Security Policy

Commitment to information protection and continuity

1. Approval and Entry into Force

This Information Security Policy has been effective since June 28, 2024 (v 1.3), in accordance with the minutes (Acta) signed by the Security Committee of NUBENS ORBITEUM SLU, hereinafter nubens, and will remain in effect until replaced by a new Policy.

2. Mission of the Organization

At nubens, our mission is to provide consulting and support services in cybersecurity, information security, business continuity, privacy, and Artificial Intelligence. Through audits, expert reports, training, and regulatory compliance, we promote solutions that prioritize data protection and risk management, ensuring a secure digital environment aligned with legal standards.

3. Scope

Information systems for consulting and support services in cybersecurity, information security, and privacy. This includes auditing, expert reporting, training, business continuity, Artificial Intelligence, compliance with regulations such as the National Security Scheme (ENS), the NIS2 Directive, and the LSSICE. It also covers the protection of personal data, services as Data Protection Officer and Information Security Officer (RSI/CISO), risk management, and regulatory and legal compliance.

4. Objectives

Based on the above, Management establishes the following information security objectives:

  • Provide a framework to increase resilience capacity for effective response.
  • Ensure rapid and efficient recovery of services in the event of any physical disaster or contingency that could jeopardize business continuity.
  • Prevent information security incidents as far as technically and economically feasible, and mitigate the information security risks generated by our activities.
  • Ensure the confidentiality, integrity, availability, authenticity, and traceability of information.

5. Regulatory Framework

One of the objectives must be to comply with applicable legal requirements and any other requirements we subscribe to, as well as the commitments acquired with clients, together with their continuous updating.

6. Development

To achieve these objectives, it is necessary to:

  • Continuously improve our information security system.
  • Identify potential threats and their possible impact on business operations if materialized.
  • Preserve the interests of stakeholders (clients, shareholders, employees, and suppliers), reputation, brand, and value-creation activities.
  • Work jointly with suppliers and subcontractors to improve IT service delivery, service continuity, and information security, which will enhance our efficiency.
  • Assess and ensure the technical competence of staff, as well as guarantee their motivation to participate in continuous process improvement, providing adequate training and internal communication for them to develop best practices defined in the system.
  • Ensure the proper condition of facilities and appropriate equipment in line with the company’s activities, objectives, and goals.
  • Ensure ongoing analysis of all relevant processes, introducing necessary improvements based on results and established objectives.
  • Structure our management system in a way that is easy to understand.

The management of our system is entrusted to the system manager and will be available in our information system repository, accessible according to access profiles granted under our current access management procedure.

7. Security Organization

The essential responsibility lies with the General Management, which is responsible for organizing functions and responsibilities and providing the necessary resources to achieve ENS objectives. Executives are also responsible for leading by example, following the established security rules.

These principles are endorsed by Management, which provides the necessary means and equips employees with sufficient resources for compliance, and makes them publicly known through this Security Policy.

The defined security roles or functions are:

  • Information Owner => Responsible for making decisions regarding the information processed.
  • Service Owner => Responsible for coordinating system implementation and ensuring its continuous improvement.
  • Security Officer => Responsible for determining the suitability of technical measures and providing the best technology for the service.
  • Data Protection Officer => The point of contact for all stakeholders (employees, suppliers, clients, the Spanish Data Protection Agency, etc.) on privacy and data protection matters.
  • Top Management => Provides resources for the proper performance of the system and leads it.

This definition of duties and responsibilities is complemented in job profiles and the system document Register of responsibilities, roles, and duties.

Conflict Resolution

Differences in criteria that may result in conflict will be addressed within the Security Committee, with the criterion of the General Management prevailing in all cases.

8. Security Committee

The committee for managing and coordinating security is the highest authority within the information security management system, ensuring that all major security-related decisions are agreed upon within the committee.

The members of the information security committee are:

  • Information Owner
  • Service Owner
  • Security Officer
  • System Owner
  • Data Protection Officer
  • Company Management

These members are appointed by the committee, which is the only body authorized to appoint, renew, and remove them.

