Tickamore

1. APPROVAL AND ENTRY INTO FORCE

This document was approved by General Management on March 19, 2025. This Information Security Policy has been effective since that date and shall remain so until it is replaced by a new version.

2. INTRODUCTION

SICOMORO SERVICIOS INTEGRALES, S.L. relies on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be diligently managed, with appropriate measures implemented to protect them from accidental or deliberate harm that could compromise the availability, integrity, or confidentiality of the information processed or services provided.

The goal of information security is to ensure the quality of information and the continued delivery of services through prevention, daily monitoring, and swift incident response.

ICT systems must be protected against rapidly evolving threats that can impact the confidentiality, integrity, availability, intended use, and value of information and services. An adaptive strategy is required to respond to environmental changes and guarantee service continuity.

Departments must implement the minimum security measures mandated by the National Security Framework (ENS), monitor service performance levels, analyze reported vulnerabilities, and prepare effective incident responses to maintain continuous service delivery.

Security must be integrated into every phase of the system lifecycle, from design to decommissioning, including development/acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in project planning, RFPs, and procurement documents.

Departments must be ready to prevent, detect, respond to, and recover from incidents in accordance with Articles 6, 7, 8, 9, 11, and 12 of the ENS (Royal Decree 311/2022, of May 3).

2.1. PREVENTION

Departments must prevent or minimize the impact of security incidents on information and services. They must implement the ENS minimum security measures and any additional controls identified through risk assessment. These controls and the security roles and responsibilities of all personnel must be clearly defined and documented.

To enforce this policy, departments must:

  • Authorize systems before they become operational.

  • Regularly assess security, including routine configuration changes.

  • Request periodic third-party reviews for independent evaluation.

2.2. CONTINUOUS MONITORING

To detect service degradation or anomalies, services must be continuously monitored. Procedures must ensure real-time system assessments and vulnerability detection and correction.

Under Article 6 (Chapter II) of the ENS, monitoring is essential once the defense layers described in Chapter II, Section 2 have been defined. Mechanisms for detection, analysis, and reporting must be established, with reporting carried out regularly or whenever significant deviations occur.

2.3. RESPONSE

The entity has mechanisms in place for effective incident response, including a point of contact for cross-department or external incident communication, and protocols for information exchange, including with CERT teams.

2.4. RECOVERY

To ensure the availability of critical services, the entity has developed ICT continuity plans as part of its overall business continuity and recovery planning.

3. SCOPE

This policy applies to all ICT systems and all organization members involved in services and projects for the public sector where ENS compliance is required.

4. MISSION

Primary objectives:

  • Promote electronic interaction between users and the entity or its clients.

  • Reduce user service response times.

  • Shorten resolution times for user-requested processes.

  • Develop a document management system that enables quick staff access to user-requested information.

5. REGULATORY FRAMEWORK

This policy is based on the following legislation:

  1. Royal Decree 311/2022, of May 3.

  2. Law 30/1992, of November 26.

  3. Law 40/2015, of October 1.

  4. Regulation (EU) 2016/679 (GDPR).

  5. Organic Law 3/2018, of December 5.

  6. Law 11/2007, of June 22.

  7. Law 7/1985, of April 2, as amended by Law 11/1999.

6. SECURITY ORGANIZATION

6.1. COMMITTEES: ROLES AND RESPONSIBILITIES

The ICT Security Committee comprises the DPO, the Heads of Development, Administration, Systems/Support, and ISO/ENS Management Systems.

The Committee Secretary is the Head of Administration, responsible for convening meetings and recording minutes. The Committee reports to General Management.

Functions include:

  • Coordinating and approving information security actions.

  • Promoting a security-aware culture.

  • Participating in system categorization and risk analysis.

  • Reviewing security documentation.

  • Resolving security management issues.

6.2. ROLES: ROLES AND RESPONSIBILITIES

Information Security Officer:

  • Maintain adequate information and service security levels.

  • Conduct or promote ENS-mandated audits.

  • Manage ICT security awareness and training.

  • Ensure current measures meet organizational needs.

  • Review and approve security documentation.

  • Monitor system security status.

  • Support and supervise incident investigations, reporting to the Committee.

System Owner:

  • Manage the system throughout its lifecycle.

  • Define system use criteria and available services.

  • Set user access policies.

  • Approve changes affecting system security.

  • Define authorized hardware/software configurations.

  • Perform system risk analysis and management.

  • Develop and approve system security documentation.

  • Categorize the system per ENS Annex I and define applicable measures per Annex II.

  • Implement and control system-specific security measures.

  • Establish contingency and emergency plans, conducting regular drills.

  • Suspend service or data handling if critical deficiencies are detected.

6.3. APPOINTMENT PROCEDURES

The Information Security Officer is appointed by Management upon recommendation from the ICT Security Committee. Review occurs every two years or when the position is vacant.

The department responsible for electronic service delivery (as per Law 11/2007) appoints the System Owner with defined duties approved by Management.

For outsourced services, the provider must appoint an Information Security Point of Contact (POC). If not, the entity’s ICT Security Committee will appoint one.

6.4. INFORMATION SECURITY POLICY REVIEW

The ICT Security Committee reviews this policy annually and proposes updates. The revised policy is approved by Management and distributed to all relevant parties.

7. PERSONAL DATA

The entity processes personal data. The “Personal Data Protection Manual,” accessible only to authorized personnel, outlines the relevant processing activities and responsible parties. All systems must comply with the necessary security measures based on risk analysis and applicable regulations.

8. RISK MANAGEMENT

All systems under this policy must undergo risk analysis. This will be repeated:

  • At least annually, when data or services change.

  • After a significant security incident.

  • When serious vulnerabilities are reported.

To align risk assessments, the ICT Security Committee will define reference values for types of information and services, promote cross-system investments, and ensure resource availability.

9. POLICY DEVELOPMENT

This Information Security Policy complements other internal policies:

  • Risk management policy

  • Personnel management policy

  • Procurement policy

  • Information protection policy

This policy will be supplemented with specific security regulations. These will be made available to relevant staff, especially system users, operators, and administrators.

The policy will be accessible via the TICKAMORE intranet and corporate website.

10. STAFF OBLIGATIONS

All staff must be familiar with and comply with this Information Security Policy and related regulations. The ICT Security Committee is responsible for ensuring dissemination.

All staff will participate in ICT security awareness sessions. A continuous awareness program will be maintained, particularly for new hires.

Personnel with system-related responsibilities must receive appropriate training before assuming duties, whether it is their first assignment or a role change.

11. THIRD PARTIES

When the entity provides services or processes data for other organizations, this policy will be shared, coordination channels between Security Committees will be established, and incident response procedures defined.

Third-party service providers or recipients of data must adhere to this policy and relevant regulations. They may develop their own procedures to comply. Specific reporting and resolution procedures will be in place, and third-party personnel must meet equivalent awareness standards.

If full compliance is not possible, a report from the Information Security Officer will identify associated risks and proposed treatment. This must be approved by the owners of the affected information and services before proceeding.

Zaragoza, March 19, 2025
Version 3
