1. Introduction
Information has become one of the main assets of our organisation, and for this reason, its care and protection are an absolute priority.
It is part of our strategy, from now on, to maintain information security as a critical and fundamental element. This challenge becomes more demanding and important when applied to such a specific and critical environment as ours, where the secure processing and management of information are a necessity to compete and improve in the future.
NAVILENS Y NAVILENS PROJECTS CORP. (hereinafter NAVILENS Y NAVILENS PROJECTS CORP.) relies on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed diligently, taking adequate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity, and traceability of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, monitoring daily activity, and reacting promptly to incidents.
ICT systems must be protected against rapidly evolving threats that could impact the availability, integrity, confidentiality, authenticity, traceability, intended use, and value of information and services. To defend against these threats, a strategy is required that adapts to changes in environmental conditions to ensure the continuous provision of services. This implies that departments must implement the minimum security measures required by the National Security Framework (Esquema Nacional de Seguridad - ENS) as well as the international standard ISO/IEC 27001, continuously monitor service levels, track and analyse reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.
The different departments must ensure that ICT security is an integral part of every stage of the system's lifecycle, from its conception to its withdrawal from service, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, in requests for proposals, and in tender documents for ICT projects.
Departments must be prepared to prevent, detect, react to, and recover from incidents, in accordance with Article 7 of the ENS.
1.1 Prevention
Departments must avoid, or at least reduce as far as possible, harm to information or services caused by security incidents. To do this, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. To ensure policy compliance, departments must:
- Authorise systems before they become operational.
- Regularly assess security, including evaluations of configuration changes made routinely.
- Request periodic review by third parties to obtain an independent evaluation.
1.2 Detection
Given that services can degrade rapidly due to incidents, ranging from a simple slowdown to a complete stop, services must continuously monitor operations to detect anomalies in service levels and act accordingly as established in Article 9 of the ENS. Monitoring is especially relevant when lines of defence are established in accordance with Article 8 of the ENS. Detection, analysis, and reporting mechanisms will be established to regularly inform responsible parties when a significant deviation from pre-established normal parameters occurs.
1.3 Response
Departments must:
- Establish mechanisms to respond effectively to security incidents.
- Designate a contact point for communications regarding incidents detected in other departments or organisations.
- Establish protocols for the exchange of information related to the incident. This includes two-way communications with Computer Emergency Response Teams (CERTs).
1.4 Recovery
To guarantee the availability of critical services, departments must develop ICT system continuity plans as part of their overall business continuity plan and recovery activities.
2. Purpose and Scope
The purpose of this high-level Policy is to define the objective, direction, principles, and basic rules for information security management.
This Policy applies to the entire Information Security Management System (ISMS) and to all employees of NAVILENS Y NAVILENS PROJECTS CORP. It is also extendable to third parties that process information owned by NAVILENS Y NAVILENS PROJECTS CORP.
The Security Policy applies to the entire company and its information assets:
- To all departments, both their managers and employees.
- To contractors, clients, or any other third party with access to the organisation's information or systems.
- To databases, electronic and paper files, processing operations, equipment, media, programs, and systems.
- To information generated, processed, and stored, regardless of its medium and format, used in operational or administrative tasks.
- To information transferred within an established legal framework, which will be treated as the company's own information solely for the purpose of its protection.
- To all systems used to administer and manage information, whether owned, rented, or licensed by the company.
3. References and Regulatory Framework
The management of NAVILENS Y NAVILENS PROJECTS CORP. ensures that externally sourced documentation of interest to the company's operations is known to the employees who need it and is kept updated and available at all times.
For this purpose, the means defined in this document and the procedures that develop it are used.
Regarding the standards applied to formalise the various established Security procedures, the criteria of the following international standards have been followed:
- Information technology. Security techniques. Information Security Management Systems (ISMS). Requirements. UNE-ISO/IEC 27001
- Information technology. Security techniques. Code of practice for information security management. UNE-ISO/IEC 27002
- Stakeholder requirements
Additionally, the record «SGSI84_RE07_ Applicable Regulations Register» is created to collect all information and links of interest related to the applied regulations. Below is an extract of the general applicable regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation - GDPR), concerning the protection of personal data and their free movement, which establishes principles such as lawfulness, transparency, minimisation, security, and proactive accountability.
