VASS Corporate Policy on Information Security, Privacy and Business Continuity Management

1     Approval and entry into force

Compliance with this Information Security, Business Continuity and Privacy Policy is mandatory from 1 February 2025, indefinitely, for all personnel within its scope.

This version of the Information Security, Business Continuity and Privacy Policy is effective from 1 February 2025 until it is replaced by a new version. This version supersedes the previous version, which was approved on 01/04/2024 by the IT Management Committee of VASS Consultoría de Sistemas SL.

2     Purpose

The Management of VASS Consultoría de Sistemas SL (hereinafter VASS), within the strategy defined for business development, considers information security, business continuity and privacy to be fundamental aspects for ensuring the achievement of business objectives and compliance with current legislation. Therefore, it is committed to maintaining an adequate level of security in line with the business in the processes associated with the services provided by the organisation, in order to offer its internal and external customers the highest guarantees in terms of the quality of these services.

The management of VASS is committed to managing and protecting its information and services appropriately, and to ensuring the continuity of its business, by implementing, maintaining and improving an Integrated Information Security, Business Continuity and Privacy Management System (hereinafter, SIG). The SIG applies the requirements of the UNE ISO/IEC 27001, UNE-ISO/IEC 27701, UNE-ISO/IEC 27018 and UNE-EN-ISO 22301 standards, those of its stakeholders and, for projects carried out for the automotive industry, the TISAX® (Trusted Information Security Assessment Exchange) standard, all in their current versions and within the legal and regulatory framework in force, such as Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme (ENS), and its amendment by Royal Decree 951/2015, of 23 October.

This document constitutes VASS's Information Security, Business Continuity and Privacy Policy, which establishes the guidelines and principles governing how VASS will manage and protect its information and services through the SIG.

3     Terms and Definitions

SIG: Integrated Information Security, Business Continuity and Privacy Management System. A set of interrelated or interacting elements (organisational structure, policies, activity planning, responsibilities, processes, procedures and resources) used by an organisation to establish an information security and business continuity policy and objectives and to achieve those objectives, based on a risk management and continuous improvement approach.

ENS: National Security Scheme, regulated by Royal Decree 3/2010 of 8 January and amended by Royal Decree 951/2015 of 23 October, applicable to the field of public sector e-government. Its purpose is to establish security policy and create the necessary conditions for confidence in the use of electronic media, through measures to ensure the security of systems, data, communications and electronic services, enabling the exercise of rights and the fulfilment of duties through these media.

TISAX® (Trusted Information Security Assessment Exchange), a security standard defined by the German Association of the Automotive Industry (VDA), which incorporates the fundamental requirements of the ISO 27001 information security standard and adapts them to the automotive industry.

Stakeholder: A person or group that has an interest in the performance or success of the organisation.

Authenticity: The property that a person and/or company that has accessed and used the information is who it claims to be.

Confidentiality: The property of information not being made available or disclosed to unauthorised persons and/or companies.

Integrity: The property or characteristic that the information asset has not been altered in an unauthorised manner.

Traceability: The quality that allows all actions performed on information or an information processing system to be unequivocally associated with a person and/or company.

Availability: The property of information being accessible and usable when required by the authorised person and/or company.

Asset: In relation to information security, this refers to any information or element related to the processing of information (systems, media, buildings, people, etc.) that has value for the organisation.

Risk: The possibility that a specific threat could exploit a vulnerability to cause loss or damage to an information asset. It is usually considered to be a combination of the probability of an event and its consequences.

Threat: Potential cause of an unwanted incident that could cause damage to a system or the organisation.

Risk analysis: Process for understanding the nature of the risk and determining the level of risk.

Risk treatment: Process of modifying the risk by implementing controls.

4     Scope

The scope of this policy covers all personnel belonging to the VASS organisation, as well as subcontracted personnel or suppliers who are located on VASS premises, or who use or connect to any system belonging to VASS.

The scope of this policy covers the set of Services defined in the Service Catalogue and provided by VASS departments or areas, both to internal staff and external customers.

TISAX Scope: ‘The Scope covers all processes and resources involved in projects that are subject to security requirements of automotive industry partners, as well as all processes associated with the successful completion of such projects. The processes and resources involved include information gathering, information storage and information processing.’

