Information Security Policy

1. Mission and Objectives

SPHERAG’s Management, aware of the commitment made to its clients and the importance of comprehensive security, has established an Information Security Management System within its organization based on Royal Decree 311/2022, of May 3, which regulates the National Security Framework, addressing the following objectives:

• SPHERAG relies on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be diligently managed, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity, and traceability of the information processed or services provided.
• SPHERAG’s goal is to ensure the quality of information and the continuous delivery of services by acting preventively, supervising daily activities, and responding promptly to incidents.
• SPHERAG’s ICT systems must be protected against rapidly evolving threats that could impact the availability, integrity, confidentiality, authenticity, and traceability of the information processed or services provided. Defending against these threats requires a strategy that adapts to changing environmental conditions to ensure continuous service delivery. This implies that departments must comply with all provisions of the National Security Framework (basic principles and minimum requirements), continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare effective responses to incidents to guarantee service continuity.
• SPHERAG’s various departments must ensure that ICT security is an integral part of every stage of the system’s life cycle, from conception to decommissioning, including development or acquisition decisions and operational activities.
• The ultimate objective of SPHERAG’s information security is to ensure that the organization can fulfill its objectives using information systems. Security decisions must consider the following basic principles:
  • Security as an integral process and security by default.
  • Periodic reassessment and system integrity and updating.
  • Personnel management and professionalism.
  • Risk-based security management and risk analysis and management.
  • Security incidents, prevention, reaction, and recovery.
  • Lines of defense and prevention against other interconnected systems.
  • Differentiated function and organization and implementation of the security process.
  • Authorization and access control.
  • Protection of facilities.
  • Acquisition of security products and contracting of security services.
  • Protection of stored and in-transit information.

2. Scope

SPHERAG will apply this Information Security Policy to systems related to the development of applications used within its activities.

Specifically, this Security Policy applies to ICT and the information system associated with activities related to creating IoT solutions for irrigation system control, according to the current statement of applicability.

The organization excludes the application of this Information Security Policy to information systems not reflected in this section.

3. Regulatory Framework

• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data.
• Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
• Royal Decree 311/2022, of May 3, regulating the National Security Framework.
• Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).
• Law 9/2017, of November 8, on Public Sector Contracts.
• REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of July 23, 2014.
• Royal Decree 1720/2007, of December 21, approving the Regulation implementing Organic Law 15/1999, of December 13, on the protection of personal data.

4. Roles and Responsibilities

The Information Owner is responsible for the data and will have the following duties:

• Establish and approve the applicable security requirements for information within the framework established in Annex I of Royal Decree 311/2022, based on proposals from the Security Officer and/or the Information Security Committee.
• Accept the levels of residual risk that affect the information.

The Service Owner will define the requirements for the services provided and will have the following duties:

• Establish and approve the applicable security requirements for the service within the framework established in Annex I of Royal Decree 311/2022, based on proposals from the Security Officer and/or the Information Security Committee.
• Accept the levels of residual risk that affect the service.

The Security Officer will be responsible for making appropriate decisions to meet the information and service security requirements. Duties include:

• Maintain and verify the appropriate level of security for the information handled and electronic services provided.
• Promote training and awareness in information security.
• Appoint individuals responsible for performing risk analysis, declaration of applicability, identifying security measures, determining configurations, and producing system documentation.
• Provide advice for determining the system’s category, in collaboration with the System Owner and/or the Information Security Committee.
• Participate in the development and implementation of security improvement and continuity plans, and validate them when necessary.
• Manage internal and external audits of the system.
• Manage the certification processes.
• Submit for approval any changes or additional requirements to the Information Security Committee.

The System Owner, within their area of responsibility, will perform the following functions:

• Suspend access to information or service delivery if serious security deficiencies are identified.
• Develop, operate, and maintain the information system throughout its lifecycle.
• Prepare the necessary operational procedures.
• Define the system’s topology and management, setting usage criteria and available services.
• Ensure the integration of specific security measures into the overall security framework.
• Provide support to the Security Officer and/or the Information Security Committee regarding the system’s category.
• Collaborate in the creation and implementation of security and continuity improvement plans when required.
• Perform security administration duties, including:
  • Managing, configuring, and updating hardware and software used for security mechanisms.
  • Managing user authorizations, especially privilege levels, and monitoring system activity for compliance.
  • Approving changes to the current system configuration.
  • Ensuring strict compliance with established security controls.
  • Enforcing approved procedures for system handling.
  • Supervising hardware and software installations and modifications to ensure continued compliance.
  • Monitoring security status using event management and technical audit tools.

