Security Policy

1. APPROVAL AND ENTRY INTO FORCE

This Information Security Policy was approved by Llorenç Solé, Managing Director of Codigital Lab, on 02/04/2025, in accordance with Article 12 of Royal Decree 311/2022.

This policy will be reviewed annually or whenever significant changes occur in the services, organizational structure, or applicable regulations.

2. INTRODUCTION

This policy establishes the general information security guidelines at Codigital Lab, within the framework of the National Security Scheme (ENS), applying the principles of Royal Decree 311/2022, the General Data Protection Regulation (GDPR), and other applicable legislation.

2.1. PREVENTION

Codigital Lab, through its managers and departments, must avoid—or, where applicable, minimize as much as possible—the impacts that may arise from security incidents affecting the confidentiality, integrity, availability, authenticity, or traceability of information and services.

To this end, the minimum measures required by the National Security Scheme (ENS) are implemented, as well as additional controls identified through risk and threat analysis, in accordance with the principle of proportionality and continuous improvement.

To ensure compliance with this policy, the following structural actions are established:

Formal authorization of ICT systems before they are put into production.
Periodic security assessments, including the review of routine configuration changes.
Requesting independent third-party audits and reviews, on a planned basis, as part of the improvement cycle.

The established controls, together with security roles and responsibilities, will be defined and documented in accordance with internal regulations and communicated to all relevant staff.

2.2. DETECTION

Early incident detection capability is essential to preserve service levels and reduce the impact of security events.

Codigital Lab will implement continuous monitoring mechanisms over its systems and services to proactively identify anomalous behavior, performance degradation, or deviations from previously established normal parameters.

The following measures are established:

Systematic monitoring of production systems and services.
Logging and analysis of relevant events, accessible to security officers.
Definition of alert thresholds and immediate reporting mechanisms in the event of anomalies.

The collected information will be handled with integrity and traceability criteria, facilitating event correlation, early pattern detection, and support for response processes.

2.3. RESPONSE

In order to act swiftly in the event of security incidents, specific protocols will be developed and implemented for their efficient and coordinated management.

Departments must:

Establish formal incident response procedures, integrated into the Information Security Management System.
Appoint points of contact responsible for internally coordinating the response and channeling communication with other departments, organizations, or authorities.
Establish information exchange channels with external bodies (CERT/CSIRT), such as INCIBE-CERT or CCN-CERT, ensuring bidirectionality, traceability, and confidentiality.

Any incident will be recorded, categorized, and handled according to its level of criticality, activating the planned escalation and communication levels.

2.4. RECOVERY

Codigital Lab will ensure the availability of critical services through the development of technological continuity plans, integrated into its overall business continuity plan.

These plans will include:

Identification of critical assets and processes.
Definition of backup and disaster recovery strategies (backup/restore, replication, fault tolerance, etc.).
Plan activation procedures, including responsible parties, resources, and the recovery objectives agreed for each service: the RTO (maximum tolerable time until the service is restored) and the RPO (maximum tolerable data loss, i.e., the age of the most recent usable backup).
Regular testing of the defined mechanisms, with follow-up of results and incorporation of improvements.

Service recovery must minimize the impact on users and ensure restoration of normal operations in the shortest possible time.

3. SCOPE

This policy applies to all information systems, technological resources, processes, employees, collaborators, and third parties of Codigital Lab related to the management and processing of information, in any format, that form part of the Information System subject to the ENS.

4. ORGANIZATION’S MISSION [org.1.1]

Codigital Lab’s mission is to provide technology solutions focused on citizen participation and communication, and the secure digital transformation of communities and local governments, ensuring at all times the protection of information and the services provided.

5. REGULATORY FRAMEWORK [org.1.2]

Codigital Lab’s activities are carried out in accordance with the following regulatory framework:

Royal Decree 311/2022 (ENS)
GDPR (EU 2016/679)
Spanish Organic Law 3/2018 (LOPDGDD)
Law 39/2015 and Law 40/2015

Codigital Lab has an internal procedure to identify, register, and update all applicable regulations on security and data protection.

6. SECURITY ORGANIZATION

6.1. COMMITTEES: FUNCTIONS AND RESPONSIBILITIES

In accordance with CCN-STIC Guide 402, Codigital Lab has established an ICT Security Committee (referred to in this section as the Information Security Committee) as a collegiate body responsible for coordinating, promoting, and supervising security activities within the Information Security Management System.

The ICT Security Committee is composed of:

Llorenç Solé Borràs, Service Owner (CEO)
Daniel Fargas Alcántara, Information and System Owner (CTO)
Antonio Martínez Cívico, Security Officer (Software Engineer)

The Secretary of the ICT Security Committee will be Antonio Martínez Cívico, whose responsibilities will include:

Preparing meeting notices and minutes.
Coordinating the execution of actions agreed by the committee.
Keeping the register of agreements and incidents up to date.

The ICT Security Committee reports directly to Codigital Lab’s General Management, represented by the CEO.