5     Policy Objectives

VASS is a digital solutions provider whose mission is to help customers transform opportunities into business.

To fulfil its mission, provide its services and achieve its objectives, VASS relies on ICT systems. These systems must be managed diligently, taking appropriate measures to protect them from accidental or deliberate damage that could affect the confidentiality, availability, integrity, authenticity and traceability of the information processed or the services provided.

The implementation of an IMS under the UNE ISO/IEC 27001, UNE-ISO/IEC 27701, UNE-ISO/IEC 27018, ISO 22301 and TISAX standards, all integrated with the ENS, strengthens the security of the services and of the information and data that those services contain and need for their correct and adequate provision, given the close relationship between the two. It also adds elements that significantly improve the security management VASS needs in order to fulfil its mission satisfactorily.

The objective of information security, business continuity and privacy is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising daily activity and reacting quickly to incidents.

Within this context, the objectives of this Information Security, Business Continuity and Privacy Policy are:

- To guarantee the confidentiality, availability, integrity, authenticity and traceability of information.

- To manage existing security risk within the thresholds established by management, based on the service provided to customers.

- To implement an IMS to manage and protect the information and services provided by the company.

- To implement a set of appropriate security measures or controls, determined by the ENS, the TISAX standard and the UNE ISO/IEC 27001, UNE-ISO/IEC 27701, UNE-ISO/IEC 27018 and ISO 22301 standards, as well as any additional controls identified, as part of the IMS, to ensure, through threat and risk assessment, protection against threats that may affect the authenticity, traceability, confidentiality, integrity, availability, intended use and value of the information and services.

- To appoint an IMS manager responsible for managing the system and ensuring its development, maintenance and improvement.

- To appoint a Security Officer and ensure that they have the resources needed to carry out the required information security controls.

- To establish a methodology for reviewing, auditing and continuously improving the ISMS, following a PDCA cycle that guarantees the continuous maintenance of the desired security levels.

- To periodically establish a set of objectives and indicators for information security management, business continuity and privacy, enabling management to adequately monitor the level of security and compliance with objectives.

- To ensure that the organisation's personnel within the scope have sufficient knowledge of information security policies and controls.

- To ensure that information security incidents are correctly identified, managed and resolved.

- To comply with all applicable legal, regulatory and contractual requirements and obligations.

- To ensure the continuity of business processes included within the scope.

6     Regulatory Framework

VASS strives to comply with all legislation applicable to its activity, whether general or specific. For this reason, VASS may be required by the relevant administrative bodies to provide electronic records or any other information relating to the use of information systems.

The entire Management System and its policies comply with the requirements of ISO 27001, UNE-ISO/IEC 27701, UNE-ISO/IEC 27018 and ISO 22301, as well as those of the TISAX standard.

This policy falls within the legal framework defined by the following laws and Royal Decrees:

- Law 34/2002, of 11 July, on information society services and electronic commerce.

- Law 9/2014, of 9 May, on General Telecommunications.

- Royal Legislative Decree 1/1996, of 12 April, approving the Consolidated Text of the Intellectual Property Law.

- Royal Decree 13/2012, of 30 March, amending the text corresponding to the second paragraph of Article 22 of the Law on Information Society Services and Electronic Commerce (or LSSI).

The personal data files processed by VASS, together with their corresponding data controllers, are recorded in the personal data processing security document, to which only authorised persons shall have access. All VASS information systems shall comply with the security levels required by the relevant regulations:

- European Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, ‘GDPR’).

- Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), which adapts Spanish law to the GDPR.

Finally, as VASS is committed to establishing an IMS based on the ENS, the following regulation also applies:

- Royal Decree 311/2022, of 3 May, regulating the National Security Scheme.

The application of these laws and decrees is detailed in the system documents.

In addition, there is a regulatory procedure for disciplinary actions that all VASS employees are familiar with.

7     Integrated Management System (IMS)

VASS management is committed to allocating the necessary resources and means to establish, implement, maintain and improve the IMS and the necessary security controls, maintaining an appropriate balance between cost and benefit, as well as demonstrating leadership and commitment in this regard.

