ENS Security Policy for Public Administrations
Introducción
This policy aims to establish the framework for identifying and implementing technical and organizational measures to ensure the security of information and the continuity of services Wetak offers to Public Administrations. To achieve this, Wetak applies the security measures established by the National Security Framework (ENS), a standard set by the Spanish Government as suitable for Public Administrations and private companies that provide services to them.
Wetak relies on ICT (Information and Communication Technologies) systems to offer its services and achieve its objectives. These systems must be protected to ensure the confidentiality, integrity, traceability, authenticity, and availability of the information and services provided. Information security is critical to ensuring the quality and continuity of services, acting preventively, supervising daily activities, and responding promptly to incidents.
ICT systems must be protected against rapidly evolving threats that may affect information and services. To defend against these threats, Wetak personnel must apply the following core principles:
- Security as an integral process
- Risk-based security management
- Prevention, detection, response, and conservation
- Multiple lines of defense
- Continuous monitoring
- Periodic reevaluation
- Differentiation of responsibilities
These are reflected in the following minimum security requirements demanded by the ENS:
- Organization and implementation of the security process.
- Risk analysis and management.
- Personnel management.
- Professionalism.
- Authorization and access control.
- Facility protection.
- Acquisition of security products and contracting security services.
- Least privilege.
- System integrity and updating.
- Protection of stored and in-transit information.
- Prevention with other interconnected information systems.
- Activity logging and malicious code detection.
- Security incidents.
- Business continuity.
- Continuous improvement of the security process.
Continuous monitoring of service levels is essential to analyze reported vulnerabilities and prepare an effective response to incidents, ensuring the continuity of services provided.
Wetak is committed to making ICT security an integral part of every stage of the system life cycle, from conception to decommissioning, including development or acquisition decisions and operational activities.
Scope
This policy applies to all ICT systems that provide Alejandria services to Public Administrations and all Wetak personnel involved in these projects or with access to the infrastructure or information of these systems. Information security is everyone’s responsibility; it is a team effort.
Mision/Objectives of Wetak
Wetak’s mission is to support its client organizations with their digital training needs, creating learning solutions and content for these solutions. For Public Administrations, we offer the Alejandria training platform.
Regulatory framework
Wetak is required to comply with the laws and regulations applicable to its nature and activities, as well as the obligations contracted with third parties. To ensure regulatory compliance, Wetak maintains a register to monitor applicable requirements, with particular attention to those related to personal data protection (GDPR, Protection of Personal Data and Guarantee of Digital Rights) and information security (ENS).
This register is reviewed annually by the Information Security Committee to ensure it is up-to-date and reflects current applicable regulations. The review includes the incorporation of new laws and regulations and the updating of existing ones to ensure continuous and effective compliance.
Security organization
Information Security Committee
The Information Security Committee is responsible for coordinating information security at Wetak and reporting to the organization. It consists of the following members:- Information and Service Officer
- Security Officer
- System Officer
The responsibilities of the Information Security Committee include:
- Addressing the concerns of management and different departments.
- Regularly reporting on the status of information security to management.
- Promoting the continuous improvement of the information security management system.
- Developing the organization’s security evolution strategy.
- Coordinating efforts across different areas of information security to ensure consistency with the decided strategy and avoid duplication.
- Drafting and regularly reviewing the Information Security Policy for approval by management.
- Approving the Information Security Regulation.
- Defining and approving the training and qualification requirements for administrators, operators, and users from the perspective of information security.
- Monitoring the main residual risks assumed by the organization and recommending possible actions.
- Overseeing the performance of security incident management processes and recommending actions related to them.
- Promoting periodic audits to verify the organization’s compliance with security obligations.
- Approving information security improvement plans for the organization, ensuring coordination between different plans in various areas.
- Prioritizing security actions when resources are limited.
- Ensuring that information security is considered in all ICT projects from the initial specification to the operational stage, particularly regarding the creation and use of horizontal services that reduce duplication and support consistent operation of all ICT systems.
- Resolving responsibility conflicts that may arise between different officers or areas of the organization, escalating cases where it lacks sufficient authority to decide.
- Promoting continuous system monitoring to detect abnormal activities or behaviors and ensuring an appropriate response.
