Acevedo’s Management, as a general company policy, ensures the proper management of Information Security processed and/or hosted by the systems and services included within the defined scope. To implement this policy, Acevedo’s Management commits to:
Carrying out periodic risk analyses in order to maintain an adequate understanding of the Information Security risks to which assets are exposed, and to develop the necessary measures to limit and reduce such risks by defining the security controls to be implemented.
Developing comprehensive security regulations governing the conditions under which the company, within the established scope, must carry out its activities in order to comply with the defined security requirements.
Allocating the necessary resources and means to implement all determined security measures, maintaining an appropriate balance between cost and benefit.
Establishing a training and awareness plan on Information Security to help all involved personnel understand and comply with the established security measures and to participate proactively in Information Security management.
Implementing all necessary measures to ensure proper management of security incidents that may occur, enabling the resolution of both minor incidents and situations that may jeopardize the continuity of the activities covered.
Periodically establishing a set of Information Security objectives and indicators to enable appropriate monitoring of the evolution of security within the company.
Establishing a methodology for review, audit, and continuous improvement of the system, following a PDCA cycle that ensures the continuous maintenance of the desired security levels.
Acevedo establishes the necessary procedures and courses of action to ensure the proper implementation of this policy. These are reflected in a security system that is documented, known by all Acevedo personnel, and compliant with the requirements established by the applicable standard.
1. General Principles
As established in the scope of application, all external personnel performing work for Acevedo must comply with the Security Policy set out in this document. In the event of non-compliance with any of these obligations, Acevedo reserves the right to veto the external personnel who committed the breach, as well as to adopt any sanctioning measures deemed appropriate in relation to the contracted company, which may include termination of the contracts in force with said company.
All personnel accessing Acevedo’s information systems must comply with the following rules of conduct:
Protect confidential information belonging to or entrusted by third parties to Acevedo against any unauthorized disclosure, modification, destruction, or improper use, whether accidental or otherwise.
Protect all information systems and telecommunications networks against unauthorized access or use, operational interruptions, destruction, misuse, or theft.
Access to Acevedo’s own information systems, or to those under its supervision, shall require prior authorization.
Knowledge, acceptance, and compliance with this Policy are required prior to accessing Acevedo’s information systems.
Additionally, all personnel with specific responsibilities within the defined scope of action must ensure compliance with the following measures:
As a general rule, all design, development, implementation, and operation activities must incorporate identification, authentication, access control, audit, and integrity mechanisms, which shall be specified on a case-by-case basis.
Secure and unique identifiers must be implemented for user authentication.
For proper security operation, security responsibilities must be shared among users, administrators, and those directly responsible for security.
All possible precautions must be taken to physically protect systems and prevent theft, destruction, or service interruption.
A system recovery plan must be in place in the event of theft, destruction, or service interruption.
The confidentiality of stored information must be ensured, both in electronic and non-electronic formats.
All participants in the business continuity plan must be familiar with and able to apply the plan when necessary.
Operations personnel must be familiar with procedures for the recovery of personal data, the securing of personal data storage media, and the procedures for logging the entry and exit of such media.
The Security Manager centralizes the overall efforts to protect Acevedo’s assets in order to ensure the proper functioning of the information technologies that support the organization’s processes. In general terms, assets include all forms of information, as well as the people and technology that support information processes.
The Security Manager shall maintain an up-to-date inventory of contractors, including the following information: contractor name and responsible person, contact telephone number and email address, Acevedo’s internal contractor manager, activities performed by the contractor, start date of the work, and end date.
For each contractor, information must also be provided on the users and corporate equipment used. The contractor manager at Acevedo must inform the Logical Security area of any changes to this information.
2. Information Confidentiality
Information confidentiality is defined as the assurance that information is not improperly disclosed to entities or processes.
In order to preserve confidentiality:
External personnel with access to Acevedo’s information must consider such information to be confidential by default. Only information accessed through Acevedo’s public information dissemination channels may be considered non-confidential.
Users shall protect the confidential information to which they have access against unauthorized or accidental disclosure, modification, destruction, or misuse, regardless of the medium in which such information is stored.
Maximum confidentiality shall be maintained indefinitely, and no confidential information shall be disclosed externally in any format unless duly authorized.
The use of paper-based reports containing confidential information shall be minimized, and such documents shall be kept in a secure location and out of reach of third parties.
With regard to the use of contact directories provided by Acevedo, external personnel shall only enter personal data that are strictly necessary, such as first and last name, roles or positions held, and postal or electronic address, telephone number, etc.
No external collaborator on projects or specific tasks shall possess, for purposes unrelated to their responsibilities, any material or information owned by or entrusted to Acevedo, either now or in the future.
