External information security policy
1 PurposeThe purpose of this document is to establish the information security policy framework for Cellect Energy provider organisations accessing their information, information systems or resources, in order to protect their confidentiality, integrity and availability. To this end, supplier organisations are responsible for informing their employees and subcontractors providing services to Cellect Energy.
2 ScopeAll activities carried out for Cellect Energy by supplier organisations accessing its information, information systems or resources. General guidelines are applicable to any provider organisation, regardless of the type of service provided. Specific guidelines´ are applicable only to those provider organisations whose services provided correspond to the type of service indicated in each case, as indicated at the beginning of that section.
3 General guidelines3.1 Service provisionSupplier organisations may only perform for Cellect Energy those activities covered under the corresponding service provision contract. The provider organisation shall periodically provide Cellect Energy with the list of persons, profiles, functions, and responsibilities associated with the service provided, and shall promptly inform Cellect Energy of any change (registration, cancellation, substitution or change of functions or responsibilities) that may occur in this list. In accordance with the provisions of the clauses associated with the contract for the provision of services, all external persons performing work for Cellect Energy must comply with the safety standards set out in this document. In case of non-compliance with any of these obligations, Cellect Energy reserves the right to veto the person who has committed the infraction, as well as the adoption of the sanctioning measures considered pertinent in relation to the provider organisation. The provider organisation shall ensure that all its personnel have the appropriate training for the performance of the service provided. Any exchange of information between Cellect Energy and the provider organization shall be understood to have taken place within the framework established by the relevant service provision contract, so that such information may not be used outside this framework or for other purposes. Cellect´s IT & Systems department centralizes the global efforts to protect Cellect Energy´s assets.Generically, assets include:- Protected information, i.e., identifying natural and/or legal persons, and information concerning the configuration of information systems and communications networks.
- Those associated with processing protected information (software, hardware, communications networks, data carriers, auxiliary equipment, and installations).
3.2 Confidentiality of informationExternal persons with access to Cellect Energy information should consider that such information is protected by default. Only information to which access has been obtained through the means of public dissemination of information provided for this purpose by Cellect Energy may be considered as unprotected information. The disclosure, modification, destruction, or misuse of information, whatever its medium, shall be prevented. Maximum confidentiality shall be maintained indefinitely and no protected information shall be released to the outside world unless duly authorised. The number of paper reports containing protected information shall be minimised and they shall be kept in a secure place out of reach of third parties. In the event that, for reasons directly related to the job, the employee of the provider organisation comes into possession of protected information contained in any type of support, it must be understood that such possession is strictly temporary, with an obligation of secrecy and without this conferring any right of possession, ownership or copy of said information. Likewise, the employee must return the aforementioned media immediately upon completion of the tasks that have given rise to the temporary use of the same and, in any case, upon termination of the relationship with Cellect Energy of his or her company. All these obligations shall continue after the termination of the outsiders´ activities for Cellect Energy. Failure to comply with these obligations may constitute an offence of disclosure of secrets.In order to ensure the security of personal data, persons within the provider organisation shall observe the following rules of conduct in addition to the above-mentioned considerations:- They may only create files when necessary for the performance of their work. These temporary files shall never be saved on the local disk drives of users´ PC workstations and shall be destroyed when they are no longer useful for the purpose for which they were created.
- No personal data shall be stored on the local disk drives of user PC workstations.
- The output of media and documents (including the sending of e-mails), outside the premises where such information is located may only be authorized by Cellect Energy and shall be carried out in accordance with the defined procedure.
- The media and documents shall be capable of identifying the type of information they contain and shall be inventoried and stored in a place to which access is restricted to authorized persons.
- The transmission of specially protected personal data (e.g., health) through telecommunications networks (e.g., electronic mail) shall be carried out by encrypting such data or using any other mechanism that guarantees that the information cannot be intelligible or manipulated by third parties.