7.1        Information Security, Business Continuity and Privacy Objectives and Planning

The objectives of information security, business continuity and privacy will be established at the relevant functions and levels, focused on improvement and using as a reference framework:

- Changes in the needs of stakeholders that lead to an improvement in the scope of the system.

- Applicable information security, business continuity and privacy requirements, and the results of risk assessment and treatment, to ensure the confidentiality, integrity, availability, traceability and authenticity of information.

- Internal and external factors.

- Improving the effectiveness of training and awareness for staff working in the organisation, insofar as it affects their performance in information security, business continuity and privacy.

Likewise, planning to achieve the established information security, business continuity and privacy objectives will be carried out considering the actions to be taken and who is responsible for them, the necessary resources and deadlines, and the indicators to evaluate the result/compliance.

7.2        Establishment, deployment and improvement of the IMS

The establishment and deployment of the VASS ISMS will begin with a Risk Analysis, which will determine the level of risk to information security, business continuity and privacy at VASS and identify the security controls necessary to manage the risk and bring it to an acceptable level, as well as opportunities for improvement, considering internal and external issues and stakeholder requirements.

Security controls must be implemented, maintained and continuously improved, and made available as documented information through procedures, regulations, technical instructions and any other documentation deemed necessary, reviewed and approved by the IT Management Committee.

The documented information on security controls must be communicated to the personnel working at VASS (employees and suppliers), who will be obliged to apply it in the performance of their work activities, thereby committing themselves to compliance with the requirements of the ISMS.

7.3        Evaluation

Periodic audits shall be carried out to review and verify the compliance of the ISMS with the requirements of ISO/IEC 27001, UNE-ISO/IEC 27701, UNE-ISO/IEC 27018 and ISO 22301, the TISAX standard and the regulatory framework of the ENS. Where necessary, personnel within the scope must cooperate in these audits and in applying any corrective actions arising from them for continuous improvement. Qualification criteria will be defined for the persons conducting these audits.

8 Security Organisation

8.1 Committees: Functions and Responsibilities

In order to guarantee compliance with the interests of the Management and ensure the proper management of information security, business continuity and privacy, an IT Management Committee has been set up, which reports to the General Management and is coordinated by a member of the Management Committee.

The IT Management Committee is the body with the greatest responsibility within the Information Security, Business Continuity and Privacy management system, so all of the most important decisions related to security are agreed upon by this committee. It is an executive body with autonomy for decision-making and does not have to subordinate its activity to any other element of VASS.

The powers of the IT Management Committee and its members are detailed in the Committee's constitution.

8.2        Roles: Functions and Responsibilities

The different roles will be appointed by the Management Committee, taking into account the representation criteria indicated, the suitability of the personnel to be appointed, and the willingness of the candidates to perform their duties. The appointment will be reviewed every two years or when the position becomes vacant.

The roles established in the organisation related to Information Security, Business Continuity and Privacy are described in the corresponding SIG documents.

8.3        Conflict Resolution

In the event of a conflict between different VASS managers, it shall be resolved by their hierarchical superior. Failing this, the decision of the IT Management Committee shall prevail; cases in which the Committee does not have sufficient authority to decide shall be escalated.

9     Security Risk Management

All systems subject to this Policy must perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:

- regularly, at least once a year

- when the information handled or the services provided change

- when a serious security incident occurs

- when serious vulnerabilities are reported

To harmonise risk analyses, the IT Management Committee shall establish a benchmark assessment for the different types of information handled and the different services provided. The detailed risk assessment criteria shall be specified in the risk assessment methodology to be developed by VASS, based on recognised standards and best practices.

The risk analysis will be the basis for determining the security measures to be adopted in addition to those required as a minimum by the UNE ISO/IEC 27001, UNE-ISO/IEC 27701, UNE-ISO/IEC 27018 and ISO 22301 standards, the TISAX standard and the ENS. Controls that are not mandatory for legal, regulatory or business reasons will be applied based on the organisation's risk management and the thresholds defined and approved by the IT Management Committee.

The Security Officer will carry out the risk analysis and the risk treatment plan in order to generate the document on the applicability of the security controls and measures. The IT Management Committee will approve the risk analysis and treatment, as well as the statement of applicability. At a minimum, all risks that could seriously impede the provision of services or the fulfilment of the organisation's mission must be addressed.

