Information Security Policy
1. Version 9.1: Approval and Entry into Force
Text approved on 4 February 2025 by the Directorate General.
This Information Security Policy is effective from that date until it is replaced by a new Policy.
2. Introduction
This document sets out the Information Security Policy of the entities Ivnosys Soluciones S.L. (Unipersonal) and Signaturit Solutions S.L. (Unipersonal), which belong to the “Signaturit Group” and which assume this Information Security Policy as the set of basic principles and lines of action to which both organisations are committed, within the framework of the ISO/IEC 27001:2022 Standard and the National Security Scheme (ENS). Hereinafter in this document we will refer to both entities as “the organisation”.
The organisation depends on ICT (Information and Communications Technology) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that could affect the availability, integrity or confidentiality of the information processed or the services provided.
Information is a critical, essential and highly valuable asset for the development of the organisation’s activity. This asset must be adequately protected, regardless of the formats, supports, means of transmission, systems, or persons involved in its knowledge, processing or treatment.
The objective of information security is to guarantee the quality of information and the continuous provision of services by acting preventively, monitoring daily activity and reacting promptly to incidents, in order to ensure information quality and business continuity, minimise risk and maximise return on investment and business opportunities.
ICT systems must be protected against rapidly evolving threats that have the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure the continued delivery of services. This implies that departments must implement the minimum measures of security required by the National Security Scheme and the ISO/IEC 27001:2022 Information Security Systems standard, as well as continuously monitoring service delivery levels, tracking and analysing reported vulnerabilities and preparing an effective response to incidents to ensure the continuity of the services provided.
The different departments must ensure that ICT security is an integral part of every stage of the system’s lifecycle, from its conception to its decommissioning, through development, procurement, deployment and operational activities. Security requirements and funding needs should be identified and included in planning, in soliciting bids from suppliers, and in technical memoranda for ICT projects. Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 8 of the ENS and the Business Continuity system of ISO 22301.
This article provides as follows:
Article 8. Prevention, response and recovery.
- The security of the system must include actions relating to prevention, detection and response in order to minimise its vulnerabilities and ensure that threats to it do not materialise or, if they do, do not seriously affect the information it handles or the services it provides.
- Preventive measures, which may incorporate components aimed at deterrence or reducing the area of exposure, should eliminate or reduce the likelihood of threats materialising.
- Detection measures will be aimed at detecting the presence of a cyber incident.
- The response measures, which will be managed in a timely manner, will be aimed at restoring information and services that may have been affected by a security incident.
- Without prejudice to the other basic principles and minimum requirements laid down, the information system shall ensure that data and information are kept in electronic form. Similarly, the system will keep services available throughout the life cycle of digital information, through a design and procedures that are the basis for the preservation of the digital heritage.
The organisation’s management, aware of the value of information, is deeply committed to the policy described in this document.
2.1 Prevention
Departments should avoid, or at least prevent as far as possible, information or services from being compromised by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. In addition, and with the clear intention of enhancing such prevention, departments should also implement all requirements necessary to comply with ISO/IEC 27001:2022. These controls, and the security roles and responsibilities of all personnel, should be clearly defined and documented.
To ensure compliance with the policy, departments must:
- Authorise systems before going into operation.
- Regularly assess security, including assessments of configuration changes made on a routine basis.
- Request periodic review by third parties in order to obtain an independent assessment.
2.2 Detection
Since services can degrade rapidly due to incidents, ranging from a simple slowdown to a standstill, operation must be monitored on a continuous basis to detect anomalies in service provision levels and act accordingly, in accordance with the provisions of Article 10, Continuous and periodic reassessment, which states the following:
- Continuous monitoring will allow for the detection of anomalous activities or behaviour and a timely response.
- Ongoing assessment of the security status of assets will allow measuring their evolution, detecting vulnerabilities and identifying configuration deficiencies.
- Security measures shall be reassessed and updated periodically and their effectiveness shall be adapted to the evolution of risks and protection systems, and may lead to a security review if necessary.