- Organic Law 3/2018, on Personal Data Protection and guarantee of digital rights (LOPDGDD), which complements the GDPR and incorporates rights such as digital disconnection and protection against the use of biometric data.
- Law 34/2002, on services of the information society and e-commerce (LSSI-CE), which regulates digital services, the use of cookies, and electronic commercial communications.
- Law 31/1995, on Occupational Risk Prevention, which establishes the legal framework for the health and safety of workers.
- Royal Decree 39/1997, approving the Regulation on Prevention Services, which regulates the organisation and operation of prevention services.
- Order TIN/2504/2010, which develops the Regulation on Prevention Services in relation to the accreditation of specialised entities and audit activity.
- Law 10/2010, on the prevention of money laundering and terrorist financing, which establishes obligations of due diligence, training, reporting of operations, and internal control.
- Royal Decree 304/2014, approving the Regulation developing Law 10/2010, detailing the procedures, controls, and measures required.
- Royal Legislative Decree 2/2015, approving the revised text of the Workers' Statute, which regulates labour rights and duties.
- Royal Decree-Law 28/2020, on remote work, which regulates teleworking and its conditions.
- Royal Legislative Decree 8/2015, approving the revised text of the General Social Security Law, which includes benefits and rights regarding contributions and coverage.
- Order ESS/86/2015, which develops the rules for Social Security contributions, protection for cessation of activity, the Wage Guarantee Fund, and vocational training.
- Labour Reform of 2021, which introduces changes in temporary contracts, subcontracting, collective bargaining, and job stability.
- Right to digital disconnection, legally recognised as the worker's right not to attend to devices outside working hours.
- Royal Legislative Decree 1/1996, approving the revised text of the Intellectual Property Law, which regulates copyright and the protection of original works.
- Law 17/2001, on Trademarks, which regulates the registration and protection of distinctive signs in the market.
- Organic Law 10/1995, of the Penal Code, especially applicable to computer crimes, disclosure of secrets, damage to systems, and criminal liability of legal persons.
- Commercial Code, which regulates commercial acts, accounting obligations, and commercial relations.
- Law 1/2010, on Capital Companies, which regulates the incorporation, operation, and dissolution of commercial companies.
- Law 3/2004, on measures to combat late payments in commercial transactions, which establishes payment terms and measures to prevent late payments.
- Spanish Constitution of 1978, especially Article 18, which protects honour, personal and family privacy, and one's own image, as well as the protection of personal data.
- Law 14/2011, on Science, Technology, and Innovation, which promotes research, technological development, and innovation.
- Law 38/2003, General Subsidies Law, and its Regulation approved by Royal Decree 887/2006, which regulate the legal regime of public aid and subsidies, justification, and control obligations.
- Royal Decree-Law 12/2018, on the security of networks and information systems, not applicable to the company according to its current scope.
Technical Security Instructions (ITS) ENS:
- ITS for Information System Security Audit by Resolution of March 27, 2018, of the Secretary of State for Public Function (BOE No. 81, of April 3, 2018).
- ITS for ENS Compliance by Resolution of October 13, 2016, of the Secretary of State for Public Administrations (BOE-A-2016-10109).
- ITS for Security Status Report by Resolution of October 7, 2016, of the Secretary of State for Public Administrations (BOE-A-2016-10108).
- ITS for Notification of Security Incidents by Resolution of April 13, 2018, of the Secretary of State for Public Function (BOE No. 95, of April 19, 2018).
In accordance with Royal Decree 311/2022, of May 3, which regulates the National Security Framework (Esquema Nacional de Seguridad - ENS), the information security management system to which the organisation is committed through this policy is articulated so as to guarantee that all of the following security requirements, without exception, have been met:
- Organisation and implementation of the security process.
- Analysis and management of risks.
- Personnel management.
- Professionalism.
- Authorisation and access control.
- Facility protection.
- Acquisition of security products and contracting of security services.
- Minimum privilege.
- System integrity and update.
- Protection of stored and in-transit information.