If, for reasons directly related to the job position, an employee of the service provider company comes into possession of confidential information in any format, such possession shall be considered strictly temporary, subject to confidentiality obligations, and shall not confer any right of ownership, possession, or copying of such information.
The employee of the service provider company must return the aforementioned media immediately after completion of the tasks that justified their temporary use and, in any case, upon termination of the relationship between their company and Acevedo. Continued use of the information in any format or medium other than that agreed, and without Acevedo’s knowledge, shall not constitute any modification of this provision.
All these obligations shall remain in force after the completion of the activities performed by external personnel for Acevedo.
Breach of these obligations may constitute a criminal offense of disclosure of secrets under Article 197 of the Spanish Criminal Code and may give rise to claims for compensation.
To ensure the security of Personal Data stored in automated files, personnel belonging to service provider companies must also comply with the following rules of conduct, in addition to the considerations already mentioned:
Personnel may only create temporary files containing personal data when necessary for the performance of their work. Such temporary files shall never be stored on local disk drives of personnel workstations (personal computers) and must be destroyed once they are no longer necessary for the purpose for which they were created.
The removal of computer media containing personal data from the premises where such information is located may only be authorized by the person responsible for the information or file.
The information owner shall be responsible for verifying the definition and proper application of backup and data recovery procedures.
Computer media containing personal data must allow identification of the type of information they contain, be inventoried, and be stored in a location with access restricted to authorized personnel only.
3. Physical access control to Acevedo’s facilities
The following rules are established:
Access by external support personnel to specially protected areas shall be restricted. Such access, as with any other non-Acevedo personnel requiring entry to protected areas, shall be granted only when necessary, duly authorized, and always under the supervision of authorized personnel.
Visitors shall be accompanied at all times, and the date and time of their entry and exit shall be recorded.
4. Appropriate use of resources
The resources made available by Acevedo to external personnel, regardless of their type (IT resources, data, software, networks, communication systems, etc.), are provided exclusively to fulfill the obligations and operational purpose for which they were designed and implemented. All users of such resources must be aware that they have no right to confidentiality in their use. The following is strictly prohibited:
Use of these resources for activities unrelated to the purpose of the service, or excessive use beyond what is required.
Searching for or exploiting vulnerabilities in any application or equipment.
Use of equipment and/or applications that are not specified as part of Acevedo’s software or IT resource standards, or that are not under Acevedo’s supervision.
Introducing obscene, threatening, immoral, or offensive content into the information systems or corporate network.
Knowingly introducing any type of malware (programs, macros, applets, ActiveX controls, etc.), logical devices, physical devices, or any other sequence of commands that cause or may cause any type of alteration or damage to IT resources. The supplier shall be obliged to use antivirus software and its updates to prevent the introduction into the systems of any element intended to destroy or corrupt computer data.
Attempting to obtain rights or access other than those assigned.
Attempting to access restricted areas of the Information Systems without proper authorization.
Attempting to distort or falsify information system logs.
Attempting to decipher passwords, encryption systems or algorithms, or any other security elements involved in telematic processes.
Possessing, developing, or executing programs that may interfere with the work of other users, or damage or alter IT resources.
Attempting to destroy, alter, disable, or otherwise damage data, programs, or electronic documents. Such actions may constitute a criminal offense under applicable legislation.
Storing personal data on local disk drives of user workstations (personal computers).
Any file introduced into the corporate network or the user’s workstation through automated media, the Internet, email, or any other means must comply with the requirements established in these rules, in particular those relating to intellectual property, personal data protection, and virus control.
Connecting non-corporate computers to Acevedo’s communications network, except to the network specifically enabled for visits, suppliers, or others requiring an Internet connection.
5. Protection against malware
The resources used by the supplier to provide services to Acevedo must comply with the following guidelines:
Systems shall be kept up to date with the latest available security updates.
Antivirus software must be installed and used on all servers, where applicable, and on all personal computers to reduce the operational risk associated with viruses or other malicious software.
Antivirus software must always be enabled. Automatic updates of virus definition files shall be configured on both personal computers and servers, where applicable, as well as blocking mechanisms upon detection of computer viruses.
All software must be properly licensed; therefore, the use of pirated software, cracks, or similar license-circumvention tools is expressly prohibited.
If any malware is detected on equipment connected to Acevedo’s network, such equipment shall be disconnected from the network without prior notice. The Security Manager shall notify the issue using the available means, and it shall be the responsibility of the contractor to remove the detected malware. Reconnection to the corporate network must be authorized by the Security Manager, who shall request all necessary information about the equipment in order to ensure that it has been properly cleaned.
