Security Policy
Approval and Entry into Force
Text approved by CHAKRAY Management.
This Information Security Policy is effective from said date and time until it is replaced by a new version.
Introduction
CHAKRAY relies on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed with diligence, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the processed information or the services provided.
The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising daily activity, and responding promptly to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy that adapts to changes in environmental conditions is required to ensure the continuous provision of services. This implies that the minimum security measures required by the National Security Framework must be applied, as well as continuous monitoring of service delivery levels, tracking and analyzing reported vulnerabilities, and preparing an effective response to incidents to ensure the continuity of services provided.
CHAKRAY must ensure that ICT security is an integral part of each stage of the system lifecycle, from its conception to its retirement, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, in requests for proposals, and in contracting conditions for projects where personal data is processed, ICT services are acquired, or services affecting information systems are provided.
CHAKRAY must be prepared to prevent, detect, react to, and recover from incidents, in accordance with Article 8 of Royal Decree 311/2022, of May 3, which regulates the National Security Framework (hereinafter ENS).
Scope
This Security Policy shall be mandatory for all members of CHAKRAY who support the activities of providing the following services:
- Technology consulting, design, development, integration, support, and maintenance of technology integration solutions, digital transformation, and API management, provided from its offices and remote environments.
Mission
At CHAKRAY, our mission is to empower organizations to reach their full digital potential through intelligent, open, and customer-centric integration solutions.
We firmly believe that integration is not simply a technical necessity, but a strategic capability that drives agility, innovation, and transformation. That is why we work with open technologies and standards that foster collaboration, scalability, and accessibility.
Our approach is based on:
- Putting the customer at the center of everything we do. Decisions are made from the teams closest to the customer, ensuring solutions aligned with their real needs.
- Creating exceptional experiences. We focus not only on results, but on how we achieve them, ensuring that the process is as valuable as the final product.
- Fostering talent. We want to be the place where integration professionals choose to work, offering them the conditions to grow, innovate, and make a difference.
At CHAKRAY, we do not just connect systems. We connect people, ideas, and opportunities to build a more agile and collaborative digital future.
Regulatory Framework
The Management of CHAKRAY ensures compliance with the requirements of applicable legislation and regulations regarding information security.
The following regulations are taken as a basic reference for Information Security:
- UNE-ISO/IEC 27001:2023, Information security, cybersecurity, and privacy protection. Information security management systems. Requirements.
- UNE-EN ISO/IEC 27002:2023, Information security, cybersecurity, and privacy protection. Information security controls.
- Royal Decree 311/2022, of May 3, regulating the National Security Framework.
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Law 6/2020, of November 11, regulating certain aspects of electronic trust services.
- Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.
- Royal Decree-Law 2/2018, of April 13, amending the consolidated text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12, and incorporating into Spanish law Directive 2014/26/EU of the European Parliament and of the Council, of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and of the Council, of September 13, 2017.
- Law 34/2002, of July 11, on information society services and electronic commerce (LSSI).
- Law 9/2014, of May 9, on Telecommunications.
- Regulation (EU) 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market (European eIDAS Regulation).
- Resolution of October 13, 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction for compliance with the National Security Framework.
- Resolution of March 27, 2018, of the Secretary of State for Public Function, approving the Technical Security Instruction for Information Systems Security Auditing.
- Resolution of April 13, 2018, of the Secretary of State for Public Function, approving the Technical Security Instruction for Security Incident Notification.
Basic Principles
The basic principles are the fundamental security guidelines that must always be kept in mind in any activity related to the use of information assets. The following are established:
Strategic Scope
Information security must have the commitment and support of all levels of the organization and must be coordinated and integrated coherently with the rest of the strategic initiatives.
Security as an Integral Process
Security at CHAKRAY will be understood as an integral process comprising all technical, human, material, and organizational elements related to ICT systems, avoiding ad hoc actions or one-off treatment. CHAKRAY considers information security part of regular operations, present and applied from the initial design of ICT systems.
Risk-Based Security Management
At CHAKRAY, risk analysis and management is an essential part of the security process. Risk management will allow CHAKRAY to maintain a controlled environment, minimizing risks to acceptable levels. The reduction of these levels will be carried out through the deployment of security measures, establishing a balance between the nature of the data and processing, the impact and probability of the risks to which they are exposed, and the effectiveness and cost of security measures. When assessing risk in relation to data security, the risks arising from the processing of personal data must be taken into account.
