INFORMATION SECURITY POLICY

1. CONTEXT

This Information Security Policy is formalised in order to comply with the legal provisions set forth in Royal Decree 311/2022, of 3 May, which regulates the National Security Framework (hereinafter, ENS – Esquema Nacional de Seguridad) in the field of Electronic Administration, and constitutes the cornerstone for the Information Security Governance and Management Framework formalised in Consorcio de Compensación de Seguros E.P.E (hereinafter, CCS).

The purpose of the ENS is to create the necessary conditions of trust in the use of electronic media, through the identification and implementation of measures that guarantee the security of electronic systems, data, communications and services, enabling citizens and Public Administrations to exercise their rights and fulfil their duties through these media.

Article 12 of the ENS establishes the obligation to have a Security Policy in place, specifying the basic principles and minimum requirements that it must meet.

This Information Security Policy follows the guidelines, instructions and recommendations set out in the CCN-STIC-805 guide issued by the National Cryptologic Centre (CCN in its Spanish acronym), a centre attached to the National Intelligence Centre.

CCS uses ICT (Information and Communications Technology) systems to achieve the strategic objectives formalised by its governing bodies (hereinafter, the Management). Consequently, these systems must be managed diligently, applying appropriate security measures to protect information from accidental or deliberate damage.

Information constitutes, for practically all the services provided by CCS, the essential thread for their execution with guarantees of efficiency and quality, thereby achieving compliance with the formally established strategic objectives.

The main dimensions of information security that must be guaranteed in the provision of any service are:

  • Confidentiality: Ensures that information is only accessible to authorised persons, entities or processes.
  • Integrity: Ensures that information is only generated, modified and deleted by authorised persons, entities or processes.
  • Availability: Ensures that information is accessible when authorised persons, entities or processes need it.

Additionally, there are other security dimensions, such as authentication of the parties, traceability, and non-repudiation, which must also be guaranteed when the security value of the information in the context of the service being provided so requires.

This means that the organisation and its staff must apply the minimum security measures required by the ENS, as well as continuously monitor service provision levels, monitor reported vulnerabilities, and prepare an effective response to incidents to ensure the security dimensions outlined above.

CCS must ensure that security is an integral part of every stage of the ICT systems life cycle, from conception to decommissioning, including development or procurement decisions and operational activities.

The Information Security Policy is based on the adoption of clear and well-defined principles that ensure compliance with strategic guidelines, legal requirements, and contractual requirements formalised with third parties. It is therefore the main instrument on which CCS relies for the secure use of information and communications technologies.

The regulations (standards, procedures and security instructions) emanating from the CCS Information Security Policy will become part of it once they have been disclosed, and will be mandatory for all employees and third parties who make use of information owned by CCS.

Employees shall be responsible for the security of the CCS information they process in the performance of their duties, and shall be required to know, understand and comply with the guidelines and rules relating to information security, ensuring the correct application of the protection measures in place.

Employees' access to information shall be limited to what is strictly necessary for the proper performance of their formally assigned duties, thereby ensuring compliance with the least privilege policy.

2. OBJECTIVES

The Information Security Policy is established as the high-level document that formalises the various security guidelines adopted by CCS, which will be developed in greater detail in the corresponding security regulations (standards, procedures and security instructions) drawn up for this purpose.

Under this premise, therefore, the Information Security Policy has the following main objectives:

  • To comply with the legal regulations applicable in the field of information security.
  • To contribute to the fulfilment of the formalised mission and strategic objectives.
  • To align information security with the requirements of the services provided, by formalising and executing the process of analysing and assessing the risks to which the different information assets are exposed, and thereby defining a strategy for mitigating information security risks.
  • To ensure adequate protection of the various information assets according to their degree of sensitivity and criticality (the security value of each information asset in the various dimensions considered).
  • To facilitate the sizing of the resources necessary for the correct implementation of the technical and organisational security measures set out in the security regulations documented for this purpose.
  • To promote the use of good practices in information security and to create a culture of security within the organisational structure.
  • To promote the definition, implementation and maintenance of a Business Continuity Plan.
  • To establish mechanisms for review, monitoring, auditing and continuous improvement in order to maintain the levels of security required by the services provided.

