Torrelavega, 1 June 2023
Jove Group Management
Information Security Policy
Jove Group bases its business on the processing of various types of data and information, which enables the execution of the business’s own processes. The systems, programmes, infrastructures for communications, files, databases, data, archives, etc., constitute the main asset of Jove Group, in such a way that the damage or loss of these affects the performance of its operations and may jeopardise the continuity of the Organisation.
The priority objectives should be:
- To protect the Organisation’s intellectual property so that it is not disclosed or used unlawfully.
- To ensure an efficient service for our customers, delivering high standards of quality and safety, whilst safeguarding their rights and maintaining their trust.
To prevent this from happening, the following Information Security Policy has been drawn up, the principles and objectives of which are:
- Information—both internal and relating to our clients—is of strategic value to the business; it must therefore be protected against unauthorised access and tampering, ensuring that it remains confidential and intact.
- The source of the information must be reliable. The credibility of the information depends on the authenticity of the source.
- The information must be available, allowing authorised access whenever necessary.
- Information protection will be achieved by applying control measures to the assets that hold or process it: individuals, media, facilities, communications, systems, applications, etc. These measures must be proportionate to the value of the asset to be protected. The security controls applied shall never exceed the cost of the assets to which they apply or the damage that could be caused to them as a result of their absence.
- Any technical or organisational means capable of safeguarding the information must be coordinated and aligned with the business.
- Information security is not merely an internal process, which is why it is necessary to obtain a formal commitment from suppliers and partners regarding the management of information security.
- Information security is the responsibility of everyone. Every user has the duty to comply with the requirements imposed and to address and report any indication that may compromise it.
- It is essential to ensure the continuity of operations critical to the business.
- The safety requirements and compliance with them must be reviewed and verified periodically.
- The processing of information and the security measures implemented must always comply with applicable laws, rules and regulations.
To ensure compliance with these information security principles and objectives, the following shall be required:
- Define responsibilities in the area of information security by establishing the appropriate organisational structure.
- Establish a system for classifying the information and the data in order to protect the critical information assets.
- Draw up a set of rules, standards, norms and/or procedures applicable to management bodies, employees, partners, suppliers of external services, assets of the organisation, operations relating to them, etc.
- Set out the consequences of failing to comply with the workplace security policy.
- Assess the risks affecting assets with a view to implementing appropriate security measures and controls, in accordance with the risk analysis and management methodology and criteria adopted by the organisation, as set out in the document “Jove Group.AR.01 Methodology for Risk Analysis and Management”.
- Protect assets, through controls and measures, against threats that could lead to security incidents.
- Mitigate the effects of security incidents as quickly as possible, in order to minimise their impact and gather evidence to substantiate the incidents and identify the perpetrator.
- Monitor the flow of information and data via communications infrastructure or through the dispatch of optical, magnetic or paper-based data storage media, etc.
- Monitor and log logical and physical access to information and associated systems, and identify those who access them.
- Verify the effectiveness of security measures and controls through internal security audits carried out by independent auditors.
- Monitor the operation of the measures for safety by determining the number of incidents, their nature and effects.
- Train users in security management and in information and communications technologies.
- Protect people in the event of natural disasters, fires, floods, terrorist attacks, etc., through emergency plans.
- Comply with the legislation on matters relating to data protection, intellectual property, employment, regarding services provided by the company and information, criminal law, etc., which affects the assets of the Organisation.
- Reduce the risk of unavailability through the proper use of the assets of the Organisation.