3.3 Intellectual propertyCompliance with legal restrictions on the use of material protected by copyright law shall be ensured. Users may only use material authorized by Cellect Energy for the performance of their duties. The use of unlicensed software on Cellect Energy information systems is strictly prohibited. Likewise, the use, reproduction, transfer, transformation or public communication of any type of work or invention protected by intellectual property is prohibited without due written authorisation. Cellect Energy shall only authorize the use of material produced by itself, or material authorized or supplied to it by its owner, in accordance with the agreed terms and conditions and the provisions of the regulations in force.
3.4 Exchange of informationNo person shall conceal or manipulate his or her identity under any circumstances. The distribution of information, whether in electronic or physical format, will be carried out by means of the resources determined in the service provision contract for such purpose and for the exclusive purpose of facilitating the functions associated with such contract. Cellect Energy reserves, depending on the identified risk, the implementation of control, registration and audit measures on these dissemination resources. In relation to the exchange of information within the framework of the service provision contract, the following activities shall be considered as unauthorised:
-Transmission or reception of copyrighted material in violation of the Copyright Act.
-Transmission or receipt of any kind of pornographic material, sexually explicit material, racially discriminatory statements and any other statement or message that could be classified as offensive or illegal.
-Transfer of protected information to unauthorised third parties. Transmission or reception of non-business related applications.
-Participation in Internet activities such as newsgroups, games or other activities not directly related to the provision of the service. All activities that may damage the image and reputation of Cellect Energy are prohibited on the Internet and elsewhere.
3.5 Appropriate use of resourcesThe provider organisation undertakes to periodically inform Cellect Energy of the assets with which it provides the service. The provider organisation undertakes to use the resources made available for the provision of the service in accordance with the conditions for which they were designed and implemented. The resources that Cellect Energy makes available to external parties, regardless of their type (IT, data, software, networks, communication systems, etc.), are available exclusively to fulfil the obligations and purpose of the operation for which they were provided. Cellect Energy reserves the right to implement control and audit mechanisms to verify the appropriate use of these resources. All equipment of the supplier organisation connected to the Cellect Energy production network shall be of approved makes and models. The supplier organisation shall make such equipment available to Cellect Energy to co-ordinate the installation of the approved software and configure it appropriately. Any file introduced in the Cellect Energy network or in any equipment connected to it through automated media, Internet, electronic mail or any other means, must comply with the requirements established in these rules and, in particular, those referring to intellectual property, personal data protection and malware control. All assets shall be returned to Cellect Energy without undue delay after the end of the contract. All personal computers on which Cellect Energy has installed software shall be taken to Cellect Energy to have the hard disk formatted at the end of the service. It is expressly prohibited:- The use of resources provided by Cellect Energy for activities unrelated to the service´s purpose.
- The connection to the Cellect Energy production network of equipment and/or applications that are not specified as part of the software or standards of the company´s own IT resources.
- Introducing obscene, threatening, immoral, or offensive content into Cellect Energy information systems or corporate network.
- Voluntarily introducing into the corporate network of Cellect Energy any type of malware (virus, worms, Trojans, spyware, ransomware, ...), logical device, physical device, or any other type of sequence of commands that cause or are likely to cause any type of alteration or damage to computer resources. All persons accessing the Cellect Energy network shall be obliged to use up-to-date anti-malware software.
- Obtain without explicit authorization rights or access other than those assigned to them by Cellect Energy.
- Accessing restricted areas of Cellect Energy information systems without explicit authorization.
- Distort or falsify the log records of Cellect Energy´s information systems.
- Decrypting without explicit authorization the encryption keys, systems, or algorithms and any other security elements involved in Cellect Energy telematic processes.
- Possess, develop, or run programs that could interfere with the work of other users or damage or alter the computer resources of Cellect Energy.
- Destroying, altering, disabling, or otherwise damaging electronic data, programs, or documents containing protected information (these acts may constitute a criminal offense).
- Store protected information on the local disk drives of the user PC workstations.