The functions of the Information Security Committee include:

Reviewing and proposing the approval or modification of the Information Security Policy.
Overseeing the implementation of technical and organizational security measures.
Periodically assessing risks and their treatment.
Promoting security awareness and training activities.
Proposing resources and budgets required for continuous improvement.
Assessing relevant incidents and driving corrective actions.

6.2. ROLES: FUNCTIONS AND RESPONSIBILITIES

According to CCN-STIC Guide 801, the following roles have been formally designated:

Service Owner (RSERV):

Llorenç Solé Borràs (CEO)

Determines the security requirements applicable to the services provided and accepts the residual risk levels associated with those services.

Information Owner (RINFO):

Daniel Fargas Alcántara (CTO)

Determines the security requirements of the processed information, sets security levels, and collaborates in asset classification.

Information Security Officer (RSEG):

Antonio Martínez Cívico

Defines, coordinates, and supervises compliance with security measures. Acts as the point of contact with CCN-CERT or competent authorities. Advises other roles and actively participates in the Security Committee.

System Owner (RSIS):

Daniel Fargas Alcántara

Implements security measures in the system, monitors its status, applies patches, and configures technical security controls. May delegate to technical administrators under his supervision.

Note: If the organizational structure evolves, Delegated Security Officers may be appointed to assume specific functions in coordination with the RSEG.

6.3. APPOINTMENT PROCEDURES

The Information Security Officer (RSEG) will be appointed by Codigital Lab’s General Management, upon proposal of the ICT Security Committee. The appointment will be valid for two years and may be renewed or revoked for justified reasons or organizational changes.

The System Owner (RSIS) will be designated by the area responsible for the corresponding ICT service, in compliance with the provisions of Law 11/2007 (currently repealed, but integrated into Law 39/2015). The formal designation, functions, and responsibilities must be documented.

All responsible parties must sign a document accepting the position and its obligations, which will be kept in the Information Security file.

6.4. INFORMATION SECURITY POLICY

The annual review of this Information Security Policy is the responsibility of the ICT Security Committee. This review will include:

Verification of adequacy to technological, legal, and organizational changes.
Assessment of results from audits, risk analyses, and security incidents.
Updating responsibilities or measures when appropriate.

The updated version will be submitted for approval by Codigital Lab’s General Management and disseminated to all employees and third parties involved in information processing or the provision of technological services.

7. PERSONAL DATA

Codigital Lab processes personal data in the course of its activities, both its own and that of third parties (users, customers, collaborators, and employees), and therefore undertakes to strictly comply with legal obligations regarding personal data protection.

The organization has a Security Document, with restricted access to authorized personnel, identifying the processing operations carried out, assigned responsible parties, categories of data processed, and security measures applied according to their nature, criticality, and purpose.

This document includes:

The files and processing operations carried out by Codigital Lab, including those performed on behalf of third parties.
The responsibilities assigned in relation to such processing.
The technical and organizational measures implemented to guarantee the rights and freedoms of data subjects.

All information systems where personal data processing takes place are classified at the security levels established by the ENS and protected with technical and organizational measures appropriate to the risk of the processing, as required by Article 32 of Regulation (EU) 2016/679 and by the LOPDGDD.

Codigital Lab applies the principle of proactive accountability, which entails:

Identifying and documenting the legal basis for each processing activity.
Applying risk analyses to processing activities and, where appropriate, data protection impact assessments.
Appointing a security point of contact and, where necessary, a Data Protection Officer (DPO).
Keeping the Record of Processing Activities (RoPA) up to date in accordance with Article 30 of the GDPR.
Notifying personal data breaches to the Spanish Data Protection Agency (AEPD) within the legal deadline (72 hours from becoming aware of the breach, under Article 33 of the GDPR) and, where the breach is likely to result in a high risk to their rights and freedoms, communicating it to the affected individuals (Article 34 of the GDPR).

All users of Codigital Lab’s ICT systems receive specific data protection training as part of the security awareness and sensitization program.

8. RISK MANAGEMENT

All information systems within the scope of this Policy must undergo a systematic risk analysis and risk management process, with the aim of identifying, assessing, and treating threats that may affect the security of information and services.

The risk analysis will assess the likelihood of incidents occurring and the potential impact on the confidentiality, integrity, availability, traceability, and authenticity of the affected assets.

The analysis will be mandatorily repeated in the following cases:

At least once a year, as part of the continuous improvement cycle of the management system.
When the managed information or its categories are modified.
When changes are introduced in the services provided or their criticality.
When a serious security incident occurs.
When significant vulnerabilities are detected or reported.

To ensure the consistency and comparability of the analyses carried out, the ICT Security Committee will establish reference values and standardized criteria to harmonize risk assessment for different types of assets, services, and processing activities.

This committee will be responsible for:

Validating the methodology used for analyses (e.g., MAGERIT).
Promoting the use of risk assessment support tools appropriate to the size and complexity of the organization.
Ensuring that the analysis considers both internal and external threats, as well as technological, human, and organizational aspects.
Promoting the planning of cross-cutting investments to mitigate risks common to multiple systems or services.
Facilitating the availability of technical and human resources necessary for effective risk management.

