Security Policy

ALTEN GROUP Management Agreement: “ALTEN GROUP Security and Privacy Policy in accordance with the National Security Scheme, ISO 27001 and ISO 27701”.

Article 156.2 of Law 40/2015, of 1 October, on the Public Sector Legal Regime, provides for the creation of the National Security Scheme by means of regulation.

In compliance with and development of this law, Royal Decree 311/2022 of 3 May was approved, regulating the National Security Scheme in the field of electronic administration. The purpose of this regulation is to establish the basic principles and minimum requirements of a security policy for the use of electronic media, which allows for the adequate protection of information.

Scope: It applies to public administrations to ensure access, integrity, availability, authenticity, confidentiality, traceability and conservation of data, information and services used in the electronic media managed in the exercise of their competences.

This policy aims to provide the necessary conditions of confidence in the use of electronic media, through a series of measures that guarantee the security of systems, data, communications and electronic services in such a way as to allow users to exercise their rights and ALTEN GROUP to fulfil its duties through these electronic media.

Article 11 of the aforementioned Royal Decree establishes that all senior public administration bodies must formally have a security policy that articulates the ongoing management of security, which will be approved by the head of the corresponding senior body.

This security policy shall be established in accordance with the above basic principles and shall be developed by applying the following minimum requirements:

  1. Organisation and implementation of the security process.
  2. Risk analysis and management.
  3. Personnel management.
  4. Professionalism.
  5. Authorisation and control of access.
  6. Protection of facilities.
  7. Procurement of products.
  8. Security by default.
  9. System integrity and updating.
  10. Protection of stored and in-transit information.
  11. Protection against other interconnected information systems.
  12. Logging of activity.
  13. Security incidents.
  14. Business continuity.
  15. Continuous improvement of the security process.

In compliance with the National Security Scheme provisions, the ALTEN GROUP Management has agreed to approve the following document in each and every one of its points.

1. APPROVAL AND ENTRY INTO FORCE.

Text approved on 09 May 2023 by the ALTEN GROUP Management.

This Information Security Policy is effective from that date and until it is replaced by a new Policy.

2. VALIDITY AND ACCEPTANCE OF SECURITY POLICY

This policy shall be effective from the date of signature.

Ensuring that all persons who have an influence on security are aware of the policy and the objectives set out will be achieved through its dissemination by the Head of Security Management to all the appropriate levels of the organisation, and through the distribution of the documents that apply to each level in the different work posts.

When an employee (internal or external) joins the organisation, he/she accepts the organisation’s security policy and undertakes to comply with it.

This policy shall be reviewed at least annually at management reviews of the system to ensure its continuing suitability and effectiveness. Significant changes in the legal and business framework, audit results, risk analysis and suggestions for improvement shall be taken into account.

In this regard, documented and quantifiable objectives shall be established, which shall be drawn up and periodically reviewed by management.

3. INTRODUCTION

The Information Security Policy is drawn up in compliance with the following legal requirements:

  • Royal Decree 311/2022 of 3 May, which regulates the National Security Scheme (ENS).
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD).

In order for the services offered by ALTEN GROUP to be provided efficiently, in terms of service level, security, availability and scope, the company’s management is committed to management based on strict compliance with any legal requirements that affect it, on the creation of value for its customers and on the implementation of a series of good practices articulated through reference models such as the ISO standards and the ENS. It is likewise committed to taking the appropriate measures to protect the information processed and the services provided against accidental or deliberate damage that may affect their availability, integrity, confidentiality, authenticity or traceability.

