Information Security Policy
CORPORACIÓN VECTALIA maintains a commitment to information security that is expressed in several ways. As part of our commitment to customers, employees, suppliers and institutions, one of the key aspects of our mission is to adopt the necessary measures to ensure that the information handled by the organisation is accurate and available when it is required.
CORPORACIÓN VECTALIA has implemented the necessary controls so that this information cannot be accessed by unauthorised personnel.
The security policy of Corporación Vectalia rests on the following fundamental security guidelines, which derive from the requirements of the ISO/IEC 27001:2013 standard and the National Security Scheme, ensuring the quality of products and services and the confidentiality, integrity, availability, authenticity and traceability of the information systems.
- Management commitment. Information security has the commitment and support of all management levels so that it can be coordinated and integrated with the rest of the strategic initiatives of CORPORACIÓN VECTALIA. As proof of this commitment, the General Management ensures the fulfilment of this document, keeping it updated and approved, providing all the economic and logistic means for the constitution, implementation, maintenance and evolution of the management system and the national security scheme.
- Integral Process. Security shall be understood as an integral process made up of all the technical, human, material and organisational elements related to the system. Information security in the provision of services must be considered as part of normal operations, being present and applied from the initial design of the information systems.
- Risk-based security management. The risks that may endanger the quality of service delivery and the security of the information managed therein are studied and assessed. Accordingly, the necessary measures will be applied to mitigate these risks based on their criticality, with periodic evaluations carried out to determine the status of risk treatment.
- Prevention, reaction and recovery. The security of the system includes aspects of prevention, detection and correction to ensure that threats do not affect information and the quality of services. To this end, review cycles based on risk planning, implementation of minimisation measures and their subsequent reassessment will be carried out.
- Line of defence. Appropriate mechanisms will be put in place to ensure the availability of information systems and to support the continuity of services, prioritising the appropriate reaction to incidents in order to reduce the likelihood of the service being compromised.
- Periodic reassessment. The Management carries out a periodic evaluation of the quality of the services provided and the security measures applied in order to adapt their effectiveness to the constant evolution of the risks, setting objectives as a commitment to the continuous improvement of the system.
- Differentiated responsibility. In the information systems, a distinction is made between the person responsible for the information, who determines the security requirements of the information processed; the person responsible for the service, who determines the security requirements of the services provided; and the person responsible for security, who determines the decisions to satisfy the security requirements.
In drawing up its Security Policy, CORPORACIÓN VECTALIA has taken into account the provisions established for compliance with the Integrated Management System and the requirements defined in the National Security Scheme, as well as the requirements established by the applicable legal and regulatory framework in which its activities are carried out.