ISMS Security Policy
Last updated February 14, 2025
The purpose of this document is to establish the information security policy for UNIWAY TECHNOLOGIES, thus ensuring the authenticity, confidentiality, integrity, availability and traceability of UNIWAY TECHNOLOGIES' information systems and, of course, guaranteeing compliance with all applicable legal obligations.
Scope of application
The information security policy shall be mandatory for all users of UNIWAY TECHNOLOGIES systems and applicable to the assets used to provide the services offered to clients, affecting the information processed by electronic means.
It shall be mandatory for all personnel who access either the information systems or the information itself managed by the organization, regardless of their post, assignment, or relationship with the organization.
Approval and communication
This policy was approved on 14/02/2025 by the General Manager of UNIWAY TECHNOLOGIES.
This Information Security Policy is effective and applicable from that date until it is replaced by a new Policy.
This policy must be known and accepted by all interested parties, and the necessary procedures must be established for this purpose through the corporate communication channels.
The information security policy must be reviewed regularly at planned intervals or if significant changes occur, in order to ensure its continued suitability, adequacy, and effectiveness. If modifications are incorporated, all interested parties will be informed of such review and update.
Principles of information security
The following fundamental security guidelines shall be established, which will help to avoid compromising the confidentiality, integrity, and availability of the services, as well as the associated information.
The following principles are established:
1. Commitment of senior management: Information security has the commitment and support of all management levels so that it may be coordinated and integrated with the rest of the Company’s strategic initiatives to form a coherent and effective whole. As evidence of this commitment, the General Management will ensure compliance with this document, keeping it updated and approved within the Company, providing all economic and logistical means for the establishment, implementation, maintenance, and evolution of the ENS.
2. Comprehensive process: Security shall be understood as a comprehensive process consisting of all technical, human, material, and organizational elements related to the system, avoiding, except in cases of urgency or necessity, any isolated actions or temporary treatments. Information security must be considered part of normal operations, being present and applied from the initial design of information systems, ensuring the promotion of knowledge and awareness of Information Security among its employees.
3. Risk-based security management: Studies and evaluations of risks that may endanger information security shall be carried out. Likewise, the necessary measures shall be applied to mitigate these risks based on their criticality, performing periodic assessments that make it possible to determine the status of risk treatment management, especially following security incidents.
4. Prevention, response, and recovery: System security shall address prevention, detection, and correction aspects in order to ensure that threats do not affect the information and services provided. To this end, management cycles shall be carried out based on risk planning and measurement, the implementation of security measures, and their subsequent reassessment.
5. Line of defense: Appropriate mechanisms shall be implemented to ensure the availability of information systems and maintain the continuity of their business processes, in accordance with users’ service level requirements, prioritizing gaining time for an appropriate response to incidents, reducing the likelihood of system compromise and minimizing its final impact.
6. Periodic reassessment: General Management shall carry out a periodic reassessment of security measures to adapt their effectiveness to the constant evolution of risks and protection systems, conducting audits and setting objectives as a commitment to the continuous improvement of the system.
7. Differentiated responsibility: Within information systems, the information owner shall be distinguished, who determines the security requirements of the processed information; the service owner, who determines the security requirements of the services provided; the system owner, who is responsible for the provision of services; and the security manager, who determines the decisions required to meet security requirements.
Legal and regulatory framework
UNIWAY TECHNOLOGIES shall take into account the requirements set forth by the applicable legal and regulatory framework under which its activities are carried out.
The following regulations and standards have been identified:
• GDPR: General Data Protection Regulation – Regulation (EU) 2016/679 – entered into force on 25 May 2016, relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• ENS: the National Security Scheme, provided for by Law 11/2007, of 22 June, and subsequently approved by Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme within the scope of Electronic Administration, together with its subsequent amendment by Royal Decree 951/2015, of 23 October, which establishes the basic principles and minimum requirements that enable adequate protection of information.
• eIDAS: Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 2014, on electronic identification and trust services for electronic transactions in the internal market, and repealing Directive 1999/93/EC.
• Intellectual Property Law: related to the processing and regulation of any work with intellectual property rights, in order to meet the requirements of Law 1/1996 regarding the unauthorized copying or distribution of licensed software.