6. Information exchange
The following rules are established:
Users must not conceal or manipulate their identity under any circumstances.
In cases where Acevedo assigns a generic user account, it shall be the responsibility of the supplier to maintain an up-to-date list of the persons using such generic account at any given time.
The distribution of information, whether in digital or paper format, shall be carried out using the devices provided by Acevedo for this purpose and exclusively to facilitate job-related functions. Depending on the identified risk, Acevedo reserves the right to implement control, logging, and audit measures on such distribution devices.
With regard to information exchange, the following activities shall be considered unauthorized:
Transmission or receipt of copyright-protected material in violation of Intellectual Property Law.
Transmission or receipt of any type of pornographic material, messages or jokes of an explicitly sexual nature, racially discriminatory statements, or any other type of statement or message that may be classified as offensive or illegal.
Transfer of files containing Acevedo material or material that is in any way confidential to unauthorized third parties.
Transmission or receipt of files that violate Personal Data Protection Law or Acevedo’s guidelines.
Transmission or receipt of applications not related to business activities.
Participation in Internet activities such as newsgroups, games, gambling, or others that are not directly related to business activities.
Any activity that may damage Acevedo’s reputation is prohibited on the Internet and elsewhere. This also applies to activities carried out for the personal economic benefit of the user or third parties, as well as activities of a political nature.
Any transfer of information containing personal data (whether on computer media, paper, or by email) may only be carried out by authorized personnel and with the appropriate permission.
If personal data processing is carried out outside the premises where the file is located, such processing must be expressly authorized by the data controller and, in all cases, must guarantee the level of security corresponding to the type of file processed.
The transmission of high-level personal data through telecommunications networks shall be carried out by encrypting such data or by using any other mechanism that ensures the information is not intelligible or manipulable by third parties.
7. Use of email
The email account is considered a tool that the contractor must provide in order to perform the contracted work.
The following general criteria are established:
Each user of Acevedo’s IT systems shall have a specific and unique email account, assigned exclusively to that user.
External users shall not be provided with an Acevedo email address.
At the time of registration, the external user must provide an email address belonging to their own company’s domain (preferably) or, alternatively, a personal email address.
This general criterion is compatible with the fact that such external users may access generic mailboxes when necessary to carry out their work. Emails sent from these generic mailboxes do not identify the sender.
Exceptionally, and subject to justified circumstances and prior express authorization, an external user may be assigned an Acevedo email address. In such cases, the Acevedo service manager must submit the corresponding request, which shall be evaluated by the Security Manager.
The use of email by external users shall be subject to the following rules:
Email is considered a work tool provided to the user to be used solely for its intended purpose. This consideration authorizes Acevedo to implement control systems aimed at ensuring the protection and proper use of this resource. Such authority shall be exercised while safeguarding the user’s dignity and right to privacy.
Acevedo’s email system must not be used to send fraudulent, obscene, threatening, or similar messages.
Users must not create, send, or forward advertising or pyramid messages (messages distributed to multiple users).
The transmission via email of information containing personal data is not permitted unless the electronic communication is encrypted and the transmission is expressly authorized.
The transmission via email of Acevedo’s confidential information is not permitted unless the electronic communication is properly encrypted and the transmission is expressly authorized.
8. Internet connectivity
The use of the Internet by external users shall be subject to the following rules:
The Internet is a work tool. All Internet activities must be related to work tasks and activities. Users must not visit websites that do not support the services provided to Acevedo.
All traffic to and from the Internet shall be inspected for threats. If any equipment is found accessing websites classified as malicious (pornography, gambling, etc.) or unrelated to business activities, it may be disconnected from the network without prior notice.
Acevedo reserves the right, within the limits permitted by law and without prior notice, to restrict total or partial Internet access from Acevedo’s IT network and terminals.
Internet access from the corporate network is restricted through control devices integrated into the network. The use of other connection methods must be previously validated and shall be subject to the above considerations regarding Internet use.
Users must not use Acevedo’s name, symbol, logo, or similar symbols in any Internet element (email, websites, etc.) unless strictly justified by work-related activities.
Data transfer to or from the Internet shall only be permitted in connection with activities related to the services provided to Acevedo. Any file transfer unrelated to such activities (for example, downloading computer games, audio files, or multimedia content) is not permitted.
9. User responsibilities
All external users, by virtue of their status, assume certain responsibilities:
Each user shall be responsible for their identifier and all consequences derived from its use; therefore, it must be known only by the user and must not be disclosed to other users under any circumstances.
Users shall be responsible for all actions recorded in Acevedo’s IT systems under their identifier.
