1. Introduction
NeuronUP relies on ICT (Information and Communication Technology) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them from accidental or deliberate harm that could affect the availability, integrity, or confidentiality of the information processed or the services provided.
NeuronUP staff must ensure that security is an integral part of every stage of the system’s lifecycle, from conception to decommissioning, including development or acquisition decisions and operational activities.
NeuronUP’s departments, in accordance with their assigned functions, must be prepared to prevent, detect, respond to, and recover from incidents, in compliance with applicable regulations.
To ensure compliance with this policy, the Information Security Committee regularly develops and evaluates systems and ensures that all NeuronUP personnel are aware of and fulfill their roles in accordance with information security.
2. Scope of Application
This policy applies to all ICT systems of NeuronUP and to all members of the organization, without exceptions.
3. Purpose of this Policy
The purpose of this policy is to establish the framework for ensuring the security of information and the continuous provision of services.
This Policy is implemented through security documentation and regulations available to all members of the organization who need to know it, particularly for those who use, operate, or manage information and communication systems, via procedures, processes, technical instructions, etc.
The security regulations are available to all employees of the organization in the general documentation space within Google Workspace.
4. Regulatory Framework
NeuronUP is committed to complying with all applicable laws, regulations, and standards regarding Information Security.
5. Security Organization
The company’s Management assumes the responsibility of promoting and supporting the establishment of technical, organizational, and control measures that ensure the necessary levels of quality and security for the company’s operations, committing to the continuous improvement of the Information Security Management System (ISMS).
This task’s responsibility is delegated to the Information Security Management Committee (ISMC) or Security Committee.
NeuronUP’s management establishes the Security Committee as a cross-functional collegial body, composed of:
- Information Security Officer of the company and Chairman of the Committee
- Systems Administrator as Secretary of the Security Committee
- Chief Technology Officer
Appointments will be reviewed every 2 years or when a position becomes vacant, upon proposal by the Security Committee itself.
The responsibilities of these roles are included in the job descriptions of their respective incumbents, and the procedure for their appointment and/or renewal is approved by management.
5.1. Functions of the Security Committee
The primary function of the Information Security Committee is to set the Information Security Policy and the objectives of the Information Security Management System (ISMS).
The Security Committee will establish acceptable risk levels, determining appropriate actions to reduce risks that exceed these thresholds.
The Security Committee is responsible for the annual review of this Information Security Policy and the proposal for its revision or maintenance, which will be supplemented by security regulations and recommendations (policies, protocols, procedures, technical instructions, etc.).
Security points to be reviewed at least annually:
- The status of actions to be taken since the last control
- Significant changes to the ISMS
- Risk management, vulnerabilities, and threats
- Technologies, products, and services for continuous improvement
6. Risk Management
To harmonize risk analyses, the Security Committee will establish a reference assessment for the different types of information handled and the various services provided.
The Security Committee will study the availability of resources to meet the security needs of different systems.
All systems subject to this Policy must conduct a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:
- Regularly, at least once a year
- When a severe security incident occurs
- When serious vulnerabilities are reported
To ensure the availability of critical services in the event of incidents, the company has a Disaster Recovery Plan procedure that coordinates all recovery activities for business processes that may be affected.
7. Staff Obligations
All NeuronUP members are required to know and comply with this Information Security Policy and the security regulations, and it is the responsibility of the Security Committee to provide the necessary means for the information to reach those affected.
Non-compliance with this Information Security Policy and the regulations that develop it may result in disciplinary sanctions in accordance with the Workers’ Statute and the applicable collective agreement.
Specific guidelines for workers are developed in the Workers’ Privacy and Security Policy.
7.1. Awareness and Training
All NeuronUP members will attend an ICT security awareness session at least once a year. A continuous awareness program will be established to address all NeuronUP members, particularly new hires.
Individuals responsible for the use, operation, or management of systems will receive training for the secure handling of systems as needed to perform their jobs. Training will be mandatory before assuming responsibility, whether it is their first assignment or a change in job position or responsibilities within the same role.
7.2. Basic ISMS Guidelines
The basic guidelines for the secure handling of information and the structuring of system security documentation, its management, and access are developed in the ISMS manuals, policies, regulations, and procedures.
The basic guidelines for the secure handling of information are as follows:
- Information must be classified into the following categories: Public, Internal Use, Confidential, or Restricted.
- Media storing confidential or restricted information must be stored in a secure location.
- Access to information systems will be granted based on the need to know.
- Physical access controls to the building restrict access to authorized personnel only.
- All employees must register their entries and exits from company buildings through the time control/fichaje system.
- External individuals to the company must register as established by NeuronUP.
- NeuronUP’s password management policy will be followed.
- Computers are configured to automatically lock with a password-protected screensaver after a period of inactivity. However, it is up to the user to manually lock it whenever they leave their workstation.
- Whenever an employee leaves the company, their access rights will be deactivated.
- Users will have corporate email for the development of their work.
- Contracts with third parties will include appropriate security clauses.
- Users should never disable antivirus programs or any other tools or controls installed to enhance security.
- Users should not expect privacy when accessing the company’s information systems, as the company (within the established legal framework and to manage systems and enforce security) may review any information stored on its systems.
- Any security-related inquiry can be directed to [email protected].
- Upon detecting a situation affecting NeuronUP’s information security, any user (employee or external) must report it to the department head and/or security officer.
8. Personal Data
NeuronUP processes personal data and, therefore, has a Personal Data Protection Policy that complies with the security levels required by applicable regulations.
The Security Document is periodically reviewed and updated, thus demonstrating the required proactivity and ensuring the security of the personal data processed.
9. Third Parties
When NeuronUP provides services to other organizations or handles information from others, they will be made aware of this Information Security Policy, channels will be established for reporting and coordinating the respective Security Committees, and procedures will be established for reacting to security incidents.
When NeuronUP uses third-party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations applicable to such services or information. The third party will be subject to the obligations established in such regulations and may develop its own operational procedures to satisfy them. Specific procedures for incident reporting and resolution will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least at the same level as established in this Policy.
When any aspect of the Policy cannot be met by a third party as required in the preceding paragraphs, a report from the Security Officer detailing the risks incurred and how to address them will be required. Approval of this report by the responsible parties for the affected information and services will be required before proceeding further.