3.6 User responsibilitiesService provider organisations shall ensure that all persons performing work for Cellect Energy respect the following basic principles within their activity:- Each person with access to Cellect Energy information is responsible for the activity carried out by his or her user ID and all that derives from it. Therefore, each person must maintain control of the authentication systems associated with their user identifier, ensuring that the user only knows the associated password and must not be disclosed to others under any circumstances.
- Users shall not use any identifier belonging to another user, even if they have the owner´s authorisation.
- Users are aware of and apply existing requirements and procedures regarding the information handled.
Anyone with access to protected information should follow the following guidelines regarding password management:- Select quality passwords, i.e. passwords that are difficult for other users to guess.
- Ask for the password to be changed whenever there is a possible indication of knowledge by other users.
- Change passwords at least once every 90 days and avoid reusing old passwords.
- Change default and temporary passwords on first login.
- Avoid including passwords in automated login processes (e.g. those stored in browsers).
- Report any security incidents related to your passwords, such as loss, theft or indications of loss of confidentiality.
Anyone with access to protected information must ensure that equipment is protected when it is to be left unattended. Anyone with access to protected information should adhere to at least the following clean desk rules, in order to protect paper documents, computer media and portable storage devices and to reduce the risks of unauthorised access, loss and damage to information, both during and outside normal working hours:- Lock up paper documents and IT equipment when not used, especially outside working hours.
- Block user sessions or shut down the PC when left unattended.
- Protect both the points for receiving and sending information (postal mail, scanner and fax machines) and the duplication equipment (photocopier, fax and scanner). The reproduction or sending of information with this type of device is the responsibility of the user.
- Remove, without undue delay, any protected information once printed.
- Destroy protected information once it is no longer needed.
- Persons with access to Cellect Energy systems and/or information shall never, without written authorization, conduct tests to detect and/or exploit a suspected security weakness or incident.
- No person with access to Cellect Energy systems and/or information shall, without express written authorization, attempt by any means to breach the security system and authorizations. The capture of network traffic by users is prohibited, except for auditing tasks authorized in writing.
All persons accessing protected information must follow the following rules of conduct:- Protect protected information from unauthorized disclosure, modification, destruction, or misuse, whether accidental or not.
- Protect all information systems and telecommunications networks against unauthorized access or use, disruption of operations, destruction, misuse, or theft.
- Having the necessary authorization to obtain access to information systems and/or information.
3.7 User teamService provider organizations shall ensure that all user personal computer equipment used to access protected information complies with the following standards:- In the event of inactivity by the user, the equipment shall be automatically blocked within a maximum period of 15 minutes.
- No user equipment shall have any tools that could breach security systems and authorizations.
- User equipment shall be maintained according to the manufacturer´s specifications.
- All user equipment shall be adequately protected against malware:
- Anti-malware software should be installed on all personal computers to reduce the operational risk associated with viruses or other malicious software.
- Be kept up to date with the latest security updates available.
- Anti-malware software should always be enabled and up to date.
Particular care shall be taken to ensure the security of all mobile user equipment containing or otherwise accessible to protected information:- Verifying that they do not include more information than is strictly necessary.
- Ensuring that access controls are applied to such information.
- Minimizing access to this information in the presence of persons not involved in the service provided.
- Transporting equipment in cases, cases, or similar equipment incorporating appropriate protection against environmental agents.
3.8 Management of hardware equipmentService provider organisations shall ensure that all equipment provided by Cellect Energy for the provision of services, regardless of its type, is properly managed. To this end, they shall comply with the following standards:- The provider organisation shall maintain an updated list of equipment provided by Cellect Energy and persons using such assets, or associated responsible persons in case the assets are not for single person use. This list may be requested by Cellect Energy.
- Whenever a provider organisation wishes to reassign any Cellect Energy equipment that has contained protected information, it must temporarily return it so that the necessary secure deletion procedures can be carried out prior to reassignment.
