Security Policy

The EVICERTIA group is a Trusted Service Provider, and security is the main part of the company's purpose and its business.

EVICERTIA is aware of the need to protect the services it provides and the information it guards, and of its commitment to offer, through the principles of risk management, quality, sustainability and continuous improvement, an environment of maximum security and legal guarantee.

The MANAGEMENT of EVICERTIA establishes the following objectives:

  • Ensure that risks remain at an acceptable level, seeking a balance between security controls, the threat context, and the nature of each asset, following the principles of risk management and proportionality.
  • Ensure compliance with legislation and with the security measures arising out of this Policy, as well as with any other business, sector or contractual requirements that affect security, especially those related to the protection of personal data.
  • Protect all resources against internal or external threats, whether deliberate or accidental, following the principles of confidentiality, integrity, and availability.
  • Continuously improve the effectiveness of the security controls introduced so that they adapt to the constant evolution of risk and of the technological environment, including updating this Policy.
  • Generate a work environment where these objectives are used to raise awareness, give recognition and get people involved, by communicating the Policy and ensuring it is understood, and by encouraging participation, involvement, and a sense of responsibility for complying with this Policy and with the regulations applicable to each workstation.

To guarantee the fulfillment of these objectives, an Information Security Management System (hereinafter referred to as ISMS) is introduced, which must meet the following requirements:

  • Recognize the different EVICERTIA application services, such as electronic signature, certified e-mail and custody services, as assets of the organization, including the information received from interested parties, the evidence generated, and the systems and networks that support those data.
  • Comply with the needs and expectations of the interested parties involved in the importance of the ISMS, which must consider clients, providers, employees, partners, and regulatory organizations.
  • Define and apply a security risk management process that allows the identification, analysis and evaluation of risks, and their processing using acceptance criteria, so as to reach the necessary security levels that certify, in a cost-effective way, the protection of the assets.
  • Introduce controls and security measures aimed at guaranteeing the Availability, Integrity, and Confidentiality of the information, the importance of which must be defined by a Statement of Applicability, and must include at least the following:
    • A communication and awareness plan
    • Security incident management
    • Access controls and user management
    • Network and communications security controls
    • Operations security controls
    • Development security controls
    • Cryptographic security controls
  • Assign resources efficiently and establish the responsibilities needed to coordinate the activities related to the Information Security of the organization, as well as the elements that are part of the importance of the ISMS, thus allowing the ISMS to be continuously improved.
  • Continuously develop and improve the ISMS in order to adapt to the requirements of the interested parties by means of the following:
    • Continuous inspection of the ISMS.
    • Establishing a security inspection process through a risk analysis process.
    • Establishing indicators that make it possible to measure and compare the level of security development.
    • Training and awareness of EVICERTIA staff.
    • Conclusion of a security auditing process that makes it possible to know the level of compliance with the security indicators.

Responsibility for the ISMS shall lie with the Safety Manager, with ultimate responsibility resting with the MANAGEMENT as the party with maximum responsibility for information security.

 

In Madrid, on April 19th, 2018

Jacobo van Leeuwen García

Managing Director