INFORMATION SECURITY POLICY
1 APPROVAL AND ENTRY INTO FORCE
This Policy was approved on February 24, 2025 by the Senior Management of Insyte Instalaciones.
2 INTRODUCTION
Insyte Instalaciones relies on ICT (Information and Communications Technology) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them from accidental or deliberate damage that could affect the availability, integrity, authenticity, traceability, or confidentiality of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, monitoring daily activity, and reacting quickly to incidents.
2.1 Prevention
Departments must prevent, as far as possible, information or services from being compromised by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. To ensure compliance with the policy, departments must:
• Authorize systems before they go into operation.
• Regularly assess security, including evaluations of routine configuration changes.
• Request periodic review by third parties in order to obtain an independent assessment.
2.2 Detection
Given that services can quickly degrade due to incidents, ranging from a simple slowdown to a complete shutdown, departments must continuously monitor operations to detect anomalies in service delivery levels and act accordingly.
2.3 Response
Departments must:
• Establish mechanisms to respond effectively to security incidents.
• Designate a point of contact for communications regarding incidents detected in public bodies to which they provide services.
• Establish protocols for the exchange of information related to the incident. This includes two-way communications with Emergency Response Teams (CCN-CERT in the public sector, INCIBE in the private sector).
2.4 Retention
To ensure the retention of data and information in electronic form, departments must develop retention and conservation policies based, first, on legal requirements or liability periods and, second, on justified internal criteria for the finite preservation of data and information.
3 INFORMATION SECURITY OBJECTIVE
• Corporate or strategic objectives: High-level goals aligned with the organization's vision, mission, and overall strategy.
o Ensure high availability of services.
o Strengthen systems against external attacks.
o Reduce data and service restoration times.
o Improve the company's level of commitment to security.
o Be able to provide services to the Public Administration.
• Operational objectives: Specific and tactical goals focused on the practical and daily implementation of security controls and measures.
o Conduct annual restoration tests.
o Reduce the number of security incidents.
o Create a corporate cybersecurity newsletter.
o Implement and certify ENS.
4 SCOPE
The information systems that support the activities of:
A) The installation and maintenance of elements, equipment, and systems for power, transmission, radio, and switching for fixed and mobile telecommunications.
B) The design, execution, and maintenance of infrastructure and civil works for telecommunications stations.
C) The design, production, integration, assembly, connection, and maintenance of telecommunications containers and electrical panels.
The target reference category determined for the information systems described in this General Scope is: MEDIUM LEVEL.
5 REGULATORY FRAMEWORK
Insyte Instalaciones is subject, by way of example and without limitation, to the following rules and regulations:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights.
• Law 34/2002 of July 11 on information society services and electronic commerce.
• Royal Decree 311/2022, of May 3, regulating the National Security Scheme.
• Royal Legislative Decree 1/1996, of April 12, approving the revised text of the Intellectual Property Law, regularizing, clarifying, and harmonizing the legal provisions in force on the subject.
• Organic Law 10/1995, of November 23, on the Criminal Code.
• Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
• Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption.
• Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022, on measures to ensure a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
6 COMPLIANCE WITH ARTICLES OF THE ENS
In order to comply with the articles of Royal Decree 311/2022, of May 3, regulating the National Security Scheme (ENS), which sets out its basic principles and minimum requirements, Insyte Instalaciones has implemented security measures proportional to the nature of the information and services to be protected, taking into account the category of the systems affected.
Security as an integral process (Article 6), security by default and minimum privilege (Article 20)
Security is a process comprising all technical, human, material, and organizational elements related to the system. The application of the National Security Scheme at Insyte Instalaciones will be governed by this principle, which excludes any one-off action or temporary treatment.
The utmost attention will be paid to raising awareness among those involved in the process and their line managers, so that neither ignorance, nor lack of organization and coordination, nor inadequate instructions, are a source of risk to security.
Systems will be designed to ensure security by default, as follows:
a) The system shall provide the minimum functionality required for the organization to achieve its objectives.
b) The operation, administration, and activity logging functions shall be the minimum necessary, and it shall be ensured that they are only accessible by authorized persons, or from authorized locations or equipment, with restrictions on hours and authorized access points being required where appropriate.
c) In a production system, functions that are not relevant or are unnecessary, and even those that are inappropriate for the intended purpose, shall be removed or disabled through configuration control.
d) Ordinary use of the system must be simple and secure, so that unsafe use requires a conscious act on the part of the user.