- Prevention against other interconnected information systems.
- Activity logging and detection of malicious code.
- Security incidents.
- Business continuity.
- Continuous improvement of the security process.
4. Security Organisation
4.1 Committees: Functions and Responsibilities
A security committee is formed, whose members and email addresses are withheld from this publication for security reasons. However, they will be communicated on the intranet and can be shared with interested parties upon request.
There is an email distribution list called comiteseguridad@navilens.com to respond to any internal/external needs in information security.
Each area manager may modify and adapt documents or procedures within their competence without the express approval of the rest of the committee, provided that these modifications do not significantly alter the operation of the ISMS. In any case, the committee must be informed of these modifications.
Below are the functions and responsibilities of the Security Committee:
- Coordinate Information Security (IS), ensuring compliance with the Information Security Policy, approving methodologies, procedures, and technical instructions on information security protection, and establishing a culture of Information Security awareness throughout the organisation.
- Adopt, or propose the adoption of, the measures necessary to ensure that personnel are aware of the security regulations affecting the performance of their duties and of the consequences they may incur in case of non-compliance.
- Update the ISMS documentation and adapt it to current regulations.
- Act as the advisory body for establishing new measures related to information security and data protection.
- Adopt, or propose to the Management, corrective measures resulting from deficiencies detected in an audit process, as well as those approved by the Management.
- Supervise compliance with the established procedures for authorising the use of mobile devices and teleworking.
- Supervise that, in accordance with the procedures to be established, the following lists are maintained: personnel with access to personal data; personnel authorised to grant, revoke, or alter access rights according to the established criteria; and personnel with authorised access to the places where media and documents are stored.
- Promote information and advise the organisation and the employees involved in data processing on their obligations regarding data protection and IS.
- Monitor compliance with the applicable regulations, including the allocation of responsibilities, awareness and training of personnel involved in processing operations, and the corresponding audits.
- Oversee the correct maintenance and updating of the Processing Activity Records and other documentary support for compliance with GDPR legislation.
4.2 Roles: Functions and Responsibilities
Executive Management. Participates in the development of objectives and metrics. Approves policies. Approves ISMS management reviews. Validates the conclusions of system audits. Executive management establishes the organisational chart, which contains more functions and roles than those specified here. In this policy, we detail those responsible for information security.
Security Officer.
- Promote the security of managed information and electronic services provided by information systems, with the responsibility and authority to ensure that the Information Security Management System complies with the requirements of the National Security Framework (ENS).
- Supervise compliance with this Policy, its rules, derived procedures, and the security configuration of the systems.
- Establish adequate and effective security measures to meet the security requirements set by the Service and Information Managers, always adhering to the provisions of Annex II of the ENS, declaring the applicability of such measures.
- Promote awareness and training activities on security within its scope of responsibility.
- Coordinate and monitor the implementation of ENS compliance projects, in collaboration with the System Manager.
- Perform, in collaboration with the System Manager, the mandatory risk analyses, select the safeguards to implement, and review the risk management process. Likewise, together with the System Manager, accept the residual risks calculated in the risk analysis.
- Promote periodic audits to verify compliance with information security obligations and analyse the audit reports, drawing conclusions to be presented to the System Manager for appropriate corrective actions.
- Coordinate the Security Management process, in collaboration with the System Manager.
- Determine the system category according to the procedure described in Annex I of the ENS and the security measures that must be applied in accordance with Annex II of the ENS.
- Verify that security measures are adequate for the protection of information and services.
System Manager.
- Develop, operate, and maintain the Information System throughout its lifecycle, including its specifications, installation, and verification of its correct operation.
- Ensure that specific security measures are properly integrated into the overall security framework.
- Conduct exercises and tests on existing security operational procedures and continuity plans.
- Implement necessary measures to guarantee system security throughout its lifecycle, in accordance with the Security Officer.
- Perform, in collaboration with the Security Officer, the mandatory risk analyses, select the safeguards to implement, and review the risk management process. Likewise, together with the Security Officer, accept the residual risks calculated in the risk analysis.
- Prepare, in collaboration with the Security Officer, third-level security documentation (STIC Operational Procedures and STIC Technical Instructions).
