Information security policy

The management of Transparent Edge Services, understanding the importance of proper information management, is committed to implementing an information security management system that seeks to establish a framework of trust in the performance of its duties, within the framework of current legislative compliance and in accordance with the entity’s mission, vision, and values.

For Transparent Edge Services, information protection seeks to reduce the impact on its assets caused by systematically identified risks, in order to maintain a level of exposure that ensures the integrity, confidentiality, and availability of information, in accordance with the needs of the various identified stakeholders.

In accordance with the above, this policy applies to the entity as defined in the scope, taking into account that the principles on which the development of actions or decision-making around the ISMS is based will be determined by the following premises:

  • Minimize risk in the entity’s most important functions.
  • Comply with information security principles.
  • Maintain the trust of its customers, partners, and employees.
  • Support technological innovation.
  • Protect technological assets.
  • Establish information security policies and procedures.
  • Strengthen the information security culture among employees, partners, collaborators, and customers.
  • Ensure business continuity in the event of incidents.

Transparent Edge Services, and on its behalf the management team, has decided to define, implement, operate, and continuously improve an Information Security Management System aligned with business needs and in accordance with regulatory requirements.

Objectives or mission of the organization

Transparent Edge Services’ mission is to “offer our clients the ability to execute distributed services at the edge quickly and easily, providing them with the tools they need to achieve their goals and supporting them with our extensive experience in this type of environment.”

Legal and regulatory framework in which the activities will be carried out

The legal and regulatory framework to which the organization is subject is defined in the corresponding legal requirements compliance policy.

Organizational Framework for Security

Roles and responsibilities of the organization

CISO

The Security Officer is the key individual role in the development of information security.

Their information security responsibilities will be as follows:

  • Comply with and ensure compliance with all organizational policies, especially those focused on information security.
  • Develop, promote, and maintain the information security policy.
  • Develop the risk plan and potential solutions to mitigate threats.
  • Propose new information security objectives.
  • Develop and maintain the security regulatory framework and monitor its compliance.
  • Validate the implementation of the necessary security requirements.
  • Lead the implementation of the ISMS.
  • Establish technical and organizational controls and measures to secure information systems.
  • Manage the organization’s information security as a whole.
  • Manage and analyze security incidents occurring within the organization.
  • Periodically review the status of information security.
  • Track security incidents.
  • Monitor and review defined indicators.
  • Ensure security audits are conducted as frequently as necessary.
  • Review audit reports.
  • Define and verify the implementation of the data backup and recovery procedure.
  • Define and verify the implementation of the incident notification and management procedure.
  • Serve as a member of the security committee and, as such, report relevant information security issues to the security committee.

Their appointment will be made by the organization’s Steering Committee or by a delegated person or persons from senior management, based on merit and experience in the position. Their appointment will be tacitly renewed until the appointed person leaves the position or is replaced by another person from the organization. This position may be outsourced.

DPO

The DPO has the following responsibilities:

  1. Comply with and ensure compliance with all organizational policies, especially those focused on information security.
  2. Inform and advise the data controller or processor and employees of their obligations regarding the implementation of data protection policies.
  3. Verify compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and corresponding audits.
  4. Provide advice on impact assessments and monitor compliance with their internal application.
    • Must inform and advise the data controller or processor of their data protection regulatory obligations.
    • Must advise both the data controller and processor regarding the impact assessment they conduct regarding data protection.
    • Advise employees during data processing.
    • Oversee proper compliance with data protection regulations within the organization.
    • Review the organization’s internal privacy policies and their regulatory compliance.
    • Assign responsibilities among members of the organization regarding data protection obligations.
    • Carry out internal awareness-raising actions regarding effective regulatory compliance.
    • Train staff involved in data processing operations.
    • Supervise data protection impact assessments.
    • Control, coordinate, and verify applicable security measures.
  5. Cooperate with the Regional Agencies and the Spanish Data Protection Agency.
  6. Address inquiries from data subjects regarding the processing of their data or the exercise of their rights.
  7. Act as a liaison with the supervisory authority for issues related to processing and inquiries.
    • Act as a point of contact with the Spanish Data Protection Agency for issues related to the processing of personal data, including prior consultations.
    • Cooperate with the supervisory authority.

Therefore, any matter related to the Protection of Personal Data must be reported to the DPO for communication to the Spanish Data Protection Agency.

Their appointment will be made by the organization’s Steering Committee or by a delegated person or persons from senior management, based on merit and experience in the position. Their appointment will be tacitly renewed until the appointed person leaves the position or is replaced by another person from the organization. This position may be outsourced.

Information Officer

The Information Officer determines the security requirements for the information processed according to the parameters established by current regulations or rules. The Transparent Edge Services Security Committee is the collegiate body that assumes this role.

Service Manager

The Service Manager determines the security requirements for the services provided in accordance with current regulations or rules. The Transparent Edge Services Security Committee is the collegiate body that assumes this role. It must include security specifications in the lifecycle of services and systems, accompanied by the corresponding control procedures.

