Information Security Policy

INTRODUCTION

This document contains the Information Security Policy of Wise Security Global (hereinafter WSG), understood as the basic principles of action and organization of WSG with regard to Information Security, also known as Cybersecurity.

The rest of WSG Information Security documents will be aligned with the guidelines contained in this Policy.

1. OBJECTIVE 

The purpose of this Information Security Policy is to establish a regulatory framework in WSG that allows the organization to identify, develop and implement the technical and organizational measures necessary to guarantee the security and protection of information (including the privacy of the people concerned) and of the information systems that support the activity of WSG.

2. DISTRIBUTION

This document will be disclosed in the SharePoint space WISE-CYBERSEC-PUBLIC and communicated to all interested subjects, especially internal staff who manage WSG's information assets.  

If Management deems it appropriate, this document may be published on the WSG website (https://wisesecurity.com) to make it accessible to external stakeholders.

3. POLICY

Scope

WSG protects the resources involved in the information management tasks related to its standard business functions, complying with current legislation, preserving the confidentiality and privacy of information, and ensuring its availability, access, integrity, quality, traceability, authenticity and conservation. These objectives also apply to the information systems used to ensure the continuity of its activity.

It is WSG's will to earn trust in the use of electronic means and in the continuous provision of its services, adopting the necessary measures to protect the organization's information systems from the threats to which they are exposed, in order to guarantee the security of those systems, minimize risks and thus consolidate the basis for preventing, detecting, reacting to and recovering from incidents that may occur.

This Information Security Policy applies throughout the scope of WSG, which means:

  • All resources, services and business processes that make up WSG. Accordingly, it applies to all information systems that form part of WSG services and to all systems that support the different functions and responsibilities of WSG.

  • All users, whether internal or external to WSG, who directly or indirectly use the systems described in the previous point.


Information Security Objectives   


Objectives to be achieved are:

  • Guaranteeing, ensuring and implementing adequate and necessary security measures on all resources, processes, functions and services related, directly or indirectly, to internal and external users and to customers, suppliers, partners or other third parties, in order to ensure the availability, confidentiality, integrity, authenticity and traceability of information, and compliance with applicable legislation.

  • Guaranteeing the continuity, security and quality of the services offered.  

  • Implementing and maintaining continual improvement processes to promote the adequacy and effectiveness of the information security management system.

  • Minimizing security incidents and minimizing their impact if they occur. 

  • Providing the different users of WSG's services and processes with the means for the proper use of the information, information systems and resources they need to carry out their functions, obligations and responsibilities, in a way that does not compromise the security of WSG information.

  • Aligning with international best practices and standards in information security and/or cybersecurity; mainly the ISO 27000 family, the Spanish National Security Framework (ENS), the NIST CSF and COBIT.


In accordance with these objectives, this Information Security Policy seeks the adoption of security principles that guarantee:

  • Availability: information and information systems can be used in the required time and form. 

  • Confidentiality: data and information systems will only be accessed by duly authorized subjects. 

  • Integrity: information and information systems will be kept accurate and protected against alteration, loss or destruction, whether accidental or fraudulent.

  • Authenticity: the quality of ensuring that a person or entity is who it claims to be, or of guaranteeing the source from which data comes.

  • Traceability: the quality of relating unequivocally any action or transaction to the subject who carried it out. 

  • Legality: information follows current regulatory framework. 

  • Training: in accordance with the principle of comprehensive security, an adequate level of awareness and training in information security is ensured for all personnel of the organization.

  • Incident management: risk analysis and management is an essential part of the organization's security process. WSG's environment is kept under control by working to minimize risks, in accordance with prevention, detection, reaction and recovery measures, and by establishing protocols for the exchange of information related to incidents.


Regulation Compliance

This Information Security Policy and its related documentation are aligned with the current legal framework applicable to WSG. That framework covers areas such as Privacy and Data Protection, Commercial Communications, Advertising, Marketing, Cookies and Intellectual Property, as well as territorial regulations (national regulations, EU regulations, etc.).