Monitoring is especially relevant when establishing lines of defence in accordance with Article 9 of the ENS. Detection, analysis and reporting mechanisms shall be established that reach those responsible on a regular basis and when a significant deviation from the parameters that have been pre-established as normal occurs.
Article 9 states:
- The information system must have a protection strategy consisting of multiple layers of security, arranged in such a way that, when one of the layers is compromised, it allows:
  - a) Develop an adequate reaction to incidents that could not be prevented, reducing the likelihood of the system as a whole being compromised.
  - b) Minimise the final impact on it.
- The lines of defence must consist of measures of an organisational, physical and logical nature.
2.3 Response
Departments should:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in other departments or other agencies.
- Establish protocols for the exchange of information related to the incident.
For any type of communication, internal and/or external, the Communications Plan, published in the Signaturit Group (Spain) Management System, drawn up by the organisation, must be followed.
2.4 Recovery
To guarantee the availability of critical services, the organisation has a general Business Continuity Plan (BCP), published in the Management System, assessing possible disaster scenarios and recovery strategy, and establishing emergency plans that are reviewed periodically.
3. Outreach
This Security Policy applies to the information systems that support the installation and operation processes of the following trusted cloud services:
- Automatic receipt of electronic notifications.
- Electronic communications between organisations with electronic evidence of the different transactions.
- Centralised management of cryptographic keys (digital certificates) and web services for electronic communications and evidence, time stamp issuance and management.
- Certificate lifecycle management.
- Authentication and identity verification using biometric data and video identification.
- External CPDs (data centres) in Paterna (Valencia), in Murcia and AWS services.
The Information Security Policy is approved by the organisation’s Management and its content and that of the rules and procedures that develop it are mandatory:
- All users with access to information processed, managed or owned by the organisation have an obligation and duty to safeguard and protect it.
- The Information Security Policy and Rules shall be adapted to evolving systems and technology and organisational changes and shall be aligned with ISO/IEC 27001:2022 and the National Security Scheme.
- The security measures and controls put in place shall be proportionate to the criticality of the information to be protected and its classification.
- Necessary disciplinary action shall be taken against persons who seriously violate the content of the Information Security Policy or complementary rules and procedures.
4. Purpose
As already mentioned, the purpose of this Information Security Policy is to protect the Signaturit Group’s (Spain) information assets, ensuring their availability, integrity and confidentiality,
authenticity and traceability of the information and of the facilities, systems and resources that process, manage, transmit and store them, always in accordance with business requirements and current legislation.
5. Mission and Objectives
Information must be protected throughout its life cycle, from its creation to its eventual deletion or destruction. To this end, the following minimum principles are established:
- Information systems shall be accessible only to those users, bodies and entities or processes expressly authorised to do so.
- A commitment to continuous improvement of the ISMS shall be established.
- A level of availability of information systems shall be guaranteed and the necessary plans and measures shall be put in place to ensure continuity of services and recovery from serious contingencies.
- A continuous process of risk analysis and treatment will be articulated as the mechanism on which information systems security management should be based.
- Lines of work will be developed aimed at the prevention of incidents related to ICT security.
- Services will be monitored on an ongoing basis to detect anomalies in service delivery levels and act accordingly.
- The degree of compliance with the security improvements planned on an annual basis and the degree of effectiveness of the ICT security controls in place will be analysed, with a view to proactively proposing new improvement actions.
- All the organisation’s staff will be made aware of their duties and obligations with regard to the secure handling of information and all those who manage and administer information and telecommunications systems will be trained in specific ICT security matters.
6. Regulatory Framework
- Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.
- Law 40/2015, of 1 October, on the Legal Regime of the Public Sector.
- RD 1671/2009 of 6 November 2009 [partially implementing Law 11/2007].
- Royal Decree 311/2022 of 3 May, which regulates the National Security Scheme.
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
- The different CCN-STIC-400/800 series, which establish policies, procedures and appropriate recommendations for the implementation of the measures envisaged in the National Security Scheme (RD 3/2010).
- ISO/IEC 27001:2022.
- Royal Legislative Decree 1/1996, of 12 April 1996, approving the revised text of the Intellectual Property Law, regularising, clarifying and harmonising the legal provisions in force on the matter.
