
INDEX

1. INTRODUCTION

2. SCOPE

3. OBJECTIVE

4. COMMITMENT OF MANAGEMENT

5. LEGAL FRAMEWORK

6. PRINCIPLES AND GUIDELINES

6.1 Mission and Objectives

6.2 Prevention

6.3 Detection

6.4 Response

6.5 Recovery

7. SECURITY ORGANIZATION

8. DISSEMINATION, UPDATE, AND REVIEW OF THE POLICY

9. STRUCTURE OF DOCUMENTATION

10. PERSONAL DATA

11. RISK MANAGEMENT

12. NON-COMPLIANCES

13. THIRD PARTIES

14. TRAINING AND AWARENESS

15. TELEWORK

17. BACKGROUND CHECKS

18. MANAGEMENT RESPONSIBILITIES

19. APPROVAL AND ENTRY INTO FORCE

1. INTRODUCTION

VIÑA COSTEIRA, hereafter referred to as the Organization, manages a significant amount of sensitive information that is crucial to its performance, sustainability, security, and ability to maintain business operations. This information asset includes:
  • Information related to production and management necessary for the Organization’s activity.
  • Intellectual property, consisting of all information, knowledge, and know-how within the Organization.
  • Information about its partners and third parties, which could harm their brand image, or result in legal actions if altered or disclosed.
  • Employee-related information, which, if disclosed, would violate privacy.
This document outlines the Organization’s Information Security Policy to protect its information assets against threats such as fraud, espionage, accidents and human error, to maintain the trust of our partners and to comply with applicable legal frameworks and regulations. This policy is the cornerstone of the Organization’s Information Security Management System (ISMS) and aims to ensure the protection of the information assets within the ISMS scope. The document establishes the framework for information security, ensuring the availability, authenticity, integrity, confidentiality, and traceability of information. The senior management of the Organization is committed to providing the resources and actions necessary to implement this policy. The policy is accessible to all employees via the intranet, notice boards, etc., and is available to any interested party upon request through senior management.

2. SCOPE

This policy applies to all departments of the Organization and all personnel. The Organization’s security role structure is defined at both the corporate and operational levels, within the organizational model. The functional scope of this policy covers all information assets, including:
  • Information: Any data stored electronically or on paper belonging to the Organization, employees, suppliers, or partners.
  • Materials: All physical elements that support processes (laptops, servers, printers, storage devices, etc.).
  • Software: All programs or executables that contribute to data operations (operating systems, monitoring software, office suites, executables, etc.).
  • Network: Communication devices used to interconnect computers or remote elements in an information system (routers, firewalls, communication lines, etc.).
  • Personnel: All individuals involved in the information system (internal personnel, subcontractors, collaborators, etc.).
  • Locations: Any locations the Organization uses, including facilities and the necessary physical requirements.
  • Organizational Structure: All elements forming the Organization and its functions (organizational model, business processes, etc.).
The ISMS extends to the services of GRAPE PRODUCTION, WINE MAKING, BOTTLING, AND MARKETING.

3. OBJECTIVE

The primary objective of this policy is to ensure the availability, integrity, confidentiality, authenticity, traceability, and value of information, services, and related technologies and information assets within the Organization. The generic objectives established by the Organization include:
  • Ensuring the protection of partner information throughout its lifecycle.
  • Facilitating continuous improvement of security processes, procedures, products, and services.
  • Meeting legal and other partner-specific requirements related to information security.
  • Ensuring business continuity through contingency plans for critical services.
  • Ensuring adequate resources for security and assigning roles and responsibilities.
  • Raising awareness and training personnel about the importance of the ISMS and its contribution to business goals.
4. COMMITMENT OF MANAGEMENT

This policy outlines management’s commitments regarding information security, specifically to ensure a high level of security for our partners. Management guarantees:
  • Protection of partner information against unauthorized changes, loss, or disclosure.
  • High security in services provided to partners.
  • Compliance with the ISMS to minimize risks for partners.
  • Promotion of a security culture throughout the Organization.
  • Incident management to minimize impacts on the Organization and partners.
5. LEGAL FRAMEWORK

