Information Security Policy

1. INTRODUCTION

This document sets out VIRCELL’s policy on information handling and on the security of its information systems.

This Security Policy also follows the requirements of the Esquema Nacional de Seguridad (ENS) and the CCN-STIC-805 guideline issued by the Centro Criptológico Nacional (CCN), part of the Centro Nacional de Inteligencia (CNI) in Spain.

The ENS aims to build the necessary trust for the use of electronic means through measures that guarantee the security of systems, data, communications and electronic services, enabling citizens and Public Administrations to exercise their rights and fulfil their obligations through these channels.

This implies applying the minimum security measures required by the ENS, continuously monitoring service levels, tracking and analysing reported vulnerabilities, and preparing an effective incident response to ensure service continuity.

VIRCELL shall ensure that ICT security is an integral part of every stage of the system life cycle—from conception to decommissioning—including build/buy decisions and operations. Security requirements and the related budget needs must be identified and included in planning, requests for quotation and tender specifications for ICT projects.

1.1 Prevention

VIRCELL shall avoid, or at least reduce as far as possible, any harm to information or services caused by security incidents. To that end it will implement the minimum ENS security measures and any additional controls identified through threat and risk assessment.

These controls, and the security roles and responsibilities of all personnel, will be clearly defined and documented.

To ensure compliance with this policy, the organisation shall:

  • Authorise systems before going live.

  • Regularly assess security, including routine reviews of configuration changes.

  • Request periodic third-party reviews to obtain an independent assessment.

1.2 Detection

Because services can quickly degrade due to incidents—from slow-downs to complete outages—operations must be continuously monitored to detect anomalies in service levels and act accordingly.

Monitoring is especially relevant where multiple lines of defence are in place. Detection, analysis and reporting mechanisms will be established to inform those responsible on a regular basis and whenever there is a significant deviation from pre-defined normal parameters.

1.3 Response

VIRCELL will:

  • Establish mechanisms to respond effectively to security incidents.

  • Designate a contact point for communications regarding incidents detected in other departments or organisations.

  • Establish protocols for information exchange related to incidents, including two-way communications with Computer Emergency Response Teams (CERTs).

1.4 Recovery

To guarantee the availability of critical services, VIRCELL will maintain ICT continuity plans as part of its overall business continuity plan and recovery activities.


2. MISSION

VIRCELL’s mission is to provide high-quality diagnostic solutions for infectious diseases, ensuring the safety and reliability of its products, complying with applicable regulations and meeting customer expectations in a dynamic, competitive environment.

With over 30 years of experience, VIRCELL develops and manufactures ready-to-use reagents for human infectious-disease diagnostics, offering 500+ references for the detection of bacteria, viruses, parasites and fungi using various techniques, and is present in laboratories in more than 90 countries.

In short, VIRCELL’s mission is to lead the development of reliable, safe diagnostic solutions for infectious diseases, with a strong commitment to quality, customer satisfaction and environmental sustainability.


3. SCOPE

This policy applies to all ICT systems and to all members of VIRCELL S.L. (hereinafter, VIRCELL) that support the provision of services to Spanish public administrations and their suppliers.

3.1 ENS certification scope

Information system supporting the services of:

VIRCELL, S.L.:

  • Design, Development, Production and Distribution of in-vitro diagnostic reagents for infectious diseases and of generic consumables for in-vitro diagnostics.

  • Design, Development, Production, Installation, Service (including technical support) and Distribution of in-vitro diagnostic instruments for infectious diseases, installed on-premises at customer facilities.

VIRCELL SPAIN, S.L.U.:

  • Installation, maintenance management and technical support for equipment used in in-vitro diagnostic and Biotechnology techniques.

  • Commercialisation and distribution of in-vitro diagnostic reagents and Biotechnology products.


4. REGULATORY FRAMEWORK

  • Real Decreto 311/2022, of 3 May, regulating the Esquema Nacional de Seguridad (ENS).

  • Ley Orgánica 3/2018 (LOPDGDD), on Personal Data Protection and digital rights.

  • Regulation (EU) 2016/679 (GDPR).

  • Real Decreto Legislativo 1/1996, Ley de Propiedad Intelectual (Intellectual Property Law).

  • Ley 34/2002 (LSSI), on Information Society Services and Electronic Commerce.


5. SECURITY ORGANISATION

The Security Committee coordinates information security at VIRCELL and is composed of:

  • Information Owner.