Prevention, Detection, Response, and Conservation
Prevention
CHAKRAY must avoid, or at least prevent as much as possible, information or services from being harmed by security incidents. To this end, it will implement the minimum security measures determined by the ENS, as well as any additional controls identified through threat and risk assessment. These controls will be clearly defined and documented.
To ensure compliance with the policy, departments must:
- Authorize systems before they enter into operation.
- Regularly evaluate security, including assessments of configuration changes made routinely.
- Request periodic review by third parties to obtain an independent assessment.
Detection
CHAKRAY establishes operational controls for its information systems with the objective of detecting anomalies in service provision and acting accordingly, as provided in Article 10 of the ENS (continuous surveillance and periodic reassessment). When a significant deviation from pre-established normal parameters occurs (as indicated in Article 9 of the ENS, Existence of lines of defense), the necessary detection, analysis, and reporting mechanisms will be established so that those responsible are informed on a regular basis.
Response
CHAKRAY:
- Establishes mechanisms to respond effectively to security incidents.
- Designates points of contact for communications regarding incidents detected in other departments or other organizations.
- Establishes protocols for the exchange of information related to the incident. This includes communications, in both directions, with Computer Emergency Response Teams (CERT).
Conservation
Managed information must be kept accessible and usable for as long as necessary to comply with legal, administrative, or contractual obligations. This principle ensures that information is not lost or degraded, and that it can be recovered in adequate conditions of quality, integrity, and authenticity.
Operational continuity and traceability of the organization’s actions must be ensured, allowing response to audits, claims, or reviews.
Existence of Lines of Defense
The information system of CHAKRAY will have a protection strategy consisting of multiple layers, so that if one layer is compromised, the remaining layers allow an appropriate response to incidents that could not be avoided, reducing the probability that the system is compromised as a whole and minimizing the final impact on it.
Lines of defense will exist consisting of organizational, physical, and logical measures.
Continuous Surveillance and Periodic Reassessment
CHAKRAY will carry out continuous surveillance that allows the detection of anomalous activities or behaviors and their timely response.
The permanent evaluation of asset security status allows CHAKRAY to measure its evolution, detecting vulnerabilities and identifying configuration deficiencies.
CHAKRAY will periodically reassess and update security measures, adapting their effectiveness to the evolution of risks and protection systems, potentially leading to a rethinking of security, if necessary.
Security by Default and by Design
Systems must be designed and configured to ensure security by default. Systems will provide the minimum functionality necessary to deliver the service for which they were designed.
Differentiation of Responsibilities
CHAKRAY will take into account the differentiation of responsibilities in its information system whenever possible. The attributions of each responsible party, the coordination mechanisms, and the conflict resolution process are detailed throughout this security policy.
Minimum Requirements
This Information Security Policy complements CHAKRAY’s security policies on the protection of personal data.
This Security Policy will be developed applying the following minimum requirements:
- Organization and implementation of the security process, in accordance with the organizational framework defined in section 8 of this Policy.
- Risk analysis and management, in accordance with procedure PS01 Planning.
- Personnel management, in accordance with procedure PS09 Personnel Management.
- Professionalism, in accordance with procedure PS09 Personnel Management.
- Access authorization and control, in accordance with procedure PS03 Access Control.
- Facilities protection, in accordance with procedure PS08 Facilities Protection.
- Product acquisition, in accordance with procedure PS05 External Resources and Cloud Services.
- Security by default, in accordance with procedure PS04 Operations.
- System integrity and updates, in accordance with procedure PS04 Operations.
- Protection of stored and in-transit information, in accordance with procedures PS14 Information Protection and PS11 Communications Protection.
- Prevention regarding other interconnected information systems, in accordance with procedure PS05 External Resources and Cloud Services.
- Activity logging, in accordance with procedure PS04 Operations.
- Security incidents, in accordance with procedure PS04 Operations.
- Business continuity, in accordance with procedure PS06 Service Continuity.
- Continuous improvement of the security process, in accordance with procedure PG04 Continuous Improvement.
