Information Security Policy – OSIX Tech

Version 1.0 — Effective date: May 15, 2025

---

1. Introduction

OSIX Texh recognizes that information is one of the most critical assets for the development of its technological activity. This policy aims to establish the necessary guidelines, responsibilities, and principles to ensure that all information processed, regardless of its format, is properly protected. Information security is a cross-cutting commitment assumed by the entire organization.

---

2. Mission and Objectives

Our mission is to guarantee the comprehensive protection of information, ensuring its confidentiality, integrity, availability, and traceability. OSIX Tech pursues the following objectives:

• Prevent security incidents.
• Ensure operational continuity.
• Comply with current legislation.
• Promote a security culture at all levels.

---

3. Regulatory Framework

The regulatory framework for OSIX Tech activities under this Information Security Policy consists of the following standards:

• Royal Decree 311/2023, of May 3, which regulates the National Security Framework (ENS) of Spain.
• Regulation (EU) 2016/679 (GDPR) of the European Parliament and of the Council, of April 27, 2016.
• Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.

---

4. Scope

This policy applies to:

• All OSIX Tech personnel (employees, collaborators, and third parties).
• Technological assets, information systems, infrastructures, applications, and data managed by the organization.

---

5. General Principles

The principles guiding information security at OSIX Texh are:

5.1 Strategic Commitment and Leadership

Security must be integrated into OSIX Tech’s overall strategy, with the explicit support of senior management and the active involvement of area managers.

5.2 Prevention, Detection, and Response

A continuous cycle of:

1. Prevention: minimizing exposure surface.
2. Detection: identifying anomalous behavior.
3. Response: restoring services quickly and effectively.

5.3 Defense in Depth

Implementation of multiple complementary security layers to contain possible incidents.

5.4 Continuous Supervision and Periodic Review

• System monitoring with specialized tools.
• Periodic reviews of controls to adapt measures.

5.5 Clear Assignment of Responsibilities

Defined roles:

• Information Manager
• Services Manager
• Systems Manager
• Security Manager

5.6 Security as an Integral Process

Secure practices in all phases of the systems lifecycle.

5.7 Risk-based Management

Decisions based on risk probability, impact, and criticality.

5.8 Continuous Improvement

Audits, reviews, and lessons learned to update the policy and controls.

5.9 Access Control

Principles of necessity, proportionality, and least privilege. Personal and non-transferable authentication.

5.10 Classification and Processing of Information

Classification according to sensitivity to define controls for confidentiality, integrity, and availability.

5.11 Security by Default and by Design

• Security by design: anticipate risks at early stages.
• Security by default: basic configurations with appropriate minimum measures.

5.12 Personnel Management

Continuous training, awareness, and reporting of suspicious situations.

5.13 Activity Logs and Traceability

Maintain detailed logs in compliance with data protection regulations.

5.14 Security Incident Management

Procedures for detection, analysis, notification, and resolution of incidents.

5.15 Physical Protection of Facilities

Physical access controls, fire systems, environmental control, and power backup.

5.16 Secure Acquisition of Products and Services

Prioritize security in suppliers and compatibility with existing systems.

5.17 Interconnection with External Systems

Risk analysis and controls at connection points with public networks or external entities.

5.18 Business Continuity

Contingency plans, information backup, and disaster recovery.

---

6. Security Organization

6.1 General Management

Ultimate responsibility for approving and providing resources for the policy. Alignment with strategic and regulatory objectives.

6.2 Information Security Officer (ISO)

Main functions:

• Oversee implementation of controls.
• Coordinate incident management.
• Maintain up-to-date risk analysis.
• Ensure policy compliance.
• Liaison between management and technical teams.

6.3 System and Service Managers

• Apply secure configurations.
• Keep software and firmware up to date.
• Implement backups.
• Report incidents to the ISO.

6.4 Users and Collaborators

Obligations:

• Ethical and secure use of systems.
• Credential protection.
• Incident reporting.
• Participation in training.

---

7. Risk Management

Risk identification, evaluation, and treatment process:

1. Justification: informed decisions and regulatory compliance.
2. Evaluation criteria:
   • Probability of occurrence.
   • Expected impact.
3. Risk levels: low, medium, high, critical.
4. Treatment guidelines:
   • Mitigation
   • Transfer
   • Acceptance
   • Elimination

---

8. Relationship with Personal Data Protection

Additional principles according to GDPR:

• Lawfulness, fairness, and transparency
• Legitimation of processing (Art. 6 and 9 GDPR)
• Purpose limitation
• Data minimization
• Accuracy and updating
• Protection by design and by default

---

9. Security Documentation and Standards

Documentation levels:

• Information Security Policy: main document.
• Norms and procedures: specific aspects.
• Technical guides and instructions: practical steps.
• Other supporting documents: records, templates, recommendations.

---

10. Associated Obligations

10.1 User Obligations

• Authorized use of resources.
• Credential protection.
• Data confidentiality.
• Reporting suspicions.
• Participation in training.

10.2 Consequences of Non-compliance

• Warnings or disciplinary actions.
• Withdrawal of access.
• Possible legal actions.

---

11. Third Parties

• Information and coordination with third parties.
• Application of the policy to suppliers and clients.
• Incident reporting and resolution procedures.
• Risk reports and alternatives if the policy cannot be met.

---

12. Approval and Entry into Force

This policy was approved by the General Management of OSIX Tech on May 15, 2025, and comes into immediate effect. Any future modifications will also be approved and communicated.

---