Data protection
1. INTRODUCTION
With this Information Security and Data Protection Policy, WEARETESTERS, S.L. establishes the guidelines and principles necessary to commit to building a security model that protects information systems and the personal data processed, in accordance with business requirements and applicable standards, as well as intending to create a climate of trust in the use of our platforms and tools by our clients.
In this sense, it aims to comply with the defined security objectives, ensuring the confidentiality, integrity, and availability of the information systems, and guarantee compliance with the legal obligations arising therefrom, as well as to protect the information and data against threats and ensure business continuity.
WEARETESTERS, S.L. is exposed to threats and risks to which information systems and services are subjected, and a security policy is necessary to provide a better response in cybersecurity, reduce vulnerabilities, and promote continuous monitoring.
Security is understood as a way of ensuring that the use of information and communication technologies allows the entity to achieve its goals, develop its functions, as well as exercise its competences using its information systems.
This Security Policy contains a description of the key elements, both physical, organisational, technological, and documentary, that WEARETESTERS, S.L. applies to carry out the protection of information and especially personal data, preventing security incidents that put them at risk.
At all levels of WEARETESTERS, S.L., the real and effective application of the measures of prevention and control provided in this Policy will be ensured, so that this self-regulation system achieves the elimination of behaviours that may endanger the security of the information assets and the personal data processed by WEARETESTERS, S.L.
This Policy will be adapted to technological and legislative changes that occur in the future.
2. SCOPE OF APPLICATION
The Security Policy is of mandatory compliance in an integral manner by all services and departments of WEARETESTERS, S.L., including the management and the entirety of the personnel; both in terms of personal data processing, the resources, and processes affected by Data Protection as well as in terms of information security.
It is an integral process based on compliance with regulations and risk management with the aim of preventing, detecting, responding to, and recovering data and information in the event of any security incident.
The scope of application of this Policy will extend to all members of the organisation and those third parties who have access to the Information System.
Furthermore, for the Security Policy to have an integral reach, WEARETESTERS, S.L. commits to the creation of protocols, procedures, and specific guidelines and to control them through the corresponding process map.
3. REGULATORY FRAMEWORK
This Security Policy comprises the current regulatory framework in terms of information security and the protection of personal data. It will also incorporate any related standards that are approved in the future.
In any case, the current regulatory framework includes, among others:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
- Royal Decree 311/2022, of 3 May, which regulates the National Security Framework.
- Penal Code;
- Reference frameworks of ISO 27001 and ISO 27002 standards.
4. PRINCIPLES
The Company’s objectives in terms of information security are aligned with its business objectives, prioritising compliance with the legal obligations applicable to its activities. Ensuring the security of WEARETESTERS, S.L.’s information and data will be considered a priority objective. In this regard, the entity must protect information throughout its entire lifecycle – that is, from creation/reception, processing, communication, transport, storage, dissemination to eventual deletion or destruction. For this reason, a set of minimum principles must be followed:
- Principle of confidentiality: the entity will ensure that the information systems are accessible only to those users, bodies, entities, or processes expressly authorised, with respect to the obligations of secrecy and professional confidentiality.
- Principle of integrity and quality: the entity will ensure the maintenance of the integrity and quality of the information, as well as of the information processing procedures, establishing mechanisms to ensure that the processes of creation, processing, storage, and distribution of information contribute to preserving its accuracy and correctness.
- Principle of availability and continuity: the entity will ensure a level of availability in the information systems and will provide the necessary plans and measures to ensure the continuity of the services and recovery in case of serious contingencies.
Availability and continuity contribute to resilience, which involves ensuring the ability to recover systems and information after an incident that temporarily prevents access to them.
- The principle of authenticity: the entity will ensure that the origin and identities associated with the information are indeed those that appear in its attributes. This principle is linked to non-repudiation, which ensures that a user cannot deny the authorship of an act in the system or the link to a data or set of data.