In order to describe the process and hierarchy for resolving authority conflicts that may arise during the management of the Information System between critical profiles with responsibilities in security matters, the functions for resolving conflicts with those responsible have been defined and are applicable to all specific Information System management profiles.

The Information Security Officer, the Service Manager, and the Information Officer will be appointed by Management at the proposal of the Security Committee. These appointments will be reviewed every two years or when the position becomes vacant.

Security Committee

The Transparent Edge Services security committee is made up of the following profiles:

  • Chief Security Officer (CISO)
  • Chief Executive Officer (CEO)
  • Chief Operating Officer (COO)
  • Chief Technical Officer (CTO)

This committee is renewed tacitly until one of its members ceases to hold their position, at which point a new member joins the committee, replacing the previous one.

The functions and responsibilities of the Security Committee are:

  • Comply with and ensure compliance with all organizational policies, especially those focused on information security.
  • Implement management guidelines.
  • Assign the various security roles and functions.
  • Present information security policies, standards, and responsibilities to management for approval.
  • Determine the security requirements for the information processed according to the parameters established by current regulations or rules.
  • Determine the security requirements for the services provided according to current regulations or rules.
  • Validate the risk map and proposed mitigation actions.
  • Validate the Security Plan and submit it to management for approval.
  • Oversee the development and maintenance of the Business Continuity Plan.
  • Ensure compliance with current laws and regulations.
  • Promote employee awareness and training on information security.
  • Include security specifications in the lifecycle of services and systems, accompanied by the corresponding control procedures.
  • Approve and periodically review the information security dashboard and the progress of the ISMS.

Risk analysis and management

All systems subject to this Policy have been evaluated through a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated:

  • Regularly, at least once a year.
  • When the information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.

Categorization of systems

Transparent Edge Services categorizes its systems by completing the REG-ENS-00 AR Transparent Edge document, which defines the criteria for determining the required level of security in each dimension. To do this, the essential elements, information, and services are analyzed, and the criteria that the person responsible for each type of information and each service may apply are built around them. The authority to determine the system’s category rests with the person responsible for it.

The National Security Framework (ENS) establishes in Annex II security measures conditioned on the assessment of the security level in each dimension and the security category of the respective information system. In turn, the security category of the system is determined by the highest security level among the assessed dimensions.

Personnel management and professionalism

All Transparent Edge Services members are required to understand and comply with this Information Security Policy and the Security Regulations, and the Security Committee is responsible for implementing the necessary measures to ensure that information reaches those affected.

All employees will receive a security awareness session at least once a year. Additionally, an ongoing awareness program will be established to educate all Transparent Edge Services members, particularly new hires, which is aligned with other implemented standards.

Personnel dedicated to security tasks are appropriately qualified, given the sensitivity and complexity of some of these tasks. This applies to all phases of the security process lifecycle (installation, maintenance, incident management, and decommissioning). To this end, personnel receive the specific training necessary to ensure the security of the information technologies applicable to the systems and services subject to the ENS.

Logically, the same internal requirements must be met by any supplier providing security-related services. To this end, Transparent Edge Services has implemented a supplier evaluation procedure to ensure a level of security similar to that required of the organization itself.

Authorization and access control

The first step to ensuring that information and systems are protected is to limit access to them. Therefore, it has been defined who will have access to resources and to what extent, so that each person has the access necessary to perform their tasks, but not to equipment or data that should not be within their reach.

Transparent Edge Services’ information systems also have authorization mechanisms to grant access and to deny or revoke it when necessary.

Facility protection

The facilities are protected against damage to the systems they house and against unauthorized access. Access to our facilities is secured and regulated by the established procedure.

Acquisition of security products and contracting of security services

Transparent Edge Services establishes the business and information security requirements for its information systems, whether new or existing, and whether being expanded or enhanced.

Therefore, any new acquisition of security products and services that may affect the ISMS must be previously evaluated from a functional perspective and in accordance with the necessary security requirements. Following validation, the product will be formally tested to determine whether it meets the requirements.

All contracted services must be evaluated before going live to ensure they meet the minimum security requirements defined in this Information Security Policy and current Security Regulations.

Minimum privilege

The Information Security System implemented at Transparent Edge Services follows the Principle of Least Privilege, according to which system users are granted the minimum access levels or permissions necessary to perform their functions, with the objective of restricting access to information and resources only to what is strictly necessary to fulfill a specific task.

This principle of least privilege ensures that each party, whether a process, user, or program, can only access what is essential for its legitimate purpose, without granting unnecessary privileges. However, this principle is not limited to human user access; it also applies to applications, systems, or connected devices that require privileges to perform necessary tasks.

Limiting privileges reduces exposure to cyberattacks and prevents “privilege stacking.”

System integrity and updating

To ensure the integrity of information systems, any physical or logical changes are always made only after formal approval and through a formal procedure.

