Last modified: April 15th, 2024
General Information Security Policy
1 PURPOSE
The Management of Legrand Group España S.L. defines this General Information Security Policy (ISS), which is developed in other more specific Policies that aim to ensure information security in different aspects relevant to the organisation.
2 OWNER
Management.
3 MISSION AND SCOPE
- Mission of the organisation
Our mission is to help people lead healthy and fulfilling lives. LEGRAND GROUP ESPAÑA S.L., aware of the importance and sensitivity of the information handled in its professional services of Installation, Maintenance and Support of Information Systems for the Health and Social Care sector, has decided to implement an Information Security Management System (ISS), in order to demonstrate its involvement and commitment with regard to Information Security.
This policy has been approved by the General Management of LEGRAND GROUP ESPAÑA S.L. in order to create a framework for action that allows:
- To ensure an optimal level of Information Security managed by LEGRAND GROUP ESPAÑA S.L., in order to achieve the full confidence of the users of healthcare services.
- To preserve the availability, integrity, confidentiality, authenticity and traceability of the information handled, meeting the needs and expectations of the interested parties included in the scope of the ISS.
- To ensure compliance with current legislation and applicable regulations regarding the security of the information contained in the scope of the ISS, as well as other contractual requirements.
- Align this Security Policy with the rest of the organisation's policies.
- Protect the information managed by the ISS against any misuse, prevent possible security incidents and reduce their potential impact.
- Ensure the capacity to respond to emergency situations by establishing Continuity and Availability Plans.
- Define a management system that allows for the continuous improvement of information security in all the processes involved in the scope defined for this system.
To this end, a risk management and treatment methodology has been defined and approved which:
- Identifies the ISS assets and their value from a security point of view.
- Identifies potential threats to these assets and assesses their level of risk.
- Establishes a risk treatment plan and security controls to reduce the determined risk levels to an acceptable level.
- Annually monitors and reviews the status of the system and the adequacy of the risk analysis performed.
- Scope
- Service for the provision of the technological platform for the provision of socio-sanitary services, including implementation, maintenance and support.
4 REGULATORY FRAMEWORK
- Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme.
- Regulation (EU) 2016/679, of 27 April, on the Protection of Individuals with regard to the Processing of Personal Data (GDPR).
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI).
PERSONAL DATA
In the field of personal data, LEGRAND GROUP ESPAÑA S.L. has complied with Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights.
LEGRAND GROUP ESPAÑA S.L. maintains a Register of Processing Activities (RAT), which describes all processing of personal data.
PRINCIPLES AND GUIDELINES
The basic principles to be considered when guaranteeing information security are those set out in article 5 of Royal Decree 311/2022, which regulates the National Security Scheme, so that existing threats do not materialise or, if they do materialise, do not seriously affect the information handled or the services provided.
- Prevention
LEGRAND GROUP ESPAÑA S.L. shall avoid or seek to prevent information or services from being impaired by security incidents. To this end, the departments have implemented the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all staff, are clearly defined and documented.
To ensure compliance with the policy, LEGRAND GROUP ESPAÑA S.L.:
- Authorises systems before they go into operation.
- Regularly assesses security, including evaluations of configuration changes made on a routine basis.
- Requests periodic review by third parties in order to obtain an independent assessment.
- Detection
Since services can degrade rapidly due to incidents, ranging from a simple slowdown to a halt, services must continuously monitor the operation in order to detect anomalies in service provision levels and act accordingly as set out in Article 10 of RD 311/2022.
Monitoring is particularly relevant when establishing lines of defence in accordance with Article 9 of RD 311/2022. Detection, analysis and reporting mechanisms shall be established that reach the responsible parties on a regular basis and when a significant deviation from the parameters that have been pre-established as normal occurs.
- Response
LEGRAND GROUP ESPAÑA S.L. has mechanisms in place to respond effectively to security incidents. This includes two-way communications with the Emergency Response Teams (CERTs) or with security officers or incident contact points of other involved entities.
The email address for incident communications is soporte@neat-group.com.