Users must comply with the directives defined regarding password management.
Users must ensure that equipment is protected when unattended.
The following clean desk policies are established to protect paper documents and removable storage devices, in order to reduce the risks of unauthorized access, loss, and damage to information, both during and outside normal working hours:
Lock away, where applicable, paper documents and IT media in secure furniture when not in use, especially outside working hours.
Do not leave equipment assigned to critical functions unattended and lock access when strictly necessary.
Ensure the confidentiality of documents at both information receipt and dispatch points, as well as at duplication devices (photocopiers and scanners).
The reproduction or transmission of information using such devices shall be the responsibility of the user.
Lists containing personal data or confidential information must be stored in a secure location accessible only to authorized personnel.
Lists containing personal data or confidential information must be securely destroyed once they are no longer necessary.
If information security incidents or weaknesses are identified, users are prohibited from carrying out tests to detect and/or exploit such alleged weaknesses or security incidents.
10. User equipment
The following principles apply to IT equipment associated with user workstations:
All user workstations with connectivity to Acevedo’s IT resources shall be controlled by Acevedo.
No user shall attempt, by any means, to breach security systems or authorizations, nor possess tools capable of doing so.
Network traffic capture by users is prohibited, except when expressly authorized audit activities are being carried out.
When a workstation is unattended for a short period of time, the user must activate its lock. At the end of the working day, the equipment must be powered off.
11. User identifiers and passwords
Personnel from service provider companies who access Acevedo’s information systems within their scope of work are responsible for ensuring that data, applications, and IT resources are used solely for the operational purposes for which they were created and implemented. Such personnel are required to use Acevedo’s resources and the data contained therein without engaging in activities that may be considered unlawful or illegal. To access the information systems, such personnel must have authorized access (user identifier and password) and, as information system users, must observe the following principles of conduct and good practices:
When users receive their access identifier to Acevedo’s systems, they are deemed to have formally accepted the current Security Policy.
Users must keep their access credentials confidential.
All users with access to an information system shall have a single access authorization consisting of a user identifier and password.
Failed login attempts are limited in number.
All login attempts are logged, whether successful or not.
Users are responsible for all activity related to the use of their authorized access.
Users must not use another user’s authorized access, even if they have the owner’s permission.
Users shall have authorized access only to the data and resources necessary to perform their duties.
Users must not include passwords in automated login processes, for example those stored in function keys or macros.
Passwords shall consist of a combination of alphabetic and numeric characters.
Users must not disclose their identifier and/or password to any other person under any circumstances, nor keep them written down in a visible place or within reach of third parties.
Users must not use the same passwords for personal and professional purposes.
Temporary authorized accesses shall be configured for a short period of time. Once this period has expired, they shall be deactivated in the systems.
With regard to personal data, only personnel authorized in the Information Classification Document may grant, modify, or revoke authorized access to data and resources, in accordance with the criteria established by the data controller.
If a user suspects that their authorized access (user identifier and password) is being used by another person, they must immediately change their password and contact Acevedo to report the incident.
Password changes shall be carried out through Acevedo’s access management system.
12. Software
The following principles apply to software:
All personnel accessing Acevedo’s information systems must use only the software versions specified and in accordance with their usage rules.
All personnel are prohibited from installing illegal copies of any software, including standardized software.
The use of non-validated software is prohibited.
The use of software without the corresponding license is prohibited.
The use of cracked or pirated software is prohibited.
13. Network connection
The following principles apply to network connections:
Remote user access shall be subject to compliance with authentication procedures and prior validation of access.
Acevedo reserves the right, without prior notice, to block, suspend, modify, or monitor the services supported on its IT network and made available to external entities.
No one shall connect to the corporate network using means other than those defined by Acevedo.
Acevedo reserves the right to disconnect from the corporate network, without prior notice, any equipment used by a supplier when activities are detected that contravene the principles and rules set out in this document.
14. Access management
There is a formal process for the registration, granting, modification, and revocation of user access, applicable to all Acevedo Information Systems.
The following principles are established:
Communication of the rules and responsibilities for the use of Acevedo’s information systems must be ensured when any access to the systems is granted to users.
Each system has a set of profiles and privileges assigned to users according to their needs.
System access privileges are assigned considering the actual needs required to perform users’ duties, and must not be granted either excessively or insufficiently.
System access privileges ensure proper segregation of duties. In cases where segregation of duties cannot be guaranteed, appropriate compensating controls are implemented.
Any request for the granting or modification of access privileges to Acevedo’s systems must be recorded in the identity and access management tool and subsequently approved.
Access and corresponding privileges are implemented in the systems only after all required approvals have been obtained.