- Law 2/2019 of 1 March 2019, which amends the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996 of 12 April 1996, and which incorporates into the Spanish legal system the Directive 2014/26/EU of the European Parliament and of the Council of 26 February 2014 and Directive (EU) 2017/1564 of the European Parliament and of the Council of 13 September 2017.
- Royal Decree-Law 14/2019 of 31 October, adopting urgent measures for reasons of public security in the areas of digital administration, public sector procurement and telecommunications.
- Law 6/2020, of 11 November, regulating certain aspects of electronic trust services.
- Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
- Order ETD/465/2021, of 6 May, regulating remote video identification methods for issuing qualified electronic certificates.
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (SRI Directive 2).
7. Security Organisation
7.1 Committees
The Signaturit Group (Spain) has a procedure for the management and organisation of both internal and external responsibilities in the field of information security, which establishes the Management System Committee (hereinafter the SG Committee), whose main mission is the approval, supervision of compliance, management and dissemination of the rules and policies of the organisation, as well as the monitoring and management of the incidents and risks present, in the field of information security.
The functions of the SG Committee are set out in the organisation’s Management System.
The SG Committee meets at least every six months and its mandatory members are the General Management, CTO, CISO, IT Manager and the person responsible for the Management System.
Although there is no obligation under the GDPR to have a Data Protection Officer (DPO) on staff, the organisation voluntarily has a DPO/Privacy Officer on staff, given the services it provides.
In addition, the Committee includes any other managers/roles whose intervention is necessary because they are affected by the National Security Scheme, by the GDPR or by any other regulation related to information security, such as, inter alia, the service manager and the security administrator.
7.2 Roles: Functions and Responsibilities
Because security should involve all members of the organisation, as reflected in Article 11 of the ENS and Annex II of the ENS, section 3.1, the Security Policy should identify clear responsibilities for ensuring compliance and be made known to all members of the organisation.
In the Signaturit Group (Spain) Management System, there is a section to identify the people who hold the roles that make up the SG Committee and their specific functions. The roles defined and their responsibilities are detailed below:
7.2.1 Directorate General
- Approve measures and budgets.
- Ensure compliance with the system.
- Demonstrate leadership and commitment to the Information Security Management System.
- Ensure that information security policy and objectives are established and are compatible with the strategic direction of the organisation.
- Meet at least biannually, and whenever any extraordinary event or request demands it, with the Security and System Officers, to be informed about the ISMS and to update the Information Security strategy.
- Foster a corporate culture of information security, promoting awareness.
- Support the continuous improvement of information security processes and projects.
- Ensure resources are available for compliance with the Information Security Policy, the rules for the use of the systems and for the operation of the ISMS.
- Determine the measures, disciplinary or otherwise, that may be taken against those responsible for security breaches.
7.2.2 CTO
- Approve measures and budgets.
- Ensure compliance with the system.
- Demonstrate leadership and commitment to the Information Security Management System.
- Meet semi-annually, and whenever any extraordinary event or request demands it, with at least the Security and System Managers, to be informed about the ISMS and to update the Information Security strategy.
- Foster a corporate culture of information security, promoting awareness.
- Support the continuous improvement of information security processes and projects.
- Ensure that resources are available for compliance with the Information Security Policy, the rules for the use of the systems and for the operation of the ISMS.
- Define the approach to the analysis and management of information security risks and the criteria for taking risks, and ensure risk assessment at least on an annual basis.
- Ensure that internal information security audits are conducted and their results reviewed to identify opportunities for improvement.
- Determine the measures, disciplinary or otherwise, that may be taken against those responsible for security breaches.
- Contact the competent authorities in case of security incidents or breaches.
7.2.3 Head of SG
- Implement, develop and maintain the Management System.
- Coordinate quality management, information security, services and business continuity across the company.
- Define and develop a set of quality, security, service and business continuity management procedures and the standards that support them.
- Provide advice on all procedural aspects of quality management, information security, services and business continuity.
- Identify any problems that affect the quality of products and services.
- Investigate all security incidents that occur, together with the systems manager.
