Last modified: February 24th, 2025
General Information Security Policy
1 OBJECT
The Management of Legrand Group España S.L. defines this General Information Security Policy (ISS), which is developed in other more specific Policies that aim to ensure information security in different aspects relevant to the organisation.
2 OWNER
Management.
3 MISSION AND SCOPE
- Mission of the organisation
Our mission is to help people lead healthy and fulfilling lives. LEGRAND GROUP ESPAÑA S.L., aware of the importance and sensitivity of the information handled in its professional services of Installation, Maintenance and Support of Information Systems for the Health and Social Care sector, has decided to implement an Information Security Management System (ISS), in order to show its involvement and commitment to Information Security.
This policy has been approved by the General Management of LEGRAND GROUP ESPAÑA S.L. in order to create a framework for action that allows:
· To ensure an optimal level of Information Security managed by LEGRAND GROUP ESPAÑA S.L., in order to achieve the full confidence of the users of health and social services.
· Preserve the availability, integrity, confidentiality, authenticity and traceability of the information handled, meeting the needs and expectations of the stakeholders included in the scope of the ISS.
· Ensure compliance with applicable legislation and regulations on information security contained in the scope of the ISS, as well as other contractual requirements.
· Align this Security Policy with the rest of the organisation's policies.
· To protect the information managed by the ISS against misuse, to prevent possible security incidents and to reduce the potential impact of such incidents.
· Ensure the capacity to respond to emergency situations by establishing Continuity and Availability Plans.
· Define a management system that allows for the continuous improvement of information security in all processes involved in the scope defined for this system.
· To this end, a risk management and treatment methodology has been defined and approved:
· It identifies ISS assets and their value from a security point of view.
· It identifies potential threats to these assets and assesses their level of risk.
· Establishes a risk treatment plan and security controls to reduce identified risk levels to an acceptable level.
· Annually monitors and reviews the status of the system and the adequacy of the risk analysis performed.
- Scope
Service for the provision of the technological platform for the provision of social and health care services, including implementation, maintenance and support.
4 REGULATORY FRAMEWORK
Royal Decree 311/2022 of 3 May, which regulates the National Security Scheme.
Regulation (EU) 2016/679, of 27 April, on the Protection of Individuals with regard to the Processing of Personal Data (GDPR).
Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI).
Resolution of 7 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction on the Security Status Report.
Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction in accordance with the National Security Scheme.
Resolution of 27 March 2018, of the Secretary of State for Public Function, approving the Technical Security Instruction on Auditing the Security of Information Systems.
Resolution of 13 April 2018, of the Secretary of State for Public Administration, approving the Technical Security Instruction on Security Incident Notification.
Law 39/2015, of 1 October, on Common Administrative Procedure.
Law 40/2015, of 1 October, on the Legal Regime of the Public Sector.
Law 10/2021, of 1 July 2021, on distance working.
UNE/ISO 27001:2022, Information Security Management System.
5 PERSONAL DATA
In the area of personal data, LEGRAND GROUP ESPAÑA S.L. has complied with Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.
LEGRAND GROUP ESPAÑA S.L. maintains a Register of Processing Activities (RAT), in which all processing of personal data is described.
6 PRINCIPLES AND GUIDELINES
The basic principles to be considered when guaranteeing information security are those set out in article 5 of Royal Decree 311/2022, which regulates the National Security Scheme, so that existing threats do not materialise or, if they do materialise, do not seriously affect the information handled or the services provided.
- Prevention
LEGRAND GROUP ESPAÑA S.L. shall avoid or seek to prevent information or services from being impaired by security incidents. To this end, the departments have implemented the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all staff, are clearly defined and documented.
To ensure compliance with the policy, LEGRAND GROUP ESPAÑA S.L.:
- Authorises systems before they go into operation.
- Regularly assesses security, including assessments of configuration changes made on a routine basis.
- Requests periodic review by third parties in order to obtain an independent assessment.
- Detection
As services can degrade rapidly due to incidents, ranging from simple slowdowns to stoppage, operation must be continuously monitored to detect anomalies in service provision levels and to act accordingly, as set out in Article 10 of RD 311/2022.
