1. Explanatory Memorandum

Smadex relies on ICT (Information and Communications Technology) systems to achieve its objectives. 

These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity and confidentiality of the information processed or services provided.

The objective of information security is to ensure the quality of information and the continued provision of services by acting preventively, monitoring daily activity and reacting promptly to incidents.

To defend against these threats, a strategy is required that adapts to changing conditions and ensures continuous service delivery. This means that departments must implement the security measures required by ISO 27001, continuously monitor service delivery levels, track, analyse and correct reported vulnerabilities, and prepare an effective response to incidents so that the services provided remain available.

The different departments must ensure that security is an integral part of every stage of the system lifecycle, from its conception through development or procurement decisions and operational activities to its decommissioning. 

Information security requirements shall be identified, defined and integrated into the organisation’s operational activities and business processes. All departments shall maintain the necessary capabilities and resources to prevent, detect, respond to and recover from information security incidents, ensuring the continued protection of information assets and the resilience of business operations.

2. Security Incident Management

2.1 Prevention

Departments need to avoid, or at least prevent as far as possible, information or services being compromised by security incidents. ISO 27001 states that systems must be designed and configured to be secure by default, in line with the “Need to Know” least privilege principle.

To this end, departments must implement the minimum security measures determined by ISO 27001 as well as any additional controls identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.

To ensure compliance with the policy, departments need to:

  • Establish secure areas for critical or confidential information systems.
  • Authorise systems before they go into operation.
  • Regularly assess security, including assessments of configuration changes made on a daily basis.
  • Request periodic review by third parties in order to obtain an independent assessment.

2.2 Detection

Since incidents can degrade services rapidly, ranging from simple slowdowns to complete shutdowns, departments need to monitor operation on a continuous basis to detect anomalies in service delivery levels and act accordingly, as required by ISO 27001.

Monitoring is particularly relevant when establishing lines of defence. Detection, analysis and reporting mechanisms shall be in place, operating on a regular basis and whenever a significant deviation from pre-established normal parameters occurs.

Intrusion detection systems primarily monitor and audit the organisation’s resources, verifying that the security policy is not violated and attempting to identify any malicious activity early and effectively.

The following types of intrusion detection system shall be established as required:

  • Intrusion detection systems at network level.
  • Intrusion detection systems at system level.

2.3 Response

Departments need to:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications regarding incidents detected in other departments or other agencies.
  • Establish protocols for the exchange of information related to the incident. This includes two-way communications with Computer Emergency Response Teams (CERTs).

2.4 Recovery

To ensure the availability of critical services, departments need to develop systems continuity plans as part of their overall business continuity plan and corresponding recovery activities.

3. Scope

This policy applies to the Information Systems associated with:

Smadex

Smadex’s Information Security Management System (ISMS) covers the assets that support the management, design, development, operation, and maintenance of the programmatic advertising platform (DSP), including campaign management, segmentation, reporting, and real-time data analysis.

4. Mission and Services Provided

Smadex, as a private company, within the scope of the provision of its programmatic advertising services, objectively serves the interests of its clients, advertising agencies and advertising media.

5. Regulatory framework

As the regulatory basis for this security policy, we have analysed the legislation in force that affects the organisation’s activities and that explicitly requires the implementation of security measures in information systems. The framework for information security is established by the following standards and legislation:

  • ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection.

5.1 Personal Data Protection

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

5.2 Electronic Administration

  • Royal Decree-Law 14/1999, of 17 September, on electronic signatures, as the basic rule in this area.
  • Regulation (EU) No 910/2014 of the European Parliament and of the Council (Electronic identification and trust services for electronic transactions in the internal market).
  • Spain: Law 6/2020, of 11 November, regulating certain aspects of electronic trust services.
  • United States (Federal Law): Electronic Signatures in Global and National Commerce Act (2000). 
  • United States: Uniform Electronic Transactions Act (1999). 
  • Singapore: Electronic Transactions Act 2010.

5.3 Electronic signature

  • Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
  • COM (2001) 298 – final of the European Commission – Network and Information Security: Proposal for a European Policy Approach.
  • Law 6/2020, of 11 November, regulating certain aspects of electronic trust services.

5.4 Network and Information Security

  • OECD guidelines for the security of information systems and networks: Towards a culture of security.

As a complement to current legislation, the international standard UNE-ISO/IEC 27002 “Code of Good Practice for information security management” has become the reference standard for auditing information security in organisations.

6. Security Organisation

6.1 Committee: Roles and Responsibilities

The Security Committee is the body that coordinates information security at the organisational level.

It shall consist of the Security Manager and representatives from other areas affected by ISO 27001.

