Information Security Policy with Suppliers

Information Security Policy with Suppliers

Version effective as of 20/03/2024.

1. Information security management policy with Suppliers

1.1. Purpose and Scope

This policy is intended to inform suppliers that Teknei will implement measures to ensure the security of Teknei’s information and systems. It applies therefore to supplier companies that access, process and/or store data and information of the organization or the end customer and to those who may provide services to physical facilities of Teknei.

In case of conflict or discrepancy with Teknei’s criteria or policies with those of the suppliers, those of Teknei or those required by the customer in relation to the services shall prevail.

1.2. Definitions

For the purposes of the following policy, the following definitions shall apply:

• Information asset: any valuable information (that the company wants to protect) regardless of the medium in which it is stored, processed or communicated.
• Responsible for processing: Teknei
• Security officer: person or persons that the Data Controller has formally assigned the function of coordinating the applicable security measures.
• Data communication: any output, delivery or access to data by a third party, regardless of the means of access or delivery, considering as a third party any public or private entity. Within the framework of data communications containing personal data (linked to compliance with the RGPD), 2 types of cases with different legal implications can be distinguished:
• Provision of services: delivery or access of data by a third party for the sole purpose of providing a service on behalf of the Data Controller and in accordance with the instructions given by the Data Controller.
• Transfer of data: data processing that involves its disclosure to a person other than the data subject, when the characteristics relating to the provision of services are not met.
• Data Transferee: a person or entity other than the Data Controller to whom the Data Controller discloses data for purposes directly related to the legitimate functions of the transferor and transferee, in the context of a data transfer.
• Data Processor: person or entity that, alone or jointly with others, processes personal data on behalf of the Controller, as a result of the existence of a legal relationship that binds it to the Controller and delimits its scope of action for the provision of a service.

1.3. Responsibility and authority

This policy will be reviewed periodically. However, due to the evolution of technology itself, threats, in relation to information security and new legal obligations in the field, Teknei reserves the right to modify this policy when necessary. The changes made will be disclosed to all interested parties by notifying the new version through the usual channels of communication of the company. It is the responsibility of all personnel who perform activities for Teknei, reading, knowledge and compliance with this policy of information security management with suppliers.

Teknei reserves the right to take any measures it deems appropriate in relation to the contracted company, which may lead to the termination of contracts in force with that company.

1.4. Risk identification

In the event of the need to use a supplier that may affect the security of information in Teknei, the risks and additional necessary controls must be identified, taking into account at least:

• The type of access needed: physical (offices, data processing areas, etc.), logical (applications, databases, etc.), network (remote access, permanent connections between offices, etc.), whether the information to be accessed is within the organization or outside the organization (in the facilities of third parties).
• The type of information accessed (classified, personal data, etc.).
• The type of physical facility being accessed (level of criticality of the facility for Teknei).
• The personnel involved belonging to the third party: if they are subcontracted, how they are identified, etc.
• The security controls that the third party has in place, considering the security certifications they may have.
• Legal requirements and contractual obligations.

If the product or service introduces new risks, mitigation actions and responsible parties will be determined. The necessary controls identified in the risk analysis will be included as annexes in the agreement contracts.

1.5. Acquisition of new components

For the acquisition of new resources for information processing (hardware or software), Teknei will select the most suitable offer and the purchase of the new resource will be authorized, considering:

• If the product or service introduces new risks, mitigation actions and responsible parties shall be determined.
• Technical, training and financing needs on a joint basis.
• Adaptation to the security architecture implemented in Teknei.
• Safety level according to European or international standards and certification by independent entities of recognized solvency. To this end, a list of certified products should be consulted before purchasing a product:
• List of Qualified Products of the OC-CCN (High Level)
• List of OC-CCN approved products (For high level you must indicate “High-ENS Qualified Product” and for medium level “Medium-ENS Qualified Product”).
• Guide CCN-STIC-105 Information and Communication Technologies Security Products Catalog.
• List of Common Criteria certified products.

The person in charge of systems shall maintain an updated list of all products, their analysis and conclusions and the corresponding security certificates.

1.6. Contracting of services

Relationships with suppliers must always be covered by the corresponding service delivery agreements (or SLAs), including clauses on guarantees in the use of information.

