Information Security Management Policy
Mission and Objectives of SATEC in the field of Information Security
The Management of SATEC, represented by Ms. Teresa Taubmann Urquijo, General Manager of SATEC, is fully aware of the importance of appropriate handling of information in achieving an optimal level of quality, security, availability and continuity in the services provided to its clients. SATEC bases its market positioning towards its clients, to a large extent, on the deployment and development of infrastructures and services for information systems and telecommunications.
For SATEC, a security incident entails clear tangible damage, such as loss of information, loss of service availability or legal consequences, as well as significant reputational damage to the company. This makes security an essential factor in the proper performance of the organisation.
Objectives of the Information Security Policy
SATEC has established the following objectives in the field of information security:
- Ensure the confidentiality of the information handled by SATEC.
- Protect the integrity of information in all areas of its processing within the framework of the services provided.
- Ensure the availability of the information systems supporting the services provided to its clients.
- Verify and ensure the authenticity of information senders and receivers.
- Guarantee traceability and monitoring of activities and information within the framework of service delivery.
- Manage information security throughout the entire service lifecycle.
- Ensure the performance of risk analyses to assess existing risks and select the necessary security measures, maintaining an adequate balance between cost and benefit.
- Apply security measures focused on the prevention of possible incidents, errors, or deliberate attacks.
- Establish effective management of security events and incidents, so as to minimise their impact and any resulting consequences and to respond in a timely manner and in compliance with contractual and legal requirements, ensuring the availability and continuity of the service provided. Procedures shall be established for the prevention and detection of, response to and recovery from any security incident.
- Protect information from unauthorized access and implement the necessary technical measures to ensure the required lines of defense.
- Promote awareness and training of employees in the field of information security.
- Ensure continuous improvement through the established periodic reviews, including monitoring, auditing, and follow-up of improvement plans.
Regulatory Framework
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE) (Spanish Official Gazette No. 166 of 12-07-2002), last updated 12/11/2020.
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (Spanish Official Gazette No. 44 of 09/05/2023).
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
- Royal Decree 311/2022, of 3 May, regulating the National Security Framework.
- Royal Legislative Decree 1/1996, of 12 April, approving the Consolidated Text of the Intellectual Property Law (LPI), including the amendments introduced by Law 5/1998, of 6 March.
- Royal Decree 28/2003, of 7 March, approving the Regulations of the Central Registry of Intellectual Property (Spanish Official Gazette No. 75 of 28-03-2003).
- Organic Law 10/1995, of 23 November, of the Criminal Code, as updated on 05/06/2021.
- Law 1/2019, of 20 February, on Trade Secrets.
- Law 23/2006, of 7 July, amending the Consolidated Text of the Intellectual Property Law approved by Royal Legislative Decree 1/1996, of 12 April.
- Law 25/2013, of 27 December, on the Promotion of Electronic Invoicing and the Creation of the Accounting Record of Invoices in the Public Sector. Applicable to services provided to Public Administrations.
- Law 17/2001, of 7 December, on Trademarks. Applicable to the protection of SATEC's distinctive signs, trademarks and trade names.
- Law 24/2015, of 24 July, on Patents. Applicable to the protection of industrial inventions.
- Royal Decree-Law 12/2018, of 7 September, on the Security of Networks and Information Systems.
- Law 10/2021, of 9 July, on Remote Work.
- Regulation (EU) 2024/1689 of the European Parliament and of the Council, of 13 June 2024, laying down harmonised rules on Artificial Intelligence.
Information Security Organisation
Coordination of information security
Information Owner
The Information Owner is responsible, within their scope of action, for:
- Determining the security needs and requirements of the information processed.
- Ensuring the proper use and protection of information.
The Information Owner may not delegate the approval of information security levels.
Information Owners shall be appointed by General Management according to the nature of the information.
Service Manager
The Service Manager is responsible, within their scope of action, for:
- Determining the security requirements of the provided service.
- Including security specifications, together with the corresponding control mechanisms, in the lifecycle of the service and of its supporting systems.
- Ensuring that defined processes and policies are applied.
The Service Manager may not delegate the approval of service security levels.
Service Managers shall be appointed by Production Management according to the nature of the services.
Information Security Management System (ISMS) Manager
SATEC has an ISMS Manager (referred to in this Policy as the Security Manager) who is responsible for the control and coordination of security: monitoring compliance with, and the adequacy of, the existing security measures, and proposing and establishing improvements to keep them aligned with the security policy, standards and procedures established within the general Management System.
This role is supported by:
- A Technical Security Manager in each branch, who identifies, analyses and resolves any technical issues related to security.
- A Physical Security Manager reporting to General Services.
- Service Managers.
- Information Owners.
- System Managers.
- A Security Management Committee, with sufficient authority to take the organisational decisions needed to ensure security. This Committee is integrated within the IT Service Management System (SGSIT) Committee and shall be composed, as a minimum and not exclusively, of:
- Security Manager
- Technical Security Manager
- Service Manager (also representing the Information Owners)
The main functions of the Security Manager include:
- Recommending preventive and/or corrective improvement actions to resolve detected problems, and informing the Management System Manager so that they can be managed.
- Ensuring the implementation of agreed actions regarding improvements, objectives, corrective and preventive actions, detected vulnerabilities and monitoring their completion.
- Establishing security incident management.
- Maintaining contact with external resources or sources related to security.
