The purpose of this Policy is to achieve an adequate protection of ARTICA’s information, preserving the following security features:
- Confidentiality: to ensure that the information is accessible only to those who are authorized to have access to it.
- Integrity: to ensure the accuracy and completeness of the information and the methods of its processing.
- Availability: to ensure that authorized users have access to the information and its associated assets when they require it.
These basic principles must be preserved and ensured in whatever form the information takes, whether in electronic, printed, visual or spoken format, and regardless of whether it is processed on or off ARTICA’s premises.
Likewise, these principles should be considered in the following security areas:
- Physical: This includes the security of premises, facilities, hardware systems, supports and any physical asset that processes or may process information.
- Logic: Including the protection aspects of applications, networks and prototypes of electronic communication and computer systems.
- Political-corporate: Formed by the security aspects related to the organization itself, to internal rules, regulations and legal norms.
ARTICA bases its activity on the processing of different types of data and information. This allows it to execute basic business processes.
Thus, damage or loss of the organization’s assets affects the performance of its operations and may jeopardize the continuity of the organization.
In order to prevent this from happening, an Information Security Policy has been designed, the main objectives of which are:
- Protect, through controls and security measures, the company’s assets against threats that could lead to security incidents.
- Mitigate the effects of security incidents, which can affect both members of the organization and external stakeholders.
- Establish an information and data classification system to protect critical information assets, both internal and those that may be of interest to external stakeholders.
- Define the responsibilities for information security by creating the corresponding organizational structure.
- Develop a set of rules, standards and procedures applicable to management bodies, employees, partners, external service providers, etc. Such security policies and compliance with ISO 27001 standards will be of particular relevance to customers, suppliers and external organizations and should be communicated in a timely manner. Of course, internally, there will be greater communication of the functioning of the ISMS and all internal policies and regulations.
- Specify the effects of non-compliance with the Safety Policy in the workplace, through continuous training and internal communication.
- Continuously evaluate the risks affecting the assets in order to adopt the appropriate security measures/controls.
- Verify the operation of security measures and controls through internal security audits performed by independent auditors.
- Train users in security management and information and communication technologies.
- Control information and data traffic through communications infrastructures or by sending optical, magnetic or paper data carriers, etc.
- Comply with legislation on data protection, intellectual property, labor, information society services, criminal law, etc., affecting ARTICA’s assets and its relationship with external stakeholders.
- Guarantee an efficient service to our customers and other external stakeholders with a high level of quality and integrity, thus preserving their trust.
- Protect the organization’s intellectual capital from unlawful disclosure and use.
- Obtain the evidence needed to substantiate security incidents and identify their author, whether external (suppliers, clients, users) or internal to the company.
- Reduce the possibility of unavailability through the proper use of the organization’s assets, both internal and external.
- Defend assets against internal or external attacks so that they do not become security incidents.
- Control the operation of security measures by ascertaining the number of incidents, their nature and effects.
Protection of personal data
ARTICA processes personal data for purposes previously communicated to the data subjects (their owners) and, if necessary, previously consented to by them at the time of data collection or subsequently.
In data protection matters, data subjects have rights of access, rectification, limitation of processing, portability, opposition, erasure and others (called ARCO/ARLtPOS rights). This means that any natural person can ask ARTICA for information about what data is held about them, where it was obtained from, what is done with it, what it is used for, and request changes in its use. Before exercising the ARCO/ARLtPOS rights of any affected person, ARTICA staff is obliged to immediately notify the Data Protection Officer by sending an email to [email protected]. It is vitally important to do so immediately as there are strict legal deadlines for a response.
All persons with access to ARTICA’s information resources or information assets (both in-house and outsourced personnel) must read, understand, know and accept the Information Security Policy and the Information Systems Use Policy at the beginning of the employment or business relationship with ARTICA and its modifications on an annual basis thereafter.
Address and contact information
Ártica PFMS S.L.U
22-24 Casas de Miravete Street
Perez Iglesias Business Park
Building 24A, Floor 3 Office 3
28031 Madrid. Spain.
Office phone: +34-915597222
General contact e-Mail: [email protected]
Data Privacy Officer (DPO): [email protected]