Security policy

Declaration of principles

Deister Consulting SA, Deister Tech Services SLU, Deister SA, Deister S.A. Sucursal Perú, Deister software PERÚ SAC and Deister Cloud SL (hereinafter DEISTER) is a group of companies whose main activity is the design and development of ERP solutions in On Premise and SaaS mode. In doing so, it adopts values that it considers essential for the achievement of its objectives, such as the preservation of information and personal data, both its own and that of the other interested parties, and the professional and personal development of all members of its team.
Due to our activity, at DEISTER we are aware that information is an asset of high value for our organization and therefore requires appropriate protection and management in order to give continuity to our line of business and minimize possible damage caused by failures of the integrity, availability and confidentiality of information. Likewise, both the current legislation on the protection of personal data (GDPR and LOPDGDD) and DEISTER’s commitment to our customers make us especially sensitive to the processing of personal data to which we have access in the exercise of our activity.
DEISTER establishes a set of management activities aimed at preserving the principles of Confidentiality, Integrity, Availability, Authenticity and Traceability, as well as Regulatory Compliance, of the information. These principles are defined as follows:

⦿ Confidentiality: is the property of ensuring that access to information can only be exercised by those authorized to do so.

⦿ Integrity: is the property of safeguarding the accuracy and completeness of the information assets.

⦿ Availability: is the quality that ensures that authorized persons can access and process the information at any time it is needed.

⦿ Authenticity: is the property or characteristic that an entity is who it claims to be or that it guarantees the source from which the data originates.

⦿ Traceability: is the property or characteristic that the actions of an entity can be traced exclusively to that entity.

⦿ Regulatory Compliance: is the property that ensures that information is managed in accordance with the ethical, professional and legal principles established by the regulations that are applicable in each context.

Systems must be protected against rapidly evolving threats.
This implies that the different departments must implement the minimum security measures required by the National Security Scheme (ENS) and ISO 27001:2022 Information Security Systems, as well as continuously monitor the levels of service provision, follow up and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.
The different departments and companies of the organization must ensure that security is an integral part of every stage of the system’s life cycle, from its conception to its decommissioning, through development or acquisition decisions and operational activities. Security requirements and funding needs should be identified and included in planning, in the request for bids, and in bidding documents for ICT projects.
Departments must be prepared to prevent, detect, react to and recover from incidents, in accordance with Article 8 of the ENS and the requirements of ISO 27001:2022 Information Security Systems.
Privacy protection is embedded within the above. Our systems process sensitive personal data; therefore, privacy protection stands as an essential pillar of the ISMS framework and constitutes a social necessity that companies must respect and protect, as well as being the object of legislation and/or specific regulation throughout the world.

General objectives

The Security Policy provides the basis for defining and delimiting the objectives and responsibilities for the various technical, legal and organizational actions required to ensure information security and privacy, complying with the applicable legal framework and the firm’s global and specific policies, as well as the defined procedures.
These actions from a security and privacy point of view are selected and implemented based on risk analysis and the balance between acceptable risk and cost of the measures.
The objective of the Security Policy is to establish the necessary framework for action to protect the information and data resources against threats, internal or external, deliberate or accidental.
The information and data may exist in a variety of formats, both electronic and paper or other media, and sometimes includes critical data about the operations, strategies or activities of DEISTER and its customers and even, where appropriate, sensitive data required by the regulations on the protection of personal data. The loss, corruption, or theft of information or the systems that manage it has a high impact on our Firm.
DEISTER is convinced that effective management of Information Security and Privacy is an enabler for the organization to fully understand and act appropriately on the risks to which the information is exposed, as well as to be able to respond and adapt efficiently to the growing requirements of regulatory bodies, laws and, of course, its customers.

Commitment of senior management

The purpose of the Information Security Management System is to ensure that information security and privacy risks are known, assumed, managed and minimized in a manner that is documented, systematic, structured, repeatable, assumable and adaptable to changes in risks, environment and technologies.
To this end, management declares DEISTER’s commitment to:

⦿ Establish as the primary objective the services of the Axional Platform, with absolute respect for quality standards, preserving information, with special attention to the sensitivity of the personal data processed, with all necessary measures within its reach.

⦿ Apply the principle of continuous improvement to all organizational processes, with the additional goal of achieving the highest level of customer satisfaction.

⦿ Ensure compliance with applicable legal and regulatory requirements (particularly regarding the protection of personal data), as well as those voluntarily assumed by the organization in the development of Corporate Social Responsibility and in the Code of Conduct.

⦿ Promote participation, communication, information, and training of the professional team with the aim of making them feel part of the organization’s overall work.