The Organization adheres to the following relevant laws and regulations:
  • EU Regulation 2016/679 regarding data protection and the free movement of data.
  • Organic Law 3/2018 on Personal Data Protection and Digital Rights.
  • Royal Decree 311/2022 on the National Security Framework.
  • Royal Decree 203/2021 on electronic procedures in the public sector.
  • Other relevant Spanish laws regarding intellectual property, electronic access to public services, and administrative procedures.
6. PRINCIPLES AND GUIDELINES

The Organization relies, among other things, on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed with diligence, taking the necessary measures to protect them against accidental or deliberate damage that could affect the availability, integrity, confidentiality, or traceability of the information processed or the services provided. The objective of information security is to guarantee the quality of the information and the continuous provision of services, by acting preventively, monitoring daily activity, and responding promptly to incidents.

6.1 Mission and Objectives
The Organization addresses at least the following objectives:
  • Use of corporate ICT resources, such as email, internet access, computing and communication equipment.
  • Management of inventoried information assets, categorized and associated with a responsible party.
  • Implement mechanisms to ensure that anyone who accesses or may access information assets understands their responsibilities, thus reducing the risk associated with improper use of these assets.
  • Physical security, ensuring that information assets are located in secure areas, protected by physical access controls appropriate to their level of criticality. Systems and information assets within these areas must be sufficiently protected against physical or environmental threats.
  • Security in the management of communications and operations, ensuring that information transmitted through communication networks is adequately protected based on its sensitivity and criticality level, using mechanisms that guarantee its security.
  • Access control, limiting access to information assets by users, processes, and information systems by implementing identification, authentication, and authorization mechanisms according to the criticality of each asset.
  • Acquisition, development, and maintenance of information systems while considering information security aspects at all stages of the lifecycle of these systems.
  • Management of security incidents by implementing appropriate mechanisms for proper identification, recording, and resolution of security incidents.
  • Continuity management by implementing appropriate mechanisms to ensure the availability of information systems and maintaining business process continuity.
6.2 Prevention

To defend against threats, the different departments of the Organization must implement the minimum security measures and ensure that ICT security is an integral part of each stage of the service lifecycle. Departments must be prepared to prevent, detect, respond to, and recover from incidents. To ensure compliance with this policy, the different departments of the Organization must:
  • Authorize systems before they are operational.
  • Request periodic reviews by third parties to obtain an independent assessment.
  • When there are specific security requirements for any service, senior management will communicate them to the IT department for analysis and implementation.
6.3 Detection

Since services can degrade quickly due to incidents, ranging from simple slowdowns to complete service outages, it is essential to continuously monitor operations to detect anomalies in service delivery and take appropriate action. Detection, analysis, and reporting mechanisms will be established to inform the responsible parties regularly and whenever a significant deviation from the predefined normal parameters occurs.

6.4 Response

The Organization and all its departments must:
  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications regarding incidents detected in other departments or external organizations.
  • Establish protocols for exchanging information related to the incident, ensuring timely and accurate sharing of relevant data for effective resolution.
6.5 Recovery

To ensure the availability of critical services, the Organization must develop a continuity plan for its ICT systems as part of its overall business continuity plan and recovery activities.

7. SECURITY ORGANIZATION

The implementation of this Security Policy requires that all members of the Organization understand their duties and responsibilities according to their position. As part of this Policy, the main roles are identified and detailed as follows: Security Manager and Systems Manager.
  • The Senior Management will be in charge of approving this policy and will be responsible for the authorization of its modifications, as well as all the documented information of the entity’s ISMS.
  • The Security Manager will be the one to take the appropriate decisions to meet the requirements of information security and services. He/she shall have the following functions:
    • Oversee compliance with this Policy, its rules and derived procedures.
    • Advise on security matters to the members of the Security Committee as required.
    • Notify all personnel of changes to this policy.
    • Coordinate the actions of implementation, maintenance and improvement of the Organization’s ISMS and its audits, together with the Systems Manager.
  • The Systems Manager, who will be in charge of managing the technical and security requirements of the information systems.
  • All the Organization’s personnel, both internal and external, will be responsible for complying with the present Information Security Policy within their work area, as well as for applying all the documented information of the controls and security measures of the Organization’s ISMS in their work activities that affect their performance in information security.
8. DISSEMINATION, UPDATING AND REVIEW OF THE POLICY