The protocol for the exchange of incident-related information is established by Procedure ‘SI-PR-03’.
- Recovery
To guarantee the availability of critical services, LEGRAND GROUP ESPAÑA S.L. has an ICT systems continuity plan as part of its general business continuity and recovery activities plan. It is set out in procedure ‘SI-PR-13’.
- Minimum security requirements
1. Those responsible for ensuring compliance with the security policy are adequately identified and known to all members of the organisation.
2. Risk analysis and risk management is an essential part of the security process and is kept constantly up to date.
3. Information security is everyone's responsibility. All persons who have access to the organisation's information must protect it, and are therefore adequately trained and aware of it.
4. Training is vital to maintain appropriate levels of professionalism and to maintain qualified and trained personnel.
5. Information is protected against unauthorised access and alteration, keeping it confidential and intact. Information is available and authorised access is permitted whenever necessary.
6. All assets (infrastructure, media, systems, communications, etc.) where information resides, is transported or processed are adequately protected.
7. Security in the acquisition of products and contracting of services must be in proportion to the criticality of the information they protect and the damage or loss that may be caused to it.
8. All systems are designed and configured to ensure security by default, providing the minimum functionality required to achieve the organisation's objectives.
9. Any physical or logical element is authorised prior to its installation in the system.
10. Information stored in or in transit through insecure environments is adequately protected.
11. Information systems are adequately protected at their perimeter, in particular in their connection to public networks.
12. Monitoring and analysis of improper or unauthorised activities is carried out on the basis of an activity log that respects the right to honour, personal and family privacy and the self-image of users, and in accordance with applicable data protection regulations.
13. The systems for detecting and reacting to harmful code are adequately implemented and are constantly reviewed.
14. Business continuity is guaranteed by protecting and securing information against loss of availability and integrity through the backup policy.
15. Information security is not static, it is constantly monitored and periodically reviewed within the organisation's PDCA continuous improvement cycle.
16. The processing of personal data must always be in accordance with the laws applicable at all times, in particular Regulation (EU) 2016/679, of 27 April, on the Protection of Individuals with regard to the Processing of Personal Data (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
5 SECURITY ORGANISATION
- Roles and responsibilities
• Governance: ISS Committee. A figure integrating the following functions:
o Data Controller.
o Data Controller.
o Service Manager.
• Supervision. One figure, reporting to Management, and carrying out the function of:
o Security Manager.
• Operation. One figure, reporting to Management, and integrating the following functions:
o System Manager
o Security Administrator.
Responsible for the Information
• It has the power to establish the security requirements for the information managed. If this information includes personal data, the requirements derived from the corresponding legislation on data protection must also be taken into account.
• It determines the levels of information security.
Head of Service
• It has the power to establish the security requirements for the services provided.
• It determines the security levels of the service.
Security Manager
This person is responsible for defining, coordinating and verifying compliance with the information security requirements defined in accordance with the strategic objectives.
The functions of the Security Manager are as follows:
• Coordinate and control the organisation's information security and data protection measures.
• Supervise the implementation, maintain, control and verify compliance with the rules and procedures contained in the Organisation's Information Security Policy and development regulations.
• Supervise the security incidents that occur in the Organisation.
• Disseminate within the organisation the rules and procedures contained in the Information Security Policy and development regulations, as well as the functions and obligations in the area of information security.
• Supervise and collaborate in the internal or external audits necessary to verify the degree of compliance with the Security Policy, development regulations and applicable laws on personal data protection and information security.
• Advise on information security matters to the different operational areas of the Organisation.
System Manager
The System Manager is responsible for ensuring the execution of measures to secure the assets and services of the information systems that support the organisation's activity, in accordance with the organisation's objectives.
The functions of the System Manager are as follows:
• Develop, operate and maintain the Information System throughout its life cycle, from its specification through installation and verification of its correct operation.
• Define the topology and management system of the Information System, establishing the criteria for its use and the services available in it.
• Ensure that specific security measures are properly integrated within the general security framework.
• Select and establish the functions and duties of the IT Technical Officers responsible for implementing the security management of the organisation's assets, in accordance with the defined security strategy.