Agreements should always include the characteristics of the service provided and the responsibilities of the parties.

The minimum quality of the service provided and the consequences of non-compliance shall be detailed. The necessary control and follow-up reports may be requested to justify compliance or deviations.

The agreements, in turn, should include the intention or statement of the existence or not of subcontracting of persons or services by the supplier, a description of the system to be followed in the event of changes that may arise during the term of the contract, the applicable legislation, confidentiality clauses, conditions for renegotiation of the agreement, etc.

Agreements and contracts that involve accessing, processing, communicating or managing the organization’s information or information processing services, or adding products or services to the information processing services, shall indicate the security controls required by Teknei prior to the provision of the service.

If the supplier accesses or treats personal data Teknei will establish a contract of processing order on the legal requirements of the RGPD and RD 1720/2007, which must be signed.

The responsibility and control of the services rendered will be in the first term of Teknei’s project managers and/or area managers.

Any change in the scope of the contracted services must be previously agreed by both parties and reflected in writing, with sufficient time to allow the correct execution of the services agreed with the client.

1.7. Express information security agreement

In addition to what is indicated in the previous section, with respect to the security of the information, if necessary, the supplier company undertakes to:

• Comply with applicable safety policies, standards, procedures and guidelines.
• Protect personal data.
• Communicate to Teknei any anomaly due to malfunction or any suspected security breach (unauthorized access attempt, improper data handling, etc.).
• Ensure physical protection (self-protection, compliance with Health and Safety regulations and existing safety regulations within the building where the activity is carried out).
• Accept and comply with access controls to physical facilities, in order to protect and provide a high degree of confidence in aspects related to security in the execution of their activities and their stay in the company. Personnel must wear their identification badges at all times and may only access areas to which they have been authorized access.
• Regarding the organization of information security, the person responsible for information security must be identified by the supplier, who will be the interlocutor with Teknei for incidents, security breaches, unauthorized access, conflict resolution, communications to affected employees, etc..
• If required, make a responsibility matrix available to Teknei.
• Ensure compliance with Teknei’s secure development policy, in case of execution of services involving custom developments for Teknei.
• Comply with the Policy for the use of media and technological services for external users.
• Return or destroy Teknei’s resources (information, physical media, etc.) upon termination of the agreement.
• Delete the metadata of the file if it is to be sent to third parties outside Teknei or if it is to be published on the Internet.
• Raise awareness and train people under the service provision contract.
• Provide Teknei with auditing and monitoring so that compliance with the requirements and security controls of the agreement can be verified.

In the event that the supplier/third party supplies a software product, the organization must be provided with the security policy of the software product in accordance with the personal data protection legislation or, by means of an annex to the contract, the security measures that the environment must comply with must be addressed.

Teknei must ensure that security and continuity controls are implemented prior to the start of the contracted service and maintained and operated during the service.

1.8. Change management in third-party services

Teknei must manage changes in the provision of services by third parties, taking into account the degree of criticality of the systems and processes involved, and the results obtained in each new risk analysis performed.

The change management process of a service offered by a third party needs to consider the following aspects:

• Changes made by TEKNEI to implement:
  • Improvements in their activities.
  • Development of new applications and systems.
  • Modifications or updates to the regulatory framework (policies, standards, procedures, etc.).
  • New controls for resolving incidents related to information security and security improvement.
• Changes made by third parties to implement:
  • Changes and improvements in the services offered.
  • Changes in the scope of services
  • Use of new technologies.
  • Use of new products or new versions of used products.
  • New development tools and environments.
  • Changes in the physical location of the facilities.
  • Change of vendors.

2. Use of technological means and services for external users.

2.1. Purpose and Scope

In order to support simplicity and operational efficiency within the framework of the provision of the professional services it contracts, Teknei has, under its ownership and/or ownership, a series of technological means and services, such as computer and/or communication resources or its own network, which may be used and utilized by the companies providing such professional services (hereinafter, the “COMPANY”).

In order to protect the integrity and diligent use of these media and technological services, Teknei has this Policy of Use of Media and Technological Services for External Users that makes available to the COMPANY, for their knowledge and compliance.

The proper use of these technological means and services is the responsibility of the COMPANY, being this commitment an additional attribute of diligence in the rendering of the professional services contracted.