Standards:
• ISO/IEC-27001 “Information Security Management Systems”
Mission and objectives
UNIWAY TECHNOLOGIES aims to provide datacenter, cloud, and managed services related to telematics systems, which are delivered to entities within public administrations, State Security Forces, companies in the industrial sector, etc.
The management of UNIWAY TECHNOLOGIES, in alignment with the responsibility for the continuous improvement of the ISMS, has established a reference framework for setting information security objectives. This framework and the objectives are detailed in the GlobalSUITE tool and in the document “ISMS and ENS Objectives.docx”.
Uniway’s mission is to offer innovative, high-quality technological solutions that enable our clients to optimize their resources, improve efficiency, and reduce costs through the use of technologies tailored to their needs. Uniway is not just another provider; we have over 20 years of experience focused on delivering Managed Services and Professional Services as part of our client value proposition, always from the perspective of comprehensive coverage that addresses all the needs of a Technology and Communications Management department.
Our vision for the future is to become a benchmark in the information technology, communications, and managed cybersecurity sector, acting as a strategic partner for companies in their digital transformation and contributing to the success of their business processes.
The values on which Uniway is based are:
• Innovation: We are committed to offering advanced technological solutions that add value and keep clients at the forefront of the industry.
• Commitment: Our team is committed to the success and satisfaction of our clients, providing continuous and personalized support.
• Flexibility: We adapt our solutions to each client’s needs, offering modular models and scalable services.
• Quality: We prioritize excellence in all our processes, from customer service to the implementation of technological solutions.
• Trust: We foster long-term relationships based on transparency, respect, and reliability in all our services.
Organization and implementation of the security process
UNIWAY TECHNOLOGIES identifies a series of roles and responsibilities associated with information security.
Responsibility for information security at UNIWAY TECHNOLOGIES rests with General Management.
General Management is responsible for organizing functions and responsibilities, the security policy, and for providing adequate resources to achieve the established objectives.
The General Management of UNIWAY TECHNOLOGIES also establishes a series of roles and responsibilities in terms of security and service management, considering the following positions.
Roles and Responsibilities of the ISMS and ENS
ISMS Committee
The Committee is responsible for organizing functions and responsibilities, the security policy, and for providing the appropriate resources to achieve the established objectives.
The ISMS Committee is responsible for carrying out the following functions within the organization:
• Supporting the ISMS Manager so that their decisions are successfully implemented. Deciding, following system reviews, on the actions necessary for its continuous improvement.
• Establishing, reviewing, and approving the System Management Policy annually or whenever significant changes occur.
• Defining the approach to be taken for risk assessment and management in order to achieve the defined objectives.
• Informing senior management about the performance and opportunities for improvement of the ISMS. Communicating to the organization the importance of achieving information security objectives and complying with the established policy for this purpose, as well as the need for continuous improvement.
• Approving the Risk Analysis and approving the Risk Treatment Plan.
• Ensuring that internal ISMS audits are carried out. In general, approving at least the following documentation:
o Security Objectives
o Established SLAs
It is established that the Risk Owner is the ISMS Committee, which is responsible for deciding the NRA and approving the residual risk level.
The document “Risk Analysis Methodology.docx” also states that the Risk Owner is the ISMS Committee.
The Committee shall meet as often as designated by its members, but at least once a year on an ordinary basis. If the Committee deems it appropriate and due to circumstances that require it, extraordinary meetings may be convened. Individuals deemed appropriate by the Committee according to the topics to be addressed may be exceptionally invited to Committee meetings. The ISMS Manager shall issue a prior call, sent by email to all Committee members, as well as to any other persons deemed appropriate, including the agenda with all items to be addressed at the meeting. The conclusions agreed upon at Committee meetings shall be recorded in minutes, which must be signed by all members and kept as evidence of attendance and of the Committee’s operation.
The ISMS Committee must communicate and disseminate different obligations, procedures, and standards to UNIWAY TECHNOLOGIES employees. This process shall be carried out via email to all those involved, indicating the specific documentation being disseminated, as well as its purpose and content. The communication shall be sent by a Committee member.
At least the following documents shall be disseminated:
• Information Security Policy
• ISMS security requirements and objectives.
• Regulatory compliance. A response from all affected personnel indicating their understanding will be required.
ISMS Manager
The ISMS Manager has the following responsibilities:
• Implementing, coordinating, and maintaining the Information Security Management System (ISMS). Preparing and updating ISMS documentation.