Continuous monitoring and periodic reassessment (Article 10) and system integrity and updating (Article 21)
Insyte Instalaciones has implemented regular security controls and assessments (including routine assessments of configuration changes) to ascertain at all times the security status of the systems in relation to the manufacturers' specifications, vulnerabilities, and updates that affect them, reacting diligently to manage the risk in view of their security status. Before new elements, whether physical or logical, are introduced, they will require formal authorization.
Insyte Instalaciones will also request periodic reviews by third parties in order to obtain an independent assessment.
Finally, continuous monitoring will enable the detection of anomalous activities or behaviors and a timely response, and the ongoing assessment of the security status of assets will enable their evolution to be measured, detecting vulnerabilities and identifying configuration deficiencies.
Personnel management (Article 15) and professionalism (Article 16)
All Insyte Instalaciones members within the scope of the ENS will attend a security awareness session at least once a year. A continuous awareness program will be established to serve all members, particularly new hires.
Persons with responsibility for the use, operation, or administration of ICT systems will receive training in the secure handling of systems to the extent that they need it to perform their work. Training will be mandatory before assuming responsibility, whether it is their first assignment or a change of job or responsibilities within the same job.
Risk-based security management (Article 7) and risk analysis and management (Article 14)
All systems affected by this Security Policy, as well as all personal data processing, shall be subject to a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated:
• Regularly, at least once a year.
• When the information handled and/or the services provided change significantly.
• When a serious security incident occurs or serious vulnerabilities are detected.
The Security Officer will be responsible for carrying out the risk analysis, as well as for identifying gaps and weaknesses and bringing them to the attention of the Information Security Committee.
Security incidents (Article 25), prevention, detection, response, and preservation (Article 8)
Insyte Instalaciones has implemented a comprehensive process for detecting, reacting to, and recovering from security incidents, including malicious code, by developing procedures that cover detection mechanisms, classification criteria, analysis and resolution procedures, channels of communication to interested parties, and the recording of actions. This record will be used for the continuous improvement of system security.
To ensure that information and/or services are not compromised by security incidents, Insyte Instalaciones implements the security measures established by the ENS, as well as any other additional controls it has identified as necessary through a threat and risk assessment. These controls, as well as the security roles and responsibilities of all personnel, are clearly defined and documented.
When there is a significant deviation from the parameters that have been pre-established as normal, the necessary detection, analysis, and reporting mechanisms will be established so that they reach those responsible on a regular basis.
Insyte Instalaciones will establish the following measures to respond to security incidents:
• Establish mechanisms to respond effectively to security incidents.
• Designate a point of contact for communications regarding incidents detected in other departments or other agencies.
• Establish protocols for the exchange of information related to the incident. This includes two-way communications with Emergency Response Teams (CCN-CERT in the public sector, INCIBE in the private sector).
To ensure the availability of services, Insyte Instalaciones has the necessary means and techniques to guarantee the recovery of the most critical services.
Lines of defense (Article 9) and prevention for other interconnected systems (Article 23)
Insyte Instalaciones has implemented a multi-layered protection strategy consisting of organizational, physical, and logical measures, so that when one of the layers fails, the system implemented allows:
• Gaining time for an adequate response to incidents that could not be avoided.
• Reducing the probability of the system being compromised as a whole.
• Minimizing the final impact on the system.
This protection strategy must protect the perimeter, particularly if it is connected to public networks. In any case, the risks arising from the interconnection of the system with other systems through networks will be analyzed, and their point of connection will be monitored.
Differentiated function (Article 11) and organization and implementation of the security process (Article 13)
Insyte Instalaciones has organized its security by involving all members of the corporation through the designation of different security roles with clearly differentiated responsibilities, as set out in the “SECURITY ORGANIZATION” section of this document.
Authorization and control of access (Article 17)
Insyte Instalaciones has implemented mechanisms to control access to the information system, limiting it to those users for whom it is strictly necessary and who are duly authorized.
Protection of facilities (Article 18)
Insyte Instalaciones has implemented physical access control mechanisms to prevent unauthorized physical access and damage to information and resources through security perimeters, physical controls, and general protections in areas.
Protection of stored and in-transit information (Article 22) and business continuity (Article 26)
Insyte Instalaciones has implemented mechanisms to protect stored or in-transit information, especially when it is in insecure environments (laptops, smartphones, tablets, information media, open networks, etc.).
The systems will have backup copies and will establish the necessary mechanisms to ensure the continuity of operations in the event of loss of the usual means of work.
