Information Security Policy

APPROVAL AND ENTRY INTO FORCE

Text approved by the General Management of Circular-Lab. This Information Security Policy is effective from the date of its approval until it is replaced by a new version.

INTRODUCTION

Circular-Lab relies on ICT (Information and Communication Technologies) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the information processed or the services provided.

The objective of information security is to guarantee information quality and the continuous provision of services by acting preventively, monitoring daily activity, and reacting swiftly to incidents.

ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy is required that adapts to changing environmental conditions to ensure the continuous provision of services. This implies that the minimum security measures required by the National Security Framework (ENS) must be applied, as well as maintaining continuous monitoring of service delivery levels, tracking and analyzing reported vulnerabilities, and preparing an effective response to incidents to guarantee the continuity of the services provided.

Circular-Lab must ensure that ICT security is an integral part of every stage of the system life cycle, from its conception to its decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and contracting conditions for projects where personal data is processed, ICT services are acquired, or services affecting information systems are provided.

Circular-Lab must be prepared to prevent, detect, react to, and recover from incidents, in accordance with Article 8 of Royal Decree 311/2022, of May 4, which regulates the National Security Framework (hereinafter ENS).

SCOPE

Information systems that support:

  • Consulting, design, development, integration, implementation, maintenance, and support processes for healthcare management software applications.

MISSION

Our mission is to accelerate digital transformation in health, connecting the main actors of the healthcare ecosystem through technological solutions that enable faster, more precise decision-making based on real data.

We aim to improve patients’ lives by facilitating access to advanced diagnostics, personalized treatments, and tools that optimize the efficiency of the healthcare system.

REGULATORY FRAMEWORK

The following regulations are taken as the basic reference in terms of Information Security:

  • Royal Decree 311/2022, of May 3, which regulates the National Security Framework (ENS).
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Law 6/2020, of November 11, regulating certain aspects of electronic trust services.
  • Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (European eIDAS Regulation).
  • Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.
  • Law 23/2006, of July 7, modifying the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12.
  • Law 2/2019, of March 1, modifying the revised text of the Intellectual Property Law, approved by Royal Legislative Decree.
  • Law 34/2002, of July 11, on services of the information society and electronic commerce (LSSI).
  • Law 9/2014, of May 9, on Telecommunications (Partially repealed).
  • Law 11/2022, of June 28, General Telecommunications Law.
  • Resolution of October 13, 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction in accordance with the National Security Framework.
  • Resolution of March 27, 2018, of the Secretary of State for Public Function, approving the Technical Security Instruction for the Audit of Information Systems Security.
  • Resolution of April 13, 2018, of the Secretary of State for Public Function, approving the Technical Security Instruction for Security Incident Notification.
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2). 

BASIC PRINCIPLES

Strategic Scope

Information security must have the commitment and support of all levels of the entity and must be coordinated and integrated with the rest of the strategic initiatives in a coherent manner.

Security as an Integral Process

Security shall be understood as an integral process consisting of all technical, human, material, and organizational elements related to ICT systems, striving to avoid any isolated actions or ad-hoc treatments. Information security must be considered part of normal operations, being present and applied from the initial design of the ICT systems.

Risk-Based Security Management

Risk analysis and management shall be an essential part of the security process. Risk management will allow for the maintenance of a controlled environment, minimizing risks to acceptable levels. The reduction of these levels will be achieved through the deployment of security measures, establishing a balance between the nature of the data and its processing, the impact and probability of the risks to which they are exposed, and the effectiveness and cost of the security measures. When assessing risk in relation to data security, the risks arising from the processing of personal data must be taken into account.

Prevention, Detection, Response, and Preservation

Prevention

Circular-Lab must avoid, or at least prevent as far as possible, information or services from being harmed by security incidents. To this end, it will implement the minimum security measures determined by the ENS, as well as any additional controls identified through an assessment of threats and risks. These controls will be clearly defined and documented.