- In case a provider organisation wants to remove any of the received Cellect Energy equipment from the list of Cellect Energy equipment, it must always return it, so that Cellect Energy can treat the removal appropriately.
- In the event that a provider organisation ceases to provide the service, it must return to Cellect Energy the entire list of equipment received, as stipulated in the relevant service provision contracts. Only in the case of paper documents and computer media may the provider organisation securely dispose of them, in which case it must notify Cellect Energy of such disposal.
4 Specific guidelines4.1 Scope of applicationAll supplying organizations shall comply, in addition to the general rules, with the specific rules set out in this section that apply to them in each case, depending on the characteristics of the service provided to Cellect Energy. The types of service envisaged are as follows.- Place of performance of the service:
- Cellect´s headquarters: The service is provided by the provider organisation mainly from Cellect´s own headquarters.
- Remote: The provider organisation provides the service mainly from its own premises, although occasional activities may be carried out on-site.
- Ownership of the ICT infrastructures used:
- Cellect infrastructure
- Providing organisation
- Level of access to Cellect Energy systems:
- With privileged access: The service provided requires privileged access to Cellect Energy´s information systems, with the ability to administer those systems and/or the production data they process.
- With user level access: The service provided requires the use of Cellect Energy´s information systems, so that the persons providing the service have user accounts that allow them to access some of these systems with regular privileges.
- No access: The service provided does not require the use of Cellect Energy´s information systems, so the persons providing the service do not have user accounts on those systems.
Depending on each of the three categories into which each service falls, the provider organisation must comply, in addition to the general safety standards, with the specific standards set out in the sections indicated in the following table: | LOCATION | | | | INFRAESTRUCTURA | | | ACCESS | |
---|
| Cellect Headquarters | Remote | | Cellect´s Infrastructure | Provider organisation | Privileged | | Normal | No access |
---|
selection of persons | NO | NO | | NO | NO | YES | | NO | NO |
Security audit | NO | NO | | NO | NO | YES | | NO | NO |
communication of incidents | YES | YES | | YES | NO | YES | | YES | NO |
physical security | NO | YES | | NO | NO | NO | | NO | NO |
asset management | NO | NO | | NO | YES | NO | | NO | NO |
security architecture | NO | NO | | NO | YES | YES | | YES | NO |
security systems | NO | NO | | NO | YES | NO | | NO | NO |
network security | NO | NO | | NO | YES | NO | | NO | NO |
traceability of the use of the systems | NO | NO | | NO | YES | YES | | NO | NO |
identity and access control and management | NO | NO | | NO | YES | NO | | NO | NO |
change management | NO | NO | | NO | YES | YES | | YES | NO |
technical change management | NO | NO | | NO | NO | YES | | NO | NO |
security in development | NO | NO | | NO | NO | YES | | YES | NO |
contingency management | NO | NO | | NO | YES | NO | | NO | NO |
4.2 Selection of personsThe provider organisation shall verify the professional background of the persons assigned to the service, guaranteeing Cellect Energy that they have not been sanctioned in the past for professional malpractice nor have they been involved in incidents related to the confidentiality of the information processed that have led to any type of sanction. The provider organisation shall guarantee Cellect Energy the possibility of immediate removal from the persons assigned to the service of any person in relation to whom Cellect Energy wishes to exercise the right of veto, in accordance with the conditions set out in section 3.1.
4.3 Security auditThe supplier organisation shall allow Cellect Energy to carry out the requested safety audits, cooperate with the audit team and provide all evidence and records requested. The scope and depth of each audit will be expressly established by Cellect Energy in each case. The audits shall be carried out according to a schedule to be agreed in each case with the service provider organisation. Cellect Energy reserves the right to conduct additional extraordinary audits, provided that there are specific grounds for doing so.