  • Service Owner.

  • Security Officer.

  • System Owner.

Committee members are listed in document SGSI-00002 – Committee Members.

The following sections describe the functions assigned to each role.

5.1 Information Owner

Responsibilities:

  • Owner of essential information assets and decision-making regarding information.

  • Ensures proper use and protection of information.

  • Ultimately responsible for any error or negligence leading to a confidentiality or integrity incident.

  • Sets information security requirements.

  • Defines the security levels for information.

5.2 Service Owner

Responsibilities:

  • Owner of essential service assets and decision-making regarding services.

  • Sets service security requirements, including interoperability, accessibility and availability.

  • Defines the security levels for services.

5.3 Security Officer

Responsibilities:

  • Acts as the Information Security Officer in accordance with the ENS.

  • Ensures management-system processes are established, implemented and maintained per applicable standards.

  • Reports to Management on the system’s performance and effectiveness for management review and continual improvement.

  • Promotes awareness of customer requirements on Information Security at all organisational levels.

  • Supports Management in defining and implementing policies and standards aligned with company strategy.

  • Plans, schedules and, where appropriate, participates in internal and external audits.

  • Controls the creation, update, approval and distribution of management-system documentation.

  • Acts as liaison with external parties (customers, suppliers, authorities and other interested parties).

  • Oversees actions to prevent and manage non-conformities, and evaluates the actions taken in response to reported improvement suggestions.

5.4 System Owner

Responsibilities:

  • Owner of non-essential assets: responsible for decisions regarding all elements of VIRCELL’s information system except essential services and information.

  • Develops, operates and maintains the Information System throughout its life cycle, including specifications, installation and verification of correct operation.

  • Defines the topology and management model of the Information System, establishing usage criteria and available services.

  • Ensures that specific security measures are properly integrated into the overall security framework.

  • Administers and manages user accounts.

  • Ensures that only authorised persons have access.

  • Ensures that systems meet the availability levels required by the organisation.

  • Includes applicable security requirements in new developments.

5.5 Appointment procedure

The responsibilities defined in this Security Policy are attached to specific positions within the organisation. If any of these positions is eliminated or renamed, VIRCELL’s CEO is responsible for assigning the corresponding role to the appropriate new position.

5.6 Conflict-resolution procedures

Conflicts between roles will be resolved by their common hierarchical superior. Failing that, the decision of the Security Committee will prevail.


6. DOCUMENTED INFORMATION

To implement this Management System, the following documentation structure is maintained:

  • Security Policy (this document): establishes the basis of the company’s Management System.

  • Standards/Norms: define permitted and prohibited uses within the organisation.

  • Procedures: describe activities required to implement the Management System and meet applicable requirements.

  • Technical Instructions/Work Instructions: detail specific steps for activities that require precise guidance to meet objectives.

Documents are as extensive as needed to ensure effective operation and process control, depending on process complexity, interactions and staff competence.

6.1 Document control for the Management System

VIRCELL has established and maintains procedure PSGSI-00010 – ISMS Management, which describes document control for the system, including criteria and responsibilities for controlling the documents required for the Management System.


7. DEVELOPMENT OF THE INFORMATION SECURITY POLICY

7.1 Minimum security requirements

The ENS minimum security requirements (Article 11 of the former Real Decreto 3/2010; Article 12 of Real Decreto 311/2022) that govern the organisation’s policy, together with the section of this document that addresses each of them, are:

  • Conflict resolution – see section “Conflict-resolution procedures”.

  • Security organisation and implementation – see section “Security Organisation”.

  • Risk analysis and management – see section “Risk Management”.

  • Personnel management – see section “Staff Obligations”.

  • Professionalism – see section “Staff Obligations”.

  • Access authorisation and control – see section “Access Control”.

  • Facilities protection – see section “Physical and Environmental Security”.

  • Acquisition of products – see section “Third Parties”.

  • Least privilege – see section “Configuration Management”.

  • System integrity and updates – see section “System Integrity and Updates”.

  • Protection of information at rest and in transit – see “Protection of stored information” and “Communications Management”.

  • Protection against interconnected systems – see “Communications Management”.

  • Activity logging – see “Monitoring and Logging”.

  • Security incidents – see “Security Incident Management”.

  • Business continuity – see “Continuity Management”.

  • Continual improvement – as specified in this policy, the Security Committee and the responsible roles will promote continual improvement by planning and carrying out objectives and improvement actions (see “Security Organisation”).