Procedures have been developed to ensure the recovery and long-term preservation of electronic files produced within the scope of Insyte Instalaciones's responsibilities. Similarly, security mechanisms have been implemented based on the nature of the medium on which the documents are stored, to ensure that all information stored on non-electronic media is protected with the same degree of security as electronic media.
Activity logs (Article 24)
Insyte Instalaciones has enabled user activity logs, retaining the information necessary to monitor, analyze, investigate, and document improper or unauthorized activities, allowing the person acting to be identified at all times. All of this is done with the sole purpose of achieving compliance with the object of the National Security Scheme (Royal Decree 311/2022), with full guarantees of the right to honor, personal and family privacy, and the image of those affected, and in accordance with regulations on personal data protection, civil service or labor law, and other applicable provisions.
Continuous improvement of the security process (Article 27)
The comprehensive security process implemented must be continuously updated and improved. To this end, the criteria and methods recognized in national and international practice relating to information technology security management shall be applied.
7 SECURITY ORGANIZATION
7.1 Information Security Committee
Composed of the CEO, the IT manager, the systems manager, the HR manager, the integrated management systems manager, and the software development manager. It has the following functions:
• Respond to requests regarding information security from Insyte Instalaciones and the different security roles and/or areas, reporting regularly on the status of information security.
• Advise on information security matters.
• Resolve any conflicts of responsibility that may arise between the different areas or departments.
• Promote the continuous improvement of the information security management system. To this end, the Committee will be responsible for:
o Coordinating the efforts of the different areas in relation to information security, to ensure that these are consistent, aligned with the strategy decided upon in this area, and to avoid duplication.
o Proposing plans to improve information security, with the corresponding budget allocation, prioritizing security actions when resources are limited.
o Ensuring that information security is taken into account in all projects from their initial specification to their implementation. In particular, ensuring the creation and use of horizontal services that reduce duplication and support the uniform operation of all ICT systems.
o Monitoring the main residual risks assumed by Insyte Instalaciones and recommending possible actions to address them.
o Monitoring the management of security incidents and recommending possible actions to address them.
o Developing and regularly reviewing the Information Security Policy for approval by the CEO.
o Developing Information Security regulations for approval in coordination with the General Management.
o Verifying information security procedures and other documentation for approval.
o Developing training programs to educate and raise awareness among staff on information security and, in particular, on the protection of personal data.
o Developing and approving training and qualification requirements for administrators, operators, and users from an information security perspective.
o Promoting periodic ENS and data protection audits to verify compliance with Insyte Instalaciones' obligations in the area of information security.
7.2 Roles: Functions and responsibilities
Information Manager:
o Determine the security requirements of the information processed.
o Assess the consequences of a negative impact on information security, taking into account its impact on the organization's ability to achieve its objectives, protect its assets, fulfill its service obligations, and respect the law and the rights of citizens.
Service Manager:
o Determine the security requirements of the services provided.
o Include security specifications in the life cycle of services and systems, accompanied by the corresponding control procedures.
o Assess the consequences of a negative impact on the security of services, taking into account its repercussions on the organization's ability to achieve its objectives, protect its assets, fulfill its service obligations, and respect the law and citizens' rights.
Security Officer:
o Maintain and verify the appropriate level of security of the information handled and the electronic services provided by the information systems.
o Promote training and awareness in the field of information security.
o Appoint those responsible for carrying out risk analysis, the statement of applicability, identifying security measures, determining necessary configurations, and preparing system documentation.
o Verify, validate, and keep up to date the regulations in force applicable to the ENS, filing them in the corresponding repository and reflecting them in this Information Security Policy.
o Provide advice for determining the category of the system, in collaboration with the System Manager and/or Information Security Committee.
o Participate in the development and implementation of security improvement plans and, where appropriate, continuity plans, proceeding to their validation.
o Manage external or internal reviews of the system.
o Manage certification processes.
o Submit changes and other system requirements to the Security Committee for approval.
System Manager:
o Halt or suspend access to information or the provision of services when aware of serious security deficiencies.
o Develop, operate, and maintain the information system throughout its life cycle.
o Develop the necessary operating procedures.
o Define the topology and management of the Information System, establishing the criteria for use and the services available therein.
o Ensure that specific security measures are properly integrated into the overall security framework.
o Provide advice to the Security Officer and/or the Security Committee for determining the System Category.
o Collaborate, if required, in the development and implementation of security improvement plans and, where appropriate, continuity plans.
o Carry out the functions of the system security administrator:
  - The management, configuration, and updating, where appropriate, of the hardware and software on which the security mechanisms and services are based.
