Software i Automatismes Morvedre S.L. (in ahead SiAM) considers information an essential asset for the activities it develops and therefore should be protected. It is for this reason that, through this policy, the guidelines and basic principles of information security, understanding therefore all those factors associates to the protection of it, such as the systems that process and store it, the infrastructure of support who provides service, the facilities where they are located and the people who perform a treatment on they; regarding any threat that may affect the integrity, availability and / or confidentiality of the information.

Objectives of Information Security

To promote information security in all areas of the organization, SiAM establishes the following general objectives:

• Comply with the legal and contractual requirements applicable to the development of their functions, in special, and for the purposes of this Policy, in matters related to information security.
• Disseminate among all staff and enforce the applicable processes and regulations regarding information security, individually based on their tasks within the organization.
• Guarantee the protection of information, through the correct application of measures under the beginning security by default, the correct use of the systems that process it that are the responsibility of the organization, and the limitation of access according to the need to know people.
• Maintain the secrecy of the information and not disclose it to third parties, unless the communications are part of the employment relationship and in compliance with the due guarantees of confidentiality.

To achieve these objectives, SiAM will promote adapted and updated initiatives, within a framework of continuous improvement, to the legal, strategic and contractual needs of the organization, the expectations of interested parties, and the results of the assessment and treatment of risk in information security matters.

Likewise, the Management undertakes to promote these initiatives, granting the necessary resources and carrying out the due follow-up for its achievement.

Normative Framework?

SiAM acquires a firm commitment to the legal frameworks that regulate the activity of the organization regarding information security, both nationally and internationally.

This policy will be developed by the SiAM security document system, this being accessible and mandatory for all members of the organization and third parties with access or potential access to information, to provide services to it, to the extent that their work requires it.

Organization and Security Management

The maintenance and management of information security requires the establishment of a committed and trained organizational structure, by defining activities and responsibilities in the area of ​​information security management.

In order to form this structure, the SiAM Management, as the ultimate responsible for the information, appoints an Information Security Committee responsible for aligning all the activities of character organization's strategy in matters of internal security. Its main activities will deal with regarding the protection of the organization's assets, the management and acceptance of risks, and the supervision and approval of the documentary body that develops the security processes emanating from the present policy.

Likewise, this committee will be in charge of promoting safety in the organization, dealing with any deviation and exception that occurs, encouraging the participation of all users, and proposing the assignment of functions and responsibilities in the matter.

The Safety Committee will be led by the Safety Officer, as a representative of the Safety Committee. Information Security, guarantor that the information security management is in accordance with the applicable requirements and to inform the Management on the aspects that concern the security of the information.

Safety Principles

Both the management and maintenance of the information security of SiAM is based on the following basic principles, which form the core of the strategies for a correct decision-making decisions regarding information security:

• We understand security as an integral process where all technical elements are involved, human, material and organizational related to the protection of information.
• For the proper development of the Management System we promote training, education and awareness of the people involved, according to their roles and responsibilities in security of the information.
• Risk analysis and management is an essential part of the security process, and must be maintained permanently updated, in order to have a controlled environment, minimizing risks until acceptable levels.
• In order to reduce the probability of occurrence and the effects of the materialization of threats On the security of the system, we contemplate measures aimed at its prevention, detection and correction.
• The protection strategy is based on multiple lines of defense, consisting of measures of organizational, physical and logical nature, established in a framework of continuous improvement where evaluate and They update periodically to adapt their effectiveness.
• We promote security as a differentiated function, separating coordination and supervision, of the information system operation.

August 2020