The information and data contained in the computer systems or accessible through them, may be classified in different degrees of confidentiality by Teknei. Therefore, the leakage of information and / or data, whether intentional or unintentional, may have a negative impact, economically and reputationally, to Teknei and the COMPANY itself. In this sense and given the importance of following and complying with this policy, it is expressly and transparently informed that any unauthorized dissemination of information and / or data by the COMPANY will constitute a real damage to Teknei, which may be derived to the COMPANY.

As above, the purpose of this policy is to inform the COMPANY that Teknei will monitor and audit the use of the means, resources and technological services of Teknei, to prevent, protect and ensure that there is no malicious or improper use of them, and ensure compliance with the confidentiality, integrity, availability, privacy and traceability of communications and information systems of the COMPANY.

For the purposes of the provisions of this policy, by means, service or technological, computer and communication resource, whether or not owned by Teknei, are understood, by way of example but not limited to, information systems, files, electronic documents and information, technological and computer applications, technological and computer tools, communications infrastructure, connection to internal or external networks, terminals, software, hardware, telematic services, network infrastructure, Internet access and all technological resources to which, as a user, the professional staff of the COMPANY has access.

Hereinafter, all of the foregoing shall be referred to collectively as the “ASSETS” and individually as the “ASSETS”.

This policy shall apply to all COMPANY users accessing the use of one or more ASSETS.

Teknei performs, under legal criteria, regulatory compliance and cybersecurity, investigations and controls necessary for these purposes on all ASSETS. This is carried out without harming and without violating the dignity or privacy of those who use them.

The objectives of these controls are:

• Protect ASSETS, Information Security, Teknei’s corporate image and reputation and the technological elements that make up Teknei’s technological ecosystem.
• To guarantee the confidentiality of the information to which the user has access within Teknei.
• Verification of compliance with legal obligations.
• Prevention of third party liability.
• Verification of the adequate monitoring and compliance with the Compliance Policies and Programs applicable to the corresponding use of the ASSETS by the COMPANY.
• Verification of the existence or non-existence of improper, inadequate or illicit use of the ASSETS. This is to protect that the ASSETS will be used diligently, respectfully and exclusively within the framework of the professional services contracted.

Therefore, all ASSETS, contents, information, files stored therein, including temporary information, may be subject to access, verification, control, inspection and audit by Teknei or by those responsible designated for this purpose, under the terms defined in this Policy.

2.2. IT and communication assets

The proper use of these ASSETS is the responsibility of THE COMPANY, which, through its professionals as users, uses and uses them.

The ASSETS that Teknei makes available to users are, solely and exclusively, to be used for purposes appropriate to the development of the functions related to the provision of contracted services.

To safeguard both the information and the integrity of access to it, a number of points must be observed:

• All ASSETS have access controls defined by Teknei’s ITS area. Each user must keep secret the passwords assigned to them for access to the ASSETS. If users suspect that someone else is using their authorized access (user ID and/or password), they will notify ITS of the corresponding incident.
• It is not allowed to disable the information security mechanisms of any ASSET. In case of detecting and/or suspecting an anomalous operation of the corresponding ASSET, it must be disconnected from the organization’s internal network and, immediately after, communicate the problem to ITS.
• It is strictly forbidden to modify the security settings of the ACTIVO. The user is also prohibited from running applications, portable or not, that are not supported and supplied by Teknei.
• In case the supplier needs to connect mobile devices to Teknei’s infrastructures, Teknei’s requirements will be followed.

2.3. Applications

All applications installed on the ASSETS are either owned by Teknei or are licensed for use by a third party. The installation of copies of programs that have not been acquired by Teknei and/or THE COMPANY, if so authorized in writing by Teknei, is a criminal offense and is therefore expressly prohibited.

