KYMOS depends on ICT (Information and Communications Technology) systems to achieve its objectives.<\/p>\n
These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that could affect the availability, integrity and confidentiality of the information processed or services provided.<\/p>\n
The objective of information security is to ensure the quality of information and the continued provision of services, acting preventively, monitoring daily activity and reacting promptly to incidents.<\/p>\n
To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure the continued provision of services.<\/p>\n
This implies that departments must implement the security measures required by ISO 27001 and the NIS 2 Directive (Annex I, point 5 \u201cHealth Sector\u201d, in conjunction with NACE Rev.2, Section C, point 21 \u201cManufacturing of medicine\u201d)<\/strong>, as well as continuously monitor service delivery levels, track, analyse and correct reported vulnerabilities, and prepare an effective incident response to ensure continuity of services provided.<\/p>\n The different departments must ensure that ICT security is an integral part of every stage of the system’s lifecycle, from its conception to its decommissioning, through development or procurement decisions and operational activities.<\/p>\n Security requirements and funding need to be identified and included in planning, request for tenders, and tender documents for ICT projects. Departments need to be prepared to prevent, detect, react and recover from incidents in accordance with NIS2 Directive in its article 29.a.<\/p>\n Departments must avoid, or at least prevent as far as possible, information or services from being compromised by security incidents. Both ISO 27001 and the NIS2 Directive state that systems must be designed and configured to ensure security by default, in line with the “Need to Know” least privilege policy.<\/p>\n To this end, departments must implement the minimum-security measures determined by ISO 27001, in accordance with the requirements stated in NIS2 Directive, as well as any additional controls identified through a threat and risk assessment. These controls, together with the security roles and responsibilities of all personnel, must be clearly defined and documented.<\/p>\n To ensure compliance with the policy, departments must:<\/p>\n As services can degrade rapidly due to incidents, ranging from a simple slowdown to a standstill, services must monitor the operation on a continuous basis to detect anomalies in service delivery levels and act accordingly as set out in ISO 27001 and NIS 2.<\/p>\n Monitoring is particularly relevant when establishing lines of defence. Detection, analysis and reporting mechanisms shall be established that reach those responsible on a regular basis and when there is a significant deviation from parameters that have been pre-established as normal.<\/p>\n Intrusion detection systems primarily monitor and audit the organisation’s resources, verifying that security policy is not violated and attempting to identify any malicious activity early and effectively.<\/p>\n The following classifications will have to be established according to needs:<\/p>\n Departments must:<\/p>\n To ensure the availability of critical services, the organisation will ensure the existence of a continuity plan and related recovery activities.<\/p>\n This policy applies to the information systems that support the analysis, quality control and certification of pharmaceutical, biotechnological and cosmetic products managed by Kymos Group.<\/p>\n KYMOS, as a private company, looks after the management of its interests and within the scope of the provision of its services for the Public Administration and\/or Private Companies in the pharmaceutical sector, serves with objectivity the general interests by providing services that contribute to satisfy the needs of the services provided.<\/p>\n The legal framework for information security is established by the following:<\/p>\n The Security Committee is the body that coordinates information security at the organisational level.<\/p>\n It shall consist of the Information Security Officer and representatives from other areas affected by ISO 27001 and NIS2.<\/p>\n <\/a>Associated Functions and Responsibilities<\/u><\/strong><\/p>\n It shall approve the Security Improvement Plan, with its corresponding budget allocation. The Information Security Committee is not a technical committee, but it shall regularly seek from its own or external technical staff relevant information for decision-making. The Information Security Committee shall take advice on matters on which it has to decide or give an opinion. This advice shall be determined on a case-by-case basis and may take different forms and shapes:<\/p>\n The Information Security Officer is the secretary of the Information Security Committee and as such:<\/p>\n The Security Policy must identify those clearly responsible for ensuring compliance and must be known by all members of the administrative organisation.<\/p>\n The following roles are established in the organisation related to Information Security.<\/p>\n It corresponds to the level of a top-level governing body which understands the mission of the organisation, determines the objectives it intends to achieve and is responsible for ensuring that they are achieved.<\/p>\n Their functions may be assigned to a natural person or by the Information Security Committee.<\/p>\n The person or body that undertakes it shall be identified for each Information handled by the organisation.<\/p>\n This role may coincide with that of the Service Manager.<\/p>\n This role shall not coincide with that of Information Security Officer, ISMS Manager or System Security Administrator, the latter if applicable.