- Initiate actions to prevent and/or correct non-conformities and ensure that these actions are carried out.
- Ensure that awareness of customer requirements is promoted at all levels of the organisation.
- Maintain and review Quality, Information Security, Service and Business Continuity processes, Documented Procedures and Work Instructions.
- Draw up, in collaboration with the Security Officer, the security documentation.
- Report to top management on the performance of the management system, the degree of achievement of objectives and any need for improvement.
- Develop awareness and training programmes in quality and safety management for the company’s employees.
- Monitor the effectiveness of the controls in place to ensure information security.
- Propose improvement plans and seek approval for the investments they may entail.
- Follow up the life cycle of systems: specification, architecture, development, operation, changes.
- Coordinate and monitor the implementation of projects for compliance with ISO/IEC 27001:2022 and ENS standards, together with the Head of Security.
- Conduct exercises and tests on existing security operating procedures and continuity plans.
- Provide support to:
  - Risk analysis.
  - Security-related projects.
  - Implementation and maintenance of the processes necessary for the quality and information security management system.
  - Audits.
  - Incorporation of information security requirements in contracts and agreements.
  - Development of business continuity plans in the organisation.
  - Measuring customer satisfaction.
7.2.4 CISO
- Define, develop and supervise the set of procedures and technical instructions related to information security to support the management system.
- Maintain and review technical documentation related to Information Security, documented procedures and work instructions.
- Monitor compliance with this Policy and the security configuration of the systems.
- Coordinate the management processes related to Information Security, together with the Head of the SG.
- Provide advice on all technical aspects of information security management.
- Identify any problems affecting product and service security.
- Investigate all security incidents that occur and report them to the person responsible for the management system.
- Implement the necessary technical corrective and preventive actions resulting from non-conformities.
- Monitor the effectiveness of the controls in place to ensure information security.
- Sign the Statement of Applicability, which contains the list of security measures selected for a system.
- Establish adequate and effective security measures to meet the security requirements established by the management, following at all times the requirements of Annex II of the ENS and ISO/IEC 27001:2022, and declaring the applicability of such measures.
- Promote security awareness and training activities in their area of responsibility.
- Propose improvements to the person in charge of the management system.
- In order to carry out any of his or her functions, the Security Officer may request the collaboration of the System Manager.
- Act as Point of Contact with the Public Administrations to which Signaturit Group (Spain) provides outsourced services.
7.2.5 Responsible for the Service and Responsible for the Information
- Establish the security requirements of the service, including interoperability, accessibility and availability requirements.
- Determine the security levels of the service, in agreement with the Security Officer and the System Administrator.
- Maintain the security of the information handled and the services provided by the information systems in its area of responsibility.
- Approve any substantial modification to the configuration of any element of the system.
- Suspend the handling of certain information or the provision of an electronic service if informed of serious security deficiencies, subject to prior agreement with the Security Officer and management.
In addition, he/she will assume the role of Information Controller, ultimately responsible for any error or negligence leading to an incident of confidentiality or integrity (in terms of data protection) and availability (in terms of information security). In that role, he/she will:
- Ensure the proper use of information and therefore its protection.
- Establish information security requirements.
- Determine the security levels of the information processed, assessing the consequences of a negative impact.
7.2.6 System Security Administrator
- The implementation, management and maintenance of the security measures applicable to the Information System.
- The management of authorisations granted to users of the system, in particular the privileges granted, including monitoring that the activity carried out on the system is in accordance with what is authorised.
- The implementation of security operating procedures.
- Ensuring that established security controls are strictly adhered to, and that approved procedures for managing the information system are applied.
7.2.7 IT Manager
- The management, configuration and updating, where appropriate, of the hardware and software on which the security mechanisms and services of the information systems are based.
- Implementing information system configuration changes.
- Ensuring that established security controls are strictly adhered to, and that approved procedures for managing the information system are applied.
- Monitoring hardware and software installations, modifications and upgrades to ensure that security is not compromised and at all times conforms to the relevant authorisations.
7.2.8 DPO/Privacy Officer
- Inform and train internally on data protection.
- Provide advice on data protection.
