Version 1.0 — Effective date: May 15, 2025
1. Introduction
OSIX recognizes that information is one of the most critical assets for the development of its technological activity. This policy aims to establish the necessary guidelines, responsibilities, and principles to ensure that all information processed, regardless of its format, is properly protected. Information security is a cross-cutting commitment assumed by the entire organization.
2. Mission and Objectives
Our mission is to guarantee the comprehensive protection of information, ensuring its confidentiality, integrity, availability, and traceability. OSIX pursues the following objectives:
- Prevent security incidents.
- Ensure operational continuity.
- Comply with current legislation.
- Promote a security culture at all levels.
3. Regulatory Framework
The regulatory framework for OSIX activities under this Information Security Policy consists of the following standards:
- Royal Decree 311/2023, of May 3, which regulates the National Security Framework (ENS) of Spain.
- Regulation (EU) 2016/679 (GDPR) of the European Parliament and of the Council, of April 27, 2016.
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
4. Scope
This policy applies to:
- All OSIX personnel (employees, collaborators, and third parties).
- Technological assets, information systems, infrastructures, applications, and data managed by the organization.
5. General Principles
The principles guiding information security at OSIX are:
5.1 Strategic Commitment and Leadership
Security must be integrated into OSIX’s overall strategy, with the explicit support of senior management and the active involvement of area managers.
5.2 Prevention, Detection, and Response
A continuous cycle of:
- Prevention: minimizing exposure surface.
- Detection: identifying anomalous behavior.
- Response: restoring services quickly and effectively.
5.3 Defense in Depth
Implementation of multiple complementary security layers to contain possible incidents.
5.4 Continuous Supervision and Periodic Review
- System monitoring with specialized tools.
- Periodic reviews of controls to adapt measures.
5.5 Clear Assignment of Responsibilities
Defined roles:
- Information Manager
- Services Manager
- Systems Manager
- Security Manager
5.6 Security as an Integral Process
Secure practices in all phases of the systems lifecycle.
5.7 Risk-based Management
Decisions based on risk probability, impact, and criticality.
5.8 Continuous Improvement
Audits, reviews, and lessons learned to update the policy and controls.
5.9 Access Control
Principles of necessity, proportionality, and least privilege. Authentication credentials are personal and non-transferable.
5.10 Information Classification
Classification of information according to its sensitivity, which determines the controls applied to protect its confidentiality, integrity, and availability.
5.11 Security by Default and by Design
- Security by design: anticipate risks at early stages.
- Security by default: systems are delivered with baseline configurations that already apply the minimum appropriate security measures.
5.12 Personnel Management
Continuous training, awareness, and reporting of suspicious situations.
5.13 Activity Logs and Traceability
Maintain detailed logs in compliance with data protection regulations.
5.14 Security Incident Management
Procedures for detection, analysis, notification, and resolution of incidents.
5.15 Physical Protection of Facilities
Physical access controls, fire systems, environmental control, and power backup.
5.16 Secure Acquisition of Products and Services
Prioritize security when selecting suppliers and products, and ensure compatibility with existing systems.
5.17 Interconnection with External Systems
Risk analysis and controls at connection points with public networks or external entities.
5.18 Business Continuity
Contingency plans, information backup, and disaster recovery.
6. Security Organization
6.1 General Management
Ultimate responsibility for approving and providing resources for the policy. Alignment with strategic and regulatory objectives.
6.2 Information Security Officer (ISO)
Main functions:
- Oversee implementation of controls.
- Coordinate incident management.
- Maintain up-to-date risk analysis.
- Ensure policy compliance.
- Liaison between management and technical teams.
6.3 System and Service Managers
- Apply secure configurations.
- Keep software and firmware up to date.
- Implement backups.
- Report incidents to the ISO.
6.4 Users and Collaborators
Obligations:
- Ethical and secure use of systems.
- Credential protection.
- Incident reporting.
- Participation in training.
7. Risk Management
Risk identification, evaluation, and treatment process:
- Justification: informed decisions and regulatory compliance.
- Evaluation criteria:
  - Probability of occurrence.
  - Expected impact.
  - Risk levels: low, medium, high, critical.