The security committee is an autonomous, executive body with independent decision-making authority that does not subordinate its activity to any other element of the company.

The organization of information security is further developed in the document complementary to this Policy on Security Organization.

This policy is complemented by the rest of the policies, procedures, and documents in force to develop our management system.

9. Risk Management

All systems subject to this Policy must conduct a risk analysis, assessing threats and risks they may be exposed to. This analysis will be reviewed regularly:

  • at least once a year
  • when the information handled changes
  • when services provided change
  • when a major security incident occurs
  • when serious vulnerabilities are reported

To harmonize risk analyses, the ICT Security Committee will establish a reference assessment for the different types of information handled and services provided. The ICT Security Committee will promote the availability of resources to meet the security needs of the different systems, fostering horizontal investments.

The risk analysis will follow the methodology developed in the Risk Analysis procedure.

10. Personnel Management

All members of nubens are obliged to know and comply with this Information Security Policy and Security Regulations, with the ICT Security Committee responsible for ensuring this information reaches those affected.

All members of nubens will attend at least one ICT security awareness session per year. A continuous awareness program will be established, particularly targeting new staff members.

Those responsible for the use, operation, or administration of ICT systems will receive training for the safe handling of systems to the extent necessary for their job. Training is mandatory before assuming any responsibility, whether it is their first assignment or a change in role.

11. Professionalism and Security of Human Resources

This Policy applies to all nubens staff and external personnel performing tasks within the company.

HR will include information security functions in job descriptions, inform all new staff of their obligations regarding compliance with this Policy, manage Confidentiality Agreements with staff, and coordinate user training related to this Policy.

  • The Security Management Officer (RGS) is responsible for monitoring, documenting, and analyzing reported security incidents, as well as communicating with the Information Security Committee and information owners.
  • The Information Security Committee is responsible for implementing the necessary means and channels for the Security Management Officer (RGS) to manage reports of incidents and system anomalies. The Committee will also supervise investigations, monitor the evolution of information, and promote resolution of information security incidents.
  • The Security Management Officer (RGS) will participate in preparing the Confidentiality Agreement signed by employees and third parties working for NUBENS ORBITEUM SLU, advising on penalties for violations of this Policy, and handling information security incidents.
  • All nubens staff are responsible for timely reporting of detected information security weaknesses and incidents.
  • Professionalism of human resources:
    – Determine the competence necessary for staff to perform work affecting Information Security.
    – Ensure people are competent based on adequate education, training, or experience.
    – Demonstrate, through documented information, the necessary competence of staff regarding Information Security.

Objectives of controlling staff security are:

  • Reduce risks of human error, irregularities, misuse of facilities and resources, and unauthorized handling of information.
  • Explain security responsibilities during staff recruitment, include them in agreements, and monitor compliance during task performance.
  • Ensure users are aware of information security threats and concerns and are trained to support the organization’s Information Security Policy in their daily tasks.
  • Establish confidentiality commitments with all staff and external users working with information processing facilities.
  • Set up tools and mechanisms to promote reporting of existing security weaknesses and incidents, minimizing effects and preventing recurrence.

12. Authorization and Access Control to Information Systems

Access control to information systems aims to:

  • Prevent unauthorized access to information systems, databases, and information services.
  • Implement user access security through authentication and authorization techniques.
  • Control security in connections between nubens’ network and other public or private networks.
  • Review critical events and user activities in systems.
  • Raise awareness about password and equipment responsibility.
  • Ensure information security when using laptops and personal computers for remote work.

13. Facility Protection

The objectives of this policy in terms of facility protection are:

  • Prevent unauthorized access, damage, and interference to nubens headquarters, facilities, and information.
  • Protect nubens’ critical information processing equipment by placing it in protected areas and secured by a defined security perimeter with adequate security measures and access controls. Also, ensure its protection during transfers or when temporarily outside protected areas for maintenance or other reasons.
  • Control environmental factors that could affect the proper functioning of computing equipment hosting nubens information.
  • Implement measures to protect information handled by staff in offices during their normal daily tasks.
  • Provide protection proportional to identified risks.