To guarantee compliance with this policy, departments must:

  • Authorize systems before they enter into operation.
  • Regularly evaluate security, including assessments of configuration changes performed on a routine basis.
  • Request periodic reviews by third parties in order to obtain an independent evaluation.

Detection

Since services can degrade rapidly due to incidents—ranging from a simple slowdown to a complete halt—operations must be monitored continuously to detect anomalies in service delivery levels and act accordingly, as established in Article 9 of the ENS.

Monitoring is particularly relevant when establishing lines of defense in accordance with Article 9 of the ENS. Detection, analysis, and reporting mechanisms will be established to reach the responsible parties both on a regular basis and whenever a significant deviation occurs from the parameters pre-established as normal.

Response

Circular-Lab:

  • Establishes mechanisms to respond effectively to security incidents.
  • Designates points of contact for communications regarding incidents detected in other departments or other organizations.
  • Establishes protocols for the exchange of information related to the incident. This includes two-way communications with Computer Emergency Response Teams (CERT).

Recovery

To guarantee the availability of critical services, the various areas of Circular-Lab must develop, whenever necessary, ICT system continuity plans as part of their general service continuity plan for recovery activities.

Preservation

The managed information must remain accessible and usable for as long as necessary to comply with legal, administrative, or contractual obligations. This principle ensures that information is neither lost nor degraded and that it can be recovered under appropriate conditions of quality, integrity, and authenticity.

Operational continuity and the traceability of the organization’s actions must be ensured, allowing for effective responses to audits, claims, or reviews.

Existence of Lines of Defense

The information system will employ a protection strategy consisting of different layers. In this way, if one layer is compromised, it allows for an appropriate response to incidents that could not be avoided, reducing the probability of the system being compromised as a whole and minimizing the final impact.

Lines of defense will consist of organizational, physical, and logical measures.

Continuous Surveillance and Periodic Re-evaluation

Circular-Lab will carry out continuous surveillance to allow for the detection of anomalous activities or behaviors and their timely response.

The permanent evaluation of the security status of assets allows Circular-Lab to measure their evolution, detecting vulnerabilities and identifying configuration deficiencies.

Circular-Lab will periodically re-evaluate and update security measures, adapting their effectiveness to the evolution of risks and protection systems, which may lead to a total rethinking of security if necessary.

Security by Default and by Design

Systems must be designed and configured to guarantee security by default. Systems shall provide the minimum functionality necessary to provide the service for which they were designed.

Differentiation of Responsibilities

Circular-Lab will take the differentiation of responsibilities into account within its information system whenever possible. The details of the powers of each responsible party, the coordination mechanisms, and conflict resolution will be detailed throughout this security policy.

Security Organization

The implementation of the Security Policy at Circular-Lab requires all members of the organization to understand their obligations and responsibilities based on their specific roles. As part of the Information Security Policy, each person assigned to a specific role must understand the implications of their actions and their assigned responsibilities. These roles are identified and detailed in this section and are grouped as follows:

  1. The Information Security Committee
  2. Service Owners
  3. Information Owners
  4. Information Security Officer (ISO)
  5. System Owners
  6. Data Protection Officer (DPO)

The following sections specify the functions assigned to each of these roles.

Information Security Committee

Information Security is an organizational responsibility shared with General Management. Consequently, the General Management of Circular-Lab promotes the formation of an Information Security Committee to establish a defined structure and provide tangible support for security initiatives.

This Committee is composed of the Service Owner, the Information Owner, the Information Security Officer, and the System Owner, with the Security Officer acting as Secretary.

The functions of the Information Security Committee are as follows:

  • Review and approval of the Information Security Policy and the primary responsibilities.
  • Definition and promotion of the information security strategy and planning, proposing the allocation of the necessary budget and resources.
  • Supervision and control of significant changes in the exposure of information assets to major threats, as well as the development and implementation of controls and measures aimed at ensuring the security of those assets.
  • Approval of major initiatives to improve Information Security.
  • Supervision and monitoring of aspects such as:
    • Major Information Security incidents.
    • Development and updating of continuity plans.
    • Compliance with and dissemination of Security Policies.

