Information Security Policy

This policy establishes the foundation for defining and delineating objectives and responsibilities for various technical and organizational actions necessary to ensure information security compliance. It adheres to applicable legal frameworks, specific directives, policies, and defined procedures.

These actions are selected and implemented based on a risk analysis, considering the balance between acceptable risk and the cost of measures. SIRT has established security requirements, identifying and prioritizing the significance of various elements of its activities, ensuring that the most important and/or sensitive processes receive enhanced protection.

It is a commitment of SIRT’s management and all employees to promote and support the implementation of necessary technical and organizational measures to minimize potential risks to which information is exposed, in line with achieving strategic business objectives.

The goal of this policy is to achieve an adequate level of compliance, commitment, and protection. In specific matters of the Company’s information security and respect for user privacy, this policy is developed to preserve the following security principles:

  • Confidentiality
  • Information Integrity
  • Availability
  • Authenticity
  • Traceability

These fundamental principles must be safeguarded and ensured in any form the information may take, whether electronic, printed, visual, or verbal, and regardless of whether it is processed on Company premises or off-site.

Additionally, these principles should be applied in the following security areas:

  • Physical: Encompasses security for premises, facilities, hardware systems, media, and any physical assets that process or may process information.
  • Logical: Includes protections for applications, networks, electronic communication protocols, and IT systems.
  • Corporate Policy: Covers security aspects relating to the Company itself, internal regulations, and applicable legal norms and regulations.

The Information Security Policy has been developed to ensure the confidentiality, integrity, traceability, authenticity, and availability of the Company’s technology and information assets. It aligns with international information security standards. This Policy also references the General Information Security Regulations, and the controls of the National Security Framework in the high category apply.

In matters of data protection and privacy, the policy follows the guidelines of the regulatory authority (Spanish Data Protection Agency) and the recommendations of the European Data Protection Board, including the guidelines of the Article 29 Working Party.

The Company’s General Management formally commits to supporting the security plans derived from the application of this integrated Policy. This commitment includes:

  • Providing the necessary human and financial resources, within budgetary limits;
  • Assigning roles and responsibilities to personnel associated with security plans;
  • Supporting the training of human resources involved in the integrated management system to achieve the necessary awareness and competencies;
  • Ensuring the proper functioning of the Management System;
  • Facilitating communication with other organizations on information security matters, as well as direct contact with relevant authorities;
  • Promoting the development of this policy.

This policy is published to take effect and fulfill its intended purpose.