4.4 Reporting of incidentsWhen you detect any information security incident, you must notify us immediately via the e-mail address it@cellectenergy.com. Any user may use this mailbox to report any events, suggestions, vulnerabilities, etc. that may be related to information security and the guidelines contemplated in these rules of which they are aware. Any incident detected that affects or may affect the security of personal data (e.g. loss of lists and/or computer media, suspicion of improper use of authorized access by other persons, recovery of data from backup copies, etc.) must be notified through the aforementioned mailbox. This mailbox centralises the collection, analysis and management of the incidents received. If access to the mailbox is not available, the communication channels established within the service itself should be used, so that the Cellect Energy interlocutor is the one to communicate the security incident.
4.5 Physical securityThe venue shall be locked and shall have some form of access control system. There shall be some form of visitor control, at least in areas of public access and/or loading and unloading. The site shall at least have adequate fire detection and fire extinguishing systems and shall be constructed in such a way as to be sufficiently resistant to flooding.If any backup is maintained, the systems hosting and/or processing such information shall be located in a specially protected area, which includes at least the following security measures:- The specially protected area shall have an access control system independent of that of the headquarters.
- Access to specially protected areas by outsiders shall be limited. Such access shall be granted only when necessary and authorised, and always under the supervision of authorised persons.
- A record shall be kept of all access by outsiders.
- Outsiders may not remain or carry out work in the specially protected areas without supervision.
- The consumption of food or drink in these specially protected areas shall be prohibited.
- Systems located in these areas shall have some form of power failure protection.
4.6 Asset managementThe provider organisation shall have an up-to-date asset register in which the assets used for the provision of the service can be identified. All assets used for the provision of the service shall have a responsible person, who shall ensure that such assets incorporate the minimum-security measures established by the provider organisation, which shall at least be those specified in this regulation. The Provider Organisation shall notify Cellect Energy of the decommissioning of assets used for the provision of the service. If the asset contains other Cellect Energy property (hardware, software or other assets), it must be handed over to Cellect Energy prior to the decommissioning in order for Cellect Energy to proceed with the removal of the assets owned by Cellect Energy. Whenever an asset contains protected information, the provider organization shall carry out asset retirement by ensuring the secure disposal of such information, either by applying secure deletion functions or by physically destroying the asset, so that the information contained therein cannot be recovered.
4.7 Security architectureWhenever the service provider organization carries out the development and/or testing of applications for Cellect Energy or with protected information, the environments in which such activities are carried out shall be isolated from each other and also isolated from production environments in which protected information is housed or processed. All access to information systems hosting or processing protected information shall be protected at least by a firewall, which limits the ability to connect to them. Information systems housing or processing particularly sensitive information shall be isolated from other information systems.
4.8 System SecurityInformation systems that host or process protected information shall record the most significant events surrounding their operation. These activity logs shall be covered by the provider organization´s backup policy. The clocks of the provider organization´s systems that process or host protected information shall be synchronized with each other and with the official time. The service provider organization shall ensure that the capacity of information systems storing or processing protected information is adequately managed, avoiding potential downtime or malfunctioning of such systems due to resource saturation.Information systems hosting or processing protected information shall be adequately protected against malicious software by applying the following precautions:- Systems will be kept up to date with the latest security updates available, in development, test, and production environments.
- Anti-malware software should be installed and used on all servers and personal computers to reduce the risk associated with malicious software.
- Anti-malware software should always be enabled and up to date.
The provider organisation shall establish a backup policy to ensure the safeguarding of any data or information relevant to the service provided, on a weekly basis. Whenever e-mail is used in connection with the service provided, the provider organisation shall respect the following premises:- The transmission via e-mail of protected information shall not be permitted unless the electronic communication is encrypted and the transmission is authorised in writing.
- The transmission via e-mail of information containing specially protected personal data (e.g. health) is not permitted, unless the electronic communication is encrypted and the transmission is authorised in writing.
Whenever Cellect Energy e-mail is used for the provision of the service, at least the following principles must be respected:- E-mail will be considered as another work tool provided for the exclusive purpose of the contracted service. This consideration will empower Cellect Energy to implement control systems aimed at ensuring the protection and proper use of this resource. This power shall, however, be exercised in a manner that safeguards the dignity of individuals and their right to privacy.