<\/p>\n Where different from the Information Manager, it may be at the level of a top-level governing body, like the Information Manager, or it may be at the level of an executive directorate or management, which understands what each department does and how departments coordinate with each other to achieve the objectives set by the relevant higher bodies.<\/p>\n Their functions may be assigned to a natural person or by the Information Security Committee.<\/p>\n The person or body that undertakes it shall be identified for each Service provided by the organisation.<\/p>\n This role may coincide with that of the Information Manager.<\/p>\n This role shall not coincide with that of Information Security Officer, ISMS Manager or System Security Administrator, the latter if applicable.<\/p>\n It corresponds to the level of an Executive Directorate or Management.<\/p>\n Only one person in the organisation shall be formally appointed as the Information Security Officer, although the Information Security Officer may delegate part of the functions to other people called delegates.<\/p>\n This role may not coincide with that of ISMS Manager and System Security Administrator, the latter if applicable.<\/p>\n For certain Information Systems which, due to their complexity, distribution, physical separation of their elements or number of users, require additional personnel to carry out the functions of the Information Security Officer, the Delegated Security Officers deemed necessary may be appointed by the Information Security Officer, prior approval by the Information Security Committee.<\/p>\n Through the designation of delegates, functions are delegated. The ultimate responsibility remains with the Information Security Officer.<\/p>\n The Delegated Security Officers shall be in charge of all the functions delegated by the Information Security Officer and shall report directly to the Information Security Officer.<\/p>\n Corresponds to the level of an Operational Directorate.<\/p>\n A natural person shall be formally appointed as ISMS Manager.<\/p>\n Its functions shall be as follows:<\/p>\n This role shall not coincide with that of the System Security Administrator and Information Security Officer.<\/p>\n Corresponds to the level of a qualified employee in IT systems security.<\/p>\n The System Security Administrator shall be nominated by the ISMS Manager, to whom the System Security Administrator shall report on all matters relating to information security of the systems managed.<\/p>\n This role shall not coincide with the role of ISMS Manager and Information Security Officer.<\/p>\n For certain Information Systems which, due to their complexity, distribution, physical separation of their elements or number of users, require additional personnel to carry out the functions of the System Security Administrator, the Delegated System Security Administrators deemed necessary may be appointed by the System Security Administrator, prior approval by the Information Security Committee.<\/p>\n Through the designation of delegates, functions are delegated. The ultimate responsibility remains with the Security System Administrator.<\/p>\n The Delegated Security Systems Administrators shall be in charge of all the functions delegated by the Security System Administrator and shall report directly to the Security System Administrator.<\/p>\n The Data Protection Officer is a role contemplated by the RGPD (European Data Protection Regulation) and the applicable Spanish Organic Law 3\/2018 on General Protection of Personal Data.<\/p>\n Such role shall be assumed by a natural person.<\/p>\n The main responsibilities are shown below in correlation with the security measures:<\/p>\n In this regard, see the following document: \u201cREG-03 RACI\u201d.<\/p>\n KYMOS processes personal data, thus, the organisation has the corresponding Register of Processing Activities <\/em><\/strong>according to the RGPD dispositions.<\/p>\n All KYMOS Group information systems shall comply with the security levels required by the regulations, for the purpose and effect of the nature and purpose of the personal data collected.<\/p>\n All systems subject to this Policy will be required to perform a risk analysis, assessing the threats and risks to which they are exposed.<\/p>\n The risk analysis will be the basis for determining the security measures to be taken which shall be detailed in the Risk Analysis and its Statement of Applicability.<\/p>\n For the harmonisation of risk analysis methodology, the Information Security Committee shall establish a baseline assessment for the different types of information handled and the different services provided.<\/p>\n Detailed risk assessment criteria shall be specified in the risk assessment methodology to be developed by the organisation, based on recognised standards and practices.<\/p>\n All risks that could seriously prevent the operational capability of the organisation or the achievement of the organisation’s mission shall be addressed.<\/p>\n Special priority shall be given to risks involving an interruption of the provision of services rendered.<\/p>\n The Information Security Committee will streamline the availability of resources to meet the security needs of the different systems, promoting horizontal investments.<\/p>\n Residual risks shall be determined by the Information Security Officer.<\/p>\n The residual Risk levels expected on each Information after the implementation of the treatment options (including the implementation of the security measures foreseen in ISO 27002 and in the NIS2 Directive) shall be accepted by the Information Security Committee.<\/p>\n The Residual Risk levels shall be submitted by the Information Security Officer to the Information Security Committee (ISC), which shall evaluate, approve or rectify the proposed treatment options as appropriate.