SUPPLIER INFORMATION SECURITY POLICY
We inform our suppliers of the existence of Information Security Guidelines established within our organization to demonstrate PRODEVELOP’s commitment to protecting and ensuring the principles of confidentiality, integrity, authenticity, and availability of the information managed in the Organization.
We operate under an Information Security Management System (ISMS) structured in accordance with the ISO/IEC 27001:2022 standard. Its scope covers not only the use of assets but also all individuals and third parties, who are expected to understand and comply with these Guidelines. Both the Policy and the Information Security Guidelines are aligned with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and with Organic Law 3/2018 of December 5, on Personal Data Protection and the Guarantee of Digital Rights.
These security guidelines cover the following areas of the Organization:
- Access to facilities: Rules governing physical access, with special emphasis on secure areas and on access by individuals from outside the organization.
- Access to the corporate network: Corporate resources are protected by the technical security measures needed to safeguard information, whether accessed from the facilities themselves or remotely. Access to and use of information are governed by protection rules, with particular attention to sensitive or confidential information.
- Use of assets: PRODEVELOP personnel are committed to using assets responsibly and to caring for the equipment the Organization provides for the performance of their duties. To that end, rules of conduct are defined and configurations aimed at protecting the information held on these devices are applied.
- Use of the internet: Use of the internet, email, and cloud storage for professional purposes is specifically regulated to minimize the risks arising from unregulated use of these tools.
- Incident management: The involvement of PRODEVELOP personnel in security matters helps identify potential problems that may jeopardize the confidentiality, integrity, or availability of services or of the assets that support them.
- Business continuity: All measures implemented for the availability and continuity of the business are in line with the requirements of the ISO-certified schemes in the organization.
- Intellectual property: Protected through the commitment of PRODEVELOP personnel to the organization's confidentiality standards.
Violations of the Policy and Security Guidelines are subject to the penalties provided for under current legislation.
Both the policy (SGSI02-SecurityPolicy) and the guidelines (SGSI04-SecurityManagementGuidelines) are reviewed periodically to align them with the needs of the organization.
The Management Committee understands the importance of these Policies and actively participates in their review.
ENS SECURITY POLICY
1. Introduction
This Information Security Policy is developed in compliance with the requirements of Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS). Article 12 of that decree obliges Public Administrations and their service providers to have a Security Policy and sets out the minimum requirements it must meet.
This Security Policy also follows the guidelines of the CCN-STIC-805 guide from the National Cryptologic Center (CCN), an entity affiliated with the National Intelligence Center (CNI).
Law 40/2015, on the Legal Regime of the Public Sector, establishes that Public Administrations interact with each other and with their bodies, public entities, and related or dependent entities through electronic means, ensuring the interoperability and security of the systems and solutions each adopts, guaranteeing the protection of personal data, and facilitating, where possible, the joint provision of services to interested parties. It refers to the National Security Scheme in its Article 156.
Meanwhile, Law 39/2015, on Common Administrative Procedure for Public Administrations, addresses in its Article 13 the rights of individuals in their interactions with Public Administrations concerning the protection of personal data, particularly the security and confidentiality of the data included in the files, systems, and applications of the Public Administrations.
The purpose of the ENS is to create the necessary conditions of trust in the use of electronic means through measures to guarantee the security of systems, data, communications, and electronic services, allowing citizens and public administrations to exercise their rights and fulfill their duties through these means.
Adapting to the ENS means that Prodevelop and its staff must apply the minimum security measures the ENS requires, continuously monitor service levels, track and analyze reported vulnerabilities, and prepare an effective incident response to ensure continuity of the services provided.
The different management units of Prodevelop must ensure that ICT security is an integral part of every stage of the system lifecycle, from its conception to its retirement from service, including development or procurement decisions and operational activities.
Security requirements and associated costs must be identified and included in planning, in requests for proposals, and in bidding documentation for ICT projects.
2. Mission
Prodevelop’s mission is to provide application development services for public administrations, the development of applications in the area of R&D&I, and to a lesser extent, application development in the private sector.
Prodevelop’s main area of operation regarding public administrations is the port sector. Port solutions are offered for the management and optimization of port activities.
Furthermore, the company is highly committed to research, development, and innovation, serving as a source of enrichment for the knowledge of our work team.
