1. INTRODUCTION
Vidas Prime holds a large amount of sensitive information on which its performance, sustainability, security and ability to maintain and develop its activities and results depend.
This information heritage covers:
- Information on pre-sales, production and management, necessary for the operation of the various entities within the group.
- Intellectual heritage, composed of all the information treasured across the group with its knowledge and know-how.
- Information about its clients or third parties with whom it is in contact, whose alteration or disclosure could damage its brand image, that of its clients or interested third parties, or even lead to legal action.
- Information about its staff, such as administrative records, whose disclosure would constitute a violation of privacy.
The purpose of this document is to present the Information Systems Security Policy of Vidas Prime to protect information assets from the wide range of threats (fraud, espionage, accidents, human errors, etc.), in order to establish the trust of our clients, comply with legal and regulatory frameworks and with Vidas Prime’s objectives in information security.
This policy is the cornerstone of Vidas Prime’s global information security programme, aimed at protecting the information assets included within the scope of the Information Security Management System (hereinafter, ISMS).
This document provides the framework for information security. It ensures: availability, authenticity, integrity, confidentiality and traceability of information.
The senior management of Vidas Prime commits to putting in place the means and actions necessary to implement this policy.
The policy is accessible to any Vidas Prime employee through the intranet and through the Security Department for any interested party who requests it.
2. SCOPE
This policy is a document applicable to all Areas and all personnel of Vidas Prime.
The organisation of security roles and functions is defined at corporate and operational level and is developed in the organisational model.
The functional perimeter of this policy covers all Vidas Prime information assets, that is, all means to create, acquire, process, store, distribute or destroy information:
- Information: any data stored in electronic or paper format belonging to Vidas Prime, employees, suppliers or their clients.
- Materials: all physical elements that support processes (laptop, server, printer, removable media, reader, storage cabinet, etc.).
- Software: all programmes or executables that contribute to data operations (operating system, monitoring software, office suite, executables, etc.).
- Network: all communication devices used in the interconnection of different computers or remote elements of an information system (router, firewall, dedicated communication lines, telephone network, IP network, etc.).
- Personnel: all those involved in the information system (Vidas Prime staff, subcontractors, collaborators, etc.).
- Locations: all Vidas Prime sites and the physical requirements for the operation of these sites (building, offices, dedicated room, telephone lines, etc.).
- Organisational structure: all elements that form part of the organisation and its functioning (organisational model, internal and business processes, etc.).
Likewise, the scope of the Information Security Management System established, documented, implemented and maintained by the Organisation applies to the information systems that support the processes of design, development, operation and maintenance of the SaaS digital health platform for the intelligent management of healthcare and administrative workflows, the interoperability of clinical data and support for decision-making through advanced information processing and anonymisation systems, deployed in a cloud architecture, in accordance with the statement of applicability in force.
3. OBJECTIVE
This policy has as its main objective to ensure the availability, integrity, confidentiality, authenticity, traceability, intended use and value of information and services, together with the technology and information assets of Vidas Prime.
The generic objectives that Vidas Prime has established are:
- To provide confidence to clients by protecting their information throughout its entire lifecycle.
- To facilitate the continuous improvement of security processes, procedures, products and services.
- To comply with legal business requirements and other client requirements (explicit and implicit) related to information security.
- To ensure business continuity by establishing contingency projects in critical services while maintaining security at all times.
- To ensure that the necessary resources are provided to guarantee security, as well as to assign functions and responsibilities to all Vidas Prime personnel.
- To raise awareness, train and motivate Vidas Prime personnel on the importance of the development and implementation of the Information Security Management System in order to meet the strategic business objectives, and on their involvement in their correct achievement.
4. MANAGEMENT COMMITMENT
This policy sets out the commitments made by senior management in the area of information security. To achieve a high level of security for our clients:
- We guarantee the security of our clients’ assets: the information heritage entrusted to us by our clients must be protected against any alteration, loss, damage, disclosure or unauthorised access.
- We ensure a high level of security in the services and/or projects we carry out for our clients.
- We reinforce the conformity of the information system in order to minimise risks for our clients.
- We promote a culture of information security throughout the organisation.
- We manage security incidents in order to limit the impacts for Vidas Prime and our clients.
5. LEGAL FRAMEWORK
The legal and regulatory framework in which we carry out our activities is:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
- Royal Legislative Decree 1/1996, of 12 April, Intellectual Property Law.
- Royal Decree-Law 2/2018, of 13 April, amending the consolidated text of the Intellectual Property Law.