3. SCOPE

CCS shall apply this Information Security Policy to all information and communications systems affected by the scope of application of the ENS.

4. REGULATORY FRAMEWORK

The formalisation of the Information Security Policy, as well as the security regulations derived from it, shall take into account and incorporate the following legal regulations applicable to the main activity of CCS:

  • Royal Decree 311/2022, of 3 May, regulating the National Security Framework (ENS) in the field of Electronic Administration.
  • Royal Decree 4/2010, of 8 January, regulating the National Interoperability Scheme in the field of Electronic Administration, with regard to the technical and organisational security measures to be implemented.
  • Law 39/2015, of 1 October, on Common Administrative Procedure for Public Administrations.
  • Law 40/2015, of 1 October, on the Legal Regime for the Public Sector.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, GDPR – General Data Protection Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter Law 3/2018).
  • Law 9/2017, of 8 November, on Public Sector Contracts, transposing into Spanish law Directives 2014/23/EU and 2014/24/EU of the European Parliament and of the Council of 26 February 2014.
  • Royal Decree-Law 14/2019, of 31 October, adopting urgent measures for reasons of public safety in the areas of digital administration, public sector procurement and telecommunications.
  • Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (hereinafter, LSSICE).
  • Law 6/2020, of 11 November, regulating certain aspects of electronic trust services, which adapts Spanish law to Regulation (EU) 910/2014 (also known as eIDAS).
  • Consolidated Text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of 12 April 1996. This regulation has been amended by several laws, including Law 21/2014, which transposes the content of European directives into Spanish legislation, and Law 2/2019, which incorporates Directive 2014/26/EU and Directive (EU) 2017/1564.
  • Order PCI/487/2019, of 26 April, publishing the 2019 National Cybersecurity Strategy, approved by the National Security Council.

Together with any other related provisions and the implementing provisions of those listed above.

5. PRINCIPLES

In order to ensure compliance with the security objectives identified above, the Information Security Policy formalises the application of certain security principles.

5.1. SECURITY AS A COMPREHENSIVE PROCESS

Security is understood as a comprehensive process comprising all human, material, technical, legal and organisational elements related to the information systems used to support the provision of services. In this regard, therefore, all security activities will be carried out from this perspective, avoiding any isolated actions or ad hoc measures.

The utmost attention will be paid to raising awareness among those involved in the provision of services and among those in positions of responsibility, with the aim of preventing lack of awareness, lack of organisation and coordination, or inadequate instructions from becoming sources of risk to information security.

5.2. RISK-BASED SECURITY MANAGEMENT

Risk analysis and management is an essential part of the security process and should be a continuous and constantly updated activity.

Risk management will enable the maintenance of a controlled information environment, minimising risks to acceptable levels.

Risk reduction to such levels will be achieved through the application of security measures that are balanced and proportionate to the nature of the information processed, the services to be provided and the risks to which the various information assets used are exposed.

5.3. PREVENTION, DETECTION AND RESPONSE

Information security must include actions relating to prevention, detection and response, in order to minimise existing vulnerabilities and ensure that threats do not materialise or, if they do, do not seriously affect the information or services provided.

Prevention measures, which may include components aimed at deterrence or reducing the area of exposure, must reduce the likelihood of threats materialising.

Detection measures shall be aimed at early warning of any scenario in which threats materialise.

Response measures, which shall be managed in a timely manner, shall be aimed at restoring information and services that may have been affected by a security incident.

5.4. EXISTENCE OF LINES OF DEFENCE

It must be ensured that the protection strategy consists of multiple layers of security, arranged in such a way that, when one of the layers is compromised, it is possible to react appropriately to incidents that could not be prevented, reducing the likelihood of them spreading.

The lines of defence must consist of organisational, physical and logical measures.

5.5. CONTINUOUS MONITORING AND PERIODIC REASSESSMENT

Continuous monitoring will enable the detection of anomalous activities or behaviour and a timely response.

Ongoing assessment of the security status of information assets will enable their evolution to be measured, detecting vulnerabilities and identifying configuration deficiencies.

