Information Security Policy

1. OBJECTIVE

Ojmar fully recognises the information security implications associated with its operation and its commitment to stakeholders. Therefore, the main purpose of this document is to establish Ojmar's Information Security Policy. The fundamental purpose of this policy is to ensure the proper safeguarding of information assets and the continuity of the services offered, by having the necessary capacity to prevent, detect, respond and recover from possible security incidents. To this end, the organization adopts the necessary security measures to maintain a level of risk that is considered acceptable. It also recognizes the importance of monitoring the performance of services, analyzing identified vulnerabilities, and establishing effective responses to incidents.

It is a priority for Ojmar that the information services fulfill their functions and preserve the integrity of the data without interruptions or unauthorized alterations, and that unauthorized access to them is not allowed. In line with this objective, the organization's information systems and networks are required to be robust enough to reliably resist accidental events or malicious actions that may compromise the confidentiality, availability, and integrity of stored or transmitted data, as well as services used in digital environments.

It is Ojmar's responsibility to ensure that the security of Information and Communication Technologies (ICT) is integrated into all stages of the life cycle of information systems. This ranges from conception to decommissioning, including decisions regarding development or acquisition, as well as operational activities. The security requirements and funding needs linked to each phase are identified and considered in planning and project RFPs.

In order to comply with the provisions of this Information Security Policy and guarantee the level of security required by Ojmar, the Information Security Committee annually issues a report detailing the security measures approved by the Committee, based on risk management. These measures must be implemented during the following financial year after their approval due to their essential nature. In addition, the report includes those measures that are considered desirable to advance the security strategy designed by the Committee.

2. SCOPE OF APPLICATION

In accordance with the Information Security Policy and its respective regulations, security measures are established that must be applied, according to the guidelines defined in said standards, to all systems, services and resources related to Information and Communication Technologies (ICT) used by Ojmar to support its organizational processes, and that affect the various associated information elements.

The purpose of the entity's ICT resources is to provide support to business operations as well as management activities essential to its operation. These resources encompass both central and departmental systems, workstations, computers, printers, output devices and other peripherals, internal and external networks, communication services and storage systems owned by Ojmar.

In this context, computers or personal devices that are not purchased by the organization or registered in its name are not considered part of the entity's ICT resources, although they may occasionally be used in activities related to business processes. Therefore, they are excluded from the application of this policy, as well as from any security considerations or concerns. However, any personal device that connects to the corporate network or contains information from Ojmar will be subject to the obligations established in this Information Security Policy, as well as the regulations and guidelines that complement it.

This policy not only applies to the organization's internal staff, but is also binding on all persons, entities, institutions or units and services, both internal and external, that make use of ICT resources and have access to the entity's information elements. This includes those who connect directly or indirectly to such resources, either remotely or through third-party devices, and in particular includes services offered via the Internet. In the context of this activity, these individuals will be considered as users, in accordance with the terms set forth in this policy.

3. INFORMATION SECURITY PRINCIPLES

This policy, together with its corresponding regulations, is based on essential principles of protection with the aim of ensuring that the organization can achieve its goals through the correct management of information systems.

These fundamental principles, which must be taken into account in all decisions related to information security, are described below:

3.1. Comprehensive approach to security

Security is approached as a global process that involves all human, material, organizational and technological elements related to the system. Therefore, it is crucial to take appropriate measures so that all actors involved in the process are aware of the Information Security Policy and execute their responsibilities in accordance with it. Coordination between all participants is applicable to all initiatives and actions undertaken by Ojmar.

3.2. Risk Management

Risk analysis and management play a crucial role in information security. It is essential to keep risk levels within acceptable limits through the continuous implementation of appropriate and up-to-date security measures. This ensures proportionality between the nature of the data and processing processes, the risks to which they are exposed, and the corresponding security measures.

3.3. Incident Prevention and Recovery

System security should encompass prevention, detection, and recovery in order to prevent threats from materializing or having a significant impact on the data handled by the information systems or services offered. This is achieved through preventive measures, including deterrence and exposure reduction; detection measures that are complemented by effective responses to address security incidents, and recovery measures that allow for the restoration of services and information. The system ensures data preservation and service availability throughout the information lifecycle.

