Security Policy
Last Review: June 3rd, 2024
Mission and Objectives
The mission of Genomcore S.L. (hereinafter, the “Company”) is to provide advanced personalized health services and bio-health data management, ensuring the protection and confidentiality of our clients’ personal and genetic data. The Company is committed to continuous innovation and the implementation of cutting-edge technologies to ensure the quality and safety of its services.
The Company recognizes the importance of identifying and minimizing the risks to which its information assets are subject. To that end it develops and implements an Information Security Management System (ISMS) that allows controls to be applied and monitored to prevent the loss, disclosure, modification and unauthorized use of information, both in local systems and in the cloud, thus helping to reduce operating and financial costs and ensuring compliance with legal, contractual, regulatory and business requirements. These controls aim to ensure the security of information by preserving its confidentiality, integrity, traceability, availability and authenticity, especially when dealing with personal and sensitive data.
This policy is communicated to interested parties in order to involve them in the continuous improvement of the system.
Legal and regulatory framework
The Company conducts its activities in compliance with a rigorous legal and regulatory framework that includes, but is not limited to:
International Standards: UNE ISO/IEC 27001, UNE-EN ISO/IEC 27017, UNE-EN ISO/IEC 27018.
National Regulations: Royal Decree 311/2022 – National Security Scheme.
Data Protection Legislation: General Data Protection Regulation (GDPR), Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).
Other Relevant Regulations: Specific health sector regulations and any other regulatory framework applicable to the management of personal and genetic data, including digital environments.
Security roles and functions
Management of the Company
The Company’s Management, and on its behalf the Chief Executive Officer (CEO), undertakes to:
Periodically establish objectives for the management of Information Security, the use and provision of Cloud Services and the management of Personal Data, as well as the actions necessary to achieve them.
Establish the risk analysis system, assessing the impact and threats, including those specific to cloud services and personal data management.
Implement the necessary actions to reduce the identified risks that are considered unacceptable, according to the criteria established by the Security Committee.
Implement the necessary controls and their corresponding monitoring methods.
Comply with legal, regulatory and contractual security requirements assumed by the Company, especially with regard to the management and privacy of personal and genetic data of our customers.
Guarantee to each client that their information will be processed in accordance with the fundamental requirements of confidentiality, integrity and availability of a bio-health information management system.
Promote awareness and ensure training in information security for all own personnel, as well as for external collaborators involved in the use or management of information systems.
When workers fail to comply with security policies, apply disciplinary measures in accordance with the workers’ agreement, within the applicable legal framework and proportionate to the impact on the organization.
Implement a secure development policy that contemplates change management, software security requirements and code quality, both internal and external.
Provide the necessary resources to guarantee the continuity of the Company’s business.
In addition, these are responsibilities of the Company’s management:
Strategic coordination of all information security actions.
Inclusion of security policies in the company’s strategy.
Provision of resources to technical managers.
Ensure compliance with current regulations and legislation.
Transmit and facilitate the implementation of cross-departmental security policies.
Annually review the ISMS and the final acceptance of the different security policies.
Act as Information Officer on an interim basis in the absence of the IHR.
Chief Technology Officer (CTO)
The Company’s management appoints the CTO to be responsible for the following tasks:
Define the requirements and scope of technological developments.
Incorporate an information security dimension into the company’s technological developments.
Establish and monitor indicators related to the correct functioning of information systems.
Transfer the defined security measures to the team responsible for technological development.
Communicate to the Information Security Officer any Information Security incident arising from system monitoring or software development processes.
Implement a Secure Development policy and assess Software Quality.
Audit the due diligence of technical personnel regarding system security.
Information Security Officer (ISO)
The Company’s management appoints the ISO to be responsible for the following tasks:
Implement this Security Policy, and provide advice and guidance for its implementation.
Manage incidents reported in the ISMS.
Convene and direct the meetings of the Security Committee.
Receive and manage communications with customers or users regarding information security.
Coordinate the ISMS audit on a periodic basis.
Audit the CTO’s due diligence regarding system security.
Chief Information Security Officer (CISO)
The Company’s management appoints the CISO to be responsible for the following tasks:
Define and supervise the correct application of the Security Policies in the different areas of the company.
Ensure the confidentiality, traceability, authenticity, integrity and availability of information assets and services.
