Approval and entry into force

HOPU has always presented a concern and care for standardization, remote maintenance and control, and security in its architectures and projects. This concern has been initially embodied in the Privacy policy that has been in force in the organization since May 25, 2018, with an update on July 16, 2018, and remains in force in these terms. With the implementation of the ISO 27001 Information Security standard and the National Security Scheme ENS, this document is complemented by covering all aspects of security and privacy applicable to the organization. This policy not only covers the privacy aspects of the organization, but also expands these aspects according to the minimum requirements of the ENS. This document has been approved and thus comes into force on August 18, 2021. This Information Security Policy Annex 4 Rev.00 is effective from that date and until it is replaced by a new Policy.

Introduction

HOP Ubiquitous S.L., hereinafter referred to as HOPU, works with ICT (Information and Communications Technology) systems to achieve its objectives. These systems must be managed with diligence, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or services provided.
The objective of information security is to ensure the quality of information and the continued provision of services, acting preventively, monitoring daily activity and reacting quickly and efficiently to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure continuous service delivery. This implies that departments must implement the minimum security measures required by the National Security Scheme, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.

The different departments must ensure that ICT security is an integral part of each stage of the system's life cycle, from its conception to its decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning and in the request for bids.
Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 7 of the ENS.

Prevention

Departments should avoid, or at least prevent as far as possible, information or services being impaired by security incidents. To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. To ensure compliance with the policy, departments must:

  • Authorize systems before going into operation.
  • Regularly assess security, including assessments of configuration changes made on a routine basis.
  • Request periodic review by third parties in order to obtain an independent assessment.
Detection

Since services can degrade rapidly due to incidents, ranging from a simple slowdown to shutdown, services should monitor operation on an ongoing basis to detect anomalies in service delivery levels and act accordingly as set out in Article 9 of the ENS.
Monitoring is especially relevant when establishing lines of defense in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms shall be established that reach those responsible on a regular basis and when a significant deviation from the parameters that have been pre-established as normal occurs.

Response

Departments should:

Establish mechanisms to respond effectively to security incidents.

Designate a point of contact for communications regarding incidents detected in other departments or other agencies.

Establish protocols for the exchange of incident-related information. This includes two-way communications with Emergency Response Teams (CERTs).

Recovery

To ensure the availability of critical services, departments should develop ICT systems continuity plans as part of their overall business continuity plan and recovery activities.

Scope

This policy applies to the Grafana visualization platform, involving the members of the Software Dept. involved in the deployment of this visualization service for our customers. The rest of the platform on which the visualization is built is outside the scope of this ENS policy, since it is not a proprietary software, but a license for use.

Mission, vision and quality model

HOPU is a leader in innovation in Internet of Things (IoT) and smart city solutions. The company is certified in ISO9001 Quality Management, thanks to which they have set their mission, vision and objectives and which is available on the web: https://hopu.eu/quality-politics/.

The company's mission is: "To promote sustainability and decision making based on reliable data/evidence".

To this end HOPU offers services and solutions, always thinking about user experiences and value engineering. We are passionate about generating urban innovations through the latest technologies such as AI (Artificial Intelligence), IoT (Internet of Things) and Data-Quality. We love to engage citizens and decision-makers, to ensure that data is understandable for all, intuitive and usable. We are there to support any decision for urban development and digital transformation through data-driven tools with dashboards, decision support tools and a large number of IoT devices to objectively monitor impact, wealth, sustainability, environment, noise, weather, air quality status, etc. Our vision is to have Smart Cities in the present and in the future, where citizens and visitors really feel that they are in an efficient, sustainable and healthy City.
The vision of the company is: "A world with efficient, sustainable and healthy cities".

Regulatory framework

HOPU is subject to the following regulations in the provision of services provided to its customers:

  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), applicable to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file.
  • Occupational Risk Prevention Law 31/1995 of November 8, 1995 and Royal Decree 39/1997 of January 17, 1997, approving the Prevention Services Regulations.
  • The applicable collective bargaining agreement, corresponding to "Oficinas y Despachos".
  • Law 34/2002, of July 11, 2002, on Information Society Services and Electronic Commerce (LSSI-CE).
  • RD-Law 13/2012 of March 30, 2012, cookies law.
  • Royal Legislative Decree 1/1996, of April 12, which approves the revised text of the Intellectual Property Law, regularizing, clarifying and harmonizing the current legal provisions on the subject.
    The reference framework that gives legal coverage to this document is established in the following sections of the Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration (hereinafter, ENS):
  • ENS. Article 12. Organization and implementation of the security process
    Security shall involve all members of the organization. The security policy, as detailed in Annex II, section 3.1, shall identify those clearly responsible for ensuring its compliance and shall be known by all members of the administrative organization.
  • ENS. Annex II

Security Measures Organizational Framework [org]
Security policy [org.1]

Security Organization
Committee. Definition and coordination

The Information Security Management Committee shall be composed of the Chief Executive Officer (CEO), Department Directors, Security Manager, Information/Services Manager, System Manager.

The Committee will have the following functions:

  • Coordinates all activities related to ICT security.
  • It is responsible for drafting the Security Policy.
  • It is responsible for the creation and approval of the rules governing the use of ICT services.
  • Approve the procedures for action regarding the use of ICT services
  • Approve the training and qualification requirements for administrators, operators and users from the point of view of ICT security.
Roles. Roles and responsibilities

The different roles along with their respective functions and responsibilities are reflected in the HOPU roles and responsibilities matrix.