<\/p>\n The analysis of risks and their treatment must be a regular activity, as required by ISO 27001 and the NIS2 Directive. This analysis shall be repeated:<\/p>\n All members of the organisation are obliged to know and comply with this Information Security Policy and the Security Regulations applicable to them, and it is the responsibility of the Information Security Committee to provide the necessary means to ensure that the information reaches those affected.<\/p>\n Compliance with this Security Policy is mandatory for all internal and external personnel involved in the organisation’s processes, and non-compliance with it constitutes a serious offence for employment purposes, in accordance with the collective labour agreement.<\/p>\n In this regard, the organisation has the document \u201cIT-REGU-04 Security Regulations of Duties and Roles of Staff\u201d.<\/p>\n The Management is committed to the Professional Training and Awareness of KYMOS Group Staff.<\/p>\n KYMOS\u2019s objective is to continuously raise awareness of cybersecurity among employees, and to this end, the organisation carries out:<\/p>\n When services are provided or information is managed by other organisations, they shall be made aware of this Information Security Policy, reporting and coordination channels shall be established for the respective Information Security Committees, and procedures shall be established for reacting to security incidents.<\/p>\n Where third party services are used or information is provided to third parties, they will be made aware of this Security Policy and the Roles and Duties of the Staff that applies to these services or information. This third party shall be subject to the obligations set out in this policy and may develop its own operating procedures to meet these obligations.<\/p>\n Specific incident reporting and resolution procedures shall be established. It shall be ensured that third party personnel are adequately security-aware to at least the same level as set out in this Policy.<\/p>\n Where any aspect of the Policy cannot be satisfied by a third party as required in the above paragraphs, a report from the Information Security Officer specifying the risks involved and how they will be addressed will be required. Such report shall be reviewed by the Information Security Committee and approved by the Information and Service Managers, together with the Management.<\/p>\n The Information Security Policy shall be reviewed by the Information Security Committee at planned intervals, not exceeding one year, or whenever significant changes occur in order to ensure that its suitability, adequacy and effectiveness are maintained.<\/p>\n Any changes to the Information Security Policy shall be reviews by the Information Security Committee and approved by Management.<\/p>\n Management shall ensure that all personnel understand and fulfil their information security responsibilities as well as shall promote compliance with information security policies, procedures and controls and shall provide the necessary support and resources for their implementation.<\/p>\n Finally, the Information Security Policy shall be communicated and made available to all KYMOS Group personnel and stakeholders.<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":8,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"100-width.php","meta":{"_acf_changed":false,"footnotes":""},"categories":[],"tags":[],"class_list":["post-40063","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"\n2. Security Incident Management<\/h2>\n
<\/a><\/h1>\n
2.1 Prevention<\/h3>\n
<\/a><\/h2>\n
\n
<\/a><\/a>2.2 Detection<\/h3>\n
\n
<\/a><\/a>2.3 Response<\/h3>\n
\n
<\/a><\/a>2.4 Recovery<\/h3>\n
<\/a>3. Scope<\/h2>\n
<\/a><\/a>4. Mission and Services Provided<\/h2>\n
<\/a><\/a>5. Regulatory Framework<\/h2>\n
\n
<\/a><\/a>5.1 Protection of Personal Data<\/h3>\n
\n
<\/a><\/a>5.2 E-Government and Electronic Signature<\/h3>\n
\n
<\/a><\/a>5.3 Network and Information Security<\/h3>\n
\n
<\/a><\/a>6. Security Organisation: <\/a>Committees Roles and Responsibilities<\/h2>\n
\n
<\/a><\/a>In the event of an information security incident<\/u><\/h3>\n
\n
\n
<\/a><\/a>6.1 Role definition<\/h3>\n
<\/a>6.1.1 Information Manager<\/u><\/h4>\n
<\/a>Associated Functions and Responsibilities<\/h4>\n
\n
<\/a>Compatibility with other Roles<\/h4>\n
<\/a>6.1.2 Service Manager<\/u><\/h4>\n
Associated Functions and Responsibilities<\/h4>\n
\n
<\/a>Compatibility with other Roles<\/h4>\n
<\/a><\/a>6.1.3 Information Security Officer \/ CISO<\/u><\/h4>\n
<\/a>Associated Functions and Responsibilities<\/h4>\n
\n
In the event of an information security incident<\/h4>\n
The Information Security Officer shall analyse and propose safeguards to prevent similar incidents in the future.<\/h4>\n
<\/a>Compatibility with other roles<\/h4>\n
Delegation of Functions<\/h4>\n
<\/a>6.1.4 ISMS Manager<\/u><\/h4>\n
Associated Functions and Responsibilities<\/h4>\n
\n
<\/a>In the event of an information security incident<\/h4>\n
Shall plan the implementation of safeguards in the system and shall implement the approved security plan.<\/h4>\n
Compatibility with other Roles<\/h4>\n
<\/a><\/a>6.1.5 System Security Administrator<\/u><\/h4>\n
Associated Functions and Responsibilities<\/h4>\n
\n
<\/a>In the event of an information security incident<\/h4>\n
\n
Compatibility with other roles<\/h4>\n
<\/a>Delegation of Functions<\/h4>\n
<\/a><\/a>6.1.6 Data Protection Officer<\/u><\/h4>\n
Associated Functions and Responsibilities<\/h4>\n
\n
<\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a>6.2 Responsibilities under ISO 27001 and NIS 2<\/h3>\n
<\/a>7. Personal Data<\/h2>\n
<\/a><\/a>8. Risk Management<\/h2>\n
<\/a><\/a>8.1 Justification<\/h3>\n
<\/a><\/a>8.2 Risk assessment criteria<\/h3>\n
<\/a><\/a>8.3 Treatment guidelines<\/h3>\n
<\/a><\/a>8.4 Residual Risk Acceptance Process<\/h3>\n
<\/a><\/a>8.5 Need to conduct or update risk assessments<\/h3>\n
\n
<\/a><\/a>9. Obligations of Staff<\/h2>\n
<\/a>10. Staff Training and Awareness<\/h2>\n
\n
<\/a><\/a>11. Third Parties<\/h2>\n
<\/a><\/a>12. Review and Approval of the Security Policy<\/h2>\n