The aim of this document is to lay down the University of Deusto's Information Security Policy, which ensures the secure handling of information and the continued provision of services, so that the University is in a position to prevent, identify, respond to, and recover from security incidents. To this end, it must have the necessary security measures in place to maintain an acceptable level of risk, continuously monitor service delivery levels, analyse reported vulnerabilities, and prepare an effective response to incidents.
The University of Deusto's information services must perform their functions and safeguard the information in accordance with its functional requirements, without interruptions or uncontrolled changes, and without the information being made available to unauthorised persons. Accordingly, the capacity of the University of Deusto's networks and information systems must be sufficient to withstand, with the required level of confidence, accidents or illicit or malicious actions that may jeopardise access, availability, authenticity, confidentiality, traceability and conservation of the data stored or transmitted, as well as the services used in electronic media.
The University of Deusto must ensure that ICT security is an integral part of every stage of the life cycle of information systems, from their conception to their decommissioning, including development or acquisition decisions and operational activities. The security requirements and funding needs arising from each stage should be identified and included in the planning, in the request for tenders, and in the tender documents for ICT projects.
The Information Security Committee shall draw up an annual report in order to comply with the provisions of this Information Security Policy and thus meet the level of security required by the University, specifying the security measures which, in accordance with the principle of risk management, have been approved by the Committee. These measures must be implemented as required during the following financial year, as well as those measures which should be included to promote the security strategy designed by the Committee.
SCOPE OF APPLICATION
Pursuant to this Information Security Policy and its implementing regulations, a set of security measures will be defined that will be applied, as determined in these regulations, to all the University of Deusto's services, systems and other ICT resources that support its processes and affect the different information assets supported by them.
The University of Deusto's ICT resources are intended to support teaching, research and the management tasks required for the smooth running of the University.
The University of Deusto's ICT resources include all central and departmental systems, workstations, desktop computers, printers and other peripherals and output devices, location systems, internal and external networks, multi-user systems and communications services (telematic transmission of voice, image, data or documents) and storage systems owned by the University of Deusto.
Within this framework, those computers or personal devices individually purchased and not listed in the University’s equipment inventory are not considered "University of Deusto’s ICT resources", even though they may occasionally be used for research work.
Therefore, these elements, as well as any actions on them or security risks of such elements, fall outside this scope. However, in the event that the corporate network is accessed by these personal computers or devices, they shall be subject to the obligations established in this Information Security Policy and the rules and instructions contained therein.
This policy shall also apply to all those persons, institutions, entities or units and services, whether internal or external, that make use of the University of Deusto’s ICT resources, whether through direct or indirect connection to them, remote connection or through external equipment, expressly including services provided through the Internet. Such persons shall hereinafter be referred to as "users".
BASIC SECURITY PRINCIPLES
The Information Security Policy of the University of Deusto, as well as the regulations implementing it, is based on basic protection principles whose aim is to ensure that an organisation can fulfil its objectives using information systems.
These basic principles, which should be taken into account whenever information security decisions are taken, are as follows:
a) Comprehensive security.
Security must be understood as an integral process involving each and every human, technical, material and organisational element related to the system.
Accordingly, appropriate measures shall be taken to ensure that all persons involved in the process are aware of this Security Policy and perform their duties in accordance with it. All those involved in the security process shall take coordinated action in the implementation and control of security measures. This coordination will be extended to all Deusto's initiatives and actions.
b) Risk management.
Risk analysis and management is an essential part of the security process. Risk levels should be kept within minimum acceptable levels, by deploying appropriate and continuously updated security measures so that the nature of the data and the processing carried out, the risks to which they are exposed and the implemented security measures are balanced and proportionate.
c) System and data disaster prevention and recovery.
System security shall cover prevention, detection and recovery to ensure that threats to the system do not occur or do not seriously affect the data handled by the information systems or the services they provide.
- Prevention measures shall include, inter alia, deterrence and exposure reduction.
- Detection measures will be accompanied by reactive measures to ensure that security incidents are addressed in a timely manner.
- Recovery measures should allow for the restoration of information and services so that they can cope with situations where a security incident renders the usual means useless.
The system shall ensure the preservation of data and information in electronic form, and keep services available throughout the life cycle of digital information.
d) Lines of defence.
The system must have a protection strategy consisting of multiple layers of security, arranged in such a way that, if one layer fails due to an unavoidable incident, it allows time for an adequate reaction, reduces the likelihood of the system as a whole being compromised, and minimises the ultimate impact on the system.
The lines of defence must consist of measures of an organisational, physical and logical nature.
e) Regular reassessment.
The security measures adopted by the University of Deusto will be regularly reassessed and updated to adapt their effectiveness to the constant evolution of risks and protection systems.
The approach to security resulting from the application of these principles also responds to the requirements of Article 32(1)(b) of the General Data Protection Regulation, according to which security is intended to ensure confidentiality, integrity, availability and resilience of processing systems and services at all times.
LEADERSHIP AND COMMITMENT
The University of Deusto’s management team has shown its leadership and commitment to the basic principles of information security through the implementation of the Information Security Management System (ISMS):
- Ensuring that the University of Deusto's Information Security Management Policy, Security Policy and Information Security Regulations, as well as its objectives have been established and are compatible with the strategic management of the institution;
- Ensuring that the necessary resources for the ISMS are available;
- Conveying the importance of effectively managing the system and meeting its requirements;
- Ensuring that the ISMS achieves its intended results;
- Leading and supporting people to contribute to the effectiveness of the ISMS;
- Promoting continuous improvement; and
- Supporting other relevant management functions to demonstrate leadership applicable to their areas of responsibility.