Security measures will be periodically reassessed and updated, adapting their effectiveness to the evolution of risks and protection systems, and may lead to a rethinking of security, if necessary.

5.6. DIFFERENTIATION OF RESPONSIBILITIES

Responsibility for information security will be differentiated from responsibility for the operation of information systems.

6. REQUIREMENTS

The development of the Information Security Policy must enable compliance with certain security requirements.

6.1. ORGANISATION AND IMPLEMENTATION OF THE SECURITY PROCESS

Security must involve all members of the organisation.

6.2. RISK MANAGEMENT

The risk management process shall consist of risk analysis and treatment activities, ensuring the application of the principle of proportionality.

6.3. PERSONNEL MANAGEMENT

Personnel, whether internal or external, must be trained and informed of their duties, obligations and responsibilities in relation to security.

In the performance of their duties, personnel shall apply the approved security standards and operating procedures, and their actions shall be supervised to verify that the established procedures are being followed.

The meaning and scope of the secure use of information assets shall be specified and set out in specific security standards.

6.4. PROFESSIONALISM

Information security will be handled, reviewed, and audited by qualified, dedicated, and trained personnel throughout all phases of the information systems lifecycle: planning, design, acquisition, construction, deployment, operation, maintenance, incident management, and decommissioning.

Third-party entities providing security services must have qualified professionals, as well as appropriate levels of management and maturity in the services provided.

The training and experience requirements necessary for staff to perform their jobs will be determined.

6.5. AUTHORISATION AND ACCESS CONTROL

Controlled access to information systems must be limited to duly authorised users, processes, devices or other information systems, and exclusively to permitted functions.

6.6. PROTECTION OF FACILITIES

Information systems and their associated communications infrastructure must remain in controlled areas and have adequate and proportionate access mechanisms in place based on risk analysis.

6.7. LEAST PRIVILEGE

Information systems must be designed and configured to grant the minimum privileges necessary for their proper performance, which implies incorporating the following aspects:

  1. Information systems shall provide the functionality essential to achieve the functional or contractual objectives.
  2. The operation, administration and activity logging functions shall be the minimum necessary, and it shall be ensured that they are only performed by authorised persons, from authorised locations or equipment, and restrictions on working hours and authorised access points may be required where appropriate.
  3. Functions that are unnecessary or inappropriate for the intended purpose shall be removed or deactivated through configuration control. The ordinary use of information systems must be simple and secure, so that unsafe use requires a conscious act on the part of the user.

6.8. PURCHASE/CONTRACTING OF SECURITY PRODUCTS AND SERVICES

When acquiring security products or contracting security services for information and communication technologies to be used in information systems within the scope of application of the ENS, those with certified security functionality related to the purpose of their acquisition shall be used, in proportion to the category of the system and the level of security determined.

The Certification Body of the National Scheme for the Evaluation and Certification of Information Technology Security, which belongs to the National Cryptologic Centre (hereinafter, CCN) and was established under Article 2.2.c) of Royal Decree 421/2004, of 12 March, regulating the National Cryptologic Centre, shall determine the following aspects, taking into account the national and international evaluation criteria and methodologies it recognises and the intended use of the specific product or service within its remit:

  1. The functional security requirements and the certification assurance requirements.
  2. Any other additional security certifications required by law.
  3. Exceptionally, the criteria to be followed in cases where there are no certified products or services.

The contracting of security services shall be subject to the provisions of the preceding paragraphs and the requirement of professionalism.

6.9. SYSTEM INTEGRITY AND UPDATING

The inclusion of any physical or logical element in the information asset register, or its modification, shall require prior formal authorisation.

Ongoing assessment and monitoring will enable the security status of information systems to be adapted in response to configuration deficiencies, identified vulnerabilities and updates affecting them, as well as the early detection of any incidents that may occur.

6.10. PROTECTION OF STORED AND IN TRANSIT INFORMATION

Special attention shall be paid to information stored or in transit via portable or mobile equipment or devices, peripheral devices, information media and communications over open networks, which shall be analysed in particular to ensure adequate protection.

