Security Policy
Last Review: June 3rd, 2024
Mission and Objectives
The mission of Genomcore S.L. (hereinafter, the “Company”) is to provide advanced personalized health services and bio-health data management, guaranteeing the protection and confidentiality of our clients’ personal and genetic data. The Company is committed to continuous innovation and the implementation of cutting-edge technologies to ensure the quality and safety of its services.
The Company recognizes the importance of identifying and minimizing the risks to which its information assets are subject, developing and implementing an Information Security Management System (ISMS) that allows the application and monitoring of controls to prevent the loss, disclosure, modification and unauthorized use of information, both in local systems and in the cloud, thus helping to reduce operating and financial costs, ensuring compliance with legal, contractual, regulatory and business requirements. These controls aim to ensure the security of information by preserving its confidentiality, integrity, traceability, availability and authenticity, especially when dealing with personal and sensitive data.
This policy is communicated to stakeholders in order to involve them in the continuous improvement of the system.
Legal and regulatory framework
The Company carries out its activities in compliance with a rigorous legal and regulatory framework that includes, but is not limited to:
- International Standards: UNE ISO/IEC 27001:2023, UNE-EN ISO/IEC 27017:2021, UNE-EN ISO/IEC 27018:2020.
- National Regulations: Royal Decree 311/2022 – National Security Scheme.
- Data Protection and Information Services Legislation:
  - General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  - Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) – Organic Law 3/2018, of December 5.
  - LSSI – Law 34/2002, of July 11, 2002, on information society services and electronic commerce.
- Other Relevant Regulations: Specific health sector regulations and any other regulatory framework applicable to the management of personal and genetic data, including digital environments.
  - Law 14/2007, of July 3, 2007, on Biomedical Research.
  - Law 41/2002, of November 14, 2002, which regulates patient autonomy and the rights and obligations regarding clinical information and documentation.
Although these are the main applicable regulations, the complete register of reference regulations is available to interested parties upon specific request.
Security roles and functions
Company Management
The Company Management, and on its behalf the Chief Executive Officer (CEO), is committed to:
- Periodically establish objectives on the management of Information Security, the use and provision of Cloud Services, the management of Personal Data, as well as the actions necessary for their development.
- Establish the systematic risk analysis, assessing the impact and threats, including those specific to Cloud Services and Personal Data management.
- Implement the necessary actions to reduce the identified risks that are considered unacceptable, according to the criteria established by the Security Committee.
- Implement the necessary controls and their corresponding monitoring methods.
- Comply with the legal, regulatory and contractual security requirements assumed by the Company, especially with regard to the management and privacy of our customers’ personal and genetic data.
- Guarantee to each client that their information will be processed in accordance with the fundamental requirements of confidentiality, integrity and availability of a bio-health information management system.
- Promote awareness and ensure training in information security for all our own personnel, as well as for external collaborators involved in the use or management of information systems.
- When workers do not comply with security policies, apply disciplinary measures in accordance with the workers’ agreement, within the applicable legal framework and proportionate to the impact on the organization.
- Implement a secure development policy that includes change management, software security requirements and code quality, both internal and external.
- Provide the necessary resources to ensure the continuity of the Company’s business.
Additionally, the following are responsibilities of the Company’s Management:
- The strategic coordination of all information security actions.
- The inclusion of security policies in the company’s strategy.
- The provision of resources to the technical managers.
- Ensuring compliance with the regulations and legislation in force.
- Transmitting and facilitating the implementation of security policies transversally across departments.
- Reviewing the ISMS annually and giving final acceptance of the different security policies.
- Acting as Interim Chief Information Officer in the absence of the Information Security Officer (RSI).
Chief Technology Officer (CTO) / Service Manager
The CTO is appointed by the Company Management to be responsible for the following tasks:
- Define the requirements and scope of technological developments.
- Incorporate an information security dimension into the company’s technological developments.
- Establish and monitor indicators related to the correct functioning of the information systems.
- Transfer the defined security measures to the team responsible for technological development.
- Communicate to the Security Manager any incident in the field of Information Security arising from system monitoring or software development processes.
- Implement a Secure Development policy and evaluate Software Quality.
- Audit the due diligence of technical staff regarding system security.
Information Security Officer (ISO)
The Company’s Management appoints the Information Security Officer (RSI) as responsible for the following tasks:
- Implementing the present Security Policy, as well as providing advice and guidance for its implementation.
- Manage the Incidents reported in the ISMS.
- Convene and lead the Security Committee Meetings.
- Receive and manage communications with clients or users related to information security.
- Coordinate periodic ISMS audits.
- Audit the CTO’s due diligence regarding system security.
Chief Information Security Officer (CISO)/Information Security Officer
The Company Management appoints the CISO as responsible for the following tasks:
- Define and supervise the correct application of the Security Policies in the different areas of the company.
- Ensure the confidentiality, traceability, authenticity, integrity and availability of information services and assets.
- Coordinate the technical actions transversally to other departments.
- Define and supervise the processes of integration or transfer of data with third parties.
- Define and supervise the projects of information exploitation, own or from third parties.
- Monitor and communicate to the technical teams any changes in the services of cloud providers.
- Act as Information Manager.
System Administrator (SA) / Systems Manager
The CISO appoints the System Administrator (AS) as responsible for the following tasks:
- Configure identity and permission management tools.