Coordinate technical actions across other departments.
Define and supervise data integration or transfer processes with third parties.
Define and supervise data processing and analysis projects, whether the Company’s own or those of third parties.
Monitor and communicate to technical teams any changes to cloud provider services.
Act as Information Officer.
System Administrator (AS)
The CISO appoints the AS as responsible for the following tasks:
Configure identity and permission management tools.
Manage endpoint devices.
Monitor security-relevant SIEM events.
Provide user support in the field of Information Security.
Data Protection Officer (DPD)
The Company’s Management appoints the DPD as responsible for the following tasks:
Ensure compliance with the applicable regulations on Personal Data Protection in the different processes of the company.
Receive and manage communications with customers or users regarding the management of personal data.
Communicate with the authorities in the event of personal data breaches.
Information Users: Employees and Customers
Information Users, including customers, suppliers, employees, and other stakeholders, have the duty and responsibility to comply with established security policies, report security incidents, and protect information in accordance with the Company’s guidelines as indicated in the applicable Terms and Conditions. The Company will carry out training and awareness tasks, but the individual responsibility and collaboration of each user is indispensable for the proper execution of this Policy.
Security Committee
The Security Committee is established as an overall information security management body at company level. The Information Security Officer acts as the secretary of the committee and is responsible for defining the necessary measures and implementations agreed by the committee. The Security Committee will meet, in general, on a monthly basis, except for the months of August and December, although meetings may be scheduled or cancelled depending on the workload. In any case, a minimum of 10 meetings of the Committee shall be held during a calendar year.
A Standing Committee of 4 people is established, whose members will be summoned to every meeting; non-permanent members will be summoned when the Agenda requires it. Committee meetings will be attended by at least 2 people, one of whom must be the Information Security Officer, who will inform the rest of the members of the Agenda and of the relevant information for the meeting:
Permanent members:
Chief Executive Officer
Chief Information Security Officer / Information Security Officer
Chief Technology Officer
Systems Administrator
Non-permanent members:
Data Protection Officer
Chief Product Officer
The main functions of the Security Committee are:
Risk identification, review and approval.
Review and approval of company security policies and protocols.
Approval of corrective measures to mitigate the identified risks.
Incident review.
Proposal of improvements.
Distribution and communication of information security-related information.
Design and implementation of security training plans for the company’s employees.
Interested parties may contact the Security Committee by e-mail at security@genomcore.com.
Security principles and objectives
The Information Security Policy is supported by a set of specific policies, records, controls and procedures that guide the correct handling, custody and protection of information and are based on the control objectives of the international standards ISO 27001, ISO 27017, ISO 27018, as well as those controls applicable according to Royal Decree 311/2022 – National Security Scheme. The development, maintenance and continuous improvement of the ISMS will be based on the results of a process of continuous evaluation of the risks that act on the Company’s information assets and that are grouped around the following work blocks:
Protection of files and databases, either locally or in the cloud.
Protection of private information including passwords, certificates and cryptographic keys.
Protection of the source code repositories of the company’s products and services, as well as their quality.
Protection of the IT infrastructure supporting the organization, including facilities, buildings and rooms.
Protection of virtual resources in the cloud, including lifecycle management and required access controls.
Protection of resources and services located in the cloud through specialized service providers.
Protection of networks and communication channels used internally or publicly, locally and in the cloud.
Protection of the company’s passive assets and the data of the users of its services, locally and in the cloud.
Vetting, contractual regulation and compliance monitoring of service providers, whether of physical or cloud services.
Training and continuous supervision of employees and collaborators with access to information systems.
Communication of relevant facts, including security breaches, to customers of on-premises and cloud services.
Supporting the investigation of relevant events, including security breaches, to customers, authorities and affected parties.
Ensure business continuity through contingency plans and redundancy at multiple levels.
Compliance with legal and regulatory standards.
Application and modification
This policy applies to all Company personnel, as well as to collaborators and suppliers with responsibility for Company assets, in order to maintain confidentiality, traceability, authenticity, integrity and ensure the availability of information. All users are obliged to report information security incidents using the guidelines established by the Company through the channels established for this purpose or, in general, through the e-mail security@genomcore.com.
This Information Security Policy may be reviewed and modified as provided by the Security Committee in accordance with the review needs established from time to time.