- Monitor compliance with the regulation (GDPR).
- Participate in all organisational decisions on data protection.
- Provide advice as requested on the data protection impact assessment and monitor its implementation in accordance with Article 35 of the GDPR (“Data Protection Impact Assessment”).
- Cooperate with the supervisory authority, in this case the Spanish Data Protection Agency, after coordination with Management.
- Act as a contact point for the supervisory authority for matters relating to processing, including prior consultation as referred to in Article 36 of the GDPR, and consult, as appropriate, on any other matter.
7.3 Review and approval of Security Policy
The mission of the SG Committee shall be the annual review of this Information Security Policy and the proposal for its revision or maintenance.
The policy will be approved by the organisation’s management and, as it is a public document in accordance with the Signaturit Group (Spain) Information Classification Policy (available in the Management System), it will be disseminated by the Communications Department so that all affected parties are aware of it, and will also be made available to third parties via the organisation’s website: www.signaturit.com
In addition, it may be further reviewed in the event of significant changes affecting security, the services provided by the organisation, regulatory changes or any other relevant issue.
8. Privacy Policy Signaturit Group (Spain)
In accordance with the provisions of the applicable data protection regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data, or GDPR, and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights), Ivnosys Soluciones S.L.U. and Signaturit Solutions S.L.U., in their capacity as Data Controller or Joint Controllers, as appropriate, and as Data Processor of the data of their customers, undertake:
- that the personal data of both customers and employees and collaborators will be processed in accordance with the principles of lawfulness, fairness and transparency. Data will be collected and used for explicit and legitimate purposes. The data collected shall be relevant, adequate and limited in relation to the purposes established for such processing. The principle of accuracy shall be complied with and all necessary measures shall be taken for rectification when necessary. The data will not be kept longer than necessary in relation to the purposes of the processing, except for compliance with legal obligations.
- that all security measures referenced in this Information Security Policy shall take into account protecting the privacy of information.
- that, with regard to the personal data processed by Signaturit, whether in its capacity as Data Controller or as Data Processor, employees undertake to comply with, and enforce compliance with, all the measures set out in this Policy that may affect the personal data they may have access to as a result of their work activity, in accordance with their responsibilities.
- that when Signaturit, its employees or external collaborators need access to personal data held in files for which the customer is responsible in order to provide the services contracted by that customer, the conditions set out in the documents “Processing activities to be carried out” for each contracted service, which are sent to the customer as annexes to the “Conditions Applicable to Access to Personal Data”, shall apply.
- that both Signaturit and its staff and external collaborators shall participate proactively and communicate, according to the internal and external communication channels established in the Communications Plan, any incident or breach of security of which they are aware, especially those that may affect personal data, and shall collaborate in their management and resolution according to the degree of responsibility assigned to them.
Likewise, in all matters not expressly included in this Policy, Signaturit and all its personnel are committed to the strictest compliance with all the provisions and principles set out in the data protection regulations currently in force, mentioned at the beginning of this section, and those regulations that modify or replace them.
Signaturit has an information security management system (ISMS) in place, implementing best practices for information security management in accordance with the ISO/IEC 27001:2022 standard, and applies to all data processing it carries out within the framework of the contracts signed with customers the controls and measures aimed at guaranteeing the security of the personal data, under the responsibility of the customers, to which it has access for the purpose of the contract.
The organisation ensures that it will carry out the periodic checks and security audits necessary to verify that the security controls and measures implemented are effective in addressing the risks for which they have been implemented in each case.
9. Risk management
All systems subject to this Policy shall conduct a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be carried out on a regular basis, at least once a year. In addition, it may be repeated in the following cases:
- When the information handled changes.
- When the services provided change.
- When a serious security incident occurs.
- When serious vulnerabilities are reported.
- For the harmonisation of risk analyses, the SG Committee will establish a baseline assessment for the different types of information handled and the different services provided.
- The methodology used for risk assessment is MAGERIT, which allows for the effective management of incidents that could occur in the different information assets and affect any of the principles of confidentiality, integrity, availability, authenticity and traceability.