- Apply operational security procedures.
- Ensure that established security controls are strictly complied with, and that approved procedures for managing the information system are applied.
- Monitor hardware and software installations, their modifications, and improvements to ensure that security is not compromised and that they comply with relevant authorisations at all times.
- Monitor the system's security status provided by security event management tools and technical audit mechanisms implemented in the system.
- Inform respective Managers of any anomalies, compromises, or vulnerabilities related to security.
- Collaborate in the investigation and resolution of security incidents, from their detection to their resolution.
Data Protection Officer.
- Inform and advise the data controller and its employees of their obligations under the GDPR and other data protection provisions.
- Monitor compliance with the GDPR, with other Union or Member State data protection provisions, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- Provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 (of the GDPR).
- Cooperate with the supervisory authority.
- Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and conduct consultations, where appropriate, on any other matter.
Service Manager.
- Establish the service's security requirements, including interoperability, accessibility, and availability requirements.
- Determine the service's security levels, in agreement with the Security Officer and the System Manager.
- Maintain the security of the information managed and the services provided by information systems within their scope of responsibility.
Information Manager.
- Ensure the proper use of information and, therefore, its protection.
- Establish information security requirements.
- Determine the security levels of the processed information, assessing the consequences of a negative impact.
Users and Employees.
- Comply with the information security policy and complementary rules, procedures, and instructions.
- Protect and safeguard company information, preventing unauthorised or accidental disclosure, external dissemination, modification, deletion, or destruction, or misuse, regardless of the medium or means by which it was accessed or known.
- Know and apply the Information Security Policy, the Rules for Use of Information Systems, and all other applicable policies, rules, procedures, and security measures.
4.3 Appointment Procedures
The Information Security Officer will be appointed by the Management upon proposal by the Security Committee. The appointment will be reviewed every 2 years or when the position becomes vacant. The Department responsible for a service provided electronically in accordance with Law 39/2015 (Law of Common Administrative Procedure) and Law 40/2015 (Legal Regime of the Public Sector) will designate the System Manager, specifying their functions and responsibilities within the framework established by this Policy.
4.4 Information Security Policy
The Information Security Committee is responsible for constructing and maintaining the Information Security Policy, although the Management of NAVILENS Y NAVILENS PROJECTS CORP. is responsible for approving and publishing said Policy, as well as distributing it to all affected employees and third parties.
Any change or evolution that affects or could affect the content of the Information Security Policy will be recorded by re-signing the approval document. This confirms the commitment of these entities to information security.
Periodically, and in any case no later than one year, the validity and reasonableness of this policy will be reviewed, and the necessary improvements, adaptations, or modifications will be carried out based on applicable organisational, technical, or regulatory changes.
4.5 Distribution of the Security Policy
The distribution of the security policy will be carried out in the following ways depending on the target interest group:
NaviLens personnel and managers: The security policy will be distributed via email. To ensure receipt, an acknowledgment of receipt of the corresponding document will be signed.
Clients, partners, suppliers, and other interest groups: The security policy will be included as a section on the company's website (www.navilens.com), where it can be consulted at any time.
4.6 Information Security Level
The Organisation has a policy «SGSI05_PO02- Policy on Information Classification, Labelling and Handling», which defines the classification system, allocation criteria based on nature, sensitivity, impact, and legal requirements, as well as the controls associated with each level.
The organisation has a formally defined system categorisation procedure, «SGSI192_PR029 - System Categorisation Procedure», based on CCN-STIC Guide 803: System Assessment, which concludes: «In accordance with Royal Decree 311/2022, of May 3, and the guidelines of CCN-STIC Guide 803, the category of a system is determined by the highest level of the evaluated dimensions (Confidentiality, Integrity, Availability, Traceability, and Authenticity) across all services and associated information.
In this case:
- Dimensions assessed at High level are identified; as this is the maximum level, the system is adapted to ENS High level.
- Thus, according to the ENS, the system category is High, which implies that the security measures corresponding to that category, as set out in Annex II of the ENS, must be implemented.»