For this reason, ALTEN GROUP has decided to develop its Information Security Policy, which sets its Security Objectives aligned with business needs, the recognition of the added value of the systems to be protected and an understanding of the risks associated with these systems and expressed in the following terms:

  • Compliance with business requirements.
  • Protection of affected assets from internal, external, accidental or deliberate threats, unauthorised access, etc.
  • The information security risks of all the services provided by the organisation included in the scope of the system shall be analysed and the associated controls necessary to mitigate the risks identified shall be established. These security controls shall be developed in accordance with the guidelines set out in the Information Security Regulations and the ENS.
  • Maintaining the risk to which the information is subject below the level required by ALTEN GROUP.
  • Cost optimisation and guaranteed security in the provision of the services included in the scope by ALTEN GROUP, ensuring the confidentiality of the information and maintaining its integrity and availability.
  • Compliance with legislative and regulatory requirements.
  • Preparation, maintenance and testing of Business Continuity Plans.
  • Establishing an Information Security Training and Awareness Plan to help the personnel involved to know and comply with this policy, and to prevent identified or potential risks.
  • Management of all types of security incidents.
  • Continuous improvement system implementation based on permanent management control and the risk management strategy adopted by the company.

The Security Policy is developed by means of specific documents (Procedures…), which determine, within its scope, the way in which this policy must be applied to the different assets and ALTEN GROUP processes included within the Scope of the ISMS, so that, by achieving their particular objectives, they contribute to the fulfilment of the mission and objectives of the company.

For all these reasons, ALTEN GROUP’s Management explicitly declares its knowledge and approval of the policy developed in this area, so that all affected staff (internal or external) must be aware of it and apply it as part of the tasks inherent to their role in the company.

ALTEN GROUP provides the necessary resources for the effective application of this policy, and for its proper development, both in the implementation activities and in the subsequent maintenance of the entire Information Security Management System.

This policy is known by all ALTEN GROUP personnel covered by the scope, in accordance with the requirements of the Management.

3.1  Prevention

ALTEN GROUP must avoid, or at least prevent as far as possible, information or services from being damaged by security incidents. To do so, the departments must implement the minimum security measures determined by the ENS and the LOPD, as well as any additional controls identified through threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.

To ensure compliance with the policy, departments should:

  • Authorise systems before they go into operation.
  • Regularly assess security, including assessments of configuration changes made on a routine basis.
  • Request periodic review by third parties in order to obtain an independent assessment.

3.2 Detection

Since services can degrade rapidly due to incidents, ranging from a simple slowdown to a standstill, it is necessary to monitor the operation continuously to detect anomalies in service provision levels and to act accordingly as set out in Article 9 of the ENS.

Monitoring is particularly relevant when establishing lines of defence in accordance with Article 8 of the ENS. Detection, analysis and reporting mechanisms shall be established to reach those responsible, both on a regular basis and when there is a significant deviation from the parameters that have been preset as normal.

3.3 Response

ALTEN GROUP shall:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications regarding incidents detected in other departments or other agencies.
  • Establish protocols for the exchange of incident-related information. This includes two-way communications with Emergency Response Teams (CERTs).

3.4 Recovery

To ensure the availability of critical services, ALTEN GROUP develops system continuity plans as part of its overall business continuity plan and recovery activities.

4. SCOPE

ALTEN GROUP applies an ISMS based on ISO 27001 whose scope is “THE INFORMATION SECURITY MANAGEMENT SYSTEM THAT SUPPORTS CONSULTING SERVICES, INFORMATION TECHNOLOGY AND ENGINEERING SERVICES, THE MANAGEMENT PROCESSES OF THE BUSINESS ACTIVITY, THE BID MANAGEMENT FOR PROJECTS IN THE PUBLIC ADMINISTRATION DOMAIN, ALSO TO THE DATA SECURITY OF THOSE PROJECTS IN WHICH SECURITY REQUIREMENTS OF THE MANAGEMENT ARE REQUESTED BY THE CLIENT, ACCORDING TO THE STATEMENT OF APPLICABILITY”, covering its offices in Madrid, Lisbon, Optimissa and Alten Delivery Center Spain.

ALTEN GROUP applies the National Security Scheme (ENS) to the information system that supports the Technological Implementation Services, Software Development, Infrastructure Management and Application Support, including support for NEDAES, in category HIGH according to the Declaration of Conformity in force.

ALTEN GROUP applies ISO 27701 within its privacy information management system, as data controller for the following processing activities of the ALTEN GROUP company:

  • Customer management
  • Supplier management
  • PRL Service
  • HR management
  • Visitor access control and video surveillance of ALTEN GROUP facilities.