2.4. Information and Data

Information embedded in digital media and assets

The use of information and data by users within the ASSETS is subject to the following:

• The user must maintain the confidentiality of all information and data to which it has access and hosted on Teknei’s digital assets or servers, or circulating through its network through communication or transmission elements, which are owned or entrusted to it.
• Users are obliged to protect the information, avoiding unauthorized sending to the outside, including both access and visualization of this information.
• No right is conferred to the user as to the possession, ownership or right to copy the information, so its use must be strictly professional.
• Users with access to information and data must use them only for operations related to the provision of professional services contracted by Teknei, without using them for other purposes or engaging in activities that may be considered unlawful or illegal. Likewise, they must only access those data and resources that they need for the exercise of the functions that correspond to them, and carry out only those treatments that are necessary for the fulfillment of the provision of services entrusted by Teknei.
• Users are obliged to protect the information and data to which they have access. This protection must prevent actions or operations that may cause undue alteration, disablement or destruction, theft or unauthorized use, in short, any way that could damage the data, computer applications and electronic documents Teknei own.
• Users are obliged to notify their contact person at Teknei of any incident or anomaly in the use of the ASSETS that they detect: loss of information, listings or removable storage units, unauthorized access, use of their user ID or password, introduction of malware or malicious code, data recovery, disappearance of computer media and, in general, any situation that may compromise the proper use and operation of information systems.
• As long as possible, the location of files containing personal data on digital devices that are not provided by Teknei and are owned by THE COMPANY will be avoided. Temporary files containing personal data may only be created when they are necessary for the performance of their functions, and must be deleted when they are no longer useful for the purpose for which they were created.
• At the end of the professional service contracted by Teknei to THE COMPANY, all the ASSETS and data that have been used in the professional activity provided must be returned in the same state.
• The handling, transmission, extraction and printing of documents with sensitive information can be audited with automatic systems or manually by Teknei.
• All files with Teknei data must be stored on the network drives or cloud storage assigned to the user.
• It is not allowed to provide the individual password to another person, to simulate the identity of another user using his password or to create copies of files without Teknei’s authorization.

Corporate e-mail and electronic messaging applications

Teknei’s e-mail, distribution lists, corporate instant messaging services and applications and other electronic communication services (hereinafter, the “TEKNEI COMMUNICATION SERVICES”) are tools whose primary purpose is to facilitate communication between users and not a tool for mass, indiscriminate dissemination of information.

Your use and enjoyment of the TEKNEI COMMUNICATION SERVICES shall be subject to the following terms and conditions:

• The use of the communication services for personal use is prohibited, as well as the sending of e-mails with offensive, inappropriate, threatening, illicit or fraudulent content or that in any way attempt, infringe or violate the aforementioned directives.
• The use and utilization of the TEKNEI COMMUNICATION SERVICES for personal gain or commercial purposes, for recreational use or any other use unrelated to the purpose for which they are made available to users is prohibited.
• The use and use of Teknei’s mail for the registration to “newsletter”, newsgroups or similar that are not directly related to the professional activity provided by the user, based on the service contracted to THE COMPANY, and that are necessary for the provision of such activity, is prohibited.
• Mailing lists may only be used for the purposes of the service contracted by Teknei.
• Unauthorized access to communications circulating on Teknei’s data network is prohibited, as well as their manipulation, destruction and misappropriation.

2.5. Web, e-mail and voice communications

Use of Web services, e-mail

It is strictly forbidden to use the ASSETS to access illegal web services, ethically reprehensible, contrary to the code of ethics, which may violate the dignity, honor and reputation of persons or that may pose a risk to the security of Teknei’s information systems.

Access to this type of content may incur civil and criminal liability. Teknei will cooperate to the best of its ability to investigate such acts, including cooperation with the courts.

Use of voice communications

Voice communications (e.g. telephone calls and videoconferences), through Teknei’s ASSETS, for personal matters are generally not allowed. However, exceptionally, voice calls will be tolerated, for a personal reason, on an ad hoc basis and for as short a duration as possible, provided that the other rules set forth in this Policy are observed and complied with.

2.6. Web browsing and Internet monitoring

Within the limits provided by law, the user’s connection data (user identification, identification of professional services, address of sites visited, etc.) are recorded by Teknei which, for statistical, quality of service and security purposes, monitors Internet traffic and allows regular audits of information systems.

The main purpose of these connection trace files is to ensure normal, diligent and proper use of the ASSETS.

Teknei implements automatic filtering mechanisms, linked to the categorization of the Internet sites visited or to keywords in accordance with the general conditions of use announced above.

In the event that breaches or risks are detected, countermeasures may be taken using as evidence the audit information stored for each of the users, as well as, among other measures, to hold the COMPANY accountable.