⦿ Promote a sense of responsibility among team members in accordance with quality requirements, as well as those related to information privacy and security agreed upon internally and with clients, through appropriate and regular training and awareness actions.

⦿ Ensure business continuity by developing continuity plans in accordance with recognized methodologies.

⦿ Conduct and periodically review a risk analysis based on recognized methods that allow us to establish the level of both personal data privacy and overall information security, as well as that of ongoing projects and services, and minimize risks through the development of specific policies, technical solutions, and contractual agreements with specialized organizations.

⦿ Commit to informing interested parties.

⦿ Select suppliers and subcontractors based on criteria related to information privacy and security.

⦿ Establish the consequences of violations of the security policy, which will be reflected in the contracts signed with interested parties, suppliers, and subcontractors.

⦿ Promote a culture of continuous improvement in information security management and implement improvements based on incident analysis, audits, and periodic reviews.

⦿ Ensure that access to and use of information systems is carried out securely and in accordance with established policies and procedures.

⦿ Properly manage the information lifecycle to avoid misuse during any of its phases.

⦿ Ensure the protection of intellectual property rights.

⦿ Periodically establish a set of objectives and indicators that allow management to adequately monitor the levels of service offered and management activities.

Specifically regarding the protection of personal data, DEISTER is committed to complying with the principles stated in the relevant legislation. These are:

⦿ Principle of “lawfulness, transparency, and fairness.” Data must be processed lawfully, fairly, and transparently for the data subject.

⦿ Principle of “purpose limitation.” Data must be processed for specific, explicit, and legitimate purposes, and it is prohibited for data collected for specific, explicit, and legitimate purposes to be subsequently processed in a manner incompatible with those purposes.

⦿ Principle of “data minimization.” Apply technical and organizational measures to ensure that only the data strictly necessary for each of the specific purposes of the processing are processed, reducing the extent of processing, limiting the retention period and accessibility to what is necessary.

⦿ Principle of “accuracy.” Implement reasonable measures to ensure that data is kept up to date, and that it is deleted or modified without delay when it is inaccurate in relation to the purposes for which it is processed.

⦿ Principle of “storage limitation.” Data retention must be limited in time to the achievement of the purposes pursued by the processing.

⦿ Principle of “security.” Conduct a risk analysis aimed at determining the necessary technical and organizational measures to ensure the integrity, availability, and confidentiality of the personal data being processed.

⦿ Principle of “accountability” or “demonstrated responsibility.” Maintain ongoing due diligence to protect and guarantee the rights and freedoms of natural persons whose data is processed, based on an analysis of the risks that the processing poses to those rights and freedoms, so that we can ensure and demonstrate that the processing complies with the provisions of the GDPR and LOPDGDD.

⦿ Direct, support, and oversee the information security management system, as established in RD 311/2022 and subsequent amendments, as well as in ISO 27001, and strive to achieve its objectives.

DEISTER’s management commits to support and promote the principles established in this Policy and asks DEISTER’s staff to adopt and adhere to the provisions of the documented management system for the ENS.

Development of security policy

This Security Policy complements DEISTER’s security policies in different matters and will be developed by means of security regulations that address specific aspects. The security policy will be available to all members of the organization that need to know it, in particular for those who use, operate or manage the information and communications systems.
The documentation related to Information Security shall be classified in three levels, so that each document of one level is based on those of a higher level:

⦿ First level: Security Policy.

⦿ Second level: Security regulations and procedures.

⦿ Third level: Reports, records and electronic evidence.

Policy

– Prevention
Departments should avoid, or at least prevent as far as possible, the information or services from being compromised by security incidents. To this end, the departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, should be clearly defined and documented.
To ensure compliance with the policy, departments must:

⦿ Authorize systems prior to going into operation.

⦿ Regularly assess security, including evaluation of routinely performed configuration changes.

⦿ Request periodic review by third parties for the purpose of obtaining an independent assessment.
– Detection
Since services can degrade rapidly due to incidents, ranging from a simple slowdown to a complete shutdown, departments must monitor operations continuously to detect anomalies in service delivery levels and act accordingly, as set out in Article 9 of the ENS.
Monitoring is especially relevant when establishing lines of defense in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms shall be established that reach those responsible regularly and whenever there is a significant deviation from the parameters pre-established as normal.
– Response
Departments should:

⦿ Establish mechanisms to effectively respond to security incidents.

⦿ Designate a point of contact for communications regarding incidents detected in other departments or in other agencies.

⦿ Establish protocols for the exchange of incident-related information. This includes two-way communications with Emergency Response Teams (CERTs).
– Recovery
To ensure the availability of critical services, departments should develop systems continuity plans as part of their overall business continuity plan and recovery activities.