6.11. PREVENTION IN RELATION TO OTHER INTERCONNECTED INFORMATION SYSTEMS

The perimeter of information systems shall be protected, especially if connected to public networks, reinforcing the tasks of prevention, detection and response to security incidents. In any case, the risks arising from the interconnection of information systems with other systems shall be analysed and their connection points shall be monitored.

6.12. ACTIVITY LOG AND MALICIOUS CODE DETECTION

User activity shall be logged, retaining only the information strictly necessary to monitor, analyse, investigate and document improper or unauthorised activities, allowing the person acting to be identified at all times. All of this shall be carried out in compliance with the applicable legal provisions in this area of activity.

In order to preserve the security of information systems, and in strict compliance with the applicable legal regulations, incoming and outgoing communications may be analysed solely for information security purposes: to prevent unauthorised access to networks and information systems, to stop denial-of-service attacks, and to prevent the distribution of malicious code and other damage.

In order to correct improper use or, where appropriate, demand accountability, each user accessing the information system must be uniquely identified, so that it is known at all times who has been granted access rights, what type of rights they are, and who has performed a particular activity.

6.13. SECURITY INCIDENTS

Procedures for managing security incidents shall be in place, as well as channels of communication with stakeholders and a record of actions taken. This record shall be used for the continuous improvement of information system security.

6.14. BUSINESS CONTINUITY

Information systems shall have backups, and the necessary mechanisms shall be established to ensure continuity of operations in the event of loss of the usual means.

6.15. ONGOING IMPROVEMENT

The comprehensive information security process implemented shall be continuously updated and improved.

7. RISK APPROACH

The systems covered by this Information Security Policy are subject to risk analysis and assessment in order to identify the threats to which they are exposed, assess the impact associated with the materialisation of such threats, and determine the risk situations that could arise.

The result of this risk analysis and assessment will enable the identification and proposal of appropriate security measures as a strategy for mitigating such risks.

This risk analysis addresses the following main characteristics:

  • It is based on the application of risk management standards and methodologies recognised as good practice at national and international level.
  • It establishes a benchmark for the information and services provided, so that consistent results are obtained in the execution of activities inherent to risk analysis.
  • It is carried out annually, or when the following scenarios arise:
    • Substantial modification of the information managed, the services provided, or the systems that support the provision of such services.
    • Identification of new attack vectors, threats or vulnerabilities associated with the system.
    • Presence of a serious security incident.

The Information Security Committee will lead the periodic execution of the risk analysis, planning the technical, human, and economic resources necessary for this purpose.

8. REGULATORY STRUCTURE

The security regulations established by CCS are structured into the following hierarchically related levels:

  1. Level I: Information Security Policy
  2. Level II: Information Security Standards
  3. Level III: Information Security Procedures
  4. Level IV: Specific Information Security Instructions

This hierarchical structure allows the lower levels to be adapted efficiently to changes in the CCS operating environment.

CCS personnel shall be required to be familiar with and comply with the Information Security Policy, as well as all security standards, procedures and instructions that may affect the performance of their duties.

The security regulations shall be available to all users and, in particular, to those who use, operate or administer the information and communications systems covered by the scope.

9. SECURITY ORGANISATION

The security organisation at CCS is established by identifying and defining the different functions and responsibilities considered in this matter, as well as implementing the organisational structure composed of:

  1. Information Security Committee.
  2. Security Manager.
  3. Systems Manager.
  4. Information Manager.
  5. Service Manager.
  6. Data Protection Officer.

9.1. INFORMATION SECURITY COMMITTEE

The Information Security Committee acts as the highest body for control, supervision and harmonisation in matters of information security, and belongs to the governing bodies of the organisation.

9.1.1. COMPOSITION

The Information Security Committee is made up of the following permanent members:

  • Chairperson
  • Secretary
  • Committee members

Depending on the agenda proposed by the Security Manager, the call for the Information Security Committee may request the attendance of some of the identified Service Managers or the Data Protection Officer, if necessary, for timely decision-making.