The University of Deusto's Management Team agrees that the development of the organisation's activities and the achievement of its strategic objectives require that the established levels of confidentiality, availability, integrity, authentication and traceability of its information assets be ensured at all times. It also requires demonstrating its ability to provide its own solutions and services in a consistent manner, as well as to efficiently manage the information security and cybersecurity services it offers to its customers.
To this end, the ISMS has been developed and implemented, establishing the reference framework for the secure handling of the organisation's assets and ensuring customer confidence and satisfaction through the integration of an efficient service delivery methodology.
The University of Deusto's commitment to information security management is as follows:
- Highlight the Management team’s commitment to the ISMS, to information security management, both its own and that of its customers.
- Ensure that ISMS requirements are integrated into the organisation's business processes.
- Ensure that information security objectives are established, and that they are compatible with the organisation's context and strategic management.
- Define, develop and implement the measures necessary to promote the use of the process approach and risk-based thinking to ensure compliance with the company's approved risk levels at all times.
- Comply with the legislation in force at all times, in addition to the particular standards and specifications applicable to the services provided by the organisations and aimed at customer satisfaction.
- Create an integrated information systems management environment, both internally, for all staff, and externally to customers and suppliers.
- Engage, lead and support staff to contribute to the effectiveness of the ISMS, ensure the availability of the necessary resources for the ISMS, and support other relevant management roles in the way they implement the management system in their areas of responsibility.
- Treat information security management as a continuous improvement process.
- Maintain the trust and satisfaction of the University of Deusto's stakeholders, especially students.
The University of Deusto has established a structure to ensure that all stages of the information protection lifecycle are carried out appropriately and that responsibilities for their implementation are properly assigned. The aim is to promote the consistent application of this policy and to effectively accommodate frequent technological and organisational changes.
To this end, the following general Committees and Roles are defined in relation to their participation in the management and supervision of information security:
- Information Security Committee.
- Information Security Manager.
The University of Deusto carries out processing operations that use personal data.
Deusto's Register of Processing Activities lists the processing operations affected and the relevant data controllers.
All the information systems at the University of Deusto shall comply with the security levels required by the regulations for the nature and purpose of the personal data. As indicated above, the measures adopted pursuant to this security policy, as well as the risk analyses and impact assessments carried out in compliance with the obligations deriving from the General Data Protection Regulation, shall be coordinated with the Security Manager and the Committee.
All the members of the University of Deusto shall understand and comply with this Information Security Policy and the Security Regulations derived from it. Furthermore, the Information Security Committee shall be responsible for making the necessary means available to ensure that the information reaches those affected.
All the University's staff should be aware of the need to ensure the security of information systems, and that each of them is a key player in maintaining and improving security.
A continuous awareness-raising programme will be set up to reach out to all Deusto members, particularly new recruits. Those responsible for the use, operation or administration of ICT systems shall be trained in the safe operation of the systems insofar as they need it to perform their work. Training shall be mandatory before taking up a position, whether it is a first assignment or a change of position or work responsibilities.
RESPONSIBILITIES OF USERS IN THE EVENT OF NON-COMPLIANCE WITH THE INFORMATION SECURITY POLICY
The Information Security Committee shall assess whether there is any kind of non-compliance by the University of Deusto users with the obligations set out in the Information Security Policy or in the regulations and instructions for its implementation.
In the event of non-compliance, preventive and corrective measures are foreseen to safeguard and protect the networks and information systems, without prejudice to any disciplinary action that may be taken.
If a breach of the Deusto Information Security Policy is found to have occurred, the Security Committee shall urge, through the established channels, that any disciplinary responsibilities that may arise be resolved.
The procedure and sanctions to be applied shall be those provided for in the legislation on the disciplinary regime for staff employed by the University.
RELATIONSHIP WITH THIRD PARTIES
When the University of Deusto provides services to other organisations or handles information provided by them, the person responsible for this relationship will inform them of this security policy and the rules and instructions derived from it. In this regard, communication and coordination channels shall be established between the respective Information Security Committees, and procedures shall be laid down to respond to security incidents.
Likewise, whenever Deusto uses third-party services or transfers information to third parties, the person responsible for this relationship shall also inform them of this security policy and of the security regulations and instructions that apply to said services or information. Such third party shall be subject to the obligations and security measures set out in such regulations and instructions and may develop its own operational procedures to comply with it.
Specific procedures shall be established for the prevention, detection, reporting and resolution of incidents. It shall be ensured that third-party personnel are adequately trained in security awareness, at least to the same level as set out in this Security Policy.
In particular, third parties must ensure compliance with security policies based on auditable standards and be subject to third-party controls and reviews that certify compliance with these policies. Likewise, an audit or certificate of destruction and erasure shall be provided to ensure that the third party cancels and deletes the data owned by Deusto at the end of the contractual period.
Where any aspect of this security policy cannot be satisfied by a third party, a report from the Information Security Officer specifying the risks involved and how they will be addressed shall be required. Approval of this report by the Information Security Committee shall be required before proceeding further.
This Information Security Policy is issued in accordance with the provisions of the following laws and royal decrees:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
- Royal Legislative Decree 1/1996, of 12 April 1996, approving the revised text of the Intellectual Property Law (IPL), regularising, clarifying and harmonising the applicable statutory provisions.
- Law 34/2002, of 11 July, on Information Society and E-commerce Services (LSSICE, in Spanish).
- All those rules, of a general or internal nature, which are applicable to the University within the framework of this Security Policy.
- Workers' Statute.
APPROVAL AND ENTRY INTO FORCE
Text approved by the Security Committee in Bilbao on 04 May 2023.
This Information Security Policy is effective from that date until it is replaced by a new policy.
Provisions of equal or lower rank that oppose the provisions of this Information Security Policy are hereby repealed.