The solutions offered by Prodevelop primarily belong to the maritime, agricultural, public administration, transportation, and environmental sectors.
3. Scope
Prodevelop applies this Security Policy to the systems involved in developing applications used by public administrations, and to those through which rights are exercised, duties are fulfilled, or information or administrative procedures are accessed by electronic means.
Specifically, given Prodevelop’s mission defined in point 2, this Security Policy is applicable to the Information Systems that support software development, deployment, and assistance activities.
Information systems not covered by this section are excluded from the scope of this Security Policy.
4. Complementary Regulatory Framework
In the development and implementation of this policy, Prodevelop’s Statutes and its related development regulations will be taken into account concerning its objectives.
The regulatory framework applicable to Prodevelop is set out in section 6, Applicable Norms, of document SGSI05 Security Manual.
5. Security Organization
Three (3) levels can be distinguished in the Prodevelop organizational chart:
Level 1 – General Management:
Secretary General, who understands the mission of the organization, sets the objectives to be achieved, and ensures that they are met.
Level 2 – Executive Management:
Services that understand what each management unit does and how the units coordinate to achieve the objectives set by Management.
Level 3 – Operational:
Focuses on a specific activity and controls how it is carried out.
Following this structure and in accordance with the ENS, Prodevelop's security organization is likewise arranged in three levels:
Level 1:
Corporate Security Committee (CSO)
Information Security Committee (CISO)
Information Officer
Service Officer
Level 2:
Information Security Officer
Level 3:
Information Systems Officers
Specification of security requirements (Level 1) falls to the information and service officers, together with the file officer when personal data is involved. Operation (Level 3) falls to the information systems officers, and supervision to the security officer (Level 2).
At the top sits the Security Coordination and Management Committee (Level 1). This Security Committee may also assume responsibility for Information and Services.
The specific description of responsibilities can be consulted in the document: SGS01-Roles and Responsibilities.docx.
Procedures for Appointment
Responsibilities defined in this Security Policy are linked to positions: whoever holds a given position assumes the role linked to it. If any of these positions ceases to exist or changes name, Prodevelop's Management is responsible for designating the new position to which that role will be linked.
Conflict Resolution
The Security Committee is responsible for resolving conflicts or differences of opinion that may arise among the security roles.
Compliance with Articles
To comply with the articles of Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS), Prodevelop has implemented security measures proportionate to the nature of the information and services to be protected, taking into account the category of the affected system.
Security as an Integrated Process (Article 6) and Least Privilege (Article 20)
Security is understood as an integral process comprising all human, material, technical, legal, and organizational elements related to the information system. Application of the ENS at Prodevelop is governed by this principle; isolated actions and temporary measures are excluded.
Information systems must be designed and configured to grant only the minimum privileges necessary for their proper functioning, which involves the following:
- The system will provide the functionality essential for the organization to fulfil its competencies or contractual objectives.
- Operational, administrative, and activity logging functions will be kept to the minimum necessary and will be performed only by authorized individuals, from authorized locations or devices; where necessary, restrictions on hours and on authorized access points may be imposed.
- Unnecessary or inappropriate functions for the intended purpose will be removed or deactivated through configuration control. The regular use of the system must be simple and secure, requiring a conscious act by the user for any insecure usage.
- Security configuration guidelines will be applied for different technologies, adapted to the categorization of the system, to eliminate or deactivate unnecessary or inappropriate functions.
Continuous Monitoring and Periodic Reevaluation (Article 10) and System Integrity and Updates (Article 21)
Prodevelop has implemented controls and regular security assessments (including routine review of configuration changes) so that the security status of its systems is known at all times with respect to manufacturer specifications, vulnerabilities, and relevant updates, and so that risks can be managed diligently in light of that status. Formal authorization is required before introducing any new element, whether physical or logical.
Likewise, periodic reviews by third parties will be requested to obtain an independent evaluation.
Continuous monitoring will enable the detection of anomalous activities or behaviors and timely responses.
Security measures will be reevaluated and updated periodically, adjusting their effectiveness to the evolution of risks and protection systems, which may lead to a reassessment of security if necessary.
Personnel Management (Article 15) and Professionalism (Article 16)
Prodevelop will establish a continuous awareness program to address all members, especially new hires.