The Information Security Committee is not a technical committee; however, it will regularly gather relevant information from its own or external technical staff for decision-making or for issuing a specific opinion. This advice will be determined on a case-by-case basis and may take different forms:

  • Relying on external advice.
  • Forming specialised internal, external or mixed working groups.
  • Attending seminars or other types of training or experience-sharing environments.

9.1.2. FUNCTIONS

The functions of the Information Security Committee are as follows:

  • Address the concerns of management and service managers.
  • Regularly report on the status of information security to management.
  • Promote the ongoing improvement of the Security Governance and Management Model.
  • Promote the execution of periodic audits to verify compliance with security obligations.
  • Coordinate the efforts of the different areas in terms of information security to ensure their alignment with the formalised security objectives.
  • Resolve conflicts of interest that may arise between different managers and/or between different organisational units, escalating to senior management those cases in which they do not have sufficient authority to decide.
  • Develop, regularly review and approve the Information Security Policy.
  • Approve the information security standards developed by the Security Manager.
  • Develop and approve training and qualification requirements for identified roles from an information security perspective.
  • Approve plans for the ongoing improvement of information security. In particular, ensure the coordination of different plans that may arise in different areas.
  • Carry out timely follow-up in relation to the formalised risk mitigation strategy.
  • Monitor the performance of security incident management processes and recommend possible actions to that effect. In particular, ensure the coordination of different areas in the management of information security incidents.
  • Ensure that information security is taken into account in all ICT projects from their initial specification to their implementation (security guarantees by design).

9.2. ROLES AND RESPONSIBILITIES

The assignment of roles and responsibilities in relation to security is aligned with the functional competencies formalised within the CCS organisational structure.

9.2.1. SERVICE MANAGER

The Service Manager role assumes the following main responsibilities:

  • Act as the owner of the risks to which the service is exposed.
  • Determine and maintain up-to-date service security levels, assessing the impacts of incidents affecting information security in accordance with the provisions of the ENS. To carry out this activity, they may act in coordination with the Security Manager and the Systems Manager.
  • Ensure service security levels.
  • Perform service security risk analysis with the participation of the Security Manager, as well as select the necessary technical and organisational measures as a mitigation strategy for the identified risk scenarios.
  • Follow up, monitor and control the identified risk scenarios.

The Service Manager shall submit the results of the tasks carried out within the scope of their responsibilities to the Security Manager at least once a year or at the latter's request, reporting the results in a format suitable for the integration of the information.

The Service Manager shall have been appointed within the context of the executive management responsible for implementing the appropriate processes to achieve the strategic objectives defined by the governing bodies.

9.2.2. SECURITY MANAGER

The Security Manager has the following main responsibilities:

  • Participate in the development of the Information Security Policy for review and approval by the Information Security Committee.
  • Develop and approve security procedures and instructions.
  • Ensure the up-to-date maintenance of the regulatory framework for security and associated records.
  • Formalise and disseminate the security regulations arising from the Information Security Policy.
  • Promote training and awareness in information security within their area of responsibility.
  • Develop staff training and awareness plans on security, which are approved by the Information Security Committee.
  • Monitor the correct fulfilment of the formalised security objectives.
  • Compile the security requirements of the Service Managers.
  • Formally determine the category of information systems based on the security levels identified by the Service Managers.
  • Collaborate with the Service Managers in performing the risk analysis.
  • Prepare the Statement of Applicability as a result of the risk analysis.
  • Prepare the Risk Treatment Plan for consideration and approval by the Information Security Committee.
  • Approve the guidelines proposed by the Systems Manager to consider security throughout the entire lifecycle of assets (security by default principle).
  • Collaborate with the Data Protection Officer in identifying the necessary security measures for personal data protection.
  • Lead the meetings of the Information Security Committee.
  • Periodically provide the Information Security Committee with a report on security actions, relevant incidents that have occurred, and the state of security (in particular, the level of residual risk to which the various identified services are exposed).
  • Present the identified security needs and proposals to the Information Security Committee and to the Management, as a risk mitigation strategy.

Appropriate segregation of duties shall be ensured between the Security Manager and any other function related to the provision of services.

The Security Manager shall be appointed within the context of the governing bodies.

