Information Security Policy

The OESIA Group relies on ICT (Information and Communications Technology) systems to achieve its business objectives. Therefore, the company is aware that these systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, authenticity, traceability, integrity or confidentiality of the information processed or the services provided.

The Oesia Group has opted for an Information Security Management System based on the ENS medium level in general throughout the company, so the Information Security Policy is adapted to the provisions of the CCN-STIC 805 standard of September 2011.

The objective of information security is to ensure the quality of information and the continued provision of services, acting preventively, monitoring daily activity and reacting promptly to security incidents. The ICT systems of the Oesia Group must be protected against rapidly evolving threats that affect the confidentiality, integrity, authenticity, traceability or availability, intended use and value of information and services. To defend against these threats, a security strategy that adapts to changing environmental conditions is required to ensure the continued provision of services. This implies that departments must implement the minimum security measures required by the applicable legal framework, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.

To this end, the Information Security Policy states that:

  1. The present policy materializes the commitment of the Top Management of the Oesia Group regarding the security of the information and what is exposed in it is of obligatory fulfillment for the whole organization.
  2. The entire organization has Information Security responsibilities.
  3. The safety requirements imposed by customers for the products or services provided to them must be complied with at all times and cover their entire life cycle.
  4. The different departments must make sure that the ICT security is an integral part of each stage of the life cycle of the systems, products or services of the Oesia Group, from their conception to their decommissioning, including the development or acquisition decisions and the exploitation activities.
  5. Cybersecurity requirements and cybersecurity funding needs, when necessary, should be identified by the various departments, and included in resource planning, in bids, and in tender documents for Oesia Group projects.

Information Security Policy