A formal record of all authorized users and their respective system access privileges is maintained.
Changes in system access needs must entail corresponding adjustments to access rights.
System access privileges assigned to users are automatically revoked when their professional relationship with Acevedo ends.
Periodic reviews are carried out to eliminate or block redundant or unnecessary accounts.
Users must have individual identifiers (user IDs) protected by passwords.
The use of generic identifiers (generic or group accounts) is permitted only in duly justified, approved, and recorded exceptional cases.
Generic accounts have an associated individual user who is responsible for them.
The nomenclature used in generating identifiers follows rules defined by Acevedo.
The user identifier allows the user’s identity to be recognized, but never their privilege levels.
The identifier must be personal, for exclusive use, and unique across all systems, where technically feasible.
Identifiers of users who no longer have a relationship with Acevedo may not be reassigned to other users.
For exceptions, a record and history of the persons associated with a user ID must be maintained.
Acevedo reserves the right, without prior notice, to block, suspend, modify, and monitor users of its systems and their respective access privileges.
The contractor’s manager must notify Acevedo’s responsible party of any changes regarding the persons, identities, and equipment connected to the corporate network. In addition, Acevedo’s responsible party must communicate this information to the Security Manager, who shall maintain an up-to-date inventory of the connections made to the corporate network by contractors.
15. Intellectual property
With regard to Intellectual Property, the following principles shall apply:
External entities accessing the Internet through Acevedo’s IT network and terminals are responsible for respecting the intellectual property rights applicable to the accessed content.
Compliance with legal restrictions on the use of material protected by intellectual property regulations shall be ensured.
External users may only use material authorized by their company or by Acevedo for the performance of their duties.
The use of software programs without the corresponding license is strictly prohibited.
Likewise, the use, reproduction, assignment, transformation, or public communication of any type of work or invention protected by intellectual property without proper authorization is prohibited.
Acevedo shall only authorize the use of material produced by Acevedo itself, or material authorized or supplied to it by its owner, in accordance with the agreed terms and conditions and applicable regulations.
16. Incidents
If any incident related to information systems is detected, the following rules shall apply:
Any incident detected that affects or may affect the security of personal data must be reported to the Security Manager, including loss of lists and/or storage media, suspected misuse of authorized access by other persons, data recovery issues, etc.
17. Security requirements for outsourcing
The supplier company must document and apply appropriate procedures to ensure the following requirements:
Affected personnel must be aware of and comply with the Security Policy.
Applicable regulatory and legal requirements must be met (LOPD GDD, LSSI, etc.).
Acevedo shall provide the supplier with a document containing guidelines for connecting to its corporate network and installing workstations.
The list of authorized users and access logs shall be available for verification by the service manager.
Occasional access to the facilities by unauthorized persons must be recorded. Such persons must be properly identified and accompanied at all times by authorized personnel.
Acevedo’s service manager may verify these conditions personally or delegate this task to another Acevedo representative or to a specialized company. Access must be granted for aspects related to internal or external audits whenever Acevedo deems it appropriate.
The system must include procedures for the return and/or destruction of data and assets once the service has ended.
Acevedo reserves the right to require:
The implementation of any mechanism Acevedo deems necessary to guarantee secure access to its data and assets. Likewise, it may require appropriate penalties and/or guarantees based on the risks of non-compliance or deterioration of service assets.
The presence and cooperation of all collaborating and supplier companies, and their best assistance, in restoring, under Acevedo’s direct coordination, the normal operation of business activities after they have been interrupted by an emergency or disaster.
The existence of business continuity or contingency policies and plans to ensure the continuity of these companies’ activities in the event they are affected by a catastrophe or disaster situation. Acevedo also reserves the right to audit the existence and level of implementation of such plans.
18. Monitoring and control
In order to ensure the proper use of the aforementioned resources, through the formal and technical mechanisms deemed appropriate, Acevedo shall verify, either periodically or when specific security or service reasons so require, the correct use of such resources by all users.
If it is observed that someone is improperly using applications and/or data, in particular, as well as any other IT resource, such circumstance shall be communicated and, where appropriate, the necessary training for proper resource use shall be provided.
If bad faith is detected in the improper use of applications and/or data, in particular, as well as any other IT resource, Acevedo shall take the legal actions available to protect its rights.
19. Update of the Security Policy
Due to the ongoing evolution of technology, security threats, and new legal developments in this area, Acevedo reserves the right to modify this Policy whenever necessary.
Any changes made to this Policy shall be communicated to all service provider companies to which it applies, using the means deemed appropriate. Each supplier company is responsible for ensuring that its personnel read and are aware of the most recent version of Acevedo’s Security Policy.