Security Organization
The implementation of the Security Policy at CHAKRAY requires that all members of the organization understand the obligations and responsibilities of the position they hold. As part of the Information Security Policy, each role, assigned to specific users, must understand the implications of its actions and the responsibilities attributed to it, which are identified and detailed in this section and grouped as follows:
- Information Security Committee
- Service Managers
- Information Managers
- Information Security Manager
- System Manager
The following sections specify the functions attributed to each of these roles.
Information Security Committee
Information Security is an organizational responsibility shared with the General Management. Consequently, the General Management of CHAKRAY promotes the formation of an Information Security Committee, in order to give security initiatives a defined structure and tangible support.
The Information Security Committee coordinates information security at CHAKRAY. It is composed of the roles previously mentioned: the Service Manager, the Information Manager, the Information Security Manager, and the System Manager, with the Security Manager acting as Secretary.
The functions of the Information Security Committee are as follows:
- Review and propose the Information Security Policy, for approval by Management.
- Review and propose Information Security Standards, for approval by Management.
- Regularly report on the state of information security to Management.
- Promote continuous improvement of the information security management system.
- Develop the organization’s evolution strategy regarding information security.
- Coordinate the efforts of different areas in information security matters, to ensure that efforts are consistent, aligned with the decided strategy, and free of duplication.
- Define and promote information security strategy and planning, proposing budget allocation and necessary resources.
- Supervise and control significant changes in the exposure of information assets to the main threats, as well as the development and implementation of controls and measures to guarantee the security of said assets.
- Approve the main initiatives to improve Information Security.
- Promote mechanisms to ensure awareness, education, and training in security matters for all personnel.
- Coordinate and promote the necessary actions related to legal and regulatory compliance on information security matters.
- Resolve conflicts of responsibility that may arise between different responsible parties, escalating those cases in which it does not have sufficient authority to decide.
Information Manager
- Has the authority to establish security requirements for managed information. If this information includes personal data, the requirements derived from the corresponding data protection legislation must also be taken into account.
- Determines the security levels of information, performing impact assessments of an incident that would affect information security, as well as subsequent necessary modifications.
- Is the Risk Owner of essential information assets.
Service Manager
- Has the authority to establish security requirements for provided services.
- Determines the security levels of the service, performing impact assessments of an incident that would affect it, as well as subsequent necessary modifications.
- Is the Risk Owner of essential service assets.
Information Security Manager
Responsible for the definition, coordination, implementation, and verification of compliance with information security requirements defined in accordance with the strategic objectives of the General Management.
The Security Manager will be the Point of Contact (PoC) in information security matters and will have the following functions:
- Determination of the system’s security category, based on the assessments of the Information and Service Managers.
- Formalize and approve the Statement of Applicability, which will include measures selected from Annex II of the ENS, including compensatory or complementary surveillance measures.
- Analyze Audit reports referring to systems within their competence, and present their conclusions to the System Manager and, where applicable, to the Information Security Committee.
- Explicitly approve changes that involve high risk, prior to their implementation.
- Is the Owner of all CHAKRAY assets for the purposes of the ISO 27001 standard. In the asset inventory, an Asset Manager may be specified, to whom the Asset Owner delegates decision-making regarding said asset.
- Chair Security Committee meetings, informing, proposing, and coordinating their activities and decisions.
- Coordinate and control information security and data protection measures at CHAKRAY.
- Supervise implementation, maintain, control, and verify compliance with:
  - The information security strategy defined by the Security Committee.
  - The rules and procedures contained in CHAKRAY’s Information Security Policy and development standards.
- Supervise (as ultimate responsible) computer security incidents occurring at CHAKRAY.
- Disseminate at CHAKRAY the rules and procedures contained in CHAKRAY’s Information Security Policy and development standards, as well as CHAKRAY’s functions and obligations regarding information security.
- Supervise and collaborate in the internal or external audits necessary to verify the degree of compliance with the Security Policy, development standards, and applicable laws such as GDPR.
- Advise on information security matters to CHAKRAY’s different operational areas.
System Manager
Is ultimately responsible for ensuring the execution of measures to secure assets and services of Information Systems supporting CHAKRAY’s activity, in accordance with CHAKRAY’s strategic objectives.
Is the Risk Owner of all assets, except for essential assets (Services and Information).
