Information Security Policy
Information Security Policy
To protect the handling, safeguard and transmission of confidential information regarding clients, in a manner wich is consistent with professional, ethical, legal, regulatory and contractual requirements, is one of i2S’ key priorities, and is recognised as fundamental to the organisation’s success. The loss or theft of confidential information may have serious consequences from a legal, financial and/or reputational point of view, and i2S is committed to safeguard the confidentiality, integrity and availability of clients’ confidential information, be it physical, digital or intellectual.
Therefore, the principles of the information security policy are to ensure that:
- the information is protected against non-authorised access;
- the information’s confidentiality is guaranteed;
- the information’s integrity is maintained;
- all the applicable laws and regulations are observed;
- the appropriate business continuity plans are maintained and tested on a regular basis; and
- every information security breach detected or under suspicion is investigated by the areas that are competent to perform those actions.
Information Security Management System
i2S maintains an Information Security Management System (ISMS), which includes policies and procedures, and that has been designed to maintain, to revise and to continuously improve the security of the information in i2S, on the basis of risk assessment. The ISMS has the following objectives.
- To guarantee that all employees know and comply with the existing security policies and procedures.
- To define and to communicate responsibilities regarding information security within the organisation.
- To raise awareness on information security, ensuring that all employees understand how information security is part of their functions and their responsibility regarding the protection of information’s confidentiality, integrity and availability.
- To include information security as an essential part of business planning and operations.
- To continuously analyse threats to the information security, guaranteeing that these are identified and managed on the basis of risk assessment procedures and applying appropriate control measures.
- To promote the appropriate protection of the organisation’s infrastructure of information systems and communications against the loss, misuse or undue access.
- To promote the detection, registration, report and investigation of security incidents in an effective and efficient manner, to ensure minimum impacts of this type of incidents on the organisation.
- To guarantee the implementation and testing of business continuity plans, so as to ensure the continuity of operations and to minimise the impact of a security incident or of an emergency situation.
- To ensure the existence of the necessary resources for an effective maintenance and continuous improvement of the ISMS.
- To promote the continuous revision of security mechanisms and processes to ensure their effectiveness and adequacy to the organisation’s needs.
Information Security Management System’ responsibilities
Under the ISMS, i2S’ highest body is the Executive Committee, whose mains responsibilities are as follows.
- To ensure that the ISMS belongs to and is integrated with the organisation’s processes and its global management structure.
- To approve the functions and responsibilities associated with information security.
- To formally maintain a nominated CISO (Chief Information Security Officer) and Information Security Manager (ISM), who will be the main interlocutors with the remaining structures within the organisation as far as the activities on the management of the ISMS are concerned.
The people responsible from the different business and support areas must be aware of the need to have business and support processes that comply with the organisation’s information security policies, as well as of their obligation to implement, within their areas, the initiatives which may be necessary.
All employees, as well as third parties who may in any way have access to confidential information from i2S’ clients, are obliged to observe and to enforce all the organisation’s policies on information security, and shall promptly report to the CISO or the ISM any security incident, that is, any event which has led or may lead to an information security breach.