Senior Management shall be responsible for the annual review of this Information Security Policy and for proposing its revision or maintenance. The Policy will be approved by the Senior Management of the Organization and will be disseminated so that all affected parties are aware of it. This Policy will be developed by means of security regulations that address specific aspects. The security regulations shall be available to all members of the Organization who need to know them, particularly to those who use, operate or administer the information and communications systems.

9. STRUCTURE OF THE DOCUMENTATION

The Security Manager will be responsible for the custody and dissemination of the approved version of the generated documentation. The documentation on which this policy is based will be composed of a set of rules, procedures, good practices and guides that will help users in the performance of their tasks.

10. PERSONAL DATA

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, together with the Spanish legislation in force, Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, defines the conditions under which personal data may be processed. It grants the persons affected by the processing the right to access and correct the data recorded about them. The Organization will only collect personal data that are adequate, relevant and not excessive in relation to the scope and purposes for which they have been obtained. Likewise, it will adopt the technical and organizational measures necessary to comply with the Data Protection regulations. These measures will be included in the policies, regulations and procedures that emanate from this security policy.

11. RISK MANAGEMENT

All systems subject to this Policy shall undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated:
  • Regularly, at least once a year.
  • When the information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.
For the harmonization of risk analysis, the Organization will establish a reference valuation for the different types of information handled. Risk management will be documented in a Risk Analysis and Management Plan.

12. NON-COMPLIANCE

The Organization may take appropriate measures against any person who contravenes this Security Policy and whose conduct results in a threat to the business and/or the maintenance of its activity, or in a violation of legal regulations and/or contractual agreements to which the Organization is bound. The level and degree of the measures will depend on the nature, intentionality and scope of the violation. In the case of both labor and non-labor relations, the Organization reserves the right to take legal action, regardless of the termination of the contractual relationship, depending on the damage caused to the company.

13. THIRD PARTIES

When the Organization uses third-party services or transfers information to third parties, they will be made aware of this Policy and the Security Regulations that apply to such services or information. Said third party shall be subject to the obligations set forth in said regulations, and may develop its own operating procedures to comply with them. If necessary, specific incident reporting and resolution procedures shall be established. It shall be ensured that third-party personnel are adequately security-aware, at least to the same level as that set forth in this Policy.

14. TRAINING AND AWARENESS

An annual security training and awareness action will be carried out. The objective of the training and awareness action is twofold:
  • To keep the personnel most directly related to the handling of information and the systems that deal with it informed about existing security procedures, risks, protection measures, protection plans, etc.
  • To make the personnel, in general, aware of the importance of security and of the basic procedures for handling and exchanging information.
15. TELEWORKING

This policy and its associated procedures, rules and regulations shall be applicable to, and therefore mandatory for, all personnel of the Organization who are teleworking.

17. BACKGROUND INVESTIGATION

Background checks on all job candidates must be conducted in accordance with applicable laws, regulations and codes of ethics, and must be commensurate with the needs of the business, the classification of the information being accessed and the perceived risks.

18. MANAGEMENT RESPONSIBILITIES

Management shall require employees and contractors to implement information security in accordance with the Organization’s established policies and procedures.

19. APPROVAL AND ENTRY INTO FORCE

This Information Security Policy shall be approved by Senior Management by signature and shall be disseminated to its stakeholders. Likewise, Senior Management will provide the necessary resources for the effective application of this policy and for its proper development, both in the implementation activities and in the subsequent maintenance and improvement of the entire ISMS of the Organization.

VIÑA COSTEIRA