Monitoring is especially relevant when establishing lines of defence in accordance with Article 9 of RD 311/2022. Detection, analysis and reporting mechanisms shall be established to reach those responsible on a regular basis and when a significant deviation from the parameters that have been pre-established as normal occurs.
- Response
LEGRAND GROUP ESPAÑA S.L. has mechanisms in place to respond effectively to security incidents. This includes two-way communications with the Emergency Response Teams (CERT) or with security officers or incident contact points of other involved entities.
The email address for incident communications is soporte@neat-group.com.
The protocol for the exchange of information related to the incident is established by Procedure "SI-PR-03".
- Recovery
To ensure the availability of critical services, LEGRAND GROUP ESPAÑA S.L. has an ICT systems continuity plan as part of its general business continuity and recovery activities plan. It is set out in procedure "SI-PR-13".
- Minimum security requirements
- Those responsible for ensuring compliance with the security policy are properly identified and known to all members of the organisation.
- Risk analysis and risk management is an essential part of the security process and is continuously updated.
- Information Security is everyone's responsibility. Everyone who has access to the organisation's information must protect it, so they are adequately trained and aware.
- Training is vital to maintain adequate levels of professionalism and to maintain qualified and educated staff.
- The information is protected against unauthorised access and alteration, keeping it confidential and intact. In addition, information is available and authorised access to it is permitted whenever necessary.
- All assets (infrastructure, media, systems, communications, etc.) where information resides, is transported or processed are adequately protected.
- Security in the procurement of products and services should be commensurate with the criticality of the information they protect and the damage or loss that may occur to it.
- All systems are designed and configured to ensure security by default, providing the minimum functionality required to achieve the organisation's objectives.
- Any physical or logical element is authorised prior to its installation in the system.
- Information stored in or in transit through insecure environments is adequately protected.
- Information systems are adequately protected at their perimeter, in particular in their connection to public networks.
- The monitoring and analysis of improper or unauthorised activities is carried out on the basis of an activity log that respects the user's right to honour, personal and family privacy and self-image, and in accordance with the applicable data protection regulations.
- Systems for detecting and reacting to malicious code are adequately implemented and continuously reviewed.
- Business continuity is ensured by protecting and securing information against loss of availability and integrity through the backup policy.
- Information Security is not static, it is constantly monitored and periodically reviewed within the organisation's PDCA continuous improvement cycle.
- The processing of personal data must always be in accordance with the laws applicable at all times, with Regulation (EU) 2016/679, of 27 April, on the Protection of Individuals with regard to the Processing of Personal Data (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights being of particular importance.
7 SECURITY ORGANISATION
- Roles and responsibilities
- Governance: ISS Committee. A figure integrating the following functions:
- Data Controller.
- Responsible for the information.
- Head of Service.
- Supervision. One figure, reporting to management, and carrying out the function of:
- Responsible for security.
- Operation. One figure, reporting to the Directorate, and integrating the following functions:
- System Manager.
- Security Administrator.
Responsible for Information
Head of Service
- Has the power to establish security requirements for the services provided.
- Determines the security levels of the service.
Head of Security
It is responsible for defining, coordinating and verifying compliance with the information security requirements defined in accordance with the strategic objectives.
The functions of the Information Security Officer are as follows:
- Coordinate and control the organisation's information security and data protection measures.
- Supervise the implementation, maintain, control and verify compliance with the rules and procedures contained in the Organisation's Information Security Policy and development regulations.
- Monitor security incidents within the organisation.
- Disseminate within the organisation the rules and procedures contained in the Information Security Policy and implementing regulations, as well as the functions and obligations in the area of information security.
- Supervise and collaborate in the internal or external audits necessary to verify the degree of compliance with the Security Policy, development regulations and applicable laws on personal data protection and information security.
- Advise on information security matters to the different operational areas of the organisation.
System Manager
He/she is responsible for ensuring the execution of measures to secure the assets and services of the information systems that support the organisation's activity, in accordance with the organisation's objectives.
The functions of the System Manager are as follows:
- Develop, operate and maintain the Information System throughout its life cycle, from its specifications, installation and verification of its correct functioning.
- Define the topology and management system of the Information System, establishing the criteria for its use and the services available in it.