• Reviewing and keeping the Information Security documentation and Policy up to date, as well as the risk assessment, regularly reviewing the risk analysis at planned intervals or when significant changes occur to ensure its continued suitability, adequacy, and effectiveness, as well as that of the implemented controls.
• Ensuring that the system operates properly, responding to any event and evolving toward continuous improvement, while keeping senior management informed about identified opportunities.
• Analyzing audit reports and submitting the conclusions of this analysis to the Committee. Monitoring and managing security risks of the Integrated Management System. Ensuring the Confidentiality, Integrity, and Availability of information systems. Ensuring compliance with plans and objectives of the Information Security Management System.
• Establishing criteria for defining user or user-profile access rights. Updating the Security Document and ensuring its compliance with current regulations.
• Maintaining an up-to-date list of users or user profiles of the system, indicating their access rights.
• Adopting the necessary measures to ensure that personnel are aware of the security rules affecting the performance of their duties and of the consequences of non-compliance.
• Establishing mechanisms to prevent users from accessing data or resources with rights other than those authorized.
• Verifying the definition and correct application of data backup and recovery procedures.
• Granting, revoking, or modifying access rights in accordance with established criteria. Coordinating and monitoring the measures defined in the Information Security Policy.
• Analyzing audit reports and submitting the conclusions of the audit report analysis to the data controller.
• Verifying that the implemented physical and logical security measures protect personal data.
Obligations
• Maintaining the confidentiality of personal data accessed in the performance of duties, even after leaving the organization.
• Ensuring that authorizations to access the data for which they are responsible are granted and revoked in a timely manner.
• Being familiar with internal security regulations, especially those relating to personal data protection, which may include policies, procedures, rules, standards, and guidelines.
• Being aware of the consequences and responsibilities that may arise from non-compliance with regulations, which could result in sanctions.
• Not attempting to bypass security mechanisms or devices, avoiding any attempt at unauthorized access to data or resources, reporting possible weaknesses in controls, and not endangering the availability, confidentiality, or integrity of data.
• Not sharing or disclosing passwords, which are personal, not stored in plain text, and transmitted through secure channels; users shall be responsible to the entity for all accesses and activities carried out using their user ID and password.
• Ensuring compliance with applicable legal regulations, especially regarding personal data protection and intellectual property.
• Protecting any data backups in their possession and carrying out periodic ISMS reviews.
Information Owner
This role has ultimate responsibility for the use made of specific information and, therefore, for its protection. This role is ultimately responsible for any error or negligence that leads to a confidentiality or integrity incident.
The Information Owner is granted the authority to establish information security requirements or to determine information security levels.
Service Owner
The Service Owner is granted the authority to establish service security requirements or to determine service security levels.
Service provision must always meet the security requirements of the information it handles (sometimes referred to as “inherited requirements”) and usually adds availability requirements, as well as others such as accessibility, interoperability, etc.
Security Officer
Their responsibilities are as follows:
• Maintaining the security of the information handled and the services provided by the information systems within their scope of responsibility, in accordance with the Company’s Security Policy.
• Promoting information security training and awareness within their area of responsibility.
And their tasks:
• Determining the system category.
• Risk analysis.
• Statement of applicability.
• Additional security measures.
• System security documentation.
• Drafting security regulations.
• Approving operational security procedures.
• Reporting the status of system security to the Committee.
• Preparing security improvement plans together with the Systems Manager.
• Preparing awareness and training plans.
• Validating continuity plans.
• Approving the lifecycle: specification, architecture, development, operation, changes.
System Owner and Security Administrator
This role is responsible for and administers all systems and access to Uniway files and resources according to the guidelines set by the Security Officer.
Their functions and obligations are:
• Administering and monitoring the proper functioning of the system, including version changes, access administration, and backups.
• Being familiar with internal security regulations, especially those relating to personal data protection, which may include policies, standards, procedures, rules, and guidelines.
• Being aware of the consequences and responsibilities that may arise from non-compliance with regulations, which could result in sanctions.
• Using the controls and means established to protect both personal data and the information systems themselves and their components: automated files, programs, media, and equipment used for the storage and processing of personal data.
• Not attempting to bypass security mechanisms or devices, avoiding any attempt at unauthorized access to data or resources, reporting possible weaknesses in controls, and not endangering the availability, confidentiality, or integrity of data.
