Information Security

Net Studio considers information to be one of its most critical assets, which is why it deems it necessary to establish suitable measures in all locations where information can be stored or transmitted, in order to guarantee:

• Confidentiality, ensuring that only those who are authorized and genuinely need the information for their job ("need-to-know" principle) can access the relevant data, therefore avoiding problems of unintended leaks or deletions of sensitive information.
• Integrity, ensuring that the information and its processing methods are accurate and complete, therefore preventing possible unauthorized alterations.
• Availability, ensuring that authorized users can access the information and its associated assets when they need to, guaranteeing access to the company's critical systems at all times through the preparation of business continuity plans.

Information Security is an essential part of Net Studio's business strategy due to the impact it has on its own business and its customers' businesses. The company, in line with Indra group policies, has therefore adopted an Information Security Management System, certified under the standard ISO 27001, to define, implement and improve the most effective controls and procedures to minimize and manage risks in its internal processes, daily operations, the development and execution of programs and services from the commercial phase to operations, and in its customer management processes.

Cornerstones of our Security Strategy:

• Information security governance, which ensures correct coordination and organization of information security across all levels. At its helm is the CISO (Chief Information Security Officer), who reports directly to the Audit and Compliance Committee (ACC) and the Risk Coordination Unit (RCU) and is responsible for coordinating information in the company. The CISO's main function is to develop our information security strategy, objectives and plans. This area also includes the security and market LISOs (Local Information Security Officers), whose main function is to ensure information security in the markets and subsidiaries under their jurisdiction.
• An information security regulatory framework, applicable to all markets and areas of the company, as well as to all Indra companies, offices and subsidiaries. Compliance with this regulatory framework is mandatory for the entire Indra group, including Net Studio. At its core is the information security policy, which establishes the basic security principles underpinning the framework.
• Awareness and continuous training in Information Security during all phases of employment. The aim is to raise awareness in all users of the company, so that everyone understands their responsibility in the field of Information Security, and the importance of protecting the confidentiality, integrity and availability of information handled, both our customers and ours.
• Technology and security controls as an end-to-end solution encompassing physical and environmental security controls to prevent unauthorized physical access, damage and interference in the organization's facilities and information, as well as logical security controls to preserve the confidentiality, integrity and availability of information and the resources for processing it.
• The audit and compliance monitoring processes, as verification and control mechanisms, through regular, continuous supervision and internal monitoring processes, such as:
  • Security and network monitoring processes to ensure compliance with security regulations in networks and information systems.
  • Audits of platform and application technical vulnerabilities to discover and assess the security risks from these vulnerabilities.
  • Validation processes before the connection of platforms to the Indra network to guarantee compliance with information security regulations in relation to patching, critical updates, antiviruses, etc.

Indra’s annual group Sustainability Report also includes indicators that provide evidence of compliance with the Security Policy.

Furthermore, Net Studio’s ISMS is certified ISO 27001 by ACCREDIA (Ente Italiano di Accreditamento) and, as such, is subject to external audits.

In order to ensure security in the supply chain, we have established an Information Security Policy for suppliers, which is mandatory and included in the approval and contracting processes of the group’s suppliers.

Likewise, in order to guarantee the prompt detection and effective management of security incidents, Indra has established a global Computer Security Incident Response Team (CSIRT). In the event of any suspicious activity or vulnerability that may affect Indra and Net Studio information systems and assets, contact CSIRT@indra.es.