- Ensure that specific security measures are properly integrated into the overall security framework.
- Select and establish the functions and duties of the IT Technical Officers responsible for implementing the security management of the organisation's assets, in accordance with the defined security strategy.
- Ensure that the implementation of new systems and changes to existing systems complies with the security requirements established in the organisation.
- Establish security status monitoring processes and controls to detect incidents and coordinate their investigation and resolution.
- The System Manager may agree to suspend the handling of certain information or the provision of a certain service if he/she is informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed with those responsible for the affected information, the affected service, the Security Administrator and the Security Officer before being implemented.
Data Protection Delegate (DPD)
The role of Data Protection Delegate is outsourced through the company GRUPO ADAPTALIA LEGAL FORMATIVO S.L.
- Inform and advise the controller or processor and employees involved in the processing of their obligations under the Data Protection Regulation and other Union or Member State data protection provisions.
- Monitor compliance with the provisions of the Data Protection Regulation, other Union or Member State data protection provisions and the controller's or processor's policies on the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits.
- Provide advice as requested on the data protection impact assessment and monitor its implementation in accordance with Article 35 of Regulation (EU) 2016/679.
- Cooperate with the supervisory authority.
- Act as a contact point for the supervisory authority for matters relating to processing, including prior consultation as referred to in Article 36 of Regulation (EU) 2016/679.
Coordination, appointment and conflict resolution
Coordination takes place within the Steering Committee, which may delegate to the ISS Committee.
Appointments are made by the management of the organisation and are reviewed every 2 years or when a post becomes vacant.
Differences of opinion that may lead to conflict shall be dealt with within the ISS Committee, and the opinion of the Executive Management shall always prevail.
8 TRAINING AND AWARENESS-RAISING
Specific awareness and training actions related to the ENS are managed through the ISS by the HR department.
9 RISK ANALYSIS AND RISK MANAGEMENT
A correct analysis, identification and management of the risks to which the information assets that support the services of LEGRAND GROUP ESPAÑA S.L. are subject is essential for correct decision-making by the management of LEGRAND GROUP ESPAÑA S.L.
Risk analysis should be carried out:
- At least once a year.
- During the specification of a new system, to determine the security requirements to be incorporated into the solution.
- During the development of a new system, to analyse options.
- During system operation, to adjust to new assets, new threats, new vulnerabilities and new safeguards.
- If there are changes in the information processed.
- If there are changes in the services provided.
- If a serious security incident occurs.
- If serious vulnerabilities are reported.
10 SECURITY DOCUMENTATION
Information Security documentation shall be classified into three levels, whereby each document at one level builds on the documents at a higher level:
- First level: Security policy.
- Second level: Security regulations and procedures.
- Third level: Reports, records and electronic evidence.
First level: Security policy
Guidelines of obligatory compliance by all personnel, both internal and external to the organisation, which are included in this document.
Second level: Security regulations and procedures
Mandatory in accordance with the relevant organisational, technical or legal scope.
Third level: Reports, records and electronic evidence
Technical documents that collect evidence generated during all phases of the information system lifecycle, as well as threats and vulnerabilities of information systems.
Other documentation
STIC procedures, standards and technical instructions, as well as CCN-STIC guides published by the National Cryptologic Centre (CCN) may be followed at all times.
11 DOCUMENTATION
The documented information associated with the ENS is organised, codified and approved according to the general requirements of the ISS.
12 APPROVAL AND REVIEW PROCESS
This Security Policy is approved by the General Management and reviewed at least annually, or when technical or organisational circumstances so require.
Management undertakes to ensure that its Information Security Policy is communicated, implemented and updated at all levels of the organisation affected by its scope, as well as to make it accessible to all interested parties. Likewise, it is firmly committed to specifying and updating the Information Security objectives through annual reviews of the ISS carried out by the company's Management.

Our certifications
Since our founding, we have been regularly tested. At the Legrand Group, the following certifications are standard:
Legrand Group
- ISO 9001:2015
- ISO 14001:2015
- ISO/IEC 27001:2022
- ENS Certificate (National Security Scheme)
Legrand AB
- ISO 9001:2015
- ISO 14001:2015
- ISO 45001:2018