6.1.1 Associated Functions and Responsibilities

  • Assume the responsibilities derived from the processing of personal data, supporting the Data Protection Officer (DPO) in their functions.
  • Address the concerns of the competent superior bodies and of the different departments.
  • Regularly report on the state of information security to the competent superior bodies.
  • Promote the continuous improvement of the Information Security Management System (ISMS).
  • Draw up the organisation’s information security strategy.
  • Coordinate the efforts of the different areas around information security, to ensure that they are consistent, aligned with the agreed strategy, and free of duplication.
  • Draft (and regularly review) the Information Security Policy, for approval by the competent higher bodies.
  • Approve the information security policies, regulations and procedures relating to the ISMS.
  • Develop and approve training and qualification requirements for administrators, operators and users from an information security point of view.
  • Monitor the main residual risks assumed by the organisation and recommend possible actions in this respect.
  • Monitor the performance of the security incident management processes and recommend possible actions in this respect. In particular, ensure the coordination of the different security areas in the management of information security incidents.
  • Promote periodic audits to verify compliance with the organisation’s security obligations.
  • Approve plans to improve the organisation’s information security. In particular, ensure the coordination of the different plans that may be carried out in different areas.
  • Ensure that information security is taken into account in all ICT projects from their initial specification to their implementation. In particular, ensure the creation and use of horizontal services that reduce duplication and support a homogeneous operation of all ICT systems.
  • Resolve conflicts of responsibility that may arise between the different people in charge and/or between different areas of the Organisation, escalating those cases in which it does not have sufficient authority to decide.

6.1.2 In case of Information Security Incidents

  • Approve the Security Improvement Plan, with its corresponding budget.

The Information Security Committee is not a technical committee, but it shall regularly gather relevant information for decision-making from its own or external technical staff. The Information Security Committee shall take advice on matters on which it has to decide or give an opinion. This advice shall be determined on a case-by-case basis and may take different forms:

  • Internal, external or mixed specialised working groups.
  • External advice.
  • Attendance at courses or other types of training or experience-sharing environments.

The Security Manager is the secretary of the Information Security Committee and as such:

  • Convenes the meetings of the Information Security Committee.
  • Prepares the topics to be discussed at the Committee meetings, providing timely information for decision-making.
  • Prepares the minutes of the meetings.
  • Is responsible for the direct or delegated execution of the Committee’s decisions.

6.2 Definition of Roles

The Security Policy must clearly identify those responsible for ensuring that it is complied with and known by all members of the organisation.

The following Information Security roles are established in the organisation:

6.2.1 Responsible of Information

This corresponds to the level of a top-level governing body, made up of the competent superior bodies, which understands the mission of the organisation, determines the objectives it intends to achieve and is responsible for ensuring that they are achieved.

Its functions may be assigned to individuals or be assumed by the Information Security Committee.

6.2.1.1 Associated Functions and Responsibilities

  • The Responsible of Information has ultimate responsibility for the use of certain information and, therefore, for its protection.
  • Establishes the information security requirements. 
  • Although formal approval of the security levels rests with the Responsible of Information, they may seek recommendations from the Security Manager and the System Administrator.

6.2.1.2 Compatibility with other Roles

This role may coincide with that of the Responsible of Service.

This role shall not coincide with that of the Security Manager, Responsible of SGSI or the System Administrator.

6.2.2 Responsible of Service

When different from the Responsible of Information, it shall correspond to the level of a top-level Governing Body or to that of an Executive Directorate or management, which understands what each department does and how the departments coordinate with each other to achieve the objectives set by the competent higher bodies.

6.2.2.1 Associated Functions and Responsibilities

  • Establishes the security requirements of the services. 
  • Has ultimate responsibility for the use of services and therefore for their protection.
  • The Responsible of Service is ultimately responsible for any error or negligence leading to a service availability incident.
  • Determines the security levels in each dimension. 
  • Although formal approval of the security levels rests with the Responsible of Service, they may seek recommendations from the Security Manager and the System Administrator.
  • The provision of a service must always meet the security requirements of the information it handles, adding availability requirements as well as other requirements such as accessibility or interoperability.

6.2.2.2 Compatibility with other Roles

The role of Responsible of Information and the Responsible of Service may coincide in the same person or body.

This role shall not coincide with that of the Security Manager, Responsible of SGSI or System Administrator.

6.2.3 System Administrator

Corresponds to the level of an employee qualified in IT systems security.

The role shall be assigned to a natural person.

