Model management system

SG Quality – SG Environment – SG IT Services – SG Information Security

The model recognises that excellence in all aspects of an organisation’s results and performance can be achieved on a sustained basis:

Good results (operation) are achieved by guiding people (leadership) to achieve the set objectives (improvement) and by bringing together people, material resources and best practices (structure) in the right way.

All this must lead us to a process of continuous change, ensuring that we do not return to old ways. Our system is dynamic: evolution and learning enhance the processes leading to improved results.

Consequence of applying the Model:

By satisfying ALL constituents the company GROWS

Open mind
Passion
Effort

At Sothis, we are committed to

Clients

Customer satisfaction is at the heart of what we do. The customer is our guide. We do not care about how big they are; however, we do care about their trust in technology to improve their business.

Comply with our clients’ requirements vis-à-vis information security. Involve them in our commitment to information security, establish channels for reporting and coordination between the respective Security Committees, and put in place action procedures for reacting to security incidents as required.

Suppliers

Collaborate with our suppliers so that they provide us with suitable technological solutions and we can meet our customers’ needs.

Convey the requirements of the SG Information Security and the Security Regulations pertaining to such services or information.

Set out specific procedures for reporting and resolving incidents. Ensure that our suppliers are adequately security-aware. Take appropriate action in the event of non-compliance with these requirements.

People

Foster continuous training for all our people, including environmental awareness and sensitisation in terms of information security and occupational risk prevention.

Society

Comply with the legal and regulatory requirements applicable to our activity, especially those governing information security, as well as the commitments voluntarily adopted, including environmental management regulations.

Adopt the commitment to prevent pollution and protect the environment. Undertake to implement measures to mitigate climate change as part of our business activities.

Capital

Continuously review our commitment to ensure the ongoing adequacy thereof.

At Sothis, we are committed to

Processes

Maintain, improve and enhance the process management approach in all areas of the organisation. Our Integrated Management System adopts a process-based approach: the first major process is the Management System itself. All Sothis processes are built up from it in a hierarchical relational structure. A unique system

Take technical and organisational measures necessary to protect the availability, confidentiality and integrity of information, as well as to restrict and control access to information and how it is processed.

Improvement

Put in place the necessary mechanisms to ensure that the continuous improvement of the Integrated Management System (SG Quality – SG Information Security – SG IT Services – SG Health and Safety) is part of everyone’s day-to-day life.

Maintain a controlled environment, minimising risks to acceptable levels in terms of information security by continuously updating security risk analysis and management.

Reduce the probability of occurrence and the effects of the materialisation of threats to the security of the system, including measures aimed at their prevention, detection and correction.

Structure

Provide and allocate the necessary resources for the correct execution of the works and to comply with the requirements set out.

Put in place the necessary measures to prevent, study and eliminate, whenever possible, factors that could negatively affect the management of services.

Keep the complete list of services in the service catalogue up to date and make it available to all our Employees, Customers and Suppliers.

Leadership

Communicate and disseminate our commitment to all our People and make it available to anyone who requests it.

Ensure the protection of information by correctly implementing security measures, correctly using the systems under the organisation’s responsibility that process it, and limiting access on a need-to-know basis.

Maintain secrecy with respect to information and do not disclose it to third parties, unless such communication is part of the employment relationship and complies with the due guarantees of confidentiality. Only disclose information to third parties that offer sufficient guarantees that their processing will be in accordance with the established requirements.

Regulatory and Legal Framework SG Information Security

  • Royal Decree 3/2010, of 8 January, regulating the National Security Framework in the field of e-Government.
  • Royal Decree 951/2015, of 23 October, amending Royal Decree 3/2010, of 8 January, which regulates the National Security Framework in the field of e-Government.
  • Law 1/2019, of 20 February 2019, on Business Secrets and the related provisions of Organic Law 10/1995, of 23 November 1995, on the Criminal Code.
  • With regard to Personal Data Protection, SOTHIS complies with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights.
  • Law 34/2002 of 11 July 2002 on information society services and electronic commerce.
  • The National Security Authority for the protection of Classified Information.
  • UNE-EN ISO/IEC 27001, Information technology, Security techniques, Information security management systems, Requirements. It contains recommended best practices in information security for developing, implementing and maintaining Information Security Management System (ISMS) specifications.

Organisation of Information Security

For Information Security to function correctly, it is necessary to create and set up the team that executes some of the key processes of this management system. We define the team, its members, responsibilities and the way it operates in procedure ST-PRO-494.
This committee is responsible for coordinating all Sothis’ security functions, ensuring compliance with applicable legal, regulatory and industry standards. It is also responsible for ensuring that security activities are aligned with the organisation’s objectives.

Roles and Responsibilities:

Within the framework of compliance with the ENS and ISO27001, and in order to form the structure of security officers, the following key roles have been determined:

Head of Service

Represented by the heads of each of the operational teams.

Head of Systems

Responsible for the systems and communications infrastructure.

Head of Installations

Represented by the organisation’s Director of the Facilities and Environment Area.

Head of Information Security

Responsible for establishing and maintaining the SG Information Security, standards, directives and procedures, represented by the Director of the Corporate Information Systems Area.

Head of Information

Represented by members of the management team as the senior information security officers.

Internal auditors: monitoring, reviewing and auditing the security of the systems shall be performed by qualified, dedicated and trained staff at all stages of the systems’ lifecycle, as set out in process ST-PRO-650.

Sothis has coordination and conflict resolution mechanisms in place, with the Management Team being responsible for management and decision-making in relation thereto. The details of the attributions, roles and their respective functions, as well as the processes, are set out in the Roles and Responsibilities document ST-SIS-237.