Individuals who use, operate, or manage ICT systems will receive the training needed for safe handling of these systems as required to perform their jobs. Training is mandatory before assuming any responsibility, whether on first assignment or on a change of position or responsibilities within the same role.
Risk-Based Security Management (Article 7) and Risk Analysis and Management (Article 14)
All systems covered by this Security Policy, as well as all personal data processing operations, shall undergo a risk analysis assessing the threats and risks to which they are exposed. This analysis will be repeated:
- Regularly, at least once a year.
- When the information handled and/or the services provided change significantly.
- When a serious security incident occurs or severe vulnerabilities are detected.
The ENS Security Officer will be responsible for ensuring that the risk analysis is conducted, as well as for identifying shortcomings and weaknesses and informing the Information Security Committee.
Security Incidents (Article 25), Prevention, Detection, Response, and Preservation (Article 8)
Prodevelop has implemented a comprehensive process for detecting, responding to, and recovering from security incidents, including those caused by malicious code, through procedures covering detection mechanisms, classification criteria, analysis and resolution procedures, communication channels for stakeholders, and activity logging. This log is used for the continuous improvement of system security.
To ensure that information and/or services are not adversely affected by security incidents, Prodevelop implements the security measures established by the ENS, as well as any additional controls identified as necessary through a threat and risk assessment. These controls, along with security roles and responsibilities for all staff, are clearly defined and documented.
Detection, analysis, and reporting mechanisms will be in place so that any significant deviation from the pre-established normal parameters is identified and the responsible parties are informed regularly.
To guarantee service availability, Prodevelop has the necessary means and techniques to ensure the recovery of critical services.
Existence of Defense Lines (Article 9) and Prevention Against Other Interconnected Systems (Article 23)
Prodevelop has implemented a multilayered protection strategy consisting of organizational, physical, and logical measures, so that if one layer fails, the remaining layers provide:
- Time for an appropriate reaction to incidents that could not be avoided.
- Reduction of the likelihood that the system will be entirely compromised.
- Minimization of the final impact on the system.
This protection strategy must safeguard the perimeter, particularly where the system is connected to public networks. In all cases, the risks arising from interconnecting the system with other systems through networks will be analyzed, and control will be exercised at the point of interconnection.
Differentiation of Responsibilities (Article 11) and Organization and Implementation of the Security Process (Article 13)
Prodevelop has organized its security by engaging all members of the corporation through the designation of different security roles with clearly differentiated responsibilities, as outlined in section 5 “SECURITY ORGANIZATION” of this document.
Access Authorization and Control (Article 17)
Prodevelop has implemented access control mechanisms for the information system, limiting access to what is strictly necessary and duly authorized.
Protection of Facilities (Article 18)
Prodevelop has implemented physical access control mechanisms to prevent unauthorized physical access, as well as damage to information and resources, through security perimeters, physical controls, and general protections in areas.
Acquisition of Security Products and Contracting of Security Services (Article 19)
When acquiring products, Prodevelop will give preference to products whose security functionality relevant to the acquisition has been certified, except where, in the judgment of the Security Officer, proportionality to the assumed risks does not justify it.
For the contracting of security services, the provisions outlined in the previous sections will apply, along with those established in Access Authorization and Control (Article 17).
Protection of Stored and In-Transit Information (Article 22) and Continuity of Activity (Article 26)
Prodevelop has implemented mechanisms to protect stored or in-transit information, especially when it is in insecure environments (laptops, tablets, information storage devices, open networks, etc.).
Systems will have backups, and the mechanisms needed to ensure continuity of operations in the event of loss of the usual means of work will be established.
Activity Logging and Malicious Code Detection (Article 24)
Prodevelop keeps user activity logs retaining the information needed to monitor, analyze, investigate, and document unauthorized or improper activity, so that the individual performing an action can be identified at all times. This is done solely to meet the objective of the ENS (Royal Decree 311/2022), with full guarantee of the rights to honor, personal and family privacy, and image of those affected, and in accordance with personal data protection regulations.
Personal Data
Prodevelop processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016.
The security policies applicable to these processing operations are governed by Prodevelop's Register of Personal Data Processing Activities, which lists the processing operations covered by the Regulation.
All Prodevelop information systems will provide the security required by the nature and purpose of the personal data recorded in that Register.
