hardware and software installations, modifications, and improvements to ensure that security is not compromised and that they always comply with the relevant authorizations.\r\n\u00b7 Monitor the security status provided by security event management tools and technical audit mechanisms.\r\n\u00b7 When system complexity justifies it, the System Officer may appoint delegated system officers as deemed necessary, who will report directly to them and be responsible within their scope for all actions delegated to them. 
Likewise, specific functions of the responsibilities assigned may also be delegated to others.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<p class=\"my-0\"><strong>Functions of the Information Security Committee<\/strong>\r\nThe Security Committee shall have the following functions:<\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">Address requests regarding Information Security from the Administration and from different security roles and\/or areas, regularly reporting on the state of Information Security.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Advise on Information Security matters.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Resolve responsibility conflicts that may arise between different administrative units.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Promote the continuous improvement of the Information Security management system. To this end, it shall:\r\n\u00b7 Coordinate efforts of different areas in Information Security to ensure consistency, alignment with the decided strategy, and to avoid duplication.\r\n\u00b7 Propose Information Security improvement plans with corresponding budget allocations, prioritizing security actions when resources are limited.\r\n\u00b7 Ensure that Information Security is considered in all projects from their initial specification to their operational launch. 
In particular, it must ensure the creation and use of horizontal services that reduce duplication and support homogeneous operation of all ICT systems.\r\n\u00b7 Monitor the main residual risks assumed by the Administration and recommend possible actions regarding them.\r\n\u00b7 Monitor security incident management and recommend possible actions regarding them.\r\n\u00b7 Regularly draft and review the Information Security Policy for approval by the competent authority.\r\n\u00b7 Draft Information Security regulations for approval in coordination with General Management.\r\n\u00b7 Verify Information Security procedures and other documentation for approval.\r\n\u00b7 Develop training programs to educate and raise awareness among staff on Information Security and, in particular, on personal data protection.\r\n\u00b7 Develop and approve training and qualification requirements for administrators, operators, and users from the perspective of Information Security.\r\n\u00b7 Promote the performance of periodic ENS and data protection audits to verify compliance with the Administration\u2019s Information Security obligations.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<h2 id=\"114-designation-procedures\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">11.4 Designation Procedures<\/h2>\r\n<p class=\"my-0\">The creation of the Information Security Committee, the appointment of its members, and the designation of the Officers identified in this Policy have been carried out by the General Manager of INDIGITALL and communicated to the interested parties.\r\nThe members of the Committee, as well as the security roles, will be reviewed every three years or upon a vacancy.<\/p>\r\n\r\n<h2 id=\"115-raci-matrix-responsibility-assignment-matrix\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">11.5 RACI Matrix: Responsibility Assignment 
Matrix<\/h2>\r\n<table>\r\n<tbody>\r\n<tr>\r\n<td>Task<\/td>\r\n<td><strong>DG<\/strong><\/td>\r\n<td><strong>RI<\/strong><\/td>\r\n<td><strong>RS<\/strong><\/td>\r\n<td><strong>DPD<\/strong><\/td>\r\n<td><strong>CISO\/RSF<\/strong><\/td>\r\n<td><strong>CIO<\/strong><\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Security Policy<\/td>\r\n<td>A<\/td>\r\n<td>C<\/td>\r\n<td>C<\/td>\r\n<td>C<\/td>\r\n<td>R<\/td>\r\n<td>C<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Determination of System Category<\/td>\r\n<td>C<\/td>\r\n<td>C<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>A\/R<\/td>\r\n<td>C<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Risk Analysis<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>I<\/td>\r\n<td>R<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>A\/R<\/td>\r\n<td>R<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Statement of applicability<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>I<\/td>\r\n<td>R<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>A\/R<\/td>\r\n<td>R<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>I.S. standards and procedures<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>I<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>A\/R<\/td>\r\n<td>R<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Security incident response<\/td>\r\n<td>I<\/td>\r\n<td>I<\/td>\r\n<td>C<\/td>\r\n<td>I<\/td>\r\n<td>A\/R<\/td>\r\n<td>R<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>Information systems and services lifecycle security<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>&nbsp;<\/td>\r\n<td>C<\/td>\r\n<td>A\/R<\/td>\r\n<\/tr>\r\n<tr>\r\n<td colspan=\"2\">A: Accountable (makes the decision, authorizes and approves). R: Responsible (is responsible for the performance of the work).<\/td>\r\n<td colspan=\"5\">C: Consulted (you are consulted before the decision is made). I: Informed (you are informed of the decisions made).<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<h2 class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">12. CONFLICT RESOLUTION<\/h2>\r\n<p class=\"my-0\">The Information Security Committee of INDIGITALL will be responsible for resolving conflicts and\/or differences of opinion that may arise between security roles.<\/p>\r\n\r\n<h2 id=\"13-personal-data\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">13. PERSONAL DATA<\/h2>\r\n<p class=\"my-0\">INDIGITALL will only process personal data when it is adequate, relevant, and not excessive and is related to the scope and purposes for which it was obtained. Likewise, it will adopt the necessary technical and organizational measures to comply with the applicable Data Protection regulations in each case, in accordance with the Personal Data Protection Policy approved by the Presidency of INDIGITALL.\r\nIn accordance with Regulation (EU) 2016\/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation), and its transposition into Spanish law by Organic Law 3\/2018, of December 5, on Personal Data Protection and guarantee of digital rights, appropriate measures have been adopted, such as the analysis of the legal legitimacy of each data processing activity carried out, risk analysis, impact assessment if the risk is high, activity logging, and the appointment of a Data Protection Officer.<\/p>\r\n\r\n<h2 id=\"14-third-parties\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">14. THIRD PARTIES<\/h2>\r\n<p class=\"my-0\">When providing services to other organizations or handling information from other organizations, they will be informed of this Information Security Policy.
