DECLARATION OF INTENT
“Information related to our customers is, by principle and essence, the business objective of intermediation between companies in different sectors, offering solutions that cover the whole spectrum of supplier management, procurement processes, contracting and decision making.
The trust and confidence that our customers have already placed in us is underpinned by adherence to fundamental information security principles and strict compliance with policies, standards and procedures that ensure systematic, adequate, effective and continuous security”.
José Luis Ramiro Oter
Director CONSTRURED, Construcciones y transacciones informáticas en la red, S.L.
ORGANIZATIONAL PRINCIPLES WITH REGARD TO SECURITY
Awareness raising: Employees and contractors should be made aware of the need for secure information systems and networks, and what they can do to promote and strengthen security.
Responsibility: All employees are responsible for the security of information systems and networks.
Response: Employees will act in a timely and cooperative manner to prevent, detect and respond to security incidents.
Ethics: Employees will respect the legitimate interests of others, and will follow Construred’s code of ethics.
Democracy: The security of information systems and networks must be compatible with the essential values of a democratic society.
Risk assessment: Employees must carry out risk assessments in their functional areas.
Security design and implementation: Information security will be managed as an essential element of information systems and networks.
Management: Employees should take a holistic view of security management.
Assessment: The security of information systems and networks shall be reviewed and reassessed, and appropriate modifications to security policies, practices, measures and procedures shall be implemented.
- Ensure compliance with applicable laws, regulations and standards, as well as with all ISMS requirements.
- Meet the needs and expectations of the stakeholders involved within the scope of the ISMS.
- Demonstrate management leadership by ensuring that the information security policy and objectives are consistent with Construred’s strategic direction.
- Continuously evaluate the ISMS, in order to adapt it to its requirements, through ongoing reviews, establishment of security indicators, staff training, establishing appropriate risk levels and conducting audits.
- Analyse the risks that may affect the security of information for Construred’s activities, according to the risk appetite and the treatment options approved by Management.
- Define methodologies for the secure development of management software applications or platforms, taking into account the security objectives defined by the organisation, as well as the countermeasures that risk analyses may recommend.
- Maintain a continuity plan for internal processes and the business management technology platform to withstand any disaster, without serious and lasting damage to our employees, our customers, our business assets and, ultimately, our company, supported by a test plan that, with the periodicity deemed appropriate, verifies the operability of the business continuity and recovery procedures in the event of disasters.
GENERAL SECURITY OBJECTIVES
Likewise, based on the typology of the information assets considered most critical for the business process, these criteria must be taken into account for the management of countermeasures and related security actions:
- AVAILABILITY OF INFORMATION: all information relating to clients (both construction companies and associated suppliers) processed through the corporate website must be available at all times, and as far as possible, which implies the implementation of all those technical, technological and procedural measures deemed necessary to guarantee this objective and business need.
- INTEGRITY OF INFORMATION: all possible means shall be taken to avoid partial and/or total loss of information assets, both those available on the website and those supported by the SICONDOC application.
- CONFIDENTIALITY OF INFORMATION: every effort will be made to prevent any breach of confidentiality of the information assets housed in our system.