3.4. Multiple Layers of Defense

The system must have a protection strategy that consists of multiple layers of security arranged in such a way that, if one of them fails due to an unavoidable incident, there is enough time for an appropriate response, reducing the likelihood that the entire system will be compromised and minimizing the final impact. These layers of defense include organizational, physical, and logical measures.

3.5. Periodic review

Ojmar regularly reviews and updates the security measures implemented to ensure that they continue to be effective in the face of constantly evolving risks and protection systems.

4. LEADERSHIP & COMMITMENT

Ojmar's Management demonstrates its leadership and commitment to the fundamental principles of information security through the implementation of the Information Security Management System (ISMS), for which it assumes the following responsibilities:

  • Establish and align the Information Security Policy and Information Security Regulations with the strategic direction of the organization.
  • Ensure the availability of the necessary resources for the effective functioning of the ISMS.
  • Communicate the importance of efficient system management and compliance with established requirements at all levels of the organization.
  • Provide direction and support to the people who contribute to the operation of the ISMS, promoting a culture of information security.
  • Collaborate with other relevant management areas to strengthen their leadership in their respective areas of responsibility, ensuring the integration of information security into all processes.
  • Ensure that the ISMS achieves the expected results in terms of information protection and continuity of services.
  • Promote continuous improvement in the field of information security, supporting initiatives that lead to greater effectiveness and efficiency in security management.

5. MANAGEMENT POLICY AND SAFETY OBJECTIVES

Ojmar's management recognizes the need to ensure compliance with defined levels of confidentiality, integrity, and availability for its information assets. This is essential to carry out the company's activities and achieve strategic objectives, as well as to demonstrate its ability to efficiently manage the services offered to customers.

In order to achieve these goals, the Information Security Management System (ISMS) has been developed and implemented, which provides a solid framework for the safe management of the company's assets. In addition, this system acts as a guarantee to ensure the trust and satisfaction of all stakeholders, by integrating a secure methodology for the provision of services.

To reinforce its commitment, and taking into account that information security is aimed at ensuring the continuity of the organization's operations and mitigating risk by preventing and, if necessary, reducing the impact of security incidents, Ojmar establishes the following strategic objectives in the field of information security:In tune with the context and strategic direction of the company:

  • Promote an organizational culture in which information security is a fundamental pillar and is ingrained in all the organization's management practices and processes.
  • Protect the confidentiality, availability, and integrity of the organization's data to support business strategy, as well as comply with current legal and contractual requirements.
  • Perform risk analysis and management focused on information security.
  • Optimally utilize security resources to support business objectives.
  • Efficiently and effectively leverage existing security knowledge and infrastructure.
  • Safeguard the information resources and technology used by Ojmar against both internal and external threats, whether intentional or accidental.
  • Establish monitoring and reporting processes to ensure compliance with information security objectives and ensure adequate response to incidents.

In line with its strategy and business, Ojmar defines a series of specific information security objectives:

5.1. Information Asset Protection

The ability to protect system resources is a fundamental pillar in Ojmar's strategy. Risk management represents one of the most essential foundations of information security and is considered a core practice in all recognized security standards. Therefore, much of the efforts devoted to protecting the entity's information, assets, and business are based on the results derived from the analysis and assessment of security risks.

5.2. Logical Access Controls and Authentication

Ensuring that the information system is only accessible by authorized users is another key point for Ojmar. Implementing strong authentication is crucial to mitigate the risk of spoofing and other fraudulent access.

5.3. Protection of confidentiality

Ensuring data confidentiality is an integral part of information security. This involves protecting information exchanged between authorized parties and ensuring that it is not exposed to unauthorized third parties.

5.4. Integrity Protection

Ensuring data integrity is critical to prevent unauthorized modification or manipulation. The organization implements security measures to mitigate the risks of data tampering, especially in untrusted environments such as public networks or the internet.

5.5. Availability protection

Maintaining the uninterrupted availability of information systems is essential. Ojmar establishes procedures to maintain business continuity in adverse situations, thus minimizing the impact of disruptions and ensuring that systems are always available.

5.6. Audit of security activities

Continuous monitoring and recording of potential incidents and suspicious activity are key goals to prevent unwanted events. This contributes to security by proactively detecting and responding to threats.