9.2.3. SYSTEMS MANAGER

The Systems Manager has the following main responsibilities:

  • Develop, operate and maintain information systems throughout their lifecycle in accordance with formalised specifications, verifying their correct operation.
  • Ensure that specific security measures are properly integrated into the overall security framework.
  • Agree to suspend the provision of a particular service if informed of serious security deficiencies that could affect the fulfilment of the established requirements. This decision must be agreed with the Service Manager of the affected service and the Security Manager before being implemented.
  • Monitor the implementation of security measures that apply to IT providers during the development, installation and testing stages of the systems.
  • Determine the authorised hardware and software configuration to be applied to the systems.
  • Define the responsibilities of the different functions involved in the maintenance, operation, implementation and supervision of the systems.
  • Develop security procedures in conjunction with the Security Manager.
  • Establish contingency plans, conducting regular drills to familiarise staff with such plans.
  • Approve changes affecting the security of system operation.
  • Approve any substantial modification to the configuration of any element of the systems.
  • Monitor the security status of the systems and report it periodically or in the event of relevant security incidents to the Security Manager.

9.2.4. USERS

Users assume the following main responsibilities:

  • To be familiar with and comply with the Information Security Policy, as well as the security regulations derived from it and applicable to the performance of their duties.
  • To collaborate in notifying the Security Manager of any incident detected relating to information security.
  • To assist in notifying the Data Protection Officer of any breach detected relating to personal data security.
  • To use information assets for the established purpose.
  • To comply with the information confidentiality agreements arising from the formalisation of their employment relationship with the organisation.

10. STAFF OBLIGATIONS

All CCS staff are required to be familiar with and comply with this Information Security Policy and the regulations derived from it. The Information Security Committee is responsible for providing the necessary means to ensure that the information reaches those affected.

All staff will participate in ongoing security awareness training. An ongoing programme of awareness-raising activities will be established to cater to all staff, particularly new recruits.

Staff must use the security incident reporting procedure enabled for this purpose if they detect a possible incident.

Individuals responsible for the operation or administration of systems will receive timely training in their secure management.

11. THIRD PARTIES

When CCS requires the participation of third parties for the provision of a service, it shall inform them of the relevant security regulations within the context of such collaboration. These third parties shall be subject to the obligations established in those regulations and, formally, to the security requirements identified for the scope of the outsourced services.

Specific procedures for reporting and resolving incidents that may arise during the provision of the service shall be formalised.

When any aspect of the security regulations cannot be satisfied by a third party, the authorisation of the Security Manager shall be required, after identifying the risks involved and how to deal with them, and it shall not be possible to formalise the contract prior to obtaining such authorisation.

12. PERSONAL DATA

CCS has a Privacy Management System to which only authorised persons have access, comprising the policies and procedures necessary to comply with the requirements of the GDPR, Law 3/2018, and other applicable regulations.

CCS processes personal data for different purposes, which are identified in the Record of Processing Activities published on the website www.consorseguros.es.

All CCS information systems shall comply with the security levels required by the regulations for the nature and purpose of the personal data collected in the aforementioned Privacy Management System.

CCS, advised by the Data Protection Officer, will carry out a periodic risk analysis in relation to privacy in accordance with the terms established in Article 24 of the GDPR, as well as the relevant impact assessments in accordance with the provisions of Article 35 of the GDPR.

In any case, the measures to be implemented as a result of the risk analysis and, where applicable, the impact assessments carried out, shall prevail if they are more stringent than those provided for in the ENS.

13. REVIEW

The Information Security Policy will be reviewed annually by the Security Manager or whenever there is a significant change (security management approach, operational circumstances, legal changes, changes in the technical environment, recommendations made by supervisory authorities, trends related to threats and vulnerabilities, etc.) that requires it.

In the event that a new version of the Information Security Policy is obtained, formal approval from the Information Security Committee will be required prior to its disclosure.

14. APPROVAL AND ENTRY INTO FORCE

Text approved by the Information Security Committee on 22 December 2025.

This Information Security Policy is effective from the day following its date of approval and until it is replaced by a new policy.

Its entry into force implies the repeal of any other policy that existed for such purposes.