National Security Scheme Policy


Current version:

Objective:

ITERA, as a company dedicated to IT consulting and training services, software marketing and cloud services, assumes its commitment to information security and to its proper management, in order to offer all its stakeholders the greatest guarantees regarding the security of the information it handles. For all of the above, the Management establishes the following information security objectives:

● Provide a framework that increases resilience and enables an effective response.

● Ensure the rapid and efficient recovery of services in the face of any physical disaster or contingency that could put the continuity of operations at risk.

● Prevent information security incidents to the extent technically and economically feasible, as well as mitigate information security risks generated by our activities.

● Guarantee the confidentiality, integrity, availability, authenticity and traceability of the information.

This policy is complemented by the rest of the policies, procedures and documents in force to develop our Integrated Management System (IMS).

Scope

It applies to the Iterants of the Spain BU.

References

Royal Decree 311/2022, of 3 May, regulating the National Security Scheme
  • Development of the National Security Scheme (ENS)
Regulatory requirements
  • Set of laws and regulations applicable in all the BUs and, specifically, the National Security Scheme
Integrated Management System Policy for Iterants (IMS)
  • Establishes the principles, commitments and responsibilities of Itera's Integrated Management System (IMS), aligned with the strategic objectives of the organization.

Roles and responsibilities

Senior Management
  • Provide the necessary resources for the System
  • Lead the System
Information Manager
  • Determines the requirements for the protection of information (confidentiality, integrity, availability, traceability, authenticity).
  • Participates in the impact assessment for ENS categorization and in the acceptance of risks related to the information.
Service Manager
  • Determines and approves service requirements (including availability/continuity and applicable security requirements).
  • Participates in the assessment of the impact of the service for the purposes of ENS categorization.
  • Prioritise, together with the rest of the managers, the actions necessary to comply with the ENS and validate/accept residual risks from the service when appropriate.
Personal Data Protection Officer
  • Advises and informs the controller/processor and the teams about GDPR/LOPDGDD obligations and how they translate into requirements for systems and services.
  • Monitors compliance: internal policies, assignment of responsibilities, awareness/training and audits related to data protection.
  • Ensures that risk and measures are aligned: that the security approach (ENS) covers the security-of-processing requirements (art. 32 GDPR) and that the risk/control analysis takes into account the nature of the processing (data, categories, scale, etc.).
  • Drives privacy by design and by default on relevant changes to the system (new functionalities, integrations, third parties, cloud, transfers), so that changes go through impact assessment/controls before being implemented.
  • Advises on breaches or incidents involving personal data: assessment, notification criteria, coordination with Security/Systems and traceability of decisions in the Committee for the management and coordination of security (ENS Committee).
Security Manager
  • Proposes, coordinates and supervises the security framework applicable to the system/service according to the ENS.
  • Promotes the preparation and maintenance of security documentation (policies, regulations, procedures, risk management, etc.).
  • Coordinates the management of security incidents and the follow-up of corrective actions.
  • Determines, based on the evaluations made by service/information managers, the category of the system when applicable.
Systems Manager
  • Develops and technically implements the measures and controls necessary to comply with the ENS in the system, and supervises their operation.
  • Guarantees the secure operation of the system (configuration, changes, vulnerabilities, backups, continuity, monitoring, etc.).
  • Provides evidence and support to ENS audits/self-assessments and executes approved corrective actions.

Policies

Senior Management is responsible for:

  • Provide the necessary means and give employees sufficient resources for compliance, making this ENS Policy publicly known within the IMS.

The ENS Committee is responsible for:

  • Making the most important decisions related to security, as the executive body with the greatest responsibility within the information security management system, without subordinating its activity to any other element of our company.
  • Appointing the members of the ENS Committee, as the only body that can appoint, renew and dismiss them. Its members are:
    ○ Information Manager.
    ○ Service Manager.
    ○ Security Manager.
    ○ Systems Manager.
  • Complying with applicable legal requirements, any other compliance requirements that we voluntarily assume and the commitments acquired with customers, and keeping them continuously updated.
  • Preserving the interests of its key stakeholders (customers, shareholders, employees and suppliers), as well as the reputation, brand and value-creating activities of the company.

The Security Manager is responsible for:
  • Identifying potential threats and the impact on business operations that such threats, if they materialize, may cause.
  • Continuously improving our information security system.
  • Recording and managing incidents or breaches, understood as any event, failure, deviation or unplanned situation that interrupts, degrades or may disrupt confidentiality, integrity or availability, regulatory compliance, or ethical and security guidelines.
  • Managing the information system, which will be available in a repository accessible according to the access profiles granted under our current access management procedure.
  • Evaluating and guaranteeing the technical competence of personnel, and ensuring their adequate motivation to participate in the continuous improvement of our processes, providing the training and internal communication needed for them to apply the good practices defined in the system.

The Information Manager is responsible for:

  • Ensuring the continuous analysis of all relevant processes, establishing the pertinent improvements in each case according to the results obtained and the established objectives.
  • Guaranteeing the correct state of the facilities and the appropriate equipment, so that they correspond to the activity, objectives and goals of the company.

The Service Manager is responsible for:

  • Working together with our suppliers and subcontractors in order to improve IT service delivery, service continuity and information security, which contribute to the greater efficiency of our activity.

The Systems Manager is responsible for:

  • Ensuring the correct operation, maintenance and availability of the information.
  • Implementing and managing technical controls, including access profiles and permissions, in accordance with current security policies.

The Personal Data Protection Officer is responsible for:

  • Managing incidents or breaches involving personal data, understood as any event, failure, deviation or unplanned situation that interrupts, degrades or may disrupt confidentiality, integrity or availability, regulations, or ethical and security guidelines.
  • Ensuring compliance with personal data protection regulations, advising on their correct application in systems and processes.
  • Overseeing risk management, protection measures and the processing of personal data, including staff training and awareness.