And as data processor for:

1) The information systems that support the management process of the commercial activity and the management of bids for projects in the area of public administration,

2) Information security for those projects in which the client requires security and privacy requirements regarding the execution of the project.

In accordance with the Statement of Applicability for the protection of personal data, version 1.0, and the Record of Processing Activities, version 1.0.

5. MISSION

ALTEN GROUP, within the framework of the purposes and functions legally and statutorily conferred upon it, is responsible for the implementation and execution of, among others, the following actions:

(i) Ensuring the satisfaction of the general interests related to the client.

(ii) Exclusive representation of this profession within the scope of its competence.

(iii) Defence of the professional rights and interests of workers.

(iv) The provision of services that contribute to the success of our stakeholders, while at the same time fostering the ongoing development of the organisation and of the people linked and related to it.

6. REGULATORY CONTEXT

The definition of a suitable information security management system such as that of ALTEN GROUP must take into account at least the following regulatory provisions:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  • Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
  • Royal Decree 311/2022 of 3 May, which regulates the National Security Scheme.
  • Law 34/2002 of 11 July 2002 on information society services and electronic commerce.
  • Royal Legislative Decree 1/1996, of 12 April 1996, approving the revised text of the Intellectual Property Law, regularising, clarifying and harmonising the legal provisions in force on the matter.
  • Law 6/2020, of 11 November, regulating certain aspects of electronic trust services.
  • Law 9/2017, of 8 November, on Public Sector Contracts.
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.
  • Royal Decree 1720/2007, of 21 December, approving the Regulations implementing Organic Law 15/1999, of 13 December, on the protection of personal data.

Also included in the regulatory context are the ENS guidelines, in their most up-to-date version and in accordance with RD 311/2022.

As well as the following normative provisions from Portugal:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Decree-Law no. 7/2004 – Information society services, in particular e-commerce (transposes Directive 2000/31/EC).
  • Law no. 51/2011 – Amends the Electronic Communications Law, which establishes the legal framework applicable to networks and related services and defines the competences of the National Regulatory Authority in this area, transposing Directives no. 2002/19/EC, 2002/20/EC, 2002/21/EC, 2002/22/EC and 2009/140/EC.
  • Law no. 58/2019 – Ensures the implementation in national law of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • Law no. 46/2012 – Transposes Directive 2009/136/EC, insofar as it amends Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the electronic communications sector, making the first amendment to Law no. 41/2004.

7. SECURITY ORGANIZATION

All ALTEN GROUP personnel involved in the processes included in the scope shall be responsible for the implementation of this Information Security Policy, within their areas of responsibility, as well as for the compliance with this policy by their work team.

7.1 Committee: roles and responsibilities

The ALTEN GROUP’s Quality and Information Security Committee has the following main functions:

  • Implementation and continuous updating of the area’s ISMS. This Committee will ultimately be responsible for ensuring the correct development and implementation of the ISMS within the scope, defining the appropriate actions to achieve this purpose.
  • Implementation of the plans defined in the Review and Continuous Improvement Procedure.
  • Ensure that the information security objectives are identified, are in accordance with the entity’s requirements and are integrated into the critical processes.
  • Creation of a forum to discuss and coordinate the strategic aspects affected within the scope of the ISMS at corporate level and at business, organisational, technical and people management levels.
  • Analysis and resolution of complaints and non-conformities detected within the scope of the ISMS and proposal / validation of the associated work plan / corrective actions.
  • Provision of the internal and external resources necessary for the proper functioning of the ISMS.

7.2 Roles: functions and responsibilities

The roles and responsibilities to be taken into account as part of the application of the Security Policy within the scope of the ISMS implemented in ALTEN GROUP are set out in more detail below:

  • The ALTEN GROUP Management is the body responsible for approving the policy and authorising its modifications.
  • The Head of Security Management (RGS) is the person in charge of coordinating all security-related actions within the scope of the ISMS.

