Security Policy

Overview

SALES LAYER TECH S.L. and all its subsidiaries (Sales Layer, Ltd. and Sales Layer, Inc.), hereinafter referred to as SALES LAYER, the COMPANY or the ORGANIZATION, depend on ICT (Information and Communications Technology) systems to achieve their objectives. These systems must be managed with diligence, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

To defend against these threats, a strategy that adapts to changing conditions is required in order to ensure the continuous provision of services. This means the company must apply the minimum security measures required by regulations, standards and other stakeholders, together with any additional measures derived from the risk analysis; continuously monitor service levels; monitor and analyze reported vulnerabilities; and prepare an effective response to incidents so as to guarantee the continuity of the services provided.

The different departments must ensure that ICT security is an integral part of every stage of a system's life cycle, from conception to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in the planning, requests for proposals and bidding documents of ICT projects.

Departments must be prepared to prevent, detect, react and recover from incidents, in accordance with security regulations.

Prevention

The company must prevent, or at least minimize as far as possible, harm to information or services caused by security incidents. To this end, departments must implement the minimum security measures determined by regulations, standards and other stakeholders, as well as any additional controls identified through an evaluation of threats and risks. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented. Departments must also:

  • Authorize systems before putting them into operation.
  • Evaluate security periodically, including evaluation of routinely performed configuration changes.
  • Request periodic third-party reviews to obtain an independent assessment.

Detection

Since incidents can quickly degrade services, from a simple slowdown to a complete stoppage, departments must continuously monitor operations to detect anomalies in service levels and act as established in the control governing the review of information security policies.

Monitoring is especially relevant where lines of defense have been established. Detection, analysis and reporting mechanisms will be set up on a regular basis so that those responsible can detect significant deviations from the parameters pre-established as normal.

Response

The organization must:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications concerning incidents detected at third parties to which it provides services.
  • Establish protocols for exchanging incident-related information. This includes communications, in both directions, with the national security incident response center (INCIBE-CERT).

Recovery

To ensure the availability of essential services, the security and technology departments must formulate continuity plans for ICT systems. These plans must be an integral component of the organization's overall business continuity strategy and disaster recovery plan.

Definitions

  • ISMS (SGSI in Spanish): Acronym for Information Security Management System (governed by the UNE-ISO/IEC 27001 standard): a set of interrelated or interacting elements (organizational structure, policies, activity planning, responsibilities, processes, procedures and resources) that an organization uses to establish and achieve its information security policy and objectives, based on a risk management and continuous improvement approach.
  • ICT (TIC in Spanish): Information and Communication Technologies. The term covers the theories, tools and techniques used in the processing and transmission of information: computing, the internet and telecommunications.
  • Stakeholder: A person or group that has an interest in the performance or success of the organization.
  • Confidentiality: Property of information not being made available or disclosed to unauthorized persons and/or organizations.
  • Integrity: Property of an information asset not having been altered in an unauthorized manner.
  • Availability: Property of information being accessible and usable when required by an authorized person and/or organization.
  • Asset: In information security, any information, or any element involved in its processing (systems, media, buildings, people, etc.), that has value for the organization.
  • Risk: The possibility that a given threat exploits a vulnerability to cause loss or damage to an information asset. It is usually expressed as a combination of the probability of an event and its consequences.
  • Threat: Potential cause of an unwanted incident that may damage a system or the organization.
  • Risk analysis: Process of understanding the nature of a risk and determining its level.
  • Risk treatment: Process of modifying a risk through the implementation of controls.

Scope

This policy applies to all business processes of SALES LAYER TECH S.L., including all its subsidiaries (SALES LAYER, Ltd. and SALES LAYER, Inc.), and to the employees, contractors and third parties who have access to the company's information systems. It covers all information, regardless of form or format, that is created or used in support of business activities.

Mission, commitment and leadership

The mission is to enable marketing teams globally to create superior shopping experiences in both business-to-business and direct-to-consumer channels, while simultaneously ensuring the security and protection of information across all operations.