• Ensure that the implementation of new systems and changes to existing systems complies with the security requirements established in the organisation.
• Establish the processes and controls for monitoring the state of security to detect incidents and coordinate their investigation and resolution.
• The System Manager may agree to suspend the handling of certain information or the provision of a certain service if he/she is informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed with those responsible for the affected information, the affected service and the Security Manager before being implemented.
Data Protection Officer (DPO)
The role of Data Protection Officer is outsourced to the company GRUPO ADAPTALIA LEGAL FORMATIVO S.L. Its functions are as follows:
• Inform and advise the controller or processor and the employees involved in the processing of the obligations incumbent on them by virtue of the Data Protection Regulation and other data protection provisions of the Union or of the Member States.
• Monitor compliance with the provisions of the Data Protection Regulation, other Union or Member State data protection provisions and the controller's or processor's policies on the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits.
• Provide advice as requested on the data protection impact assessment and monitor its implementation in accordance with Article 35 of Regulation (EU) 2016/679.
• Cooperate with the supervisory authority.
• Act as a contact point for the supervisory authority for matters relating to processing, including prior consultation as referred to in Article 36 of Regulation (EU) 2016/679.
- Coordination, appointment and dispute resolution
Coordination is carried out within the Management Committee, which may delegate to the ISS Committee.
Appointments are made by the organisation's management and are reviewed every 2 years or when a position becomes vacant.
Differences in criteria that could lead to conflict shall be dealt with by the ISS Committee and in all cases the criteria of the executive management shall prevail.
6 TRAINING AND AWARENESS-RAISING
Specific awareness and training actions related to the ENS are managed through the ISS by the HR department.
7 RISK ANALYSIS AND MANAGEMENT
Proper analysis, identification and management of the risks to which the information assets that support the services of LEGRAND GROUP ESPAÑA S.L. are subject is essential for correct decision making by LEGRAND GROUP ESPAÑA S.L. management.
The risk analysis must be carried out:
• At least once a year.
• During the specification of a new system, to determine the security requirements to be incorporated into the solution.
• During the development of a new system, to analyse options.
• During system operation, to adjust to new assets, new threats, new vulnerabilities and new safeguards.
• If there are changes in the information processed.
• If there are changes in the services provided.
• If a serious security incident occurs.
• If serious vulnerabilities are reported.
8 SECURITY DOCUMENTATION
The documentation related to Information Security is classified in three levels, so that each document at a given level is based on those at the level above:
• First level: Security policy.
• Second level: Security regulations and procedures.
• Third level: Reports, records and electronic evidence.
- First level: Security policy
Guidelines of obligatory compliance by all personnel, internal and external to the organization, included in this document.
- Second level: Security regulations and procedures
Mandatory in accordance with the corresponding organizational, technical or legal scope.
- Third level: Reports, records and electronic evidence
Technical documents that collect evidence generated during all phases of the information system life cycle, as well as threats and vulnerabilities of information systems.
- Other documentation
The STIC procedures, standards and technical instructions, as well as the CCN-STIC guides published by the National Cryptologic Center (CCN) may be followed at all times.
9 DOCUMENTATION
Documented information associated with the ENS is organized, codified and approved in accordance with the general requirements of the ISS.
10 APPROVAL AND REVIEW PROCESS
This Security Policy is approved by the General Management and reviewed at least once a year, or when technical or organizational circumstances so require.
The Management undertakes to ensure that its Information Security Policy is communicated, implemented and updated at all levels of the organization affected by its scope, as well as to make it accessible to all interested parties. Likewise, it acquires the firm commitment to specify and update the objectives of Information Security through annual reviews of the ISS carried out by the Management of the company.
Our certifications
Since our founding, we have been regularly tested. At the Legrand Group, the following certifications are standard:
Legrand Group
- ISO 9001:2015
- ISO 14001:2015
- ISO 27001:2013
- ENS Certificate (National Security Scheme)
Legrand AB
- ISO 9001:2015
- ISO 14001:2015
- ISO 45001:2018