The Information Security Committee, which spans the entire company, serves as the coordination and conflict resolution body. Its functions include:

• Respond to security-related requests from the organization and its security roles, regularly reporting on the status of information security.
• Advise on information security matters.
• Resolve conflicts of responsibility between administrative units.
• Promote the continuous improvement of the Information Security Management System by:
  • Coordinating cross-department efforts to ensure consistency and alignment with strategy.
  • Proposing improvement plans with corresponding budgets and prioritizing actions when resources are limited.
  • Ensuring that information security is considered in all projects from planning to implementation.
  • Promoting shared services that reduce duplication and support consistent operation across all ICT systems.
  • Monitoring residual risks and recommending actions.
  • Overseeing security incident management and recommending responses.
  • Reviewing and proposing updates to this policy for approval by senior management.
  • Developing supporting security regulations and procedures in coordination with management.
  • Reviewing procedures and documentation for approval.
  • Creating training programs to raise awareness, particularly regarding personal data protection.
  • Defining required qualifications and training for administrators, operators, and users.
  • Promoting regular ENS and data protection audits to verify compliance.

The overall responsibility for information security lies with the Security Officer, with final accountability resting with the Information Security Committee and the senior management of SPHERAG as the highest authority in the Information Security Management System. The composition and duties of the Committee are outlined in its official meeting records.

SPHERAG management is responsible for appointing the:

• Information Owner
• Service Owner (can also be the Information Owner)
• Security Officer
• System Owner

Appointments will be reviewed every two years or when any position becomes vacant.

In the event of a conflict between roles, it will be resolved by their direct supervisor, or failing that, the Security Officer’s decision will prevail.

By this statement, SPHERAG’s management assumes ultimate responsibility for compliance with this policy.

5. Policy Review

The Information Security Committee is responsible for annually reviewing this Information Security Policy and proposing updates or continuation. The policy must be approved by Management and communicated to all relevant stakeholders.

6. Personal Data

SPHERAG will only collect personal data that is appropriate, relevant, and not excessive, in relation to the purposes for which it was collected. Technical and organizational measures will be adopted to comply with applicable data protection regulations.

With the General Data Protection Regulation (EU) 2016/679 (GDPR) effective from May 25, 2018, and its incorporation into Spanish law via Organic Law 3/2018 of December 5, measures such as the legal legitimacy analysis of data processing, risk analysis, impact assessments (if high risk), activity records, and appointment of a Data Protection Officer (DPO) have been implemented.

SPHERAG must ensure compliance with its established data protection policy.

7. Risk Management

All systems subject to this policy must undergo a risk analysis to evaluate threats and vulnerabilities. This analysis must be repeated:

• Regularly, at least once a year.
• When the type of information processed changes.
• When the services provided change.
• In the event of a major security incident.
• When serious vulnerabilities are reported.

To standardize risk assessments, the Information Security Committee will define baseline values for different types of data and services. The committee will also promote resource availability and horizontal security investments.

8. Staff Obligations

Each user of SPHERAG’s information systems is responsible for protecting information assets through correct usage, in line with their professional and academic roles.

All SPHERAG members are required to know and comply with this Information Security Policy and related regulations. The Information Security Committee will ensure this information reaches all relevant parties.

All staff will receive information security training. A continuous awareness program will be established, especially targeting new hires.

Personnel responsible for using, operating, or managing ICT systems will receive training appropriate to their responsibilities. This training is mandatory before assuming new roles or job changes.

Failure to comply with this Information Security Policy may result in disciplinary measures, without prejudice to any applicable legal actions.

9. Third Parties

When SPHERAG provides services to or manages information for third-party entities, those parties will be informed of this Information Security Policy. Coordination channels and incident response procedures will be established with their respective Information Security Committees.

When SPHERAG uses third-party services or shares information with them, those third parties will also be made aware of this policy and related regulations. They will be required to comply with its provisions and may implement their own procedures to ensure compliance. Incident response protocols and awareness programs will be established to ensure third-party staff meet SPHERAG’s security standards.

If a third party cannot comply with any part of this policy, a Security Officer’s report detailing the associated risks and mitigation measures will be required. Approval from the relevant Information and Service Owners must be obtained before proceeding.