INDIGITALL will define and approve the channels for information coordination and the procedures for responding to security incidents, as well as all other actions carried out by INDIGITALL in relation to Security with other organizations.\r\nWhen INDIGITALL uses third-party services or transfers information to third parties, they will be informed of this Security Policy and the existing Security Regulations applicable to those services or information.\r\nSuch third parties will be subject to the obligations established in the aforementioned regulations and may develop their own operating procedures to comply with them. Specific procedures for communication and incident resolution will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least to the same level as established in this Security Policy.\r\nLikewise, taking into account the obligation to comply with the Technical Security Instructions established in the second additional provision of Royal Decree 311\/2022, and considering the Resolution of October 13, 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction in accordance with the National Security Framework, which establishes that private sector operators providing services or solutions to public entities, for which compliance with the National Security Framework is required, must be able to present the corresponding Statement of Conformity with the National Security Framework for BASIC category systems, or the Certification of Conformity with the National Security Framework for MEDIUM or HIGH category systems.\r\nWhen any aspect of this Security Policy cannot be satisfied by a third party as required above, a report from the ENS Security Officer will be required, specifying the risks incurred and how to address them. 
Approval of this report by the officers responsible for the affected information and services will be required before proceeding.<\/p>\r\n\r\n<h2 id=\"15-continuous-improvement\" class=\"mb-2 mt-6 text-base font-[500] first:mt-0 md:text-lg dark:font-[475] [hr+&amp;]:mt-4\">15. CONTINUOUS IMPROVEMENT<\/h2>\r\n<p class=\"my-0\">Information security management is a process subject to ongoing updates. Therefore, INDIGITALL must implement a continuous improvement process, which will involve, among other actions:<\/p>\r\n\r\n<ul class=\"marker:text-textOff list-disc\">\r\n \t<li>\r\n<p class=\"my-0\">Review of the Information Security Policy.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Review of services and information and their categorization.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Annual execution of risk analysis.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Conducting internal and external audits.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Review of security measures.<\/p>\r\n<\/li>\r\n \t<li>\r\n<p class=\"my-0\">Review and updating of standards and procedures.<\/p>\r\n<\/li>\r\n<\/ul>\r\n<p class=\"my-0\">For INDIGITALL, proper management of information security constitutes a continuous and collective challenge, necessary for the continuity of the Entity.<\/p>\r\n\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n<p class=\"my-0\"><strong>Use of the Contact Form for External Communications<\/strong><\/p>\r\n<p class=\"my-0\">SMART2ME, S.L. 
provides its contact form, available on its website, as the official channel for any external party (clients, users, business partners, and the general public) to report technical incidents, system failures, concerns related to data protection, as well as potential breaches of internal controls, corporate policies, or the company\u2019s ethical principles.<\/p>\r\n<p class=\"my-0\">All communications received through this form: <a href=\"https:\/\/indigitall.ankaa.dev\/en\/security-form\/\">https:\/\/indigitall.ankaa.dev\/en\/security-form\/<\/a>\u00a0will be handled confidentially, in accordance with the guarantees established in this Privacy Policy and, where applicable, those set forth in the SMART2ME, S.L. Code of Conduct and Responsible Practices.<\/p>","head_col_1":"","head_col_2":"","head_col_3":"","head_col_4":"","cookies_table":null}],"hide_slider_blog":true,"slider_blog_custom_tag":null,"hide_mobile_fixed_buttons":true,"mobile_fixed_button_1":null,"mobile_fixed_button_2":null,"icon_mobile_fixed_button_2":"","download_ebook":false,"ebook_title":""}}