Information Security Policy

1. INTRODUCTION

Information has become one of the main assets of our organization, which is why caring for it and protecting it is an absolute priority.

From now on, information security is a critical and fundamental element of our strategy. The challenge becomes more demanding and more important in an environment as specific and critical as ours, where the secure processing and management of information is a necessity in order to compete and improve in the future.

Likewise, current legislation is clear regarding information security: it sets out a very specific legal framework that requires strict compliance by all, but that also helps in adopting the appropriate security measures in information systems.

The principles underlying the Security Policy of NUEVOS SISTEMAS TECNOLÓGICOS, SL (hereinafter NEOSISTEC AND NAVILENS PROJECTS CORP.) are described below. This set of fundamental principles has been formulated based on valid business needs, recognition of the added value of the systems to be protected and an understanding of the risks associated with these systems.

2. PURPOSE AND SCOPE

The purpose of this High Level Policy is to define the objective, direction, principles and basic rules for the management of information security.

This Policy applies to the entire Information Security Management System (ISMS) and to all employees of NEOSISTEC AND NAVILENS PROJECTS CORP., and extends to third parties that process information owned by NEOSISTEC AND NAVILENS PROJECTS CORP.

2.1. Employees

Information security is a joint effort and therefore requires the involvement and participation of all members of the organization who work with the organization's information systems. Each employee must therefore comply with the requirements of the Security Policy and its associated documentation.

Employees who knowingly or negligently violate the Security Policy will be subject to disciplinary action as contemplated in this document.

2.2. Information Systems

This Policy affects all information assets of the company, including personal computers, servers, networks, applications and company processes that belong to and/or are managed by NEOSISTEC AND NAVILENS PROJECTS CORP. This policy covers the aspects most directly related to the responsibility of, and good use by, personnel.

2.3. Third parties

This Security Policy is widely known and complied with by any external person belonging to a third party who performs any type of processing of the information owned by NEOSISTEC AND NAVILENS PROJECTS CORP.

Likewise, this Policy and its associated procedures will be mandatory for third-party providers contracted for the execution of professional services in the areas considered appropriate, in the event that they carry out any activity that involves access to or processing of any system or information owned by NEOSISTEC AND NAVILENS PROJECTS CORP., and this will be defined contractually.

The paper copies of this document will be solely and exclusively INFORMATIVE. For the purposes of compliance with the procedures, the only valid reference will be the document in electronic format available on the corporate intranet.

3. REFERENCES

4. MAINTENANCE, APPROVAL AND REVIEW OF THE POLICY

The Information Security Committee is in charge of building and maintaining the Information Security Policy, while the Directorate of NEOSISTEC AND NAVILENS PROJECTS CORP. is responsible for the approval and publication of the Policy, as well as for distributing it to all employees and affected third parties.

Any change or evolution that affects or could affect the content of the Information Security Policy will be recorded in a new signature of the approval document. In this way, the commitment of these entities to information security is specified and confirmed.

Periodically, and in any case not exceeding a period of one year, the validity and reasonableness of this policy will be reviewed and the improvements, adaptations or modifications required based on the applicable organizational, technical or regulatory changes will be carried out.

5. POLICY DISTRIBUTION

The security policy will be distributed in the following ways, depending on the stakeholder it is addressed to:

6. SANCTIONS

Any premeditated or negligent violation of the security policies and regulations that involves potential damage, consummated or not, to NEOSISTEC AND NAVILENS PROJECTS CORP. will be sanctioned in accordance with the mechanisms enabled in the Company agreement and in the current legal, contractual and corporate regulations.

All actions in which the security of NEOSISTEC Y NAVILENS PROJECTS CORP. and that are not provided for in this policy, must be reviewed by the Executive Management and by the person responsible for Information Security to issue a resolution subject to the criteria of the company and the foreseen legislation.

Disciplinary actions in response to breaches of the Information Security Policy are the responsibility of the Executive Directorate of NEOSISTEC AND NAVILENS PROJECTS CORP. and of the governing bodies according to the applicable legislation.

There is a complaints channel and an incident management protocol available to workers, through which any member of the company can report a possible incident or non-compliance to the security committee or the security manager.

This infraction and the corresponding sanction will be communicated to the offender by a member of the management by email with a request for confirmation of receipt.

7. SECURITY POLICY

In response to a new technological environment where the convergence between computing and communications is enabling a new productivity paradigm for companies, NEOSISTEC AND NAVILENS PROJECTS CORP. is highly committed to promoting research, technological development and innovation projects in a quality environment, where the development of good practices in information security is essential to achieve the objectives of confidentiality, integrity, availability and legality of all the information managed. Consequently, NEOSISTEC AND NAVILENS PROJECTS CORP. defines the following principles to be taken into account within the framework of the Information Security Management System (ISMS):

The Management of NEOSISTEC AND NAVILENS PROJECTS CORP. understands its duty to guarantee information security as an essential element for the correct performance of the organization's services and therefore supports the following objectives and principles:

  1. Implement the value of Information Security throughout the Organization.
  2. Have each and every person at NEOSISTEC AND NAVILENS PROJECTS CORP. contribute to the protection of information security.
  3. Preserve the confidentiality, integrity, availability and resilience of the information, in order to guarantee that the legal, regulatory, and our clients' requirements regarding information security are met; and specifically with regard to personal data:
    1. The data will be processed in a lawful, fair and transparent manner in relation to the data subject (Lawfulness, fairness and transparency).
    2. The data will be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes (Purpose limitation).
    3. The data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data minimization).
    4. The data must be accurate and, if necessary, kept up to date; all reasonable measures will be taken so that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay (Accuracy).
    5. The data will be kept in a form that allows the identification of data subjects for no longer than is necessary for the purposes of processing the personal data; personal data may be kept for longer periods as long as they are processed exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes (Storage limitation).
    6. The data will be processed in a way that guarantees adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures (Integrity and confidentiality).
  4. Protect the information assets of NEOSISTEC AND NAVILENS PROJECTS CORP. from threats, whether internal or external, deliberate or accidental, in order to guarantee the continuity of the service offered to our clients and the security of the information.
  5. Establish an information security plan that integrates the activities of prevention and minimization of the risk of security incidents based on the risk management criteria established by NEOSISTEC AND NAVILENS PROJECTS CORP.
  6. Provide the necessary means to be able to carry out the pertinent actions regarding the management of the identified risks.
  7. Assume responsibility for information security awareness and training as a means of ensuring compliance with this policy.
  8. Extend our commitment to information security to our hard-working staff and suppliers.
  9. Continuously improve security through the establishment and periodic monitoring of information security objectives.

This Policy will be maintained, updated and kept adequate for the purposes of the Organization, in line with its risk management context. To this end, it will be reviewed at planned intervals or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.

Similarly, to manage the risks faced by NEOSISTEC AND NAVILENS PROJECTS CORP., a formally defined risk assessment procedure is established. For its part, all the policies and procedures included in the ISMS will be reviewed, approved and promoted by the Executive Direction of NEOSISTEC AND NAVILENS PROJECTS CORP.

This policy has been approved and reviewed by management on September 23, 2021.