- Evaluating changes to assets and underlying infrastructure and analysing their security implications, with the assistance of the Technical Security Manager.
- Creating the ISMS documentation structure for SATEC's Service Area.
- Ensuring the implementation and ongoing maintenance of the ISMS at SATEC, in collaboration with the Management System Manager.
- Having information on ISMS performance within SATEC's Service Area and proposing improvements based on:
  - Non-conformities
  - Corrective actions
  - Risk analysis results
  - Internal audits
  - Security incidents
  - Suggestions
  - Indicators
- Recording ISMS improvement needs, assigning responsible parties and monitoring progress.
- Closing Corrective and Preventive Actions of the ISMS in coordination with the Management System Manager.
- Recording the status of ISMS Corrective and Preventive Actions.
- Reviewing and controlling risk analysis and its management.
- Ensuring proper resource management in coordination with Management, regarding the ISMS of SATEC’s Service Area.
- Ensuring the security of the infrastructure required to operate IT services within SATEC's Service Area, including physical access to it.
- Having information about the management of the communications and operations of the equipment and systems needed to operate IT services.
- Being informed of all matters related to system access management within SATEC's Service Area.
- Participating in procurement, development and maintenance of systems.
- Establishing mechanisms for managing security incidents in the Service Area.
- Defining procedures and plans to ensure business continuity.
- Ensuring technical and legal compliance of the ISMS.
- Calling meetings of the Security Operations Committee whenever its analysis and expertise are required.
System Manager
The System Manager is responsible for the operation of the information system, adhering to the security measures determined by the Security Manager and the Technical Security Manager.
Their main functions include:
- Developing, operating and maintaining the information system throughout its lifecycle, from the definition of specifications to deployment and verification of correct operation.
- Defining system topology and management, including usage criteria and services within the information system.
- Ensuring, together with the Security Manager and Technical Security Manager, that security measures are properly integrated within the corporate security framework.
Security Management Committee
Its main functions are:
- Reporting to the Management Committee, Management, and the Steering Committee when appropriate.
- Drafting SATEC’s Security Policy and Security Standards.
- Preparing Security Procedures.
- Informing Management on information security management.
- Establishing risk acceptance criteria and pre-approving risk mitigation strategies, which are subject to final approval by the Services Management.
- Coordinating risk analyses, contingency and disaster prevention plans.
- Developing medium- and long-term security objectives and strategies.
- Preparing an annual security management plan, submitting the corresponding resources for Management approval.
- Following up on agreements from the latest Management Review of the ISMS.
- Analysing Internal Audit results.
- Analysing the status of Preventive and Corrective Actions, verifying that they are taken within an appropriate timeframe.
- Analysing the progress and achievement of security objectives.
- Ensuring that all personnel are made aware of the importance of the security objectives, of compliance with the security standards, and of their own security responsibilities.
- Analysing compliance with ISMS security standards and procedures and their validity, identifying the need for modifications or improvements.
- Reviewing ISMS conclusions and necessary corrective and/or preventive actions, defining responsible parties and deadlines.
Procedure for Assignment of Responsibilities
It shall be the responsibility of the Services Management to assign security responsibilities within the Services Area and to establish the list of information owners, as well as those authorised to assign resources and permissions.
Training and Awareness
SATEC Management undertakes to provide the necessary resources for appropriate training and awareness in matters of security for all SATEC employees, depending on their roles and responsibilities related to this field.
It will also ensure that the knowledge required by those responsible for security, information and information systems is kept up to date.
Risk Management
All information systems and elements necessary for the provision of services subject to this Policy shall undergo a risk analysis, assessing the threats and risks to which they are exposed.
The frequency for conducting this risk analysis shall be:
- At least once a year.
- When the information being handled changes.
- When the services provided or the scope of the Information Security Management System (ISMS) change.
- When a serious security incident occurs.
- When severe vulnerabilities are reported.
For risk analysis traceability, the Security Committee shall establish a reference assessment for the different types of information handled and the services provided. The Services Management shall ensure the availability of resources to address the security needs of the different systems, based on the cost/benefit ratio.
Personal Data
SATEC Management is aware of the importance of appropriate information handling in achieving an optimal level of client service. In particular, some of the data needed for the conduct of SATEC's business fall within the legal definition of personal data, and special care must therefore be taken in the collection, processing, updating and destruction of such data.
The record of processing activities, accessible only to authorised persons, includes the affected files and corresponding responsible parties. All SATEC information systems shall comply with the security levels according to the classification of information and as required by applicable regulations for the nature and purpose of the personal data collected in the mentioned record.
Third Parties
When SATEC provides services to other entities or processes data and information belonging to other organisations, they shall be informed of and involved in this Security Policy, establishing the necessary communication channels and defining processes for disaster or security incident response.
Likewise, when SATEC requires third-party services or transfers information, they shall be informed of the applicable requirements set out in this Policy and in the related procedures and policies. Third parties shall be subject to the obligations established therein. In all cases, knowledge and awareness of the staff involved in the provision of the service must be ensured.
Staff Obligations
SATEC Management expressly declares its knowledge and approval of this Policy and of the documents that develop it. All staff must be aware of the Policy and assume compliance with it as part of their professional duties.
Development and Review of the Policy
This Policy is developed in the ISMS Policy Manual and in the various security procedures established by SATEC.
Its adequacy shall be reviewed at least once a year as part of the Management Review.
Madrid, 25 June 2025
Teresa Taubmann Urquijo
General Manager of SATEC