The results of the risk analyses will form part of the system’s security documentation and will be used as a basis to:

Define additional measures beyond those required by the ENS.
Develop risk treatment plans.
Treat the identified risks (mitigate, transfer, or avoid them) and formally accept the residual risk that remains after treatment, in accordance with this security policy.

9. DEVELOPMENT OF THE INFORMATION SECURITY POLICY

This Information Security Policy constitutes the general framework on which Codigital Lab’s entire Information Security Management System (ISMS) is structured, and it is complemented by other specific policies and regulations in related areas, which establish more detailed operational and technical guidelines.

The policies currently in force that complement this ISP include:

Personal Data Protection Policy
Business Continuity and Disaster Recovery Policy
Access Control and User Management Policy
Security Incident Management Policy
Information Classification and Handling Policy
Acceptable Use of ICT Resources Policy
Third-Party Contracting and Relationships Policy

Regulatory development

This Policy will be developed through internal security regulations, which will include:

Operational procedures.
Technical standards.
User instructions.
Good practice guides.

Such regulations will address specific ENS aspects such as asset management, access control, backup management, secure communications, change management, etc., in accordance with the measures in Annex II of Royal Decree 311/2022.

Availability of regulations

All development regulations will be made available to members of the organization who require them, especially:

Technical staff who manage or administer information systems.
Users with access to sensitive services or information.
Collaborators and suppliers with contractual responsibilities regarding security.

The regulations will be available in digital format on Codigital Lab’s website accessible from the internet: Link URL

Any policy development document will be subject to version control and will be formally approved by the ICT Security Committee before entering into force.

10. STAFF OBLIGATIONS

All members of Codigital Lab, regardless of their hierarchical level or function, are obliged to know, respect, and apply the provisions of this Information Security Policy, as well as the complementary security regulations developed from it.

It is the responsibility of the ICT Security Committee to ensure that all information related to policies, regulations, procedures, and technical instructions reaches the affected persons adequately, and that they have the necessary knowledge to comply with their duties.

Awareness and sensitization

In order to foster an organizational security culture, Codigital Lab establishes an annual ICT security awareness program, mandatory for all employees, covering topics such as:

Good practices in the use of systems.
Common risks and their prevention.
Secure information management.
Individual responsibilities under the ENS.

In addition, a continuous sensitization program will be implemented to keep employees up to date regarding new threats, regulatory changes, or technological improvements.

This program will include specific sessions for:

Newly hired staff.
Users with access to specially protected data or critical systems.
Technical and administrative teams with sensitive functions.

Specific technical training

Individuals with technical responsibilities in the use, administration, or operation of ICT systems must receive specific security training appropriate to the functions they perform.

Such training:

Will be mandatory before assuming the position or responsibility, either in a new role or due to reassignment of functions.
Will be adjusted to the criticality of the managed systems and the risk profile of the affected processes.
Will include content adapted to the ENS, data protection regulations, and Codigital Lab’s internal procedures.

All courses, workshops, or training sessions delivered will be documented by the ICT Security Committee, which will also supervise their content and quality.

11. THIRD PARTIES

When Codigital Lab provides services or manages information on behalf of other bodies, whether public or private entities, it will ensure that such bodies are aware of this Information Security Policy, as well as any specific applicable regulations.

In these cases:

A copy of the ISP and relevant annexes will be provided to the representatives designated by the affected bodies.
Communication and coordination channels will be established between security committees, where applicable, or at least between the security officers of both parties.
Joint procedures will be defined for reporting, analysis, and response to incidents that may impact shared services or data.

When Codigital Lab contracts third-party services, technology solutions, or technical support, or shares information with external providers, the following measures will be strictly applied:

Contractual security obligations:

Specific clauses will be included in contracts and service level agreements (SLAs) reflecting the security requirements established by this policy, the ENS, and personal data protection regulations.

Adoption of this policy and related regulations:

The third party will be formally provided with the Security Policy and any additional regulations relevant to the contracted service or shared data.

Provider responsibility:

The provider will be responsible for developing and applying its own operational security procedures, provided that they ensure a level of protection equal to or higher than that required by Codigital Lab.

Incident reporting and handling:

Specific channels will be established for immediate notification of security incidents, as well as documented procedures for their analysis, response, and resolution.

Training and awareness of external personnel:

Third-party personnel will be required to receive appropriate security training and, in particular, training on the rules applicable to services provided to Codigital Lab. Such personnel must have been informed of their obligations and associated risks.

Handling of exceptions

If a third party cannot comply with any aspect of this policy, the Security Officer must issue a risk report that:

Clearly identifies the non-compliant aspects.
Assesses residual risks and their impact.
Proposes compensatory or alternative measures.

This report must be validated and approved by the affected Information Owner and Service Owner before formalizing the contract, continuing with the disclosure of data, or allowing access to the information systems.

Approved by: Llorenç Solé