- Promoting the continuous evaluation of asset security to measure its evolution, detect vulnerabilities, and identify configuration deficiencies.
Roles and Responsibilities
Wetak defines the following responsibilities for each designated role:
Information and Service Officer
- Determines the security requirements for the information processed and services provided.
- Assesses the consequences of a negative impact on the security of information and services.
- Is the owner of the information and services risks and responsible for monitoring them.
- Must include security specifications in the service and system life cycle, accompanied by the corresponding control procedures.
Security Officer
- Convenes the meetings of the Information Security Committee.
- Prepares the topics to be discussed at the Committee meetings, providing timely information for decision making.
- Prepares the meeting minutes.
- Is responsible for the direct or delegated execution of the Committee’s decisions.
- Determines the relevant security decisions to meet the requirements set by the information and service managers.
- Oversees the implementation of measures necessary to ensure that the requirements are satisfied and will report on these matters.
- Is hierarchically independent of the System Manager.
- In the acquisition of information and communications technology security products, those that have certified security functionality related to the object of their acquisition shall be used, proportionate to the category of the system and security level determined, except in those cases in which the requirements of proportionality in terms of the risks assumed do not justify it in the opinion of the Head of Security.
- Signs the relationship of selected measures from Annex II formalized in a document called Declaration of Applicability.
- Formally approves the replacement of security measures referenced in Annex II by compensatory ones, provided it is justified that they protect equally or better against the risk on the assets (Annex I) and the basic principles and minimum requirements provided for in Chapters II and III of the royal decree are met.
- Analyzes self-assessment and audit reports and submits conclusions to the System Manager to adopt appropriate corrective measures.
- Proposes indicators for risk monitoring and defines them alongside their owners.
System Officer
- Responsible for the operation of the information system, in compliance with the security measures determined by the Security Manager.
- May have responsibility located within the organization (using its own systems) or split between mediate responsibility (within the organization) and immediate responsibility (third-party outsourced systems).
- May decide to withdraw information, services, or systems from operation based on audit opinions until prescribed modifications are made.
Designation procedure
It is the function of the Management of the entity to designate:- The Information and Service Manager.
- The Security Manager, who must report directly to the Management.
- The System Manager, after consulting those responsible for the information and services concerned.
Conflict Resolution
Wetak establishes a clear and defined mechanism for the resolution of conflicts related to information security. This mechanism includes the following steps:- Identification of the conflict: Any conflict related to information security must be reported immediately to the Information Security Officer.
- Initial assessment: The Information Security Officer assesses the conflict to determine its nature, impact, and urgency.
- Internal mediation: A meeting is convened with all parties involved to attempt mediation.
- Decision of the Information Security Committee: If mediation fails, the Committee will make a final decision.
- Documentation and communication: All decisions and actions are documented and communicated to the parties involved.
- Follow-up and Review: Follow-up ensures the effectiveness of the solutions, and the Committee reviews the case to identify possible improvements.
Documentation
The documentation on which this policy is based will consist of a set of rules, guidelines and procedures that will help users in the development of their tasks.
This documentation is available in the Drive file system.
Methodology for the management of documented information
Documents are classified as follows:
- FOR – Format or template
- IT – Instruction
- RG – Register
- P – Policies
- PR – Procedures
- PS – Process
- DO – Document
- M – Manual
The structure of documents consists of:
HEADER:
- Wetak logo,
- Document name,
- Document code,
- Revision level,
- Date of last revision,
- Information category,
- Page number of the total number of pages.
Personal Data
Wetak processes personal data. To ensure adequate protection of this data, there is a risk analysis of personal data and a register of processing activities as well as other documents detailing the security measures applied to this data, in compliance with current regulations on data protection.
All information systems that process personal data in Wetak will comply with the security levels required by the regulations on the protection of personal data and the purpose.
Awareness and Training
Wetak commits to ensuring staff awareness of information security through awareness programs, ongoing training, and specific instructions for ICT personnel.
Risk Management
The Information Security Committee conducts regular risk assessments for information systems, ensuring a proactive approach to addressing threats and vulnerabilities.
Approval and Entry into Force
This security policy was approved by Wetak’s management on October 16, 2024, and is effective from that date. It will be reviewed annually and updated as necessary.