- Principle of proportionality: the entity will implement controls that mitigate security risks, seeking a balance between security measures, the nature of the information, and risk.
- The principle of traceability: the entity will ensure the possibility of determining at any time the identity of the people who access the information and the activity they carry out in relation to it, as well as the different states and paths that the information has followed.
- Principle of continuous improvement: the entity will review the degree of compliance with the planned security improvement objectives, with the aim of increasing adaptability to the constant evolution of risk and technological environment.
- Principle of awareness and training: the entity will implement initiatives that allow workers to understand their duties and obligations regarding the secure handling of information. Likewise, specific training in ICT security will be promoted for all those who manage and administer information and telecommunications systems.
5. BUSINESS CHARACTERISTICS AND VULNERABILITIES
The Company mainly operates in the service sector. This implies that its main assets are intangible in nature and are primarily made up of confidential information, know-how, personal data, intellectual property, industrial property, among others.
The immaterial nature of these types of assets makes them highly vulnerable to internal and external threats such as unauthorised access, unauthorised copying, disclosure, transfer to third parties, unauthorised use, unauthorised exploitation, and even destruction.
The protection of information assets requires a series of legal, technical, and organisational measures summarised in this policy and detailed in the Company’s norms and procedures.
6. MANAGEMENT COMMITMENT
The Management of WEARETESTERS, S.L. is aware of the importance of information security for the successful implementation of this Policy, as well as the business objectives. In this line, it commits to:
- Promote the functions and responsibilities in the area of information security within the organisation.
- Provide adequate resources to achieve the information security objectives.
- Promote the dissemination and awareness of the Information Security Policy among the entity’s employees.
- Demand compliance with this Policy, current legislation, and the requirements of regulators in the area of information security.
- Consider information security risks in decision-making.
7. ROLES, RESPONSIBILITIES, AND SECURITY FUNCTIONS
All roles and responsibilities will be differentiated and, as far as possible, assigned individually in the job description. In addition to this individual assignment, everyone belonging to the Company, regardless of their level, will be obliged to comply with the norms, procedures, and controls established in terms of information security.
The control structure is described in the document “Control Structure in Information Security”. In any case, the Management will be responsible for assigning functions and responsibilities, as well as the process of change and renewal.
The functions and obligations of staff in terms of security and data protection will be detailed in specific norms.
Information manager: Is the ultimate responsible for the use of information and therefore its protection. They are also responsible for any error or negligence that leads to a confidentiality and/or integrity incident.
- Has the authority to establish security requirements.
- Must validate or reject the system or information system categorisation proposals presented by the Security Manager and any possible modifications.
Service manager: Has the authority to establish the service’s security requirements and determine the security level of the service.
Security manager: The security manager reports to the service manager and the system manager, and their functions are as follows:
- Maintain the security of the managed information and services provided by ICT systems within their scope of responsibility, in accordance with the information security policy.
- Carry out or promote self-assessments or periodic audits that allow verifying compliance with information security.
- Promote training and awareness in information security within their scope of responsibility.
- Verify that the established security measures are adequate for the protection of the managed information and provided services.
- Analyse, complete, and approve all documentation related to system security.
- Monitor the security status of the system, which may be provided by specific elements or by security event management tools and audit mechanisms implemented in the system.
- Support and supervise the investigation of security incidents from their notification to resolution.
- Prepare the periodic security report for the senior management of the local entity, including the most relevant incidents of the period.
System manager: The system manager reports on security matters to the security manager and the organisation’s management, with the following responsibilities:
- Develop, operate, and maintain the information system throughout its lifecycle; from its specifications, installation, and verification of its correct functioning.
- Define the topology and information management system, establishing the criteria for use and the services available in it.
- Ensure that specific security measures are correctly integrated.
- Maintain the security of the managed information and services provided by ICT systems within their scope of responsibility, in accordance with the information security policy.