7.2 Data classification policy

The data classification system applies to all information held by VIRCELL. Consistent application is essential to properly protect information and information systems.

Four classification levels are defined: Public, Internal Use, Confidential, Sensitive.

7.3 Risk management

All systems subject to this Security Policy will undergo a risk analysis that assesses the threats to which they are exposed and the resulting risks. This analysis will be repeated:

  • Regularly, at least annually.

  • When the information handled changes.

  • When the services provided change.

  • When a serious security incident occurs.

  • When serious vulnerabilities are reported.

To harmonise risk analysis, the Security Committee will establish a baseline assessment for the different types of information managed and services provided.

7.4 Staff obligations

All VIRCELL personnel must know and comply with this Information Security Policy and other security standards developed by VIRCELL. The Security Committee is responsible for ensuring the information reaches those affected.

All personnel within the ENS scope will receive security awareness and training. Where specific training is required for secure system management, those responsible for operating or administering information systems will receive it as needed.

Within the employment or contractual relationship, employees must always perform their assigned duties with professionalism—that is, with capability and effectiveness.

7.5 Access control

Information must be protected against unauthorised access; only the information necessary for the job shall be accessible. No user may access the network, systems, applications or information without formal authorisation.

Visitors or unauthorised personnel on premises must be accompanied by a responsible staff member at all times, ensuring resources remain protected.

Where service providers or external companies need access to facilities or information for justified reasons, they must sign confidentiality agreements to maintain the same level of security as organisation employees.

7.6 Physical and environmental security

Logical security is only effective if physical security is in place to prevent unauthorised access and other damage or interference. VIRCELL takes the necessary steps to ensure only authorised individuals can access its facilities.

All offices have the required physical barriers to safeguard resources. Premises are equipped with fire-extinguishing devices as required by law and with properly signposted emergency exits.

7.7 Third parties

When VIRCELL provides services to, or handles information from, other organisations, they will be made aware of this Information Security Policy. Reporting and coordination channels will be set between the respective Security Committees, and procedures will be established to react to security incidents.

When VIRCELL uses third-party services or shares information with third parties, they will be made aware of the security requirements to be met. Providers must ensure their staff are adequately trained in security according to VIRCELL’s requirements.

A specific procedure has been developed for supplier management, documenting information-security considerations for acquiring new components, engaging suppliers and managing those contracts.

7.8 Configuration management

Management, configuration and updating of the hardware and software underpinning the security mechanisms and services of the Information System shall always follow secure-by-default and minimal functionality principles.

7.9 System integrity and updates

Any physical or logical component requires formal authorisation prior to installation; a specific authorisation policy is in place.

Systems must be kept up to date with vendor specifications, vulnerability advisories and updates. A policy defines how equipment maintenance, patching and vulnerability management are to be performed.

7.10 Protection of stored information

VIRCELL will implement physical and logical measures to protect information wherever it is stored, whether on physical or digital media. Backups will be made to ensure recovery in case of incident.

7.11 Communications management

VIRCELL will control access to services on internal and external networks and ensure users do not put those services at risk. Appropriate interfaces between the organisation’s network and other networks will be established, along with suitable authentication mechanisms for users and devices, and access permissions for each user of the information system.

Corporate networks will be protected against threats originating from public networks such as the Internet.

7.12 Monitoring and logging

A global monitoring strategy will be defined for systems and activities, identifying the most critical systems and establishing appropriate controls to record any event that must be detected (unauthorised activities or improper system behaviour). Logs must be stored in a way that protects them against modification or deletion.

Where necessary, mechanisms will be established to detect unauthorised information-processing activities. This includes performing controls and inspections of system logs and activities to test the effectiveness of data-security measures and integrity procedures, to ensure compliance with policy and to recommend any necessary changes.

7.13 Security incident management

Any employee who suspects or observes a security incident—physical (fire, water, etc.), software or systems (malware, data loss, etc.) or support services (communications, power, etc.)—must report it immediately so that appropriate measures can be taken and the incident recorded.

Responsibilities and procedures for incident management will be established to ensure a rapid, effective and orderly response. Procedures will cover all possible incident types.

7.14 Continuity management

Systems will have backups and the mechanisms necessary to guarantee continuity of operations in the event of loss of normal working conditions.

VIRCELL ensures that services are not interrupted. To achieve this, appropriate analyses and plans have been developed.