6. SECURITY ORGANIZATION

In order to meet all these objectives during all phases of the information lifecycle and appropriately assign responsibilities for their implementation, Ojmar establishes a structure that encourages the consistent application of the information security policy. This structure adapts effectively to the frequent technological and organizational changes in the environment in which it carries out its business activity.

Accordingly, Ojmar establishes the following committee and role related to the oversight and management of information security:

  • Information Security Committee.
  • Head of Security.

7. PERSONAL DATA

Ojmar carries out the processing of personal data and maintains a Register of Processing Activities that documents these processes and identifies the corresponding controllers. Each of its information systems conforms to the security levels required by the regulations, considering the nature and purpose of the personal data involved.

The security measures implemented in accordance with this information security policy, as well as the risk assessments carried out to comply with the obligations of the General Data Protection Regulation, are effectively coordinated with the Security Officer and the Information Security Committee. This ensures that the protection of personal data is fully integrated into the ISMS framework and that applicable privacy regulations are complied with.

8. OBLIGATIONS OF USERS

It is the responsibility of all members of Ojmar to know and rigorously comply with the Information Security Policy and the Security Regulations that emanate from this policy. The Directorate is responsible for ensuring that these policies reach all stakeholders, providing the necessary means for their dissemination and understanding.

It is vitally important that all employees in the organization are fully aware of the importance of preserving the security of information systems. Each individual plays an essential role in maintaining and improving safety at Ojmar.

Accordingly, an ongoing awareness program is established that encompasses all members of the organization, with special emphasis on those who have recently joined. Those individuals with responsibilities related to the use, administration or operation of information and communication technology (ICT) systems receive specific training in the secure management of these systems, as necessary to fulfill their tasks. This training is mandatory before taking on any responsibility, either in your first position or in the event of a change of roles or responsibilities within the organization.

9. USERS' RESPONSIBILITIES IN THE EVENT OF NON-COMPLIANCE

The Information Security Committee is empowered to assess whether the organization's users are in breach of any of the obligations set forth in this policy, as well as in the related regulations and additional instructions.

In the event that any non-compliance is identified, both preventive and corrective measures are implemented with the main objective of preserving and protecting the organization's information systems and networks. These measures shall be applied without prejudice to any disciplinary consequences that may result.

Once a breach of the Information Security Policy has been confirmed, the Committee follows the established procedures to initiate appropriate disciplinary action. The procedure to be followed and the sanctions to be applied are in accordance with the legislation in force that regulates the disciplinary regime of personnel employed in the organization.

10. RELATIONSHIP WITH THIRD PARTIES

When Ojmar provides services to other organizations or handles information from them, the person responsible for this relationship is responsible for informing them about the Information Security Policy, as well as those rules and instructions that are necessary to share. In addition, communication and coordination channels are established between the respective Information Security Committees in order to ensure effective collaboration in security matters. Procedures are also implemented for responding to potential security incidents, allowing for quick and efficient reaction in the event of events that put information security at risk.

When Ojmar uses third-party services or shares information with them, contractual agreements are established that obligate these third parties to comply with the obligations and security measures specified in such contracts. These third parties may implement their own operating procedures to ensure compliance with these obligations. In addition, specific procedures can be established to prevent, detect, report, and resolve security incidents in collaboration with third parties. The objective is to ensure that the personnel of these third parties are properly informed and trained in security matters, at least to the same level as set out in this security policy.

In particular, third parties must ensure compliance with standards-based security measures that may be auditable, and may be subject to controls and reviews by certified third parties verifying their compliance with these policies.

If a third party is unable to comply with any aspect of this security policy, a report is requested from its Security Officer identifying the risks involved and measures to address them. This report must be approved by Ojmar before proceeding with the relationship or service in question.

11. REGULATORY FRAMEWORK

This policy has been developed and approved in accordance with the following regulatory framework:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
  • Royal Legislative Decree 1/1996, of April 12, 1996, approving the revised text of the Intellectual Property Law (LPI), regularizing, clarifying and harmonizing the provisions in force on the matter.

12. APPROVAL AND ENTRY INTO FORCE

Ojmar's Management has approved this Information Security Policy on October 30, 2023.

This policy will be effective as of the above date and will remain in effect until it is replaced by a new version.

All provisions of equal or lesser rank that conflict with the provisions of this Information Security Policy are automatically repealed.