5. Sanctions
Any premeditated or negligent violation of security policies and rules that entails a potential harm, whether materialised or not, to NAVILENS Y NAVILENS PROJECTS CORP., will be sanctioned in accordance with the mechanisms enabled in the Company's agreement and current legal, contractual, and corporate regulations.
All actions that compromise the security of NAVILENS Y NAVILENS PROJECTS CORP. and are not foreseen in this policy must be reviewed by the Executive Management and the Information Security Officer to issue a resolution adhering to the company's criteria and foreseen legislation.
Disciplinary actions in response to non-compliance with the Information Security Policy are the responsibility of the Executive Management of NAVILENS Y NAVILENS PROJECTS CORP. and the governing bodies according to applicable legislation.
There is a whistleblowing channel and an incident management protocol available to employees through which any member of the company can report a possible incident or non-compliance to the security committee or the security officer.
Said infraction and the corresponding sanction will be communicated to the infringer by a management member via email with a request for confirmation of receipt.
6. Mission
In response to a new technological environment, in which the convergence of computing and communications is enabling a new productivity paradigm for companies, NAVILENS Y NAVILENS PROJECTS CORP. is firmly committed to promoting research, technological development, and innovation projects in a quality environment, where good practice in Information Security is fundamental to achieving the objectives of availability, integrity, confidentiality, authenticity, traceability, and legality of all managed information. Consequently, NAVILENS Y NAVILENS PROJECTS CORP. defines the following application principles to be taken into account within the framework of the Information Security Management System (ISMS):
The Management of NAVILENS Y NAVILENS PROJECTS CORP. understands its duty to guarantee information security as an essential element for the proper performance of the organisation's services, and therefore supports the following objectives and principles:
- Implement the value of Information Security throughout the Organisation.
- Contribute, each and every person at NAVILENS Y NAVILENS PROJECTS CORP., to the protection of Information Security.
- Preserve the availability, integrity, confidentiality, authenticity, traceability, and resilience of information, with the aim of ensuring compliance with legal, regulatory, and customer requirements related to information security; and specifically concerning personal data:
  - Data will be processed lawfully, fairly, and transparently in relation to the data subject (Lawfulness, fairness, and transparency).
  - Data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Purpose limitation).
  - Data will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Data minimisation).
  - Data will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Accuracy).
  - Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Storage limitation).
  - Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (Integrity and confidentiality).
This Policy will be maintained, updated, and adapted to the Organisation's purposes, aligning with its risk management context. For this purpose, it will be reviewed at planned intervals or whenever significant changes occur, to ensure its continued suitability, adequacy, and effectiveness.
Similarly, to manage the risks faced by NAVILENS Y NAVILENS PROJECTS CORP., a formally defined risk assessment procedure is established. Furthermore, all policies and procedures included in the ISMS will be reviewed, approved, and promoted by the Executive Management of NAVILENS Y NAVILENS PROJECTS CORP.
- Protect NAVILENS Y NAVILENS PROJECTS CORP.'s information assets from threats, whether internal or external, deliberate or accidental, with the aim of guaranteeing the continuity of the service offered to our clients and the security of information.
- Establish an Information Security Plan that integrates activities for preventing and minimising the risk of security incidents, based on the risk management criteria established by NAVILENS Y NAVILENS PROJECTS CORP.
- Provide the necessary means to carry out relevant actions for managing identified risks.
- Assume responsibility for awareness and training in information security as a means to ensure compliance with this policy.
- Extend our commitment to information security to our employees and suppliers.
- Continuously improve security by establishing and periodically monitoring information security objectives.
7. Risk Management
All systems subject to this Policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:
- regularly, at least once a year;
- when the managed information changes;
- when the services provided change;
- when a serious security incident occurs;
- when serious vulnerabilities are reported.
To harmonise risk analyses, the ICT Security Committee will establish a reference valuation for the different types of information managed and the different services provided. The ICT Security Committee will promote the availability of resources to meet the security needs of the different systems, promoting horizontal investments.
8. Development of the Information Security Policy
This Policy will be developed through security regulations addressing specific aspects, as well as other complementary policies. The security regulations will be available to all members of the organisation who need to know them, particularly for those who use, operate, or administer information and communication systems.