- Manage endpoint devices (endpoints).
- Monitor security-relevant SIEM events.
- Provide user support on information security issues.
Data Protection Officer (DPD)
The Company Management appoints the DPD as responsible for the following tasks:
- Ensure compliance with the applicable regulations on Personal Data Protection in the different processes of the company.
- Receive and manage communications with customers or users regarding the management of personal data.
- Communication with the authorities in case of personal data breaches.
Information Users
Information Users, including customers, suppliers, employees and other stakeholders, have a duty and responsibility to comply with established security policies, report security incidents, and protect information in accordance with the Company’s guidelines, as outlined in the applicable Terms and Conditions. The Company will carry out training and awareness tasks, but the individual responsibility and collaboration of each user is indispensable for a correct execution of this Policy.
Security Committee
The Security Committee is established as an overall information security management body at the company level. The Head of Information Security acts as secretary of this committee, being responsible for defining the necessary measures and implementations agreed by the Committee. The Security Committee will meet, in general, on a monthly basis, except for the months of August and December, although meetings may be scheduled or cancelled depending on the workload. In any case, a minimum of 10 meetings of the Committee shall be held during a calendar year.
A Standing Committee of 4 people is established. Committee meetings will be attended by at least 2 people, one of whom must be the Information Security Manager, who will inform the rest of the members of the agenda and the relevant information for the meeting. The standing members are convened at every meeting, and non-permanent members are convened when the agenda requires it:
Standing members:
- Chief Executive Officer
- Chief Information Security Officer / Information Security Manager
- Chief Technology Officer
- Systems Administrator
Non-permanent members:
- Data Protection Officer
- Chief Product Officer
The main functions of the Security Committee are:
- Identification, review and approval of risks.
- Review and approval of company security policies and protocols.
- Approval of corrective measures to mitigate these risks.
- Review of incidents.
- Proposing improvements.
- Distribution and communication of information related to information security.
- Design and implementation of security training plans for the company’s employees.
Conflict resolution
Any conflicts will be resolved according to the organizational hierarchy, with ultimate responsibility resting with the organization’s management.
Security principles and objectives
The Information Security Policy is supported by a set of specific policies, records, controls and procedures that guide the correct handling, custody and protection of information and are based on the control objectives of the international standards ISO 27001, ISO 27017, ISO 27018, as well as those controls applicable according to Royal Decree 311/2022 – National Security Scheme. The development, maintenance and continuous improvement of the ISMS will be based on the results of a process of continuous evaluation of the risks that act on the Company’s information assets and that are grouped around the following work blocks:
- Protection of files and databases, either locally or in the cloud.
- Protection of private information including passwords, certificates and cryptographic keys.
- Protection of the source code repositories of the company’s products and services, as well as their quality.
- Protection of the IT infrastructure supporting the organization, including facilities, buildings and rooms.
- Protection of virtual resources in the cloud, including their life cycle management and required access controls.
- Protection of resources and services located in the cloud through specialized service providers.
- Protection of networks and communication channels used internally or publicly, locally and in the cloud.
- Protection of the company’s passive assets and the data of the users of its services, locally and in the cloud.
- The vetting, regulation and compliance of service providers, whether physical or cloud services.
- Training and continuous supervision of employees and collaborators with access to information systems.
- The communication of relevant facts, including security breaches, from customers of on-premises and cloud services.
- Supporting the investigation of relevant events, including security breaches, to customers, authorities and affected parties.
- Ensuring business continuity through contingency plans and redundancy at multiple levels.
- Compliance with legal and regulatory standards.
Other Information Security Policies
The Company extends this Security Policy through specific sub-policies, listed as follows:
- Application Security Policy
- Credentials Policy
- Code Control and Secure Development Policy
- Security Incident and Event Management Policy
- Continuity Management Policy
- Work Center Security Policy
- Data Center Security Policy
- Personnel Security Policy
- Technology Service Providers Policy
- User Account Policy (Clients)
- User Account Policy (Employees)
- Cryptography and Secret Communications Policy
- IT Systems Administration Policy (Servers)
- Backup Policy
- Remote Access and Teleworking Policy
- Personal Equipment and Removable Media Policy
Where applicable, the above sub-policies are available to interested parties upon request and prior confidentiality agreement.
Processing of Personal Data
The Company implements a Register of Processing Activities, as well as an Impact Assessment related to Personal Data. These documents are available to interested parties upon request and prior confidentiality agreement, as long as their access is relevant and justified for the interested party.
In addition, users may consult the details regarding the processing of Personal Data, both in the Company’s role as Data Controller and in its role as Data Processor, in the General Conditions of the service.
Point of Contact
Interested parties may contact the Security Officer, or on his or her behalf another permanent member of the Security Committee, by e-mail at security@genomcore.com.
Application and modification
This policy applies to all Company personnel, as well as to collaborators and suppliers with responsibility for company assets, in order to maintain confidentiality, traceability, authenticity, integrity and ensure the availability of information. All users shall have the obligation to report information security incidents using the guidelines established by the Company through the channels established for this purpose or, in general, through the Point of Contact.
This Information Security Policy may be reviewed and modified as provided by the Security Committee in accordance with the review needs established from time to time.