- Royal Decree 311/2022, of 3 May, regulating the National Security Framework.
- Royal Decree 203/2021, of 30 March, approving the Regulation on the action and functioning of the public sector by electronic means.
- Law 11/2007, of 22 June, on electronic access by citizens to Public Services.
- Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.
6. PRINCIPLES AND GUIDELINES
Vidas Prime depends on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed with diligence, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality or traceability of the information processed or the services provided.
The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, monitoring daily activity and reacting promptly to incidents.
6.1 Mission and Objectives
At Vidas Prime we are a Community of talented experts with the mission of helping our clients transform information silos, data complexity and digitalisation processes into true business opportunities that help them make better decisions, be more efficient and develop better products and services.
At Vidas Prime we pursue, at least, the following objectives:
- Use of corporate ICT resources, such as email, internet access, IT and communications equipment.
- Management of information assets, which are inventoried, categorised and associated with a responsible party.
- Mechanisms so that any person who accesses, or may access, information assets knows their responsibilities, thereby reducing the risk arising from misuse of those assets.
- Physical security, so that information assets are located in secure areas, protected by physical access controls appropriate to their criticality level. The systems and information assets contained in those areas will be sufficiently protected against physical or environmental threats.
- Security in the management of communications and operations, so that information transmitted through communication networks is adequately protected, taking into account its level of sensitivity and criticality, through mechanisms that guarantee its security.
- Access control, limiting access to information assets by users, processes and information systems through identification, authentication and authorisation mechanisms appropriate to the criticality of each asset.
- Acquisition, development and maintenance of information systems, incorporating information security aspects at all stages of the lifecycle of those systems.
- Management of security incidents, implementing appropriate mechanisms for the correct identification, recording and resolution of security incidents.
- Continuity management, implementing appropriate mechanisms to ensure the availability of information systems and to maintain the continuity of business processes.
6.2 Prevention
To defend against threats, the various Areas and Departments of Vidas Prime must apply the minimum security measures required by the National Security Framework (ENS), as well as ensure that ICT security is an integral part of every stage of the system lifecycle.
Security requirements and funding needs must be identified and included in planning, proposals and tender documents for ICT projects.
Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with Article 7 of the ENS.
To ensure compliance with the policy, departments must:
- Authorise systems before they enter into operation.
- Request periodic review by third parties in order to obtain an independent assessment.
6.3 Detection
Since services can deteriorate rapidly due to incidents, ranging from a simple slowdown to their complete cessation, service operation must be continuously monitored to detect anomalies in service provision and act accordingly, as established in Articles 8 and 9 of the ENS.
Detection, analysis and reporting mechanisms will be established that reach those responsible on a regular basis and when a significant deviation from the parameters pre-established as normal occurs.
6.4 Response
Vidas Prime and all its Areas and Departments must:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in other departments or other organisations.
- Establish protocols for the exchange of information related to the incident.
6.5 Recovery
To guarantee the availability of critical services, the Areas and Departments of Vidas Prime must develop ICT systems continuity plans as part of their general business continuity and recovery activities plan.
7. SECURITY ORGANISATION
The implementation of this Security Policy at Vidas Prime requires that all members of the Organisation understand their obligations and responsibilities according to the position they hold.
As part of this Policy, the main roles are identified and detailed as follows: Security Officer, Information Officer, Service Officer and Systems Officer.
The Security Committee will be the body responsible for approving the policy and will be responsible for authorising its modifications, as well as all documented information of the organisation’s ISMS/ENS.
The Security Officer will be the one who makes the appropriate decisions to meet the security requirements of information and services. They will have the following functions:
- Supervising compliance with this Policy and its derived rules and procedures.
- Advising the members of the Security Committee who require it on security matters.
The Information Officer will be responsible for communicating this policy, and any changes made to it, to all Vidas Prime personnel, as well as for coordinating the implementation, maintenance and improvement actions of the organisation’s ISMS/ENS, and its audits, together with the Systems Officer.
The Systems Officer will be responsible for managing the technical security requirements of the information systems.
The Service Officer will be responsible for managing the security requirements of their area’s activities for the provision of services.
All Vidas Prime personnel, both internal and external, will be responsible for complying with this Information Security Policy within their area of work, as well as for applying all documented information on the ISMS security controls and measures of Vidas Prime in their work activities that affect their performance in information security.
8. APPOINTMENTS AND CONFLICT RESOLUTION
Coordination is carried out within the Vidas Prime Board of Directors, which may delegate to the Security Committee.