Information Owner

  • Has the authority to establish the security requirements for the managed information. If this information includes personal data, the requirements derived from the corresponding data protection legislation must also be taken into account.
  • Determines the security levels of the information by conducting impact assessments regarding incidents that could affect information security, as well as any subsequent modifications that may be necessary.

Service Owner

  • Has the authority to establish the security requirements for the services provided.
  • Determines the security levels of the service by conducting impact assessments regarding incidents that could affect it, as well as any subsequent modifications that may be necessary.

Information Security Officer (ISO)

Responsible for the definition, coordination, implementation, and verification of compliance with information security requirements defined in accordance with the strategic objectives of General Management.

The Security Officer will serve as the Point of Contact (PoC) for information security matters and will have the following functions:

  • Determining the security category of the system, based on the assessments provided by the Information and Service Owners.
  • Formalizing and approving the Statement of Applicability, which will include the measures selected from Annex II of the ENS, including compensatory measures or complementary monitoring.
  • Analyzing audit reports related to systems within their area of competence, and presenting conclusions to the System Owner and, if applicable, the Information Security Committee.
  • Explicitly approving changes that involve high risk, prior to their implementation.
  • Acting as the Point of Contact (PoC), channeling communications regarding information security and incident management for the scope of the service with the service recipients.
  • Leading the Security Committee meetings, informing, proposing, and coordinating its activities and decisions.
  • Coordinating and controlling information security and data protection measures within Circular-Lab.
  • Supervising implementation, maintaining, controlling, and verifying compliance with:
    • The information security strategy defined by the Security Committee.
    • The rules and procedures contained in the Circular-Lab Information Security Policy and its development regulations.
  • Supervising (as ultimately responsible) the IT security incidents occurring within Circular-Lab.
  • Disseminating the rules and procedures contained in the Circular-Lab Information Security Policy and its development regulations, as well as the functions and obligations of all Circular-Lab personnel regarding information security.
  • Supervising and collaborating on internal or external audits necessary to verify the degree of compliance with the Security Policy, development regulations, and applicable laws such as the GDPR.
  • Advising the different operational areas of Circular-Lab on information security matters.

System Owner

The System Owner is ultimately responsible for ensuring the execution of measures to secure the assets and services of the Information Systems that support Circular-Lab’s activities, in accordance with the company’s strategic objectives.

The functions of the Information System Owner are as follows:

  • Develop the specific methods for implementing security within the system and supervise its daily operation, with the authority to delegate tasks to administrators or operators under their responsibility.
  • Select and establish the functions and obligations of the IT Technical Managers responsible for carrying out the security management of Circular-Lab’s assets, in line with the defined security strategy.
  • Adopt appropriate corrective measures derived from Audit reports. In the case of systems categorized as HIGH, based on the audit opinion and considering the potential severity of the deficiencies found, the System Owner may temporarily suspend information processing, service provision, or the total operation of the system until it is properly corrected or mitigated.
  • Guarantee the update of the inventory of Circular-Lab’s Information Systems assets.
  • Ensure an adequate level of IT security for each inventoried asset, coordinating the correct development, implementation, adaptation, and operation of controls and measures intended to guarantee the required level of protection.
  • Guarantee that the implementation of new systems and changes to existing ones comply with the security requirements established by Circular-Lab.
  • Establish monitoring processes and controls for the security status to enable the detection of incidents and coordinate their investigation and resolution.
  • Maintain and update the guidelines and security policies of the Information Systems and associated regulations.

The System Owner shall perform these duties paying due attention to the risks associated with processing operations, taking into account the nature, scope, context, and purposes of the processing.

Data Protection Officer (DPO)

In accordance with the provisions of Article 39 of the GDPR, the functions of the Data Protection Officer are as follows:

  • To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions.
  • To monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
  • To provide advice where requested as regards the data protection impact assessment and monitor its performance.
  • To cooperate with the supervisory authority.
  • To act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, on any other matter.

