Security policy
Commitment to security: GESI ensures proper information security management to protect its confidentiality, integrity, availability, traceability and authenticity. The company is committed to preventing incidents and guaranteeing continuity of services.
Scope: The policy applies to all ICT systems and personnel involved in public sector projects that must comply with the Esquema Nacional de Seguridad (ENS).
Security objectives: Increase resilience to incidents, ensure rapid service recovery and mitigate information security risks.
Regulatory framework: GESI complies with various regulations including the European General Data Protection Regulation (GDPR) and Spanish data protection and information security laws.
Security organisation: Management is responsible for providing resources to meet security objectives. Specific roles are assigned such as the Security Officer and the Security Committee, which makes key decisions on this matter.
Risk management: Systems subject to this policy must perform a risk analysis annually or when significant changes occur. The Security Committee manages these analyses.
Personnel management: All personnel must be trained in information security and sign confidentiality commitments. Annual security awareness sessions are conducted.
Access control: Security measures are implemented to prevent unauthorised access to systems and protect critical equipment. Security in the use of mobile devices and remote working is promoted.
Product acquisition: Security is integrated across all phases of the system lifecycle, from acquisition through to decommissioning.
Business continuity: Backup mechanisms and operational continuity procedures are established in the event of incidents affecting normal working practices.
Continuous improvement: The policy promotes continuous improvement of the security management system, aligned with international standards such as ISO 27001.