  - Managing the authorizations granted to system users, in particular the privileges granted, including monitoring the activity carried out on the system and its correspondence with what has been authorized.
  - Approving changes to the current configuration of the Information System.
  - Ensuring that the established security controls are strictly complied with.
  - Ensuring that approved procedures for handling the Information System are applied.
  - Supervising hardware and software installations, modifications, and upgrades to ensure that security is not compromised and that they comply with the relevant authorizations at all times.
  - Monitoring the security status provided by security event management tools and technical audit mechanisms.
o When justified by the complexity of the system, the System Manager may designate the deputy system managers he or she deems necessary, who will report directly to the System Manager and will be responsible within their scope for all actions delegated to them by the System Manager. Similarly, the System Manager may also delegate specific functions of the responsibilities assigned to him or her to others.
Security Administrator:
o Implementing, managing, and maintaining the security measures applicable to the information system.
o Managing, configuring, and updating, where appropriate, the hardware and software on which the security mechanisms and services of the information system are based.
o Managing the authorizations and privileges granted to system users, including monitoring that the activity carried out on the system complies with what has been authorized.
o Applying the Security Operating Procedures.
o Ensuring that established security controls are properly observed.
o Ensuring that approved procedures for handling the information system are applied.
o Supervising hardware and software installations, modifications, and upgrades to ensure that security is not compromised and that they comply with the relevant authorizations at all times.
o Monitoring the security status of the system as provided by the security event management tools and technical audit mechanisms implemented in the system.
o Reporting any security-related anomalies, compromises, or vulnerabilities to the Security Officer or System Manager.
o Collaborating in the investigation and resolution of security incidents, from detection to resolution.
7.3 Information security policy
The Information Security Committee shall be responsible for the annual review of this Information Security Policy and for proposing its revision or maintenance.
8 RISK MANAGEMENT
All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated:
• regularly, at least once a year,
• when the information handled changes,
• when the services provided change,
• when a serious security incident occurs,
• when serious vulnerabilities are reported.
9 INCIDENT NOTIFICATION
In accordance with the provisions of Article 25 of RD 311/2022, Insyte Instalaciones shall notify the competent bodies of any incidents that have a significant impact on the security of the information handled and the services provided in relation to the categorization of the systems covered.
10 DEVELOPMENT OF THE INFORMATION SECURITY POLICY
This Information Security Policy is developed and complemented by Insyte Instalaciones' security regulations in different areas:
• Internal IT security procedures.
• Internal personal data protection procedures.
• Internal operating procedures with an impact on information security.
The security regulations will be available electronically on the Insyte Instalaciones intranet.
11 STAFF OBLIGATIONS
All members of Insyte Instalaciones are required to be familiar with and comply with this Information Security Policy and the Security Regulations. The Information Security Committee is responsible for providing the necessary means to ensure that this information reaches those affected.
12 THIRD PARTIES
When Insyte Instalaciones provides services to public bodies or handles information from public bodies, they will be made aware of this Information Security Policy, channels will be established for reporting and coordination with the respective ICT Security Committees, and procedures will be established for responding to security incidents.
When Insyte Instalaciones subcontracts services to third parties or transfers information to third parties, within the framework of providing services to public bodies, they will be made aware of this Security Policy and the Security Regulations pertaining to such services or information. Such third parties will be subject to the obligations established in said regulations and may develop their own operating procedures to comply with them. Specific procedures for reporting and resolving incidents will be established. It will be ensured that third-party personnel are adequately aware of security issues, at least to the same level as that established in this Policy.
13 CONTINUOUS IMPROVEMENT
Information security management is a process that is subject to constant updating. Changes in the organization, threats, technologies, and/or legislation are examples of situations in which continuous improvement of systems is necessary. Therefore, it is necessary to implement a permanent process that will involve, among other actions:
• Review of the Information Security Policy.
• Review of services and information and their categorization.
• Annual risk analysis.
• Internal audits or, where appropriate, external audits.
• Review of security measures.
• Review and update of rules and procedures.
14 CONFLICT RESOLUTION
In the event of a conflict between the different information or service managers who make up the organizational structure of the Information Security Policy, it will be resolved by their hierarchical superior, with the Security Officer being able to participate in the resolution and mediation. If no agreement is reached, it will be referred to the Information Security Committee for final resolution.