9. Staff Obligations
All members of NAVILENS Y NAVILENS PROJECTS CORP. and NAVILENS PROJECTS CORP. are obliged to know and comply with this Information Security Policy and the Security Regulations. It is the responsibility of the ICT Security Committee to provide the necessary means for the information to reach those affected. All members of NAVILENS Y NAVILENS PROJECTS CORP. and NAVILENS PROJECTS CORP. will attend an awareness session on ICT security at least once a year. A continuous awareness programme will be established to include all members of the organisation, especially new hires. Individuals with responsibility for the use, operation, or administration of ICT systems will receive training in the secure handling of systems to the extent necessary for their work. Training will be mandatory before assuming a responsibility, regardless of whether it is their first assignment or a change of job position or responsibilities within the same role.
Information Security is a joint effort and therefore requires the involvement and participation of all members of the organisation who work with the organisation's Information Systems. For this reason, each employee must comply with the requirements of the Security Policy and its associated documentation.
Employees who deliberately or negligently fail to comply with the Security Policy will be subject to disciplinary action as outlined in this document.
9.1 Definition of Information Custodians
Customer Information. Responsible: Commercial Department. Functions: ensure the accuracy, proper use, and updating of customer information. Access: allowed only to authorised personnel, under confidentiality agreements and following the need-to-know principle. Security: the Information Security Officer (ISO) ensures its protection according to the established classification.
Financial Information. Responsible: Financial Department. Functions: ensure the integrity, availability, and veracity of accounting, tax, and budget information. Access: limited to authorised personnel, applying the principle of least privilege. Security: the ISO verifies the application of adequate controls (encryption, segregation of duties, access traceability).
Human Resources (HR) Information. Responsible: HR Department. Functions: manage and safeguard personal data of employees in accordance with GDPR and LOPDGDD. Access: restricted to the HR team and specifically authorised managers. Security: the ISO monitors that reinforced controls are in place given the sensitive nature of this data.
Development / R&D / Source Code Information. Responsible: Technical Director (CTO) or the person responsible for the Development area. Functions: protect source code, algorithms, designs, and technical documentation. Access: restricted to authorised technical personnel; authentication controls and secure repository management apply. Security: the ISO ensures protection measures, separation of environments, and prevention of information leakage.
Operational and Project Information. Responsible: Operations Area or the person responsible for the project. Functions: keep operational, project, and deliverable documentation updated. Access: authorised only to personnel involved in each project. Security: the ISO ensures controls to prevent unauthorised access.
Marketing and Communication Information. Responsible: Marketing Area. Functions: manage internal and external corporate content. Access: marketing personnel and management, as appropriate. Security: the ISO verifies that sensitive information is not accidentally disseminated.
Security and Systems Information. Responsible: Information Security Area / Systems Area. Functions: manage and safeguard logs, configurations, policies, and sensitive records. Access: limited to specifically authorised personnel. Security: reinforced controls, periodic audits, and safeguards against undue access.
10. Third Parties
This Security Policy must be known and complied with by any external person belonging to a third party who performs any type of processing of information owned by NAVILENS Y NAVILENS PROJECTS CORP.
When NAVILENS Y NAVILENS PROJECTS CORP. and NAVILENS PROJECTS CORP. provide services to other organisations or handle information from other organisations, those organisations will be made aware of this Information Security Policy, channels for reporting to and coordinating with their respective ICT Security Committees will be established, and action procedures for responding to security incidents will be defined.
When NAVILENS Y NAVILENS PROJECTS CORP. and NAVILENS PROJECTS CORP. use third-party services or transfer information to third parties, those third parties will be made aware of this Security Policy and of the Security Regulations pertaining to said services or information. Said third party will be subject to the obligations established in said regulations and may develop its own operational procedures to satisfy them. Specific reporting and incident resolution procedures will be established. It will be guaranteed that third-party personnel are adequately aware of security matters, at least at the same level as established in this Policy.
When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Officer will be required detailing the risks incurred and how to address them. Approval of this report by the managers of the affected information and services will be required before proceeding.
11. Approval and Validity
This document has been approved by the Management, effective from December 19, 2025.