The Head of Security Management (RGS) is also responsible for centralising the management of ISMS activities in the organisation. Within this scope, he/she will have the following functions:

  • Periodically convene the Quality and Information Security Committee, coordinating its actions and preparing the relevant presentations or reports for the monitoring of the project to deal with issues concerning the organisation’s ISMS activities.
  • Keeping minutes of these meetings (the minutes are treated as auditable records of the system).
  • Report to the Management Committee, making relevant presentations or reports as necessary.
  • Definition and application of the PDCA cycle, by carrying out and supervising tasks, both its own and those assigned to the Committee.
  • Carrying out the annual Risk Analysis and preparation/submission of the corresponding report to the Management and/or Committee.
  • Preparation and presentation of the annual Review and Improvement Reports.
  • Proposing to Management the annual generic objectives for improvement of the system.
  • Annual updating of the documents (regulations, policies, procedures, manuals…) and records that form the basis of the system, paying close attention to ensure that there are no discrepancies between the documentation and the current situation in the organisation.
  • Definition of the indicators that make up the Scorecard in each improvement cycle, establishing specific objectives for each one.
  • Coordination with the Legal Department for the periodic review of applicable legislation on information security and compliance with data protection requirements.
  • Ensuring the exercise of data subjects’ rights.
  • Coordination with IT for the preparation and closure of Security Incident Reports, taking the necessary measures.
  • Management of the Control Registers together with those responsible for the areas included in the scope.
  • Coordinating the actions of the annual internal audit, which must be carried out prior to the external audit, mainly checking compliance with the objectives set on the scorecard indicators, and the actions included in the annual Risk Action and Treatment Plans.
  • Determining the decisions needed to satisfy the information and service security requirements.
  • Coordination with IT for the review of new applications, in terms of security requirements, giving consent for their implementation in production, after carrying out and analysing the results of the relevant security audit (following the procedures established within the system).
  • Information Controllers and Users are responsible for knowing, making known, complying with and enforcing compliance with the current Information Security Policy and the tasks derived from procedures, standards and instructions.

In general, corporate information security responsibilities are distributed as follows:

– Information Controller: Determines and defines the requirements of the information processed.

– Information User: any person who accesses the information contained in the asset. It is their responsibility to access it on a need-to-know basis and in accordance with defined policies and procedures.

  • The Service Manager is the person in charge of transferring and defining the security requirements to the projects and/or services within the scope. This definition must be aligned with the requirements defined by the Head of Security Management and the System Manager, and the security requirements must be aligned with the project requirements.
  • The System Manager has the following functions:
    – Develop, operate and maintain the information system throughout its lifecycle, including its specifications, installation and verification of its correct operation.
    – Define the topology and management of the information system, establishing usage criteria and the services available in it.
    – Ensure that security measures are adequately integrated into the general security framework.
  • Human Resources, or the area managers in the case of external employees, will fulfil the function of notifying all incoming personnel of their obligations regarding compliance with the Information Security Policy and all the standards, procedures and practices derived from it.
  • The Legal Area Manager (DPO) has the following functions:
    – Verify compliance with this policy in the management of all contracts, agreements or other entity documentation with its employees and third parties.
    – Verify compliance with data protection requirements.
    – Ensure that data subjects can exercise their data protection rights.

The person proposed by the Quality and Information Security Committee will be responsible for conducting periodic audits of systems and activities related to information technology, and must report on compliance with the specifications and information security measures established by this policy and the standards, procedures and practices that arise from it.

Designation Procedure

The Management of ALTEN GROUP appoints:

  • The Head of Security Management (RGS).
  • The Information Controllers.

Appointments will be reviewed every 2 years or when the position becomes vacant.

Information Security Policy

The mission of the Quality and Information Security Committee will be the annual review of this Information Security Policy and the proposal for its revision or maintenance. The Policy will be submitted to Management for approval and disseminated so that all affected parties know it.

This policy will be reviewed at least annually, and its changes must be approved by the company’s Management.

8. RISK MANAGEMENT

All systems subject to this Policy must carry out a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be repeated:

  • Regularly, at least once a year.
  • When the information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.

