ISMS Security Policy

Updated information as of 12/10/2021

 

OBJECTIVE

The global objective of Information Security of UNIWAY TECHNOLOGIES, S.L., is to guarantee the criteria of Confidentiality, Integrity and Availability of the information, as well as the continuity of the services offered to our clients in the event of service disruptive events, articulating for this a set of internal processes to respond in an orderly manner to an event, minimizing the impact on business, information and customers.

Our Security Policy is based on two fundamental pillars, on the one hand, we use the Information Security Management System Policy (ISMS) and on the other hand, our Security Policy is based on the requirements established in the National Scheme of Security (ENS), whose action base is to ensure the authenticity, confidentiality, integrity, availability and traceability of the information systems of UNIWAY TECHNOLOGIES, S.L., and, of course, guarantee compliance with all applicable law obligations.

 

SCOPE

The services provided by UNIWAY TECHNOLOGIES, S.L., included in the scope of the ISMS and the ENS are:

  • Cloud Hosting.

  • e-commerce platform.

  • Backup services.

  • S3 storage services.

  • OneVision.

  • Cloud Computing platform located in the Datacenter through which we offer our services to customers and distributors.

 

RESPONSIBILITIES

The main figure responsible for the Policy is the Information Security Management System Committee (ISMS) and the System Manager, as they are in charge of reviewing and approving the different information security strategies and processes, ensuring their quality and effectiveness.

The functions and obligations to coordinate and execute the Information Security principles are developed in the ISMS documents.

 

INFORMATION SECURITY PRINCIPLES

Our Security Policy is established based on the requirements set forth in the information security standard UNE-ISO/IEC 27001:2013 and in accordance with the National Security Scheme. Thus ensuring the confidentiality, integrity and availability of the information systems of UNIWAY TECHNOLOGIES, S.L., guaranteeing, in turn, compliance with all applicable legal obligations.

Therefore, as a fundamental point of the Information Security of UNIWAY TECHNOLOGIES, S.L., we may list the following basic aspects in accordance with the ISMS based on ISO 27001 and ENS:

  • Commitment of superior bodies: Information security has the commitment and support of all management levels so that it can be coordinated and integrated with the rest of the strategic initiatives of UNIWAY TECHNOLOGIES, S.L., in order to form a "whole" that is coherent and effective. As a sign of this commitment, the General Management will ensure compliance with this document, keeping it updated and approved. Likewise, it will provide all the economic and logistical means for the constitution, implementation, maintenance and evolution of the ISMS and the ENS.

  • Integral process: Security shall be understood as an integral process comprising all the technical, human, material and organizational elements related to the system, avoiding, except in cases of urgency or necessity, any one-off action or temporary treatment. Information security should be considered as part of business as usual, being present and applied from the initial design of information systems. Making sure to promote knowledge and awareness of Information Security among its employees.

  • Risk-based security management: The study and evaluation of the risks that could jeopardize information security is developed. Likewise, the necessary measures will be applied to mitigate these risks based on their criticality. Carrying out periodic evaluations that allow obtaining the status of risk treatment management and mainly after security incidents.

  • Prevention, reaction and recovery: The security of the system will contemplate aspects of prevention, detection and correction, to ensure that threats do not affect the information and services it provides, for which management cycles will be carried out based on risk planning and its measurement, the implementation of security measures and in their subsequent re-evaluation.

  • Defense line: Appropriate mechanisms will be implemented to ensure the availability of information systems and to maintain the continuity of its business processes, in accordance with the service level needs of its users, with priority being given to gaining time for an adequate reaction to incidents, reducing the probability that the system is compromised and minimizing the final impact on it.

  • Periodic reassessment: The General Management will carry out a periodic reassessment of the security measures to adapt their effectiveness to the constant evolution of the risks and protection systems, carrying out an audit and setting objectives as a commitment to continuous improvement of the system.

  • Responsabilidad diferenciada: In information systems, the person responsible for the information will be differentiated, who determines the security requirements of the information processed; the person in charge of the service, who determines the security requirements of the services provided; the system manager, who has responsibility for the provision of services and the security manager, who determines the decisions to satisfy the security requirements.

INFORMATION SECURITY MANAGEMENT SYSTEM POLICY

  • Guarantee that the services agreed with the different clients are provided in the event of a disaster at UNIWAY TECHNOLOGIES, S.L., and the business processes that support it.

  • Protect the security of the resources at UNIWAY TECHNOLOGIES, S.L., either in daily management or in case of a company emergency.

  • Periodically establish improvement objectives in line with this policy.

  • The Management of UNIWAY TECHNOLOGIES, S.L., will be responsible for the management of the key risks for the security of the information and the operational continuity of the processes considered critical for the organization.

  • Prepare a Continuity Plan that allows to recover from a disaster, in the shortest possible time.

  • Train and educate all employees on information security.

  • UNIWAY TECHNOLOGIES, S.L., will ensure that all internal resources are fully informed about their responsibilities within the framework of Information Security.

  • UNIWAY TECHNOLOGIES, S.L., must minimize information security risks, ensuring effective response plans to incidents.

  • UNIWAY TECHNOLOGIES, S.L., will guarantee the preparation of appropriate communication plans, both internal and external, which will be reviewed and updated periodically.

  • Make clear the commitment of the Management board in regards to Information Security in line with the business strategy, by supporting the ISMS Committee, providing it with the necessary means and powers to carry out its functions.

  • Define, develop, and implement the technical and organizational controls that are necessary to guarantee the Confidentiality, Integrity and Availability of the information managed in the organization.

  • Guarantee compliance with current legislation on the protection of personal data, intellectual property and the information society, as well as all applicable legal, regulatory and contractual requirements.

  • Create a “safety culture” both internally, regarding all personnel, and externally, regarding customers and suppliers.

  • Consider the Information Security Management System as a process of continuous improvement, conducting periodic reviews with the aim of achieving increasingly advanced levels of information security.

 

Additionally, UNIWAY TECHNOLOGIES, S.L., makes support procedures available, which include the specific way in which general guidelines indicated in the current Security Policy must be undertaken by the designated managers.

Compliance with the current information security policy and any procedure or documentation included within the ISMS and ENS is mandatory and concerns all the organization's personnel.

Likewise, visitors and external personnel who access our facilities are not exempt from complying with the obligations indicated in the ISMS and ENS documentation. This compliance will be supervised by the organization's internal staff.

In case of doubt, need for clarification or for more information on the use and application of this Security Policy, please do not hesitate to contact the person in charge of the ISMS and ENS formally designated in the corporate organization chart by phone or e-mail.