Appointments are established by the senior management of Vidas Prime and are reviewed every 2 years or when a position becomes vacant.
Differences of criteria that could lead to a conflict will be dealt with within the Security Committee and the criteria of the executive Board will prevail in all cases.
9. DISSEMINATION, UPDATE AND REVIEW OF THE POLICY
It will be the mission of the Security Committee to carry out the annual review of this Information Security Policy and to propose its revision or maintenance.
The Policy will be approved by the senior management of Vidas Prime and will be disseminated so that all affected parties are aware of it.
This Policy will be developed through security regulations that address specific aspects. The security regulations will be available to all members of the organisation who need to know them, in particular for those who use, operate or administer information and communications systems.
10. DOCUMENTATION STRUCTURE
The Security Officer will be the person responsible for the custody and dissemination of the approved version of the documentation generated.
The documentation on which this policy is based will be composed of a set of Standards, guidelines and procedures that will help users in the development of their tasks.
11. PERSONAL DATA
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the Spanish legislation in force, Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, define the conditions under which the processing of personal data may be carried out. They grant the persons affected by the processing the right to access and correct the data recorded in their account.
Vidas Prime has designated the role of Data Protection Officer (DPO) whose mission is to ensure compliance with these provisions.
Before carrying out any processing, it is mandatory for the data controller/processor to consult with the DPO.
Vidas Prime will only collect personal data when it is adequate, relevant and not excessive, and when it is related to the scope and purposes for which it was obtained. Likewise, it will adopt the technical and organisational measures necessary for compliance with the Data Protection regulations. These measures will be included in the policies, regulations and procedures that emanate from this security policy.
12. RISK MANAGEMENT
All systems subject to this Policy must carry out a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be repeated:
- Regularly, at least once a year.
- When the information handled changes.
- When the services provided change.
- When a serious security incident occurs.
- When serious vulnerabilities are reported.
For the harmonisation of risk analyses, the Security Committee will establish a reference assessment for the different types of information handled and the different services provided.
The Security Committee will promote the availability of resources to meet the security needs of the different systems, promoting horizontal investments.
Risk management will be documented in a Risk Analysis and Management Plan.
13. NON-COMPLIANCE
Vidas Prime may take appropriate measures against any person whose contravention of this Security Policy results in a threat to the business and/or the maintenance of activities, or in a violation of the legal regulations and/or contractual agreements to which Vidas Prime is bound.
The level and degree of the measures will depend on the nature, intent and scope of what has been contravened.
Both in the case of employment relationships and those of any other nature, Vidas Prime reserves the right to take legal action, regardless of the termination of the contractual relationship, depending on the damage caused to the company.
14. THIRD PARTIES
When Vidas Prime uses third-party services or transfers information to third parties, they will be made participants in this Policy and in the Security Regulations that relate to those services or information.
Said third party will be subject to the obligations established in those regulations and may develop their own operational procedures to satisfy them. If necessary, specific incident reporting and resolution procedures will be established. It will be ensured that third-party personnel are adequately aware of security matters, at least to the same level as established in this Policy.
When any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, a report from the Security Officer will be required specifying the risks incurred and how to address them. Approval of this report by those responsible for the affected information and services will be required before proceeding.
15. TRAINING AND AWARENESS
An annual training and awareness action in the area of security will be carried out. The objective of the training and awareness action is twofold:
- To keep personnel most directly related to the handling of information and the systems that process it informed about existing security procedures, risks, protection measures, protection plans, etc.
- To raise awareness among personnel in general of the importance of security and the basic procedures for handling and exchanging information.
16. REMOTE WORKING
This policy and its associated procedures, regulations and provisions will apply, and are therefore mandatory, for all Vidas Prime personnel working under a Remote Working arrangement.
17. BACKGROUND CHECKS
Background checks on all job candidates must be carried out in accordance with applicable laws, regulations and ethical codes and must be proportional to the business needs and the classification of the information accessed and the perceived risks.
18. MANAGEMENT RESPONSIBILITIES
Management must require employees and contractors to apply information security in accordance with the policies and procedures established in the Organisation.
19. APPROVAL AND ENTRY INTO FORCE
This Information Security Policy will be approved by Senior Management by signature and will be disseminated to the interested parties of Vidas Prime.
Likewise, senior management will provide the necessary resources for the effective application of this policy, and for its proper development, both in the implementation activities and in its subsequent maintenance and improvement of the entire Vidas Prime ISMS.