The functions of the Information System Manager are as follows:
- Develop the specific way to implement security in the system and supervise its daily operation, being able to delegate to administrators or operators under their responsibility.
- Select and establish the functions and obligations of the IT technicians responsible for carrying out security management of CHAKRAY assets, in accordance with the defined security strategy.
- Guarantee the updating of CHAKRAY’s Information Systems asset inventory.
- Ensure that the appropriate level of IT security exists for each inventoried asset, coordinating the correct development, implementation, adaptation, and operation of controls and measures to guarantee the required protection level.
- Guarantee that the implementation of new systems and changes to existing ones comply with security requirements established at CHAKRAY.
- Establish security state monitoring processes and controls that allow detection of incidents and coordinate their investigation and resolution.
- Maintain and update Information Systems security guidelines and policies and associated standards.
Asset Owner
The asset owner, understood as the responsible party for said asset, will have the following responsibilities:
- Define whether the asset is affected by applicable Data Protection regulations and apply, where appropriate, the corresponding procedures.
- Ensure that the software used is licensed.
- Define who can have access to information, how, and when, in accordance with information classification and the function to be performed.
- Ensure that the asset has adequate maintenance.
- Ensure that personnel immediately report any security breach or misuse of information or systems. The asset owner must in turn inform the Security Manager to handle the incident.
- Ensure that staff have adequate training, know and understand the Security Policy, and put security guidelines into practice.
- Ensure that media and equipment containing information are disposed of as established.
- Implement necessary security measures in their area to prevent fraud, theft, or service interruption.
- Maintain updated documentation of all critical functions to ensure continuity of operations in case someone is unavailable.
- Inform the Security Manager when personnel changes occur that affect access to information or systems (change of function or department, leaving the company) so that access permissions are appropriately modified.
- Where applicable, ensure that personnel and contractors have confidentiality clauses in their contracts and are aware of their responsibilities.
Risk Owner
The risk owner, associated with one or more information assets, will have the following responsibilities:
- Participate in the development of risk analysis and assessment performed at least annually.
- Verify conformity with acceptable risk levels, collaborate in approving those that affect them, and take part in the management of the risks associated with the information assets and risks for which they are responsible.
- Ensure that personnel immediately report any security breach or misuse of information or systems. The risk owner must in turn inform the Security Manager to handle the incident.
- Inform the Security Manager when personnel, organizational, or other information asset changes occur that may involve a review or update of risk analysis, or assigned access permissions.
Designation Procedures
The following responsibilities are designated through formal minutes:
- Service Manager
- Information Manager
- Security Manager
- System Manager
Appointments will be reviewed every 2 years or when any of the positions becomes vacant.
The Information Security Manager will be appointed by Management at the proposal of the Security Committee.
Conflict Resolution
In case of conflict between the different responsible parties and/or between different CHAKRAY services, it will be resolved by their hierarchical superior with the mediation of the Security Manager. In default of the above, the decision of the Security Committee will prevail, escalating to Management those cases in which it does not have sufficient authority to decide.
In resolving these disputes, the requirements derived from personal data protection will always be taken into account.
Personal Data
CHAKRAY processes personal data.
All CHAKRAY information systems will comply with the security levels required by current regulations on Personal Data Protection, identified in section 5 (Regulatory Framework) of this Information Security Policy.
Any internal or external user who, by virtue of their professional activity, may have access to personal data, is obliged to keep such data secret, a duty that will be maintained indefinitely, even beyond the employment or professional relationship with CHAKRAY.
Security Objectives
The Management of CHAKRAY will establish objectives and goals focused on evaluating performance in information security matters, as well as continuous improvement in its activities, regulated in the Information Security Management System developed by this policy.
Continuous Improvement of the Information Security System
CHAKRAY guarantees a continuous analysis of all relevant processes, establishing pertinent improvements in each case, based on the results obtained and the established objectives.
The Management of CHAKRAY is committed to continuous improvement of the Information Security Management System developed by this policy.
Risk Management
For all systems subject to this Information Security Policy, a periodic assessment of the risks to which they are exposed must be performed. This analysis will be repeated:
- Regularly, at least once a year
- When the managed information changes
- When the services provided change
- When a serious security incident occurs
- When serious vulnerabilities are reported
For the harmonization of risk analyses, the Security Committee will establish a reference valuation for the different types of managed information and the different services provided. The Security Committee will promote the availability of resources to address the security needs of different systems, promoting horizontal investments.