Security organization

This policy applies to all DEISTER systems and to all members of the organization, without exception.
DEISTER undertakes to provide its services in a managed manner and in compliance with the requirements established in its Integrated Management System so as to ensure an uninterrupted service in accordance with the requirements of availability, security and quality to customers.
Due to our activity, at DEISTER we know that information is an asset of high value for our organization and especially for our customers, and therefore requires adequate protection and management in order to give continuity to our line of business and minimize possible damage caused by failures in Information Security.
To this end, the organization:

⦿ Will adequately protect the confidentiality, availability, integrity, authenticity, and traceability of its information assets through the introduction of a series of controls to manage relevant security risks.

⦿ Will prioritize the protection and safeguarding of its clients and client data as a business priority.

⦿ Will establish, implement, monitor, maintain, and continually improve its information security management as part of its broader business management approach, and will maintain Accredited Certification to the appropriate standards.

⦿ Will manage any information security breach in a timely and responsible manner, and will invest in appropriate detection, response, and remediation strategies.

⦿ At planned intervals, will test its information security controls and its responses to scenarios that may pose a threat to its operations.

⦿ Will provide adequate resources to the organization to establish, maintain, and improve the security environment as appropriate for the changing risk landscape.

⦿ Will invest in the competencies of its personnel to carry out their tasks and will provide staff with appropriate training and awareness relevant to their role and the information they have access to.

⦿ Will ensure that our suppliers and partner organizations do the same, and that they establish and enforce security standards on those to whom we transfer any information.
– Security Committee
The members of the Security Committee shall be designated in a founding act, which shall indicate the person designated and the position he/she shall hold.
The Secretary of the Security Committee shall be the Security Officer and will have the following functions:

⦿ Calls the meetings of the Security Committee.

⦿ Prepares the topics to be discussed in the Committee meetings, providing timely information for decision-making.

⦿ Drafts the minutes of the meetings.

⦿ Is responsible for the direct or delegated execution of the Committee’s decisions.

The Security Committee will report to the General Director.

The Security Committee will have the following functions:

⦿ Address the concerns of Senior Management and the different departments.

⦿ Regularly inform Senior Management about the state of information security.

⦿ Promote the continuous improvement of the information security management system.

⦿ Develop the evolution strategy of the Organization regarding information security.

⦿ Coordinate the efforts of the different areas in matters of information security, to ensure that the efforts are consistent, aligned with the decided strategy in this matter, and avoid duplication.

⦿ Develop (and regularly review) the Security Policy to be approved by Management.

⦿ Approve the information security regulations.

⦿ Coordinate all the organization’s security functions.

⦿ Ensure compliance with applicable legal and sectoral regulations.

⦿ Ensure that security activities are aligned with the organization’s objectives.

⦿ Coordinate the Continuity Plans of the different areas, to ensure seamless action in case they need to be activated.

⦿ Coordinate and approve, when applicable, project proposals received from different security areas, managing control and regular presentation of project progress and announcement of possible deviations.

⦿ Receive security-related concerns from the entity’s Management and transmit them to the relevant departmental heads, gathering from them the corresponding responses and solutions which, once coordinated, must be communicated to Management.

⦿ Gather regular reports from departmental security heads about the state of the organization’s security and possible incidents. These reports are consolidated and summarized for communication to the entity’s Management.

⦿ Coordinate and respond to the concerns transmitted through departmental security heads.

⦿ Define, within the Corporate Security Policy, the assignment of roles and the criteria to achieve the necessary guarantees regarding segregation of duties.

⦿ Develop and approve the training and qualification requirements of administrators, operators, and users from the information security perspective.

⦿ Monitor the main residual risks assumed by the Organization and recommend possible actions regarding them.

⦿ Monitor the performance of information security incident management processes and recommend possible actions regarding them. In particular, ensure coordination among the different security areas in managing information security incidents.

⦿ Promote the performance of periodic audits to verify the organization’s compliance with its security obligations.

⦿ Approve information security improvement plans of the Organization. In particular, ensure coordination of different plans that may be carried out in different areas.

⦿ Prioritize security actions when resources are limited.

⦿ Ensure that information security is considered in all projects from their initial specification to their implementation. In particular, ensure the creation and use of horizontal services that reduce duplications and support a consistent operation of all ICT systems.

⦿ Resolve responsibility conflicts that may arise between different managers and/or between different areas of the Organization.
– Roles: Functions and responsibilities
The functions of those responsible for the organization are detailed below:
Information Officer
⦿ Ultimately responsible for the use made of certain information and, therefore, for its protection.

⦿ Ultimately responsible for any error or negligence leading to an incident of confidentiality or integrity (in terms of data protection) and availability (in terms of information security).

