The purpose of this document is to establish the information security policy framework for Cellect Energy provider organisations accessing their information, information systems or resources, in order to protect their confidentiality, integrity and availability. To this end, supplier organisations are responsible for informing their employees and subcontractors providing services to Cellect Energy.
This document applies to all activities carried out for Cellect Energy by supplier organisations accessing its information, information systems or resources. General guidelines are applicable to any provider organisation, regardless of the type of service provided. Specific guidelines are applicable only to those provider organisations whose services correspond to the type of service indicated in each case, as stated at the beginning of the relevant section.
3.1 Service provision
Supplier organisations may only perform for Cellect Energy those activities covered under the corresponding service provision contract. The provider organisation shall periodically provide Cellect Energy with the list of persons, profiles, functions and responsibilities associated with the service provided, and shall promptly inform Cellect Energy of any change (registration, cancellation, substitution or change of functions or responsibilities) that may occur in this list. In accordance with the provisions of the clauses associated with the contract for the provision of services, all external persons performing work for Cellect Energy must comply with the security standards set out in this document. In case of non-compliance with any of these obligations, Cellect Energy reserves the right to veto the person who has committed the infraction, as well as to adopt the sanctioning measures considered pertinent in relation to the provider organisation. The provider organisation shall ensure that all its personnel have the appropriate training for the performance of the service provided. Any exchange of information between Cellect Energy and the provider organisation shall be understood to have taken place within the framework established by the relevant service provision contract, so that such information may not be used outside this framework or for other purposes. Cellect's IT & Systems department centralises the global efforts to protect Cellect Energy's assets.
Generically, assets include:
3.2 Confidentiality of information
External persons with access to Cellect Energy information should consider that such information is protected by default. Only information to which access has been obtained through the means of public dissemination provided for this purpose by Cellect Energy may be considered unprotected information. The disclosure, modification, destruction or misuse of information, whatever its medium, shall be prevented. Maximum confidentiality shall be maintained indefinitely and no protected information shall be released to the outside world unless duly authorised. The number of paper reports containing protected information shall be minimised and they shall be kept in a secure place out of reach of third parties. In the event that, for reasons directly related to the job, the employee of the provider organisation comes into possession of protected information contained in any type of medium, it must be understood that such possession is strictly temporary, with an obligation of secrecy and without this conferring any right of possession, ownership or copy of said information. Likewise, the employee must return the aforementioned media immediately upon completion of the tasks that gave rise to their temporary use and, in any case, upon termination of his or her company's relationship with Cellect Energy. All these obligations shall continue after the termination of the outsiders' activities for Cellect Energy. Failure to comply with these obligations may constitute an offence of disclosure of secrets.
In order to ensure the security of personal data, persons within the provider organisation shall observe the following rules of conduct in addition to the above-mentioned considerations:
3.3 Intellectual property
Compliance with legal restrictions on the use of material protected by copyright law shall be ensured. Users may only use material authorized by Cellect Energy for the performance of their duties. The use of unlicensed software on Cellect Energy information systems is strictly prohibited. Likewise, the use, reproduction, transfer, transformation or public communication of any type of work or invention protected by intellectual property is prohibited without due written authorisation. Cellect Energy shall only authorize the use of material produced by itself, or material authorized or supplied to it by its owner, in accordance with the agreed terms and conditions and the provisions of the regulations in force.
3.4 Exchange of information
No person shall conceal or manipulate his or her identity under any circumstances. The distribution of information, whether in electronic or physical format, will be carried out by means of the resources determined in the service provision contract for such purpose and for the exclusive purpose of facilitating the functions associated with such contract. Cellect Energy reserves, depending on the identified risk, the implementation of control, registration and audit measures on these dissemination resources. In relation to the exchange of information within the framework of the service provision contract, the following activities shall be considered as unauthorised:
- Transmission or reception of copyrighted material in violation of the Copyright Act.
- Transmission or receipt of any kind of pornographic material, sexually explicit material, racially discriminatory statements and any other statement or message that could be classified as offensive or illegal.
- Transfer of protected information to unauthorised third parties.
- Transmission or reception of non-business related applications.
- Participation in Internet activities such as newsgroups, games or other activities not directly related to the provision of the service. All activities that may damage the image and reputation of Cellect Energy are prohibited on the Internet and elsewhere.
3.5 Appropriate use of resources
The provider organisation undertakes to periodically inform Cellect Energy of the assets with which it provides the service. The provider organisation undertakes to use the resources made available for the provision of the service in accordance with the conditions for which they were designed and implemented. The resources that Cellect Energy makes available to external parties, regardless of their type (IT, data, software, networks, communication systems, etc.), are available exclusively to fulfil the obligations and purpose of the operation for which they were provided. Cellect Energy reserves the right to implement control and audit mechanisms to verify the appropriate use of these resources. All equipment of the supplier organisation connected to the Cellect Energy production network shall be of approved makes and models. The supplier organisation shall make such equipment available to Cellect Energy to co-ordinate the installation of the approved software and configure it appropriately. Any file introduced in the Cellect Energy network or in any equipment connected to it through automated media, Internet, electronic mail or any other means, must comply with the requirements established in these rules and, in particular, those referring to intellectual property, personal data protection and malware control. All assets shall be returned to Cellect Energy without undue delay after the end of the contract. All personal computers on which Cellect Energy has installed software shall be taken to Cellect Energy to have the hard disk formatted at the end of the service. It is expressly prohibited:
3.6 User responsibilities
Service provider organisations shall ensure that all persons performing work for Cellect Energy respect the following basic principles within their activity:
Anyone with access to protected information should observe the following guidelines regarding password management:
Anyone with access to protected information must ensure that equipment is protected when it is to be left unattended. Anyone with access to protected information should adhere to at least the following clean desk rules, in order to protect paper documents, computer media and portable storage devices and to reduce the risks of unauthorised access, loss and damage to information, both during and outside normal working hours:
All persons accessing protected information must observe the following rules of conduct:
3.7 User equipment
Service provider organizations shall ensure that all user personal computer equipment used to access protected information complies with the following standards:
Particular care shall be taken to ensure the security of all mobile user equipment that contains protected information or can otherwise access it:
3.8 Management of hardware equipment
Service provider organisations shall ensure that all equipment provided by Cellect Energy for the provision of services, regardless of its type, is properly managed. To this end, they shall comply with the following standards:
4.1 Scope of application
All supplying organizations shall comply, in addition to the general rules, with the specific rules set out in this section that apply to them in each case, depending on the characteristics of the service provided to Cellect Energy. The types of service envisaged are as follows.
Depending on each of the three categories into which each service falls, the provider organisation must comply, in addition to the general security standards, with the specific standards set out in the sections indicated in the following table:
| Specific standard | Cellect Headquarters | Remote | Cellect's Infrastructure | Provider organisation | Privileged | Normal | No access |
|---|---|---|---|---|---|---|---|
| Selection of persons | NO | NO | NO | NO | YES | NO | NO |
| Communication of incidents | YES | YES | YES | NO | YES | YES | NO |
| Traceability of the use of the systems | NO | NO | NO | YES | YES | NO | NO |
| Identity and access control and management | NO | NO | NO | YES | NO | NO | NO |
| Technical change management | NO | NO | NO | NO | YES | NO | NO |
| Security in development | NO | NO | NO | NO | YES | YES | NO |
4.2 Selection of persons
The provider organisation shall verify the professional background of the persons assigned to the service, guaranteeing Cellect Energy that they have not been sanctioned in the past for professional malpractice nor have they been involved in incidents related to the confidentiality of the information processed that have led to any type of sanction. The provider organisation shall guarantee Cellect Energy the possibility of immediate removal from the persons assigned to the service of any person in relation to whom Cellect Energy wishes to exercise the right of veto, in accordance with the conditions set out in section 3.1.
4.3 Security audit
The supplier organisation shall allow Cellect Energy to carry out the requested security audits, cooperate with the audit team and provide all evidence and records requested. The scope and depth of each audit will be expressly established by Cellect Energy in each case. The audits shall be carried out according to a schedule to be agreed in each case with the service provider organisation. Cellect Energy reserves the right to conduct additional extraordinary audits, provided that there are specific grounds for doing so.
4.4 Reporting of incidents
Any information security incident detected must be notified immediately to the e-mail address email@example.com. Any user may use this mailbox to report any events, suggestions, vulnerabilities, etc. of which they are aware that may be related to information security and the guidelines contemplated in these rules. Any incident detected that affects or may affect the security of personal data (e.g. loss of lists and/or computer media, suspicion of improper use of authorised access by other persons, recovery of data from backup copies, etc.) must be notified through the aforementioned mailbox. This mailbox centralises the collection, analysis and management of the incidents received. If access to the mailbox is not available, the communication channels established within the service itself should be used, so that the Cellect Energy interlocutor is the one to communicate the security incident.
4.5 Physical security
The venue shall be locked and shall have some form of access control system. There shall be some form of visitor control, at least in areas of public access and/or loading and unloading. The site shall at least have adequate fire detection and fire extinguishing systems and shall be constructed in such a way as to be sufficiently resistant to flooding.
If any backup is maintained, the systems hosting and/or processing such information shall be located in a specially protected area, which includes at least the following security measures:
4.6 Asset management
The provider organisation shall have an up-to-date asset register in which the assets used for the provision of the service can be identified. All assets used for the provision of the service shall have a responsible person, who shall ensure that such assets incorporate the minimum security measures established by the provider organisation, which shall at least be those specified in this regulation. The provider organisation shall notify Cellect Energy of the decommissioning of assets used for the provision of the service. If the asset contains other Cellect Energy property (hardware, software or other assets), it must be handed over to Cellect Energy prior to decommissioning so that Cellect Energy can remove the assets it owns. Whenever an asset contains protected information, the provider organisation shall retire the asset in a way that ensures the secure disposal of such information, either by applying secure deletion functions or by physically destroying the asset, so that the information contained therein cannot be recovered.
4.7 Security architecture
Whenever the service provider organization carries out the development and/or testing of applications for Cellect Energy or with protected information, the environments in which such activities are carried out shall be isolated from each other and also isolated from production environments in which protected information is housed or processed. All access to information systems hosting or processing protected information shall be protected at least by a firewall, which limits the ability to connect to them. Information systems housing or processing particularly sensitive information shall be isolated from other information systems.
4.8 System Security
Information systems that host or process protected information shall record the most significant events surrounding their operation. These activity logs shall be covered by the provider organisation's backup policy. The clocks of the provider organisation's systems that process or host protected information shall be synchronised with each other and with the official time. The service provider organisation shall ensure that the capacity of information systems storing or processing protected information is adequately managed, avoiding potential downtime or malfunctioning of such systems due to resource saturation.
Information systems hosting or processing protected information shall be adequately protected against malicious software by applying the following precautions:
The provider organisation shall establish a backup policy, with backups taken on a weekly basis, to ensure the safeguarding of any data or information relevant to the service provided. Whenever e-mail is used in connection with the service provided, the provider organisation shall respect the following premises:
Whenever Cellect Energy e-mail is used for the provision of the service, at least the following principles must be respected:
Access to information systems housing or processing protected information must always be authenticated, at least by using a person identifier and an associated password. Information systems that house or process protected information shall have access control systems that limit access to such information to service personnel only. Access sessions to information systems hosting or processing protected information shall be automatically blocked after a certain period of inactivity of the users.
Whenever using software provided by Cellect Energy, the following rules must be observed:
4.9 Network Security
Networks over which protected information flows must be adequately managed and controlled, ensuring that there are no uncontrolled accesses or connections whose risks are not appropriately managed by the provider organization.
The services available on the networks through which the protected information circulates should be limited as far as possible.
Networks allowing access to Cellect Energy ICT infrastructure shall be appropriately secured, and the following requirements shall be met:
Access to networks through which protected information circulates shall be limited.
All equipment connected to networks over which protected information flows shall be appropriately identified, so that network traffic can be attributed to the equipment that generates it.
Teleworking, considered as access to the corporate network from outside, is regulated by the application of the following regulations:
Whenever the Internet access provided by Cellect Energy is used, the following rules must be observed in addition:
4.10 Traceability of use of the systems
Privileged access shall be logged and these logs shall be retained in accordance with the Organisation's backup regulations. The activity of the systems used to perform such privileged access shall be logged, and such logs shall be retained in accordance with the Organisation's backup regulations. Errors and failures in system activity shall be analysed and remedial action shall be taken.
4.11 Identity and access control and management
All users with access to an information system shall have a single access authorisation consisting of a user ID and password. Users shall be responsible for all activity related to the use of their authorised access. Users shall not use the authorised access of another user, even if they have the owner's authorisation. Under no circumstances should users disclose their identifier and/or password to any other person, nor should they keep it in writing in plain view or within the reach of third parties. The minimum length of the password must be 6 characters and it must not contain the name, surname or identifier of the user. It must be changed every 45 days and must not repeat any of the previous 8 passwords.
They must also be complex and difficult to guess, and therefore consist of a combination of at least 3 of these 4 options in the first 8 characters:
It is recommended to use the following guidelines for password selection:
The provider organisation shall ensure that it is regularly ascertained that only duly authorised persons have access to the protected information.
In those cases where Cellect Energy information systems are also accessed, the following regulations must also be considered:
If a user suspects that his/her authorised access (user ID and password) is being used by another person, he/she should change his/her password and notify the incident to the Cellect Energy incident reporting e-mail address indicated in section 4.4.
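As an added illustration of the password rules stated in section 4.11 (this is example code, not part of the policy or of Cellect Energy's systems), the following Python checker enforces the length, name, complexity, history and age rules. It assumes the four character classes are lower case, upper case, digits and other symbols, since the page does not list them, and keeps the password history as salted hashes rather than clear text.

```python
# Added example, not Cellect Energy's own code: checker for the section 4.11
# password rules. Assumed (not stated on the page): the four character classes
# are lower case, upper case, digits and other symbols; history is stored as
# salted PBKDF2 hashes so that old passwords are never kept in clear text.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

MIN_LENGTH = 6         # minimum password length
MAX_AGE_DAYS = 45      # must be changed every 45 days
HISTORY_SIZE = 8       # must not repeat any of the previous 8 passwords
COMPLEXITY_PREFIX = 8  # character classes are counted in the first 8 characters
MIN_CLASSES = 3        # at least 3 of the 4 (assumed) classes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserAccount:
    identifier: str
    first_name: str
    surname: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    last_change: Optional[date] = None


def _char_classes(text: str) -> int:
    """Count how many of the four assumed character classes appear in text."""
    return sum([any(c.islower() for c in text), any(c.isupper() for c in text),
                any(c.isdigit() for c in text), any(not c.isalnum() for c in text)])


def policy_violations(account: UserAccount, candidate: str) -> List[str]:
    """Return the section 4.11 rules the candidate breaks; empty means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = candidate.lower()
    for label, value in (("identifier", account.identifier),
                         ("name", account.first_name), ("surname", account.surname)):
        if value and value.lower() in lowered:
            problems.append("contains the user's " + label)
    if _char_classes(candidate[:COMPLEXITY_PREFIX]) < MIN_CLASSES:
        problems.append("fewer than %d of 4 character classes in the first %d characters"
                        % (MIN_CLASSES, COMPLEXITY_PREFIX))
    # Check the stored history by re-hashing with each entry's salt (constant-time compare).
    for salt, digest in account.history[-HISTORY_SIZE:]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append("repeats one of the previous %d passwords" % HISTORY_SIZE)
            break
    return problems


def change_password(account: UserAccount, candidate: str, today: date) -> List[str]:
    """Enforce the policy; on success record the new hash and the change date."""
    problems = policy_violations(account, candidate)
    if not problems:
        salt = os.urandom(16)
        account.history.append((salt, _hash(candidate, salt)))
        del account.history[:-HISTORY_SIZE]  # keep only the last 8 entries
        account.last_change = today
    return problems


def password_expired(account: UserAccount, today: date) -> bool:
    """True when the password is 45 or more days old, or was never set."""
    if account.last_change is None:
        return True
    return (today - account.last_change).days >= MAX_AGE_DAYS
```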
4.12 Change management
All changes to the ICT infrastructure must be controlled and authorised, ensuring that no uncontrolled components are part of it. All new components introduced into the provider organisation's ICT infrastructure used for the provision of the service should be verified to ensure that they function properly and fulfil the purposes for which they were introduced.
4.13 Technical change management
All changes that are made shall be carried out in accordance with a formally established and documented procedure, which ensures that the appropriate steps for making the change are followed. The change management procedure shall ensure that changes to the ICT infrastructure are minimized and limited to those that are strictly necessary. All changes should be tested before deployment in the production environment to ensure that there are no unintended or undesirable side effects on the operation and security of the ICT infrastructure. The provider organizations shall scan and mitigate technical vulnerabilities in the infrastructures used for the provision of the service, informing Cellect Energy of all those associated with critical components.
4.14 Security in development
The entire outsourced software development process will be controlled and supervised by Cellect Energy. Identification, authentication, access control, auditing and integrity mechanisms will be incorporated throughout the software design, development, deployment and operation lifecycle. The software specifications shall expressly contain the security requirements to be covered in each case. The software to be developed should incorporate input validation to verify that the data is correct and appropriate and to prevent the introduction of executable code. The internal processes developed by the applications shall incorporate all necessary validations to ensure that no corruption of information occurs. Whenever necessary, authentication and integrity control functions should be incorporated in the communications between the different components of the applications. The output information provided by applications should be limited, ensuring that only relevant and necessary information is provided. Access to the source code of the applications shall be limited to service personnel. In the test environment, real data shall only be used if it has been appropriately anonymised or if it can be ensured that the security measures applied are equivalent to those in the production environment. During the testing of the applications, it will be verified that there are no uncontrolled information leaks, and that only the intended information is provided through the established channels. Only software that has been expressly approved shall be transferred to the production environment. In relation to web services, the management of the OWASP Top 10 will be considered.
4.15 Contingency management
The service shall have a plan that allows for its provision even in case of contingencies. The above plan shall be developed based on the events capable of causing service disruptions and their likelihood of occurrence. The provider organization shall be able to demonstrate the feasibility of the existing contingency plan.
4.16 Monitoring and control
Cellect Energy will verify the correct use of the aforementioned resources, through the formal and technical mechanisms it deems appropriate, either periodically or whenever specific security or service reasons make it advisable.
Approved by: Leon Gosh