Top management is committed to providing the resources necessary for the establishment, implementation, maintenance and continuous improvement of the Information Security Management System (ISMS). To this end, it:

  • Ensures that information security is aligned with the business strategy.
  • Ensures that security is part of all internal processes of the company.
  • Communicates to the organization the importance of implementing and maintaining the ISMS to ensure the security of the organization and its stakeholders.
  • Ensures that the ISMS achieves the established objectives and promotes continuous improvement.
  • Reviews and approves this policy.
  • Establishes an information security committee composed of leaders from the various areas of the organization together with the Security Officer, who is responsible for overseeing and directing security initiatives.

Normative references

SALES LAYER is subject, by way of example and without limitation, to the following laws, standards and regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights
  • Law 34/2002, of July 11, on services of the information society and electronic commerce
  • Royal Legislative Decree 1/1996, of April 12, approving the consolidated text of the Intellectual Property Law
  • Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism
  • The Data Protection Act 2018 (United Kingdom)
  • ISO/IEC 27001 Standard on Information Security Management Systems
  • The California Consumer Privacy Act of 2018 (CCPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
  • Computer Fraud and Abuse Act (CFAA)
  • Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS)

ISMS security objectives

This policy demonstrates the commitment of top management and has the following objectives:

  • Ensure compliance with applicable laws, regulations and standards, including ISO 27001.
  • Meet the security requirements of stakeholders.
  • Adopt the principles of security by default, privacy by design and security by design.
  • Manage the information security of all suppliers and third parties who have access to our information, ensuring they adhere to our security standards.
  • Preserve the confidentiality, integrity and availability of information across all company assets.
  • Create a strong security culture throughout the organization by encouraging secure behaviors and making security everyone’s responsibility.
  • Implement and maintain a security awareness program that enables employees to be aware of the risks the organization is exposed to, with regular updates and training activities every year.
  • Provide leadership from top management to ensure that security objectives are established and aligned with the business strategy.
  • Assign general and specific information security responsibilities to defined roles.
  • Ensure that a risk analysis is carried out at least once a year, or whenever new or emerging threats arise; prepare a treatment plan; apply all necessary controls; and monitor the risks.
  • Establish and maintain procedures for the prevention and detection of, response to, and recovery from security incidents.
  • Establish a continuous improvement system to address any deviation, new risk, or change in regulatory or information security requirements.
  • Periodically review the ISMS documentation to adapt it to new security requirements or risks.

Risk management

SALES LAYER recognizes that risk management is a critical component of its operations and that it guarantees the protection of the data of its resources and of its stakeholders. SALES LAYER has defined a risk management procedure whose objective is to ensure that the Information Security Management System can achieve the expected results, prevent and reduce undesired effects, and achieve continuous improvement.

This analysis is repeated:

  • Regularly, at least once a year.
  • When the information processed and/or the services provided change significantly, including when new risks appear.
  • When a serious security incident occurs or serious vulnerabilities are detected.
  • When new projects are started or new or emerging technologies are implemented.

SALES LAYER identifies the threats to which its assets are exposed, the impact they would have if they materialized, their likelihood of occurrence, and the vulnerability of the assets. Based on this data, the organization analyzes the potential risk and produces a Risk Treatment Plan that sets out the action to be taken on each risk: mitigation, acceptance, elimination or transfer.

The results of the risk management process are documented, monitored and regularly reviewed by the Security Committee.

Development of the information security policy

The Security Officer is responsible for reviewing and updating this Security Policy at least annually. The Policy is approved by the CEO of SALES LAYER and disseminated to all stakeholders. This Policy is developed through security regulations that address specific aspects. The security regulations will be available to all members of the organization who need to know them, particularly those who use, operate or manage the information and communications systems.

Valencia, Apr 15, 2024

Álvaro Verdoy
CEO SALES LAYER