This Policy applies to all physical resources related to nubens’ information systems: facilities, equipment, cabling, records, storage media, etc.

It should be highlighted that at nubens all environments (development, quality assurance, etc.) are hosted externally in secure hosting, so only laptops and peripherals require local protection.

The Security Management Officer (RGS), along with the Information Owners where appropriate, will define physical and environmental security measures for protecting critical assets, based on risk analysis, and oversee their implementation. They will also verify compliance with physical and environmental security provisions.

Department heads will define physical access levels of nubens staff to restricted areas under their responsibility. Information Owners will formally authorize off-site work with business information when deemed appropriate.

All nubens staff are responsible for compliance with the clean desk and clear screen policy to protect information related to daily office work.

14. Product Acquisition

Departments must ensure that ICT security is an integral part of each stage of the system lifecycle, from design to retirement, covering development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and ICT project tender documents.

Additionally, information security must be considered in the acquisition and maintenance of information systems, limiting and managing changes.

15. Security by Default

nubens considers it strategic that processes integrate information security as part of their lifecycle. Information systems and services must include security by default from creation to retirement, including security in development and/or acquisition decisions and in all operational activities, establishing security as an integral and transversal process.

16. System Integrity and Updates

nubens is committed to ensuring system integrity through a change management process that controls updates of physical or logical elements via prior authorization before installation in the system. This evaluation will mainly be carried out by technical management, which will assess the security impact before making changes and document those changes evaluated as important or security-relevant.

Through periodic security reviews, the security status of systems will be assessed regarding manufacturer specifications, vulnerabilities, and updates affecting them, reacting diligently to manage risks accordingly.

17. Protection of Stored and Transmitted Information

nubens establishes protection measures for Information Security regarding information stored or transmitted through insecure environments. Insecure environments include laptops, peripheral devices, information media, and communications over open or weakly encrypted networks.

18. Interconnected Information Systems

nubens will ensure that all information exchanges and service provision with other systems are subject to prior authorization. Any information flow without express authorization is prohibited.

For each interconnection, the following must be explicitly documented:

  1. Interface Characteristics: Specifications of the interface used, including communication protocols, authentication methods, and encryption mechanisms.
  2. Security and Data Protection Requirements: Identification and documentation of necessary security requirements to protect exchanged data, including access controls, security event auditing, malware protection measures, and incident response procedures.
  3. Nature of Exchanged Information: Description of the type of information exchanged, its classification by sensitivity level, and any specific protection requirements in line with privacy and data protection regulations.

These measures will ensure that all information flows are carried out securely, in compliance with the standards set by the National Security Scheme (ENS), and that the integrity, confidentiality, and availability of exchanged data are preserved.

19. Activity Logs

nubens will log user activities, retaining necessary information to monitor, analyze, investigate, and document unauthorized or improper activities, enabling identification of the actor at all times.

The main objectives of Incident Management are:

  • Establish a system for detection and response to malicious code.
  • Provide procedures for managing security incidents and system weaknesses.
  • Cover detection mechanisms, classification criteria, analysis and resolution procedures, communication channels with stakeholders, and record-keeping of actions.
  • Use these records for continuous system security improvement.
  • Ensure IT services return to optimal performance.
  • Reduce potential risks and impacts caused by incidents.
  • Safeguard system integrity in the event of a security incident.
  • Communicate incident impact as soon as detected to activate alarms and implement an appropriate business communication plan.
  • Promote business efficiency.

20. Business Continuity

nubens, to ensure business continuity, establishes measures for system backups and sets up mechanisms to guarantee continuity of operations in case of loss of regular work resources.

21. Continuous Improvement of Security Process

nubens establishes a process of continuous improvement of information security by applying the criteria and methodology set by the National Security Scheme (Royal Decree 311/2022) and ISO 27001:2022.

Signed by the top management of NUBENS ORBITEUM SLU, in Móstoles, on August 24, 2025 at 21:07 (CEST)