- The Cellect Energy e-mail system shall not be used to send fraudulent, obscene, threatening or otherwise similar communications.
- Users shall not create, send or forward advertising or pyramid messages (messages that are spread to multiple users).
Access to information systems housing or processing protected information must always be authenticated, at least by using a person identifier and an associated password. Information systems that house or process protected information shall have access control systems that limit access to such information to service personnel only. Access sessions to information systems hosting or processing protected information shall be automatically blocked after a certain period of inactivity of the users.Whenever using software provided by Cellect Energy, the following rules must be observed:- All persons accessing Cellect Energy information systems must use only the software versions provided and in accordance with its rules of use.
- All persons are prohibited from installing illegal copies of any software.
- The use of software not validated by Cellect Energy is prohibited.
- It is also forbidden to uninstall any of the software installed by Cellect Energy.
4.9 Network SecurityNetworks over which protected information flows must be adequately managed and controlled, ensuring that there are no uncontrolled accesses or connections whose risks are not appropriately managed by the provider organization.The services available on the networks through which the protected information circulates should be limited as far as possible.Networks allowing access to Cellect Energy ICT infrastructure shall be appropriately secured, and the following requirements shall be met:- Access of remote users to the Cellect Energy network shall be subject to compliance with identification and pre-authentication, and access validation procedures.
- These connections shall be time-limited and through the use of virtual private networks or dedicated lines.
- No communications equipment (cards, modems, etc.) that would allow alternative uncontrolled connections shall be allowed on these connections.
Access to networks through which protected information circulates shall be limited.
All equipment connected to networks over which protected information flows shall be appropriately identified to identify network traffic.
Teleworking, considered as access to the corporate network from outside, is regulated by the application of the following regulations:- The use of equipment not controlled by Cellect Energy for teleworking activities is not permitted.
- Criteria for authorization of teleworking will be established on the basis of the needs of the job.
- The necessary measures shall be put in place for secure connection to the corporate network.
- Security monitoring and auditing systems will be put in place for established connections.
- The revocation of access rights and the return of equipment after the end of the period of need for the equipment shall be controlled.
Whenever the Internet access provided by Cellect Energy is used, the following rules must be observed in addition:- The Internet is a work tool. All activities on the Internet should be related to work tasks and activities. Users should not search for or visit sites that do not support Cellect Energy´s business purpose or the performance of their daily work.
- Internet access from the corporate network shall be restricted by means of control devices incorporated in the corporate network. The use of other means of connection must be previously validated and shall be subject to the above considerations on the use of the Internet.
- Users shall not use the name, symbol, logo or similar symbols of Cellect Energy in any Internet element (e-mail, web pages, etc.) not justified by strictly work-related activities.
- The transfer of data to or from the Internet shall only be permitted when related to business activities. Transfer of files not related to these activities (e.g. downloading of software, multimedia files, ...) shall be prohibited.
4.10 Traceability of use of the systemsPrivileged access shall be logged and these logs shall be retained in accordance with the Organisation´s backup regulations. The activity of the systems used to perform such privileged access shall be logged, and such logs shall be retained in accordance with the Organisation´s backup regulations. Errors and failures in systems activity shall be analyzed and remedial action shall be taken.
4.11 Identity and access control and managementAll users with access to an information system shall have a single access authorization consisting of a user ID and password. Users shall be responsible for all activity related to the use of their authorized access. Users shall not use any authorized access of another user, even if they have the owner´s authorization. Under no circumstances should users disclose their identifier and/or password to any other person, nor should they keep it in writing in plain view or within the reach of third parties. The minimum length of the password must be 6 characters and must not contain the name, surname, or identifier of the user in it. It must be changed every 45 days and must not repeat at least the previous 8 passwords.They must also be complex and difficult to guess, and therefore consist of a combination of at least 3 of these 4 options in the first 8 characters:- Uppercase
- Lowercase
- Numbers
- Special characters
It is recommended to use the following guidelines for password selection:
- Do not use familiar words, or words that can be associated with oneself, e.g. one´s name.