- Treatment guidelines:
  - Mitigation
  - Transfer
  - Acceptance
  - Elimination
8. Relationship with Personal Data Protection
Additional principles according to GDPR:
- Lawfulness, fairness, and transparency
- Legitimation of processing (Art. 6 and 9 GDPR)
- Purpose limitation
- Data minimization
- Accuracy and updating
- Protection by design and by default
9. Security Documentation and Standards
Documentation levels:
- Information Security Policy: main document.
- Norms and procedures: specific aspects.
- Technical guides and instructions: practical steps.
- Other supporting documents: records, templates, recommendations.
10. Associated Obligations
10.1 User Obligations
- Authorized use of resources.
- Credential protection.
- Data confidentiality.
- Reporting suspicions.
- Participation in training.
10.2 Consequences of Non-compliance
- Warnings or disciplinary actions.
- Withdrawal of access.
- Possible legal actions.
11. Third Parties
- Information and coordination with third parties.
- Application of the policy to suppliers and clients.
- Incident reporting and resolution procedures.
- Risk reports and alternatives if the policy cannot be met.
12. Approval and Entry into Force
This policy was approved by the General Management of OSIX on May 15, 2025, and comes into immediate effect. Any future modifications will also be approved and communicated.
© 2025 OSIX | All rights reserved
Personal Data Protection - OSIX
OSIX protects and guarantees the fundamental right to data protection and is especially committed to safeguarding individuals’ privacy. Data processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights. Such processing adheres to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and proactive accountability.
OSIX treats this policy as a living document and will adapt it to regulatory updates, case law, decisions by supervisory authorities, and sector practices. Any modification will be announced in advance.
1. Data Controller
The general responsibility for data processing lies with David Manuel Raposeiras Canaval, Data Protection Officer of OSIX.
2. Inquiries
For any inquiries regarding data protection, you may contact the Data Protection Officer at dpd@osix.tech.
3. Legal Grounds for Processing
- Provision of public higher education services (main basis)
- Consent given by the data subjects, where applicable
- Performance of contracts
- Compliance with legal obligations
- Public interest mission or exercise of public authority
All these bases are in line with Article 6.1 of the GDPR.
4. Purposes of Processing
OSIX processes personal data to fulfill its obligations and responsibilities in teaching, study, and research, university administrative management, information requests, and academic and institutional outreach activities. Each specific processing activity details its own purposes.
5. Source, Use, and Storage of Data
- Source: directly from the data subjects (forms, applications, questionnaires) or from other educational administrations.
- Special Categories of Data: protective measures are applied according to Article 9 of the GDPR.
- Disclosures and Transfers: only in exchange programs, academic collaborations, and to administrations with educational competence, as per Articles 44 et seq. of the GDPR.
- Data Processors: data is transferred in compliance with legal duties and agreements with processors.
- Statistical and Research Purposes: data may be pseudonymized.
- Storage: data will be kept as long as the purpose or legal obligations persist; once fulfilled, it will be blocked until the statutory limitation period expires.
6. Data Subject Rights
Data subjects may exercise their rights to:
- Transparency and information
- Access
- Rectification
- Erasure
- Restriction of processing
- Data portability
- Objection
- Not be subject to solely automated decision-making
- Withdraw consent at any time
- File a complaint with the Spanish Data Protection Agency
Rights may be exercised through the form at https://osix.tech or by emailing dpd@osix.tech.
7. Security Measures
OSIX implements technical and organizational measures pursuant to Article 32 of the GDPR:
- Pseudonymization and data encryption
- Ensuring confidentiality, integrity, availability, and resilience of systems
- Ability to restore data and access in case of an incident
- Regular verification and evaluation of measures
These measures are adapted to the state of the art, costs, nature, context, and purposes of processing.
8. Security Breaches and Incidents
Personal data breaches will be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of OSIX becoming aware of them, as per Article 33 of the GDPR, and, where the breach is likely to result in a high risk to their rights and freedoms, communicated to the affected individuals as per Article 34 of the GDPR.
OSIX provides an incident communication channel via the contact form at https://osix.tech or by emailing dpd@osix.tech.