• Properly using identification and authentication mechanisms for information systems, whether passwords or more advanced systems, in accordance with regulations.
• Not sharing or disclosing passwords, which are personal and transmitted through secure channels and not stored in plain text.
• Performing data backups as established in regulations and protecting the copies obtained.
Other ISMS roles
The remaining roles related to the ISMS are defined in more detail in the document “General functions and obligations for all personnel.docx”.
Unified responsibilities, segregation, and conflict resolution
At UNIWAY TECHNOLOGIES, responsibilities are unified so that the same person or body acts as both the Information Owner and the Service Owner.
Article 10 of the National Security Scheme establishes the principle of “Security as a differentiated function.” This principle requires that the Security Officer be independent from the System Owner; however, in the event of a conflict, it must be resolved by the hierarchical superior. This should be specified for each organization in accordance with applicable regulations.
Intermediate structure
At UNIWAY TECHNOLOGIES, the roles and responsibilities identified in this policy are aligned with the following intermediate structure based on three roles:
Governance: a role that integrates the following functions:
• Information Owner
• Service Owner
The person holding the Governance role is: Hassan Kalantari Bornak.
Supervision: a role that reports to Senior Management and performs the function of Security Officer.
The person holding the Supervision role is: María José Martínez Fernández.
Operations: a role that integrates the following functions:
• System Owner
• Security Administrator
The person holding the Operations role is: Sergio Ruiz.
The Security Officer ensures that these roles are communicated and accepted by the interested parties and that they have understood their functions and obligations toward the organization in matters of security and service management.
The organization has a hierarchy and an approval process that establishes the requirements for changes and conflict resolution within the organization.
Appointment procedure
All appointments to the roles identified by the National Security Scheme will be made by the General Manager of UNIWAY TECHNOLOGIES. These appointments will be reviewed at least every two years or whenever necessary.
Professionalism
All activities related to systems security are handled, reviewed, and audited by qualified personnel who are dedicated and trained in all phases of their life cycle: installation, maintenance, incident management, and decommissioning.
Acquisition of security products
UNIWAY TECHNOLOGIES values the acquisition of IT and communications security products whose functionality is certified. This certification must comply with internationally recognized standards in the field of functional security.
This procedure establishes the need to address security requirements based on the intended use of the product, the evaluation level, and any additional security certifications.
Default security
UNIWAY TECHNOLOGIES systems are configured so that:
• They provide only the minimum functionality required for the organization to achieve its objectives, with no additional functions.
• Operational, administrative, and activity logging functions are kept to the minimum necessary, ensuring that they are accessible only by authorized personnel, from authorized locations or devices, with restrictions on access times and points applied if necessary.
• In an operational system, unnecessary or non-relevant functionalities are removed or disabled through configuration control.
• Ordinary use of the system must be simple and secure, so that any unsafe use requires a conscious action by the user.
System Integrity and Updates
All physical or logical components of UNIWAY TECHNOLOGIES require formal prior authorization before being installed in the system.
The security status of the systems must be known at all times, in relation to manufacturer specifications, vulnerabilities, and applicable updates, responding diligently to manage risks based on the current security status.
Protection of information stored and in transit
UNIWAY TECHNOLOGIES pays special attention to information stored or transmitted through insecure environments. Laptops, personal digital assistants (PDAs), peripheral devices, information media, and communications over open networks or networks with weak encryption are considered insecure environments.
UNIWAY TECHNOLOGIES treats the procedures that ensure the long-term recovery and preservation of the electronic documents it produces as part of its security measures.
Prevention in the face of other interconnected information systems
The perimeter will be protected, especially when the connection occurs to or from public networks. In any case, the risks arising from the interconnection of the system with other systems through networks will be analyzed, and the connection points will be controlled.
Activity Logs
UNIWAY TECHNOLOGIES will log user activities, always complying with applicable legislation in each case, retaining the necessary information to monitor, analyze, investigate, and document improper or unauthorized activities, allowing the identification of the acting individual at any time.
Continuity of activity
The systems have backup copies and will implement the necessary mechanisms to ensure continuity of operations in the event of loss of the usual working resources.
Document Management
UNIWAY TECHNOLOGIES, in alignment with the requirements of the ENS, follows a documented process for the creation, updating, and control of security documentation. This procedure is detailed in the file “Uniway gestión documental”.