Resources application 

WSG Management expresses its commitment to guarantee, within its scope of functions and responsibilities, the provision of the resources necessary to implement and maintain the processes related to the security of WSG's information and their continual improvement. The aim is to achieve the strategic objectives and the dissemination, consolidation and fulfilment of this Information Security Policy, and to implement the appropriate distribution and publication mechanisms to make it accessible to the appropriate users.

Mission

The mission of the WSG Cybersecurity Service is to monitor and ensure the protection of Wise Security Global's information and IT, customer information and stakeholders' interests.

This protection is carried out against any potential internal and/or external threat or aggression, mainly of a cyberattack nature, by adopting the corresponding preventive and reactive measures within the available budget. This promotes a strong culture of cybersecurity and the development and application of a specific regulatory framework in this area.

Legislation 

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 

  • Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales. 

  • Real Decreto Legislativo 1/1996, de 12 de abril, Ley de Propiedad Intelectual 

  • Real Decreto-ley 2/2018, de 13 de abril, por el que se modifica el texto refundido de la Ley de Propiedad Intelectual 

  • Real Decreto 3/2010, de 8 de enero, de desarrollo del Esquema Nacional de Seguridad modificado por el Real Decreto 951/2015, de 23 de octubre. 

  • Artículo 11 del Real Decreto 3/2010, de 8 de enero, de desarrollo del Esquema Nacional de Seguridad modificado por el Real Decreto 951/2015, de 23 de octubre. 

  • Real Decreto 311/2022, de 3 de mayo por el que se regula el Esquema Nacional de Seguridad de 4 de mayo. 

  • Ley 34/2002 de 11 de julio de Servicios de la Sociedad de la Información y de Comercio Electrónico (LSSI) 


Roles and responsibilities

Any user affected by this Policy shall have the obligation to:

  • Always comply with the Information Security Policy and with the Organization's information security regulations, procedures and instructions.

  • Take an active role in the cybersecurity of any protected assets within the scope of this Policy.

  • Maintain professional secrecy and confidentiality in relation to the information of the Organization. 

  • Report suspicious situations or anomalies, security incidents, non-conformities and security breaches of the organization's information systems and/or assets, following the proper procedure.

Responsibility for Information Security falls on the person to whom the Cybersecurity functions are assigned.

Information Security coordination is carried out by CYBERSEC and the Cybersecurity Committee, which oversees the implementation of this Security Policy and of the security regulations, procedures and instructions previously established.

In the event of a breach of the WSG Information Security Policy or of the other information security documents by anyone to whom they apply, where that breach puts the security of information at risk in any of its dimensions, WSG Management reserves the right to take the appropriate actions in accordance with its internal codes and rules of conduct and the current legal framework.

For more information about WSG roles and responsibilities, refer to Organización de la Seguridad de la Información. 

Cybersecurity Committee

WSG has a Cybersecurity Committee in charge of aligning all the cybersecurity activities of the organization, notably physical and property security (facilities security), information security, compliance (security and legal compliance) and contingency planning.

For more information about operation and structure of the Committee, refer to Organización de la Seguridad de la Información.

Non-compliance 

This Policy is assessed periodically (at least annually) through self-assessments coordinated by the Cybersecurity Committee and through internal or external audits (at least biennially), and whenever there are substantial changes in WSG's information systems. This Policy is approved during the Management Review, as recorded in the ISMS.

Approval and Revision

The Information Security Policy is formally approved by the WSG Cybersecurity Committee, which records the approval in the corresponding minutes, and remains in force until it is replaced by a new version. It is assessed annually, and whenever significant changes require it, in order to adapt it to new technical and/or organizational circumstances and avoid its obsolescence.

To these ends, it is regularly reviewed for suitability, timeliness and accuracy. Any modifications that may arise are proposed by the Cybersecurity Committee for validation.

4. REFERENCES

  • ISO/IEC 27002:2013, "Information technology – Security techniques – Code of practice for information security controls".

  • ISO/IEC 27001:2013, "Information technology – Security techniques – Information security management systems – Requirements".

  • Reglamento (UE) 910/2014, de identificación electrónica y servicios de confianza (eIDAS).

  • Real Decreto 3/2010, de 8 de enero, de desarrollo del Esquema Nacional de Seguridad, modificado por el Real Decreto 951/2015, de 23 de octubre.