For the harmonisation of risk analyses, the Quality and Information Security Committee will establish a reference valuation for the different types of information handled and the different services provided. The Committee will promote the availability of resources to meet the security needs of the different systems, favouring horizontal investments.

Risk management will be documented in the Risk Analysis and Management report.

9. DEVELOPMENT OF THE INFORMATION SECURITY POLICY

This Information Security Policy complements the rest of the procedures, processes, and technical instructions approved by the Management.

The security regulations will be available on the intranet, in the internal tool Inside and on the company’s website to all members of the organisation who need to know them, particularly those who use, operate or administer information and communication systems.

10. STAFF OBLIGATIONS

All employees of ALTEN GROUP are obliged to know and comply with this Information Security Policy and the Security Regulations; it is the responsibility of the Quality and Information Security Committee to provide the necessary means for the information to reach those affected. Likewise, all the procedures and technical instructions that make up the information security management system are mandatory.

All employees of ALTEN GROUP will receive adequate security awareness information. A continuous awareness programme will be established for all employees of ALTEN GROUP, particularly those newly incorporated.

People with responsibility for the use, operation or administration of ICT systems will receive training in the secure handling of those systems to the extent that they need it to perform their work. Training will be mandatory before assuming a responsibility, whether it is their first assignment or a change of job or responsibilities within it.

11. THIRD PARTIES

When ALTEN GROUP provides services to third parties or handles their information, they will be made participants in this Information Security Policy, channels will be established for reporting and coordination between the respective Committees, and procedures will be established for action in response to security incidents.

When ALTEN GROUP uses services from third parties or transfers information to third parties, they will be made participants in this Security Policy and in the Security Regulations that pertain to such services or information. Such third parties will be subject to the obligations established in these regulations and may develop their own operational procedures to satisfy them. Specific reporting and incident resolution procedures will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least at the same level as established in this Policy.

When some aspect of the Policy cannot be satisfied by a third party as required in the previous paragraphs, a report from the Security Manager will be required that specifies the risks incurred and how to deal with them. Approval of this report by the managers of the information and the affected services will be required before proceeding.

12. VIOLATION OF THE SECURITY POLICY

Non-compliance with the Security Policy and Regulations by an employee (internal or external) may give rise, in the employment sphere, to liabilities in accordance with the provisions of the Workers’ Statute and, in the case of a civil or commercial relationship with ALTEN GROUP, to the liabilities derived from the nature of that relationship.

13. DOCUMENTATION CLASSIFICATION CRITERIA

The classification, labeling, and protection of information will be done as established in procedure PO-SI-06 Procedure for Classification, Labeling, and Protection of Information, which establishes the levels of information classification in Public, Internal, and Confidential.

14. PERSONAL DATA

ALTEN GROUP processes personal data. The Security Document, which may only be accessed by authorised persons, lists the files concerned and the persons responsible for them. All ALTEN GROUP information systems will comply with the security levels required by the regulations for the nature and purpose of the personal data recorded in the aforementioned Security Document.

15. DATA CONTROLLER

In compliance with the provisions of the General Data Protection Regulation (hereinafter “GDPR”), we inform you that the data collected about you, and which you have provided, are incorporated into a file whose controller is ALTEN SOLUCIONES PRODUCTOS AUDITORIA E INGENIERÍA, S.A.U. In accordance with Article 13 of the GDPR, the following information is provided regarding the processing of your personal data:

Controller: ALTEN SOLUCIONES PRODUCTOS AUDITORIA E INGENIERÍA, S.A.U
C.I.F.: A79153920
Address: Calle Vía de los Poblados 3, edificio 5 planta 2, 28033 Madrid
Contact: Attn. Data Protection Officer
E-mail: gestiondedatos@alten.es
Phone number: 917910000

16. PRIVACY POLICY FOR CANDIDATES AND CONTACTS

ALTEN GROUP establishes Privacy Policies for contacts and candidates, as well as relevant legal information for its stakeholders. All policies are published on its website.