The Data Protection Officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.


Designation Procedures

The following responsibilities are designated through a formal act:

  • Service Owner
  • Information Owner
  • Security Officer
  • System Owner
  • Data Protection Officer

Appointments shall be reviewed every 2 years or whenever a position becomes vacant. The Information Security Officer shall be appointed by the General Management upon the proposal of the Security Committee.

Conflict Resolution

In the event of a conflict between the different responsible parties that make up the organizational structure, it shall be resolved by their hierarchical superior with the mediation of the Security Officer. If an agreement cannot be reached, the matter shall be escalated to the General Management for resolution. In the resolution of these disputes, the requirements derived from personal data protection shall always be taken into account.

Revision of the Information Security Policy

It shall be the mission of the Security Committee to conduct an annual review of this Information Security Policy and to propose its revision or maintenance. The Policy shall be approved by General Management and disseminated to ensure all affected parties are aware of it.

Personal Data

Circular-Lab processes personal data.

All Circular-Lab information systems shall comply with the security levels required by current legislation regarding Personal Data Protection, as identified in Section 5 (Regulatory Framework) of this Information Security Policy.

Risk Management

For all systems subject to this Information Security Policy, an assessment of the risks to which they are exposed must be conducted periodically. This analysis shall be repeated:

  • Regularly, at least once a year.
  • Whenever there is a change in the managed information.
  • Whenever there is a change in the services provided.
  • Whenever a serious security incident occurs.
  • Whenever serious vulnerabilities are reported.

To harmonize risk analyses, the Security Committee shall establish a reference valuation for the different types of managed information and services provided. The Security Committee will streamline the availability of resources to meet the security needs of the various systems, promoting horizontal investments.

Development of the Information Security Policy

This Security Policy shall be developed by applying the following minimum requirements:

  • Organization and implementation of the security process, in accordance with the organizational framework defined in Section 7 of this Policy.
  • Risk analysis and management, as provided for in procedure PS02 Planning.
  • Personnel management, as provided for in procedure PS09 Personnel Management.
  • Professionalism, as provided for in procedure PS09 Personnel Management.
  • Authorization and access control, as provided for in procedure PS03 Access Control.
  • Protection of facilities, as provided for in procedure PS08 Protection of Facilities.
  • Acquisition of products, as provided for in procedure PS02 Planning.
  • Least privilege, as provided for in procedures PS03 Access Control and PS04 Operations.
  • System integrity and updates, as provided for in procedure PS10 Equipment Protection.
  • Protection of information in storage and in transit, as provided for in procedure PS14 Information Protection.
  • Prevention against other interconnected information systems, as provided for in procedure PS11 Communications Protection.
  • Activity logging, as provided for in procedure PS04 Operations.
  • Security incidents, as provided for in procedure PS04 Operations.
  • Business continuity, as provided for in procedure PS06 Service Continuity.
  • Continuous improvement of the security process, as provided for in procedure PS06 Service Continuity.

Documentation Structure

The guidelines for the structure, management, and access to security documentation within Circular-Lab’s Information Security Management System (ISMS) are defined in the procedure «PS00 System Management».

A regulatory framework for information security has been established and structured into different levels, ensuring that the principles and objectives set out in the institution’s security policy are specifically developed:

  • First Level: The current Information Security Policy, which must be approved by Circular-Lab’s General Management upon the proposal of the Security Committee.
  • Second Level: Information security regulations approved by Circular-Lab’s General Management. These establish the rules for the acceptable use of information systems.
  • Third Level: Information security procedures, which detail the correct way to perform specific processes to ensure that security and information are protected at all times. These procedures must be approved by the Security Committee.
  • Fourth Level: Security standards, technical instructions, best practices, recommendations, guides, training courses, presentations, etc. These documents must be approved by the Security Committee.