The expected residual risks to each piece of information or service after the implementation of the planned security measures will be determined by the Security Officer and presented to the IT Management Committee, so that it can, where appropriate, evaluate, approve or rectify the proposed treatment options. These residual risks must be accepted in advance by the relevant managers.

10         Security incidents

10.1    Prevention

VASS departments must avoid, or at least prevent as far as possible, information or services from being compromised by security incidents.

10.2    Detection

Since incidents can quickly degrade services, from a reduction in the level of service to its complete interruption, operations must be continuously monitored to detect anomalies in service provision levels and to act accordingly.

10.3    Response

Detection, analysis and reporting mechanisms shall be established so that those responsible can be informed both regularly and when there is a significant deviation from the parameters that have been pre-established as normal.

10.4    Recovery

To ensure the availability of critical services, system continuity plans shall be developed as part of VASS's overall business continuity plan and recovery activities.

11         Awareness and Training

A Training and Awareness Plan will be established on Information Security, Business Continuity and Privacy, which will be general for the entire organisation and specific, when necessary, to the requirements of the TISAX standard for personnel involved in projects in the automotive sector, so that it helps all personnel involved to understand and comply with the defined management activities and to actively participate in ensuring the security of the organisation.

12         Policy Development

This Information Security, Business Continuity and Privacy Policy complements other VASS policies, such as those relating to Quality and the Environment.

The Policy will be developed through detailed policies, regulations or procedures that address specific aspects of information security, business continuity and privacy in general and, in particular, of automated files and processing operations containing personal data. This detailed documentation will be available to all members of the organisation who need to know it, in particular those who use, operate or administer information and communications systems.

The Security Policy will be developed by applying the following minimum principles:

- Organisation and implementation of the information security, privacy and business continuity process.

- Risk analysis and management.

- Personnel management.

- Professionalism.

- Access authorisation and control.

- Protection of facilities.

- Acquisition of security products and contracting of security services.

- Least privilege.

- System integrity and updating.

- Protection of stored and in-transit information.

- Prevention in relation to other interconnected information systems.

- Activity log.

- Security incidents.

- Business continuity.

- Continuous improvement of the security process.

Security documentation will be available on the VASS Intranet.

13         Staff Obligations

The managers of the VASS departments included within the scope of this policy will be responsible for ensuring compliance with these policies within their departments.

All VASS employees are required to be familiar with this Information Security, Business Continuity and Privacy Policy and the Security Regulations that implement it, which are mandatory within the identified scope. The IT Management Committee is responsible for providing the necessary means to ensure that the information reaches those affected.

All hired personnel must receive and sign a commitment to comply with the policy and security regulations, and must receive training or awareness regarding information security, business continuity and privacy depending on their job position.

14 Third Parties

When VASS provides services to other organisations or handles information from other organisations, they will be made aware of this Information Security, Business Continuity and Privacy Policy, channels will be established for reporting and coordination with the respective ICT Security Committees, and procedures will be established for responding to security incidents.

When VASS uses third-party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations pertaining to such services or information. Such third parties shall be subject to the obligations set out in these regulations and may develop their own operating procedures to comply with them. Specific procedures for reporting and resolving incidents shall be established. It shall be ensured that third-party personnel are adequately aware of information security, privacy and business continuity issues, at least to the same level as that established in this Policy.

When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report shall be required from the Security Officer specifying the risks involved and how to address them. This report shall require the approval of those responsible for the information and services affected before proceeding.

15         Publication

This Information Security, Business Continuity and Privacy Management Policy, approved by the IT Management Committee, is known and endorsed by all staff within the organisation, as well as suppliers or third parties who interact with the organisation, in accordance with management requirements. After each review, the policy will be republished and communicated to staff within its scope.

The security policy will be available on the VASS Intranet.

16         Review

This Information Security, Business Continuity and Privacy Policy will be reviewed at least annually, or whenever there are significant organisational or infrastructure changes.

It will be the mission of the IT Management Committee to review this Policy and propose its revision or maintenance. The Policy will be approved by the Management Committee and disseminated to all affected parties.