The System Manager may agree to suspend the use of certain information or the provision of a particular service if informed of serious security deficiencies that may affect the normal use of the established requirements. This decision must be agreed with the responsible for the affected information, the affected service, and the Security Manager before its execution.
Security administrators: Due to their complexity, distribution, physical separation of their elements, or number of users, the system manager may appoint Security Administrators, as necessary, to execute the following tasks:
- Prepare, when determined by the System Manager, the application and management of security operational procedures.
- Manage, configure, and update, if necessary, the hardware and software according to the system’s security forecasts.
- Implement, manage, and maintain the security measures applicable to the information system.
- Inform the Security and System Managers of any anomaly, compromise, or vulnerability related to security.
- Supervise hardware and software installations, their modifications and improvements to ensure that security is not compromised.
- Ensure that the established security controls are strictly complied with.
- Ensure that the approved procedures for managing the information system are applied.
- Ensure that traceability, audit, and other security records are carried out frequently, according to the security policy established by the organisation.
- Establish monitoring procedures and reactions to alarms and unforeseen situations.
- Initiate the response process to incidents occurring in the information system under their responsibility, informing and collaborating with the Security Manager in their investigation.
8. PHYSICAL AND ENVIRONMENTAL SECURITY
The Company will take necessary measures to ensure that staff comprehensibly understand the security obligations affecting the development of their functions, as well as the consequences of non-compliance.
The Company will assess the risks and threats of the surrounding environment. This verification will include all risk sources that could pose a danger to information security. This assessment will be updated whenever there is a change in the environment.
The Company will be vigilant to provide early warning of those threats that may jeopardize the security of people and the Company’s infrastructures.
9. RISK ANALYSIS
All systems subject to this Security Policy must undergo a risk analysis, evaluating the threats and risks to which they are exposed. This analysis will be repeated periodically.
Risk analysis will be carried out through an inherent risk map, evaluating the existing gross risks before the application of prevention, detection, and mitigation controls, and through a residual risk map, where the net risks existing after the application of the controls are evaluated in an automated manner.
In this regard, to effectively carry out a detailed risk assessment, it will be necessary to review the Treatment Activity Record, as well as to conduct an analysis of the impacts on the rights and freedoms of natural persons through impact assessments, if necessary.
10. GUIDELINES FOR RISK MANAGEMENT AND MINIMIZATION
Below are the guidelines applied to activities and resources of WEARETESTERS, S.L., including areas such as physical security, personnel security, administrative security, and network security.
10.1. Logical Access Security
The first perimeter of security protection will be desktop computers and terminals located at the Company’s premises. Access to WEARETESTERS, S.L.’s information systems, equipment (servers, desktop computers, terminals, laptops, etc.), and applications requires a User and a Password.
The second level corresponds to mobile devices: laptops, smartphones, and tablets, among others, and the third level will be the applications.
Users will have authorized access only to those data and resources they need for the development of their functions.
Each application with confidential information or personal data will manage the list of users and the profiles and permissions of each of them.
Operating systems and applications used in processing will have mechanisms to prevent a user from accessing resources with rights different from those authorized.
10.1.1. Logical access of individuals to computer systems
The entity will apply a two-factor authentication system. On one hand, the user will be assigned by the System Administrator (Information Security Manager), and the user will assign their own password. On the other hand, the user will receive a code to validate this authentication.
The password will always be unintelligible even to the Administrator. If necessary (e.g., if the USER has forgotten it), the System Administrator may force a password change process for the User without needing the previous one.
10.1.2. Access control to data and resources
The Information Security Manager will produce an updated list of Users who have authorized access to the Information System, the physical files, and their applications.
Only the Information Security Manager may grant, alter, or cancel authorized access to WEARETESTERS, S.L.’s data and resources.
The use of the identifier and password assigned to each User will imply acceptance, as documentary evidence of the operation performed, of the records generated in said log files and stored in the Company’s computer system. Unless proven otherwise, it will be presumed that the acts carried out with the identifier and password assigned were carried out by the holder of the same.