INFORMATION CONTROLLER

The Information Owner is usually a person who holds a senior management position in the organization. This position has the ultimate responsibility for the use of certain information and, therefore, for its protection.

The Information Officer is ultimately responsible for any error or negligence that leads to a confidentiality or integrity incident.

The ENS assigns to the 'Chief Information Officer' the power to establish the information security requirements. Or, in ENS terminology, the power to determine the levels of information security (although in this case, this responsibility will fall on the Chief Information Officer of the public bodies to which the service is provided).

The determination of security levels in each security dimension must be carried out within the framework established in Annex I of the National Security Scheme. It is recommended that the assessment criteria be supported by the Security Policy insofar as they are systematic, without prejudice to the possibility of particular criteria being applied in unique cases.

SERVICE RESPONSIBLE

The ENS assigns to the 'Service Manager' the power to establish the security requirements of the service. Or, in ENS terminology, the power to determine the security levels of the services (although in this case, the responsibility for defining the security levels will lie with the Chief Information Officer of the public bodies to which the service is provided).

The determination of security levels in each security dimension must be carried out within the framework established in Annex I of the National Security Scheme. It is recommended that the assessment criteria be supported by the Security Policy insofar as they are systematic, without prejudice to the possibility of particular criteria being applied in unique cases.

The provision of a service must always meet the security requirements of the information it handles (it is sometimes said that 'requirements are inherited'), and usually adds availability requirements, as well as others such as accessibility, interoperability, etc.

PERSON RESPONSIBLE FOR SECURITY

The Security Officer must be appointed directly by management to manage and maintain the ISMS.

Among his responsibilities is to maintain the process of continuous improvement of the system, working together with those responsible for the processes and services. It is also responsible for verifying compliance with this Management Manual, detecting any deviations in the system, recommending and channeling improvements and verifying and evaluating their implementation and effectiveness. With respect to management activities, he/she must plan internal audits and manage incidents related to the services he/she manages.

Person appointed by the Management, who will have the following responsibilities:

  • Maintain and supervise the management of the security of the information handled and of the services provided by the information systems in his/her area of responsibility, in accordance with the provisions of the Organization's Security Policy.
  • Promote information security training and awareness within its area of responsibility.

RESPONSIBLE FOR THE SYSTEM

The System Manager must be appointed directly by the Management to manage and maintain the ENS.

It should be noted that the System Manager will be responsible, among other duties, for:

  • Develop, operate and maintain the Information System throughout its life cycle, its specifications, installation and verification of its correct operation.
  • Define the topology and management system of the Information System, establishing the criteria for its use and the services available in it.
  • Ensure that the specific security measures are properly integrated within the general security framework.

The System Manager may agree to suspend the handling of certain information or the provision of a certain service if he/she is informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed with those responsible for the affected information, the affected service and the Security Officer, before being executed.

Designation procedures

The Information Security Officer shall be appointed by the Management on the proposal of the Information Security Management Committee. The appointment shall be reviewed every 2 years or when the position becomes vacant.

Information security policy

The Information Security Management Committee shall be responsible for the annual review of this Information Security Policy and for proposing its revision or maintenance. The Policy shall be approved by the same committee and disseminated so that all affected parties are aware of it.

Personal data

HOPU processes personal data (names, email accounts, MACs...). The security document, to which only authorized persons will have access, lists the affected files and those responsible for them. All HOPU information systems will comply with the security levels required by law for the nature and purpose of the personal data included in the aforementioned Security Document.

Risk Management

All systems subject to this Policy shall perform a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated

  • regularly, at least once a year
  • when the information handled changes
  • when the services provided change
  • when a serious security incident occurs
  • when serious vulnerabilities are reported

For the harmonization of risk analysis, the Information Security Management Committee shall establish a baseline assessment for the different types of information handled and the different services provided. The Information Security Management Committee will streamline the availability of resources to meet the security needs of the different systems, promoting horizontal investments.

Document management

The guidelines for structuring the system's documentation, its management and access are documented in the Quality and Environment Manual to which this Annex 4 belongs, in section 2.4. CONTROL AND MANAGEMENT OF DOCUMENTED INFORMATION.

The safety regulations will be available on the web https://hopu.eu/

Obligations of personnel

All members of HOPU have the obligation to know and comply with this Information Security Policy and the Security Regulations, being the responsibility of the Information Security Management Committee to provide the necessary means to ensure that the information reaches those affected.

All HOPU members will attend an ICT security awareness session at least once a year. An ongoing awareness program will be established to serve all HOPU members, particularly new members.

Individuals with responsibility for the use, operation or administration of ICT systems shall receive training in the safe operation of the systems to the extent they need it to perform their work. Training will be mandatory prior to taking on a responsibility, whether it is their first assignment or a change of job or job responsibilities.

Third Parties

When providing services to other organizations or handling information from other organizations, they will be made aware of this Information Security Policy, channels will be established for reporting and coordination of the respective Committees, and procedures will be established for reacting to security incidents.

When HOPU uses third party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations that apply to such services or information. Such third party shall be subject to the obligations set forth in such regulations and may develop its own operating procedures to satisfy them. Specific incident reporting and resolution procedures shall be established. It shall be ensured that third party personnel are adequately security-aware to at least the same level as that set out in this Policy.

Where any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Officer will be required which specifies the risks incurred and how they will be addressed. Approval of this report by those responsible for the information and services affected will be required before proceeding further.