- The password should not refer to any recognisable concept, object or idea. Therefore, the use of significant dates, days of the week, months of the year, names of people, telephone numbers, etc. should be avoided.
- The password should be virtually impossible to guess. But at the same time, it should be easily remembered by the user. A good example is to use the acronym of a phrase or expression.
The provider organisation shall ensure that it is regularly ascertained that only duly authorised persons have access to the protected information.
In those cases where Cellect Energy information systems are also accessed, the following regulations must also be considered:- No user will receive an access identifier to Cellect Energy systems until he/she agrees in writing to the security regulations in force.
- Users shall have authorised access only to such data and resources as they require for the performance of their functions.
- In case the system does not request it automatically, the user shall change the assigned temporary password the first time he/she makes a valid access to the system.
- In the event that the system does not automatically request it, the user must change his/her password at least once every 90 days.
- Temporary authorized accesses shall be set up for a short period of time. After expiry of this period, they shall be deactivated from the systems.
- In relation to personal data, only authorized people may grant, alter or cancel authorised access to data and resources, in accordance with the criteria established by the person responsible for the file.
If a user suspects that his/her authorized access (user ID and password) is being used by another person, he/she should change his/her password and notify the incident to the e-mail address Cellect Energy.
4.12 Change managementAll changes to the ICT infrastructure must be controlled and authorised, ensuring that no uncontrolled components are part of it. All new components introduced into the provider organization´s ICT infrastructure used for the provision of the service should be verified to ensure that they function properly and fulfill the purposes for which they were introduced.
4.13 Technical change managementAll changes that are made shall be carried out in accordance with a formally established and documented procedure, which ensures that the appropriate steps for making the change are followed. The change management procedure shall ensure that changes to the ICT infrastructure are minimized and limited to those that are strictly necessary. All changes should be tested before deployment in the production environment to ensure that there are no unintended or undesirable side effects on the operation and security of the ICT infrastructure. The provider organizations shall scan and mitigate technical vulnerabilities in the infrastructures used for the provision of the service, informing Cellect Energy of all those associated with critical components.
4.14 Security in developmentThe entire outsourced software development process will be controlled and supervised by Cellect Energy. Identification, authentication, access control, auditing and integrity mechanisms will be incorporated throughout the software design, development, deployment and operation lifecycle. The software specifications shall expressly contain the safety requirements to be covered in each case. The software to be developed should incorporate input validations to verify that the data is correct and appropriate and to prevent the introduction of executable code. The internal processes developed by the applications shall incorporate all necessary validations to ensure that no corruption of information occurs. Whenever necessary, authentication and integrity control functions should be incorporated in the communications between the different components of the applications. The output information provided by applications should be limited, ensuring that only relevant and necessary information is provided. Access to the source code of the applications shall be limited to service personnel. In the test environment, real data shall only be used if they have been appropriately decoupled or if it can be ensured that the security measures applied are equivalent to those in the production environment. During the testing of the applications, it will be verified that there are no uncontrolled information gaps, and that only the intended information is provided through the established channels. Only software that has been expressly approved shall be transferred to the production environment. In relation to web services, the management of the Owasp Top 10 will be considered.
4.15 Contingency managementThe service shall have a plan that allows for its provision even in case of contingencies. The above plan shall be developed based on the events capable of causing service disruptions and their likelihood of occurrence. The provider organization shall be able to demonstrate the feasibility of the existing contingency plan.
4.16 Monitoring and controlIn order to ensure the correct use of the aforementioned resources through the formal and technical mechanisms deemed appropriate, Cellect Energy will check, either periodically or when for specific security or service reasons it is convenient.Approved by: Leon Gosh31.05.2023