To achieve this, systems are updated in a controlled manner and according to the required security status at any given time. Changes in manufacturer specifications, the emergence of new vulnerabilities, and the release of updates and patches that affect systems are analyzed to take the necessary measures to ensure that the systems and their security level are not degraded, while also managing the risks introduced by the changes to be implemented.

Protection of information stored and in transit

A significant part of the information lifecycle is its storage and transportation. Information must be protected at all times. To this end, appropriate procedures have been developed, covering both electronic and paper information, as well as policies for information management and processing.

Prevention against other interconnected information systems

Protection against other interconnected information systems is a crucial aspect for Transparent Edge Services. To this end, measures have been established to ensure security when information systems connect to each other, taking into account aspects such as perimeter protection, access control, and proper activity logging to detect potential anomalies or unusual behavior in the interconnection.

Any connections to or from interconnected services will be made following the CCN-STIC guides published for this purpose.

Activity logging and malware detection

The company monitors its information and processing systems, recording detected anomalies as security incidents and reviewing the operation and fault logs of its systems to identify the underlying problem. Transparent Edge Services’ monitoring of the use of its systems complies with legal privacy requirements and is used to verify the effectiveness of the implemented security controls and compliance with the access control policy.

Security incidents

Transparent Edge Services management has established a formal reporting procedure requiring all staff to report security-related incidents through the established channel immediately and without delay. This ensures a rapid and effective response to security incidents and weaknesses.

Continuity of activity

The company has established a procedure to respond to business interruptions, to protect critical processes from the effects of major information system failures, and to ensure their prompt restoration. To this end, a business continuity plan has been implemented to reduce the impact on Transparent Edge Services’ infrastructure, and consequently on the company, and to recover information assets (whether lost through accidents, equipment failure, deliberate acts, etc.), so that the department’s processes achieve an acceptable level of continuity through corrective and preventive recovery measures.

Continuous improvement of the security process

Management, for its part, places special emphasis on, and establishes as the primary criterion for its risk assessment, the confidentiality, integrity, and availability of critical company and client information, as well as ensuring its traceability and authenticity.

Thus, it is committed to developing, implementing, maintaining, and continually improving this Security Policy and its Management System, with the goal of continuous improvement in the way it provides its services and handles information.

Personal data

Transparent Edge Services processes personal data. In this regard, and in compliance with current data protection legislation, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of individuals, Transparent Edge Services has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where appropriate, includes, among others:

  • The ability to guarantee the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to quickly restore the availability and access to personal data in the event of a physical or technical incident.
  • A process for regularly verifying, evaluating, and assessing the effectiveness of technical and organizational measures to ensure the security of processing.

Guidelines for structuring documentation

This section establishes the criteria for classifying information held by Transparent Edge Services, regardless of the medium, and based on the following assumptions:

  • Information assets must be inventoried.
  • Information assets must have an owner.
  • Information must be classified.
  • Information must be labeled to classify it, thereby providing appropriate treatment for that classification.

Information assets must be classified according to the sensitivity and criticality of the information they contain, or according to the functionality they perform, and are labeled accordingly to indicate how the information is to be treated and protected.

Every information asset, as well as its storage, communication, and processing medium, must have a designated owner, with the responsibilities derived from this attribution detailed below in this document.

From all the sections above, the following security principles that support the Transparent Edge Services ISMS are derived:

Security principles

  • Information security responsibilities are defined, shared, published, and accepted by each employee, supplier, business partner, or third party.
  • Transparent Edge Services protects the information generated, processed, or stored by business processes, its technological infrastructure, and assets from the risk generated by access granted to third parties, whether suppliers or customers.
  • Transparent Edge Services protects the information created, processed, transmitted, or stored by its business processes to minimize financial, operational, or legal impacts due to misuse. To achieve this, it is essential to apply controls in accordance with the classification of the information owned or held by its employees.
  • Transparent Edge Services protects its information from threats originating from personnel by implementing the control mechanisms that may be necessary for this purpose.
  • Transparent Edge Services protects the processing facilities and technological infrastructure that supports its critical processes.
  • Transparent Edge Services controls the operation of its business processes, ensuring the security of technological resources and data networks.
  • Transparent Edge Services implements access control to information, systems, and network resources.
  • Transparent Edge Services ensures that security is an integral part of the information systems lifecycle.
  • Transparent Edge Services ensures effective improvement of its security model through proper management of security events and weaknesses associated with information systems.
  • Transparent Edge Services guarantees the availability of its business processes and the continuity of its operation based on the impact that events may generate.
  • Transparent Edge Services guarantees compliance with established legal, regulatory, and contractual obligations.

Documentation and Communication

This Information Security Policy will be available as documented information and communicated within the organization. It will also be shared with relevant stakeholders, as appropriate.

Review and Update

This policy will be reviewed annually or sooner if there are significant changes in Transparent Edge Services’ operating or technological environment. Senior management is committed to maintaining this policy in line with the company’s objectives and applicable information security requirements.

Last revised: July 2024