The documents that make up the ISMS are available in digital format to all personnel who require them for the performance of their job-related functions. Documentation will be available for consultation only, with no possibility of modification.

Information Classification

To classify information, Circular-Lab shall adhere to the legal provisions established by the laws and international treaties to which Spain is a party, as well as the applicable regulations regarding classified matters.

Both the individual responsible for each piece of information handled by the system and the information classification criteria—which determine the required security level—are established in procedure PS14 Information Protection.

Personnel Obligations

All members of Circular-Lab are obligated to know and comply with this Information Security Policy and the Security Regulations. It is the responsibility of the Security Committee to provide the necessary means to ensure this information reaches the affected parties.

Circular-Lab members will receive information security training at least once a year. A continuous awareness program will be established to serve all members of Circular-Lab, particularly new hires.

Persons with responsibility for the use, operation, or administration of ICT systems shall receive training for the secure handling of such systems to the extent necessary to perform their work. Training shall be mandatory before assuming any responsibility, whether it is an initial assignment or a change in job position or responsibilities.

Security Objectives

The Management of Circular-Lab shall establish objectives and goals focused on the evaluation of performance in terms of information security, as well as on continuous improvement in its activities, as regulated within the Information Security Management System (ISMS) that develops this policy.

Continuous Improvement of the Information Security System

Circular-Lab guarantees a continuous analysis of all relevant processes, establishing pertinent improvements in each case based on the results obtained and the established objectives.

The Management of Circular-Lab is committed to the fulfillment of continuous improvement within the Information Security Management System that develops this policy.

Third Parties, Service Providers, and Solution Providers

When Circular-Lab provides services to other entities or handles their information, they will be made aware of this Information Security Policy, without prejudice to respecting the obligations of data protection regulations if acting as a data processor in the provision of said services. Channels for reporting and coordination with the respective Security Committees and action procedures for responding to security incidents will be established. Additionally, the Security Officer (or their delegate) will serve as the Point of Contact (PoC).

When Circular-Lab utilizes third-party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations pertaining to those services or information, without prejudice to compliance with other data protection obligations. In the contracting of service providers or the acquisition of products, the contractor’s obligation to comply with the ENS will be taken into account.

These third parties shall be subject to the obligations established in said regulations and may develop their own operating procedures to satisfy them, such that Circular-Lab may supervise them or request evidence of compliance, including second- or third-party audits. Specific procedures for reporting and resolving incidents will be established, which must be channeled through the PoC of the third parties involved and, additionally, through the Data Protection Officer when personal data is affected. Third parties shall guarantee that their personnel are adequately aware of security matters, at least to the same level as established in this Policy or as specifically required in the contract.

If any aspect of the Policy cannot be satisfied by a third party as required in the preceding paragraphs, the Security Officer will issue a report specifying the risks incurred and how to treat them. Approval of this report by the owners of the affected information and services will be required before the start of the contracting or, as the case may be, the award. The report will be forwarded to the entity’s representative, who must authorize the continuation of the third-party contracting process, assuming the detected risks.

When the entity acquires, develops, or implements an Artificial Intelligence system, in addition to complying with current regulations on the subject, it must have a report from the Security Officer, who will consult the Information and Service Owners and, when necessary, the System Owner. The Data Protection Officer must also issue their opinion.

Security Incident Management

Circular-Lab will maintain a procedure for the agile management of security events and incidents that pose a threat to information and services. This procedure will be integrated with others related to security incidents from other sector-specific regulations—such as personal data protection or any other affecting the organization—to coordinate responses from various perspectives. It will ensure communication with the different supervisory bodies without undue delay and, when necessary, with State Law Enforcement Agencies or the courts.

Non-compliance

Failure to comply with this Information Security Policy may lead to the initiation of appropriate disciplinary measures, without prejudice to any corresponding legal responsibilities.

Review of the Information Security Policy

This policy will be reviewed annually and whenever significant changes occur within the Circular-Lab Information Security Management System.