The Company will develop the norms and procedures that expand, specify, and detail the control measures indicated in this section.
10.1.3. Operating systems
All Operating Systems used in WEARETESTERS, S.L.’s computer systems require validation and authentication for access and use.
10.1.4. Viruses and Malware
All computers at WEARETESTERS, S.L. will have antivirus and antimalware software installed, which will be updated periodically. Regarding servers, control is performed via a firewall.
Firewalls will also be available to control network traffic and detect unauthorized intrusions.
Users will be timely informed of the basic measures to take to prevent the entry of viruses and malware.
10.1.5. User Management
The Information Security Manager keeps and updates the list of all network users who have authorized access to the Information System, with the delimitation of their access levels in such a way that guarantees their confidentiality and integrity. Likewise, the Company will perform access controls and monitoring of the computer systems made available to workers to protect information.
10.1.6. Access limitation
To access the computer resources, it is necessary to have previously been assigned a user account and be registered on the domain servers. The authorization of access will establish the necessary profile with which the functionalities and privileges available in the applications according to the competencies of each user, adopting a policy of assigning the minimum necessary privileges for the performance of the assigned functions.
The circle of authorized persons may temporarily include suppliers or customers when there is a clear justification for it, a contractual relationship that requires it, or a legal obligation.
10.1.7. Wi-fi and wireless network security
WEARETESTERS, S.L. will apply appropriate measures to protect against unauthorized access to the Entity’s wi-fi.
10.1.8. Servers and physical supports
The entity does not have physical servers. All confidential information, as well as personal data, are stored on external providers’ servers that offer an adequate level of compliance concerning data protection and information security.
10.1.9. Backup copies
The entity will perform cloud backups covering all the information necessary to recover the service in case of corruption or loss of information.
Such information may include data, programs, configuration files, and even the image of some servers.
For all relevant systems, security standards will be defined, which will include, at least, the following information:
- Frequency of backups
- Retention periods for backups
- Location of security supports
- Procedures for information recovery
- Procedures for restoration and verification of the integrity of the backed-up information.
Performing backups periodically will allow the Company to have its information available in case of destruction of the equipment or errors in the data or applications.
10.1.10. Authentication
User Codes and Passwords are personal and non-transferable, with the User being the only responsible for the consequences that may arise from misuse, disclosure, or loss of the same.
All Users will be informed that the use of the identifier and the assigned password will imply acceptance, as documentary evidence of the operation performed, in the records of the Company’s computer systems. It will also be brought to their knowledge that, unless proven otherwise, it will be presumed that the acts carried out with the identifier and password assigned had been made by the User holder of the same.
The passwords of authorized users will be changed periodically. While they are valid, passwords will never be visible and will be stored on the Server in an unintelligible format. It will be the responsibility of the Information Security Manager to verify and update, where appropriate, aspects related to password renewal in accordance with continuous improvements made to the computer systems.
10.1.11. Temporary files
Temporary files are considered those work files created by Users or processes necessary for occasional treatment, or as an intermediate step, during treatment.
Temporary files and copies of documents created exclusively for temporary or auxiliary works must comply with the corresponding level of security.
10.1.12. Use of licensed software
All authorized software used in WEARETESTERS, S.L.’s information systems will be provided with its corresponding use license.
Periodic random audits will be conducted on User equipment to check the installed applications.
10.1.13. Security at the workplace
Workers will be informed of the norms established by WEARETESTERS, S.L. that must be applied in relation to security at the workplace, among which the automatic locking of devices requiring activation through a password after a few minutes of inactivity, as well as the application of a zero paper policy on work desks.
10.1.14. Teleworking
Only those users authorized by WEARETESTERS, S.L., that is, those with a signed teleworking agreement, in order to ensure compliance with labor and information security norms, may access their desktops or the network from outside the facilities. The remote connection will be made through a web connection to the entity’s applications and software with the security defined in the previous points, as well as IP control in relation to access to some servers.