⦿ Establish information security requirements.

⦿ Determine and approve information security levels.

⦿ Approve the categorization of the system with respect to information.

⦿ Those to be indicated in the documents within the scope of the ENS.
Security Manager
⦿ Maintain the security of the information handled and the services provided by the information systems within its scope of responsibility, in accordance with the provisions of the organization’s Information Security Policy.

⦿ Promote information security training and awareness within his/her area of responsibility.

⦿ Approve the statement of applicability.

⦿ Channel and oversee both compliance with the security requirements of the service or solution provided and communications relating to information security and incident management within the scope of that service (POC).

⦿ Those that may be indicated in the documents within the scope of the ENS.

The Security Officer shall be the secretary of the Security Committee with the functions indicated in section 6.1 of this policy.

In accordance with the principle of “segregation of functions and tasks” set forth in art. 10 of the ENS, the Security Officer shall be a separate figure from the System Manager.
System Manager
⦿ Develop, operate, and maintain the information system throughout its entire life cycle, including its specifications, installation, and verification of its proper functioning.

⦿ Define the topology and management of the information system, establishing the usage criteria and the services available in it.

⦿ Ensure that security measures are properly integrated within the overall security framework.

⦿ Has authority to propose the suspension of the processing of certain information or the provision of a specific service if serious security deficiencies are detected that could affect compliance with established requirements.

⦿ Those indicated in the documents within the scope of the ENS.
Privacy Officer
⦿ Coordinate all aspects related to the alignment of DEISTER’s actions regarding the protection of personal data.

⦿ Coordinate, together with the Security Officer, compliance with the ENS regarding the protection of personal data.
Designation procedures
The Security Officer shall be appointed by the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant.

Likewise, the other positions indicated in the previous section shall be appointed by the Security Committee by means of meeting minutes.

Security policy review

The Security Committee shall be responsible for the annual review of this Security Policy and for proposing its revision or maintenance. The Policy will be approved by Senior Management and disseminated so that all affected parties are aware of it.

Personal data

DEISTER, in the provision of its services, processes especially sensitive personal data.

The related documentation, to which only authorized persons will have access, contains the records of the processing activities concerned and the corresponding responsible persons. All DEISTER information systems shall comply with the security levels required by law for the nature and purpose of the personal data.

Risk management

All systems subject to this Policy must carry out a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be repeated:

⦿ Regularly, at least once a year.

⦿ When the information handled changes.

⦿ When the services provided change.

⦿ When a serious security incident occurs.

⦿ When serious vulnerabilities are reported.

For the harmonization of risk analyses, the Security Committee will establish a reference assessment for the different types of information handled and the different services provided. The Security Committee will facilitate the availability of resources to address the security needs of the different systems, promoting horizontal investments.

Personnel obligations

All members of DEISTER have the obligation to know and comply with this Security Policy and the Security Regulations; it is the responsibility of the Security Committee to arrange the necessary means for this information to reach those affected.
All DEISTER members shall attend an awareness session on information security at least once a year. An ongoing awareness program will be established to serve all DEISTER members, particularly new members.
Persons with responsibility for the use, operation or administration of systems shall receive training in the safe operation of systems to the extent needed to perform their job. Training shall be mandatory prior to assuming a responsibility, whether it is their first assignment or a change of job or job responsibilities.

Third parties

When DEISTER provides services to other public or private organizations or handles information from other public or private organizations, they will be made aware of this Security Policy, will establish channels for reporting and coordination of the respective Security Committees and will establish procedures for reacting to security incidents.
When DEISTER uses third party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations pertaining to such services or information. Such third parties shall be subject to the obligations set forth in such regulations, and may develop their own operating procedures to satisfy them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that the personnel of third parties are adequately security-aware, at least to the same level as that established in this Policy.
Where any aspect of the Policy cannot be satisfied by a third party as required above, a report from the Security Officer will be required which specifies the risks involved and how to address them. Approval of this report by those responsible for the information and services affected will be required before proceeding further.

Applicable legislation

The Security Officer is responsible for compliance with the following laws and regulations:

⦿ Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.

⦿ Law 40/2015, of October 1, which establishes and regulates the bases of the legal regime of Public Administrations, the principles of the system of responsibility of Public Administrations and their sanctioning power, as well as the organization and operation of the General State Administration and its institutional public sector for the development of its activities.

⦿ Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.

⦿ Organic Law 1/2015, of March 30, which amends Organic Law 10/1995, of November 23, of the Criminal Code.

⦿ Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

⦿ Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights.

⦿ Law 34/2002 on Information Society Services (LSSI).

⦿ Law 22/11, of November 11, 1987, on Intellectual Property.