- The SG Committee will streamline the availability of resources to meet the security needs of the different systems by promoting horizontal investments.
10. Development of the Security Policy
This Information Security Policy complements the security policies of Signaturit Group (Spain) in different areas:
- Management System Policy.
- eIDAS Services Policy and Practice Statements.
- Acceptable use of assets policy.
- Security risk analysis.
- Incident management.
- Asset Management.
- Physical and Environmental Security.
- Access Control.
- Communications and Operations Security.
- Security Organisation.
- Continuity.
- Change management.
- Classification of information.
- Secure development.
- Continuous improvement.
This Policy shall be developed by means of security regulations that address specific aspects. The security policy shall be available to all members of the organisation with a need to know, and in particular to those who use, operate or administer the information and communications systems.
Said regulations (processes, procedures, work instructions and any other necessary documentation) shall be published in the Management System in Confluence, as well as in the corporate Wiki of Signaturit Group (Spain).
11. Obligations of Staff
All members of the Signaturit Group (Spain) are obliged to know and comply with this Information Security Policy and the Security Regulations, and it is the responsibility of the SG Committee to make the necessary means available to ensure that the information reaches those affected.
All members of Signaturit Group (Spain), within the framework of the Annual Training Plan, shall attend an ICT security awareness session at least once a year. A continuous awareness programme shall be established, based on the regular dissemination of e-mails on information security, addressed to all members of Signaturit Group (Spain), particularly new recruits. For these personnel, in addition, we will undertake specific training and assessment of the knowledge acquired, as part of the process of joining the organisation.
Persons with responsibility for the use, operation or administration of ICT systems will be trained in the safe operation of those systems to the extent that they need it to perform their work. Training shall be mandatory before taking up a responsibility, whether it is their first assignment or a change of job or job responsibilities.
12. Third Parties
When the Signaturit Group (Spain) provides services to other organisations or handles information from other organisations, they will be made aware of this Information Security Policy, and channels will be established for reporting and coordinating the information security of other organisations.
The respective responsible persons and procedures shall be established, in accordance with the organisation’s Incident Management Procedure, for reacting to possible security incidents that may occur.
When Signaturit Group (Spain) uses third-party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations pertaining to such services or information. Such third party shall be subject to the obligations set forth in this Policy and may develop its own operating procedures to satisfy such obligations.
Specific incident reporting and resolution procedures shall be established. It shall be ensured that third-party personnel are adequately security-aware to at least the same level as set out in this Policy. Where any aspect of the Policy cannot be satisfied by a third party, the third party shall ensure that the third
As indicated in the previous paragraphs, the Security Manager, together with the person responsible for the service, shall meet to define and specify the risks incurred and how to deal with them. The Signaturit Group (Spain) undertakes to ensure proper compliance with the legal obligations established contractually with its suppliers by drawing up a Supply Chain Policy and controlling and supervising compliance with the same.
Third parties with or without a contractual relationship with the Signaturit Group (Spain) shall refrain from testing for intrusions, vulnerabilities and/or any type of access or attempted access to any of the Signaturit Group (Spain) information systems, except with prior express consent, in accordance with the provisions of national and international criminal law.
Annex – Glossary of Terms
Risk analysis
Systematic use of available information to identify hazards and estimate risks.
Personal data
Any information concerning identified or identifiable natural persons.
Incident management
Action plan to address any incidents that occur. In addition to resolving them, it should incorporate performance measures that provide insight into the quality of the protection system and detect trends before they become major problems.
Risk management
Coordinated activities to direct and control an organisation with respect to risks.
Security incident
Unexpected or undesired event with consequences detrimental to the security of the information system.
Information
Specific case of a certain type of information.
Security policy
A set of written guidelines that govern how an organisation manages and protects the information and services that it considers critical.
Information Officer
A person who has the power to establish the security requirements for information.
Responsible for security
The security officer shall determine the decisions to satisfy the information and service security requirements.
Responsible for the system
Person in charge of the operation of the information system.
Information system
An organised set of resources to enable information to be collected, stored, processed or handled, maintained, used, shared, distributed, made available, presented or transmitted.