Prodevelop has carried out a risk analysis of its personal data processing operations in accordance with current legislation. In addition, the annual risk assessment analyzes the threats to which the data handled by the entity are exposed.
Guidelines for Structuring Documentation, Its Management, and Access
All documents that comprise the management system will have a record indicating who has reviewed the document and who has approved it. Preferably, the document should be reviewed by the Security Officer and approved by Management.
All management system documentation will be kept in a shared drive of Prodevelop's collaborative system. This drive will be editable by members of the Security Committee. Other staff will have read access to those documents in the drive that they need to know, as determined by the Security Committee.
The collaborative system housing all security documentation must allow management of document versions, as well as review of the activity conducted in said documentation.
Development of the Security Policy
This Policy is developed through Security Regulations addressing specific aspects. The Security Regulations will be available to all members of the organization who need to know them, specifically for those who use, operate, or manage information and communication systems.
Other documents complementing this Security Policy include:
- Security regulations and policy of Prodevelop’s ISMS.
The security regulations will be available in the documentation management application used by Prodevelop.
Obligations of Staff
All members of Prodevelop are obliged to know and comply with this Information Security Policy and the Security Regulations developed from it. The Security Committee is responsible for ensuring that the necessary means are in place for this information to reach those affected, always within Prodevelop's budgetary constraints.
All Prodevelop employees within the scope of the ENS will take part in a security awareness initiative at least once every two years. A continuous awareness program will be established for all Prodevelop members involved in application development for public administrations, with special attention to new hires, always within Prodevelop's budgetary constraints. An awareness initiative will be conducted within the two years following approval of this Security Policy, and on an ongoing basis for new staff.
If specific training for the safe handling of systems is required, individuals responsible for the operation or management of ICT systems will receive this training to the extent necessary for them to perform their jobs.
Third Parties
When Prodevelop provides services to, or handles information from, other organizations, those organizations will be informed of this Information Security Policy. Channels for communication and coordination with their respective ENS Security Committees will be established, together with procedures for responding to security incidents.
When Prodevelop uses third-party services or shares information with third parties, they will be made aware of this Security Policy and the Security Regulations relating to said services or information. Such third parties will be subject to the obligations established in the aforementioned regulations. Consequently, the provider must ensure that its personnel are adequately trained in security according to Prodevelop’s requirements.
Entry into Force
This Information Security Policy is effective from the day following its approval by the Management of Prodevelop and until it is replaced by a new Policy.
Annex A. Glossary of Terms
- Risk Analysis: Systematic use of available information to identify hazards and estimate risks.
- Personal Data: Any information concerning identified or identifiable individuals as defined in the General Data Protection Regulation.
- Incident Management: Action plan for addressing incidents that may occur. In addition to resolving them, it must incorporate performance measures that allow for understanding the quality of the protection system and detecting trends before they escalate into major issues. ENS.
- Risk Management: Coordinated activities to direct and control an organization concerning risks. ENS.
- Security Incident: Unexpected or undesirable event with consequences detrimental to the security of the information system. ENS.
- Information: Individual instance of a certain type of information.
- Security Policy: Set of guidelines documented in writing that govern how an organization manages and protects the information and services it deems critical. ENS.
- Basic Security Principles: Foundations that should govern all actions aimed at securing information and services. ENS.
- Information Officer: Individual responsible for establishing the security requirements for information.
- Security Officer: Individual who determines the decisions required to satisfy the security requirements of information and services.
- Service Officer: Individual responsible for establishing security requirements for services.
- System Officer: Individual responsible for the operation of the information system.
- Service: Function or provision performed by an official body intended to safeguard interests or meet the needs of citizens.
- Information System: Organized set of resources that allows information to be collected, stored, processed or dealt with, maintained, used, shared, distributed, made available, presented, or transmitted.
Annex B. Abbreviations
- CCN: National Cryptologic Center
- CERT: Computer Emergency Response Team
- ENS: National Security Scheme
- STIC: ICT Security
- ICT: Information and Communication Technologies
Annex C. References
- CCN-STIC-402 Organization and Management for the Security of ICT Systems. December 2006.
- CCN-STIC-801 ENS – Responsibilities and Functions. March 2019.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Royal Decree 311/2022, of May 3, regulating the National Security Scheme.