Information Security Policy

Change history

Date Version Created by Change Description
2019-01-16 1.0 ISMS Manager Initial version
2021-09-16 2.0 ISMS Manager Periodic review
2023-12-13 3.0 ISMS Manager Revision and updating of the document

Objective

The purpose of this document is to establish the guidelines needed to ensure that the information systems required for the provision of services operate in compliance with all applicable legal obligations within the Information Security Management System (ISMS) of PROFILE SOFTWARE SERVICES, S.L., hereinafter PROFILE, and to determine whether the system complies with the provisions planned for the management of information security in accordance with the international standard ISO/IEC 27001 “Information Security Management Systems” (ISMS). Likewise, it will ensure that all service components remain under control, so that services continue to be provided with the quality expected by customers and problems that may affect the security of systems and services are avoided.

Responsibilities

Responsibility for this policy lies with the Security Committee, the person responsible for the ISMS, the internal auditor (if any) and the management of the organization.

Management system objectives

  • Ensure confidentiality, integrity and availability of information.
  • Comply with all legal requirements applicable to the organization.
  • Manage Information Security Risks.
  • Periodically establish improvement objectives aligned with this policy.
  • Meet the expectations and requirements of interested parties.
  • Develop a continuity plan to recover from a disaster in the shortest possible time.
  • Train and raise awareness of information security among all employees.
  • Properly record and manage all security incidents that occur.
  • Inform all employees of their security roles and obligations and their responsibility to comply with them.
  • Conduct periodic reviews with the objective of continuously improving the organization’s information security.
  • Continuously improve the ISMS and, therefore, the organization’s information security.

Planning

The actions to be carried out by PROFILE to comply with the security objectives include the implementation, operation and maintenance of the information security management system, which is aligned with this policy at all times.
In order to ensure proper security management, PROFILE conducts a study of the organization’s security through a risk analysis and the establishment of a risk treatment plan for those risks not accepted by the organization’s Management Committee.
The procedure for carrying out the risk analysis is documented in the ISMS Risk Analysis Methodology, which establishes the requirements for evaluating the different threats to which the organization is exposed.

Deployment

Once the security risk assessment has been carried out, and based on the results obtained in the planning phase, it is the task of the Security Manager, with the support of the Committee, to implement security controls for those threats whose level of risk is not assumed by the organization, and to operate the procedures of the management system so that the requirements of the process are met.

Revision

The information security policy and the risk assessment are reviewed regularly at planned intervals, or whenever significant changes occur, to ensure their continuing suitability, efficiency and effectiveness. Generally, they are reviewed annually through an internal ISMS audit or a management review of the system, both of which play an important role in analysing the system in depth and detecting possible improvements and deficiencies.

Improvement

Improvements to the information security policy and the ISMS are established either during the review phases or on the basis of contributions considered interesting both from the organization’s personnel and from external personnel.
The results obtained from the internal audit are reviewed by the Security Manager and submitted to the ISMS Committee, where opportunities for improvement of the system are established.
The entire ISMS is framed within the Deming cycle (PDCA cycle): planning of activities, their implementation and operation, their review and subsequent improvement, all of it applied to information security.

User responsibilities

  • The users of the information systems shall make every effort to promote their efficient use in order to avoid unnecessary network traffic.
  • The users themselves shall be responsible for the proper custody of the assets they have in their possession for the performance of their contractual duties.
  • Users shall not disclose or directly use the information to which they have access during their working relationship with PROFILE. All such commitments must be maintained, even after termination of the employment relationship with the company.
  • Ensure that all employees and third parties understand their responsibilities and are suitable to carry out their duties to reduce the risk of theft, fraud or misuse of the resources made available to them.
  • Any unauthorized physical access will be prevented and security measures will be taken to avoid loss, damage, theft or circumstances that jeopardize assets or that could lead to disruption of PROFILE’s operations.
  • Internet and e-mail users shall make efficient use of the networks, as well as preserve the confidentiality and integrity of information transmitted through these media.
  • Access to the organization’s information systems shall be controlled so that only authorized personnel gain access, and only under the security conditions the organization has decided to operate under.
  • All security incidents shall be recorded.
  • Any breach of laws or legal, regulatory or contractual obligations and security requirements affecting PROFILE’s information systems shall be avoided.