The Company will extend and reinforce the controls established in terms of information security to the ICT corporate resources used by Users in their private homes.
The Company may develop norms and procedures that expand, specify, and detail the control measures indicated in this section.
10.1.15. Mobile devices
The Company will establish appropriate security measures on corporate mobile devices and on personal mobile devices authorized to have corporate applications installed (BYOD).
Those Users assigned corporate mobile devices must comply with specific usage norms and apply the corresponding security measures.
BYOD device Users must also comply with specific usage norms and apply the corresponding security measures, which must take into account the coexistence of personal information and corporate information on the same device.
10.1.16. Media management
The Entity has a document for the delivery of portable devices (e.g., laptops, mobiles, iPads, etc.). It also has a “media inventory”, where the Users assigned to them are detailed.
11. PERSONNEL MANAGEMENT: AWARENESS AND TRAINING
WEARETESTERS, S.L. has the obligation to be aware of and comply with the Information Security and Data Protection Policy. In this sense, staff must be trained and informed about their duties and obligations regarding security, essentially through the security procedures that are appropriate in each case, in addition to complying with the regulations on the use of physical and digital assets.
The actions of personnel must be supervised according to established roles to verify adherence to defined procedures.
Individuals with responsibilities in the use, development of operations, or administration of ICT systems will receive training for the secure use of systems as needed for their work. Training will be mandatory before assuming responsibility, whether it is their first assignment or if it is a change of job or responsibility within the same.
Each worker will be responsible for complying with this policy and the protocols derived from it according to their job position, as well as for notifying any security incidents that are detected.
12. MANAGEMENT OF SECURITY BREACHES AND INCIDENTS
Any situation that could compromise the confidentiality, integrity, availability, authenticity, or traceability of the Company’s information will be considered a security breach.
The Company will establish appropriate cybersecurity measures, including protection against threats from communication networks, such as cyberattacks, denial of service attacks, unauthorized access, and system hijacking or ransomware, among others.
Any person who is aware or suspects any incident that could affect information security must immediately report it through the established channels. Failure to report a security incident will be considered a serious employment offense.
WEARETESTERS, S.L. has a protocol defining the systematic approach followed by the Company for the notification and management of security incidents and vulnerabilities with the aim of ensuring that security incidents and weaknesses associated with information systems are recorded and addressed appropriately, through the relevant activities of repair and resolution, and the restoration of normal service levels of the affected services, being able to adopt corrective actions to eliminate their causes and prevent them in the future.
13. INFORMATION DESTRUCTION
The destruction of information will be carried out according to the retention periods established in the regulatory, legal, and judicial requirements affecting WEARETESTERS, S.L.
Information will be destroyed in a manner that ensures confidentiality during its process.
In the event that, during the established conservation process, the information and data are not necessary for the entity, data blocking will be proceeded with, adopting technical and organizational measures to prevent their access, processing, and visualization, except for making the data available to judges and courts, the Public Prosecutor’s Office, or the competent Public Administrations.
14. SECURITY AUDITS
A periodic identification of technical vulnerabilities of the information systems and applications used in the organization should be conducted in order to detect suspicious activities, obtain records of unsuccessful or denied access, among other vulnerabilities.
Once vulnerabilities are identified, WEARETESTERS, S.L. must apply the necessary corrective measures as soon as possible. The identification, management, and correction of vulnerabilities must be carried out according to a risk-based approach, considering the criticality and exposure of the assets.
15. APPROVAL AND REVIEW PROCESS
This policy will be kept up-to-date to reflect changes and improvements made in information security and data protection. WEARETESTERS, S.L. will perform a periodic verification of the implementation of prevention and control measures, and propose the appropriate modifications required in case of detecting relevant breaches of this policy, significant changes, or changes in the entity’s information systems.