Documentation Structuring
The guidelines for structuring, managing, and accessing CHAKRAY’s ISMS security documentation are defined in the procedure “PG01 Documentation Control.”
A regulatory framework for information security has been established, structured at different levels, so that the principles and objectives set forth in the institution’s security policy have specific development:
- First level: this Information Security Policy, which must be approved by CHAKRAY Management at the proposal of the Security Committee.
- Second level: information security standards approved by CHAKRAY Management. These will establish acceptable use rules for information systems.
- Third level: information security procedures, which will detail the correct way to perform certain processes to protect security and information at all times. These procedures must be approved by the Security Committee.
- Fourth level: security standards, technical instructions, best practices, recommendations, guides, training courses, presentations, etc. These documents must be approved by the Security Committee.
The documents comprising the ISMS are available in digital format to all personnel who need them for the performance of functions related to their position. They will be available for consultation, without the possibility of modification.
Information Classification
To classify CHAKRAY information, attention will be paid to what is legally established by the laws and international treaties of which Spain is a member and their applicable regulations when dealing with classified matters.
Both the responsible party for each piece of information handled by the system and the information classification criteria, which will determine the required security level, are established in procedure PS14 Information Protection.
Personnel Obligations
All members of CHAKRAY have the obligation to know and comply with this Information Security Policy and Security Standards, with the Security Committee being responsible for providing the necessary means for information to reach those affected.
Members of CHAKRAY will receive training in information security matters at least once a year. A continuous awareness program will be established to address all members of CHAKRAY, particularly new hires.
People with responsibility in the use, operation, or administration of ICT systems will receive training for secure system handling to the extent they need it to perform their work. Training will be mandatory before assuming a responsibility, whether it is their first assignment or a change of position or responsibilities.
Third Parties, Service Providers, and Solution Providers
When CHAKRAY provides services to other entities or handles information from others, they will be made aware of this Information Security Policy, without prejudice to compliance with data protection obligations where CHAKRAY acts as data processor in the provision of said services. Channels will be established for reporting and coordination between the respective Security Committees, together with action procedures for responding to security incidents. Additionally, the Security Manager (or a delegated person) will be the Point of Contact (PoC).
When CHAKRAY uses third-party services or transfers information to third parties, they will be made aware of this Security Policy and Security Standards pertaining to said services or information, without prejudice to compliance with other data protection obligations. In contracting service providers or acquiring products, the contractor’s obligation to comply with the ENS will be taken into account.
Such third parties will be subject to the obligations established in said regulations, being able to develop their own operational procedures to satisfy them, so that CHAKRAY can supervise them or request evidence of compliance, including second- or third-party audits. Specific incident reporting and resolution procedures will be established that must be channeled through the PoC of the third parties involved and, additionally, when personal data is affected, through the Data Protection Officer. Third parties will guarantee that their personnel are adequately aware of security matters, at least at the same level established in this Policy or specifically required in the contract.
When any aspect of the Policy cannot be satisfied by a third party as required in the previous paragraphs, the Security Manager will issue a report specifying the risks incurred and how to treat them. Approval of this report by those responsible for the affected information and services will be required before the start of contracting or, where applicable, the award. The report will be forwarded to the entity’s representative who must authorize continuation with the third-party contracting process, assuming the detected risks.
When the entity acquires, develops, or implements an Artificial Intelligence system, in addition to complying with current regulations on the matter, it must have the report of the Security Manager, who will consult the Information and Service Manager and, when necessary, the System Manager, and the Data Protection Officer must also issue their opinion.
Security Incident Management
CHAKRAY will have a procedure for the agile management of security events and incidents that pose a threat to information and services. This procedure will be integrated with the incident procedures required by other sectoral regulations affecting the organization, such as personal data protection, in order to coordinate the response from the different approaches and to communicate to the relevant control bodies without undue delay and, when necessary, to Law Enforcement or the courts.
Non-Compliance
Non-compliance with this Information Security Policy may result in the initiation of appropriate disciplinary measures, without prejudice to corresponding legal responsibilities.
Information Security Policy Review
This policy will be reviewed annually and in the event of significant changes in CHAKRAY’s Information Security Management System.