6.2.3.1 Associated Functions and Responsibilities

The System Administrator shall be responsible for the implementation, management and maintenance of the security measures applicable to the Information System. In particular:  

  • Ensure that established security controls are strictly implemented.
  • Ensure that traceability, audit trails and other required security logs are enabled and recorded at the desired frequency, in accordance with the organisation’s established security policy. 
  • Apply the required security procedures, controls and security mechanisms and services to systems, users and other related assets and resources, both internal and external. 
  • Ensure that the approved procedures for managing the information system and the required security mechanisms and services are applied. 
  • Manage, configure and update, where appropriate, the hardware and software on which the security mechanisms and services of the Information System are based.
  • Monitor hardware and software installations, modifications and upgrades to ensure that security is not compromised. 
  • Approve changes to the current configuration of the Information System, ensuring that the security mechanisms and services in place remain operational. 
  • Report any security-related anomalies, compromises or vulnerabilities to the System and Security Officers.
  • Monitor the security status of the system.

6.2.3.2 In case of Information Security Incidents

In the event of a security incident, the main task of the System Administrator is the logging, recording and management of security incidents in the systems under their responsibility.

In particular, the System Administrator shall:

  • Implement the approved security plan. 
  • Isolate the incident to prevent spread to elements not yet affected.  
  • Take short-term decisions if information has been compromised in a way that could have serious consequences.
  • Ensure the integrity of critical elements of the System if their availability has been affected. 
  • Maintain and retrieve the information stored by the System and its associated services. 
  • Investigate the incident: determine the manner, means, motives and origin of the incident.

6.2.3.3 Compatibility with other Roles

This role shall not coincide with the role of Responsible of Information, Responsible of Service, Security Manager and Responsible of SGSI.

6.2.3.4 Delegation of Functions

For certain Information Systems which, due to their complexity, distribution, physical separation of their elements or number of users, require additional personnel to carry out the functions of the System Administrator, the Delegated System Administrators deemed necessary may be appointed by the System Administrator, subject to prior approval by the Information Security Committee.

Through the designation of delegates, functions are delegated. The ultimate responsibility remains with the System Administrator.

The Delegated System Administrators shall be in charge of all the functions delegated by the System Administrator and shall report directly to the System Administrator.

6.2.4 Security Manager

Corresponds to the level of an Executive Directorate or Management.

Only one person in the organisation shall be formally appointed as such.

6.2.4.1 Associated Functions and Responsibilities

  • Report directly to the Information Security Committee.
  • Act as Secretary of the Information Security Committee.
  • Convene the Information Security Committee.
  • Be a member of the Corporate Security Committee, to coordinate Information Security needs within the framework of the rest of the Corporate Security needs.
  • Maintain the security of the information used and the services provided by the information systems in their area of responsibility, as established in the Organisation’s Security Policy.
  • Promote information security training and awareness within their area of responsibility.
  • Gather the security requirements of the Responsible of Information and the Responsible of Service and determine the category of the System.
  • Perform Risk Analysis.
  • Produce a Statement of Applicability based on the required security measures according to the ISO 27002 domains and the result of the Risk Assessment.
  • Provide the Responsible of Information, Responsible of Service and Responsible of SGSI with information on the residual risk level expected after implementing the treatment options selected in the risk analysis and the required security measures.
  • Coordinate the preparation of the System Security Documentation.
  • Participate in the elaboration, within the framework of the Information Security Committee, of the Information Security Policy for approval by the Management.
  • Participate in the elaboration and approval, within the framework of the Information Security Committee, of the security policies, regulations and procedures relating to the ISMS.
  • Define, maintain and oversee Information Security Requirements and Procedures.
  • Periodically provide the Security Committee with a summary of security actions, incidents relating to information security and the security status of the system (in particular the level of residual risk to which the system is exposed).
  • Elaborate, together with the Responsible of SGSI, Security Improvement Plans for approval by the Information Security Committee.
  • Elaborate the Information Security Training and Awareness Plans for personnel, which must be approved by the Information Security Committee.
  • Validate the Systems Continuity Plans drawn up by the Responsible of SGSI, which must be approved by the Information Security Committee and periodically tested by the Responsible of SGSI.
  • Approve the guidelines proposed by the Responsible of SGSI for considering Information Security during the entire life cycle of assets and processes: specification, architecture, development, operation and changes.

6.2.4.2 In case of Information Security Incidents

  • Analyse and propose safeguards to prevent similar incidents in the future.

6.2.4.3 Compatibility with other Roles

This role may only coincide with that of the Responsible of Service and the Responsible of Information.

This role shall not coincide with that of the Responsible of SGSI and the System Administrator.

6.2.4.4 Delegation of Functions

For certain Information Systems which, due to their complexity, distribution, physical separation of their elements or number of users, require additional personnel to carry out the functions of the Security Manager, the Delegated Security Managers deemed necessary may be appointed by the Security Manager, subject to prior approval by the Information Security Committee.

Through the designation of delegates, functions are delegated. The ultimate responsibility remains with the Security Manager.

The Delegated Security Managers shall be in charge of all the functions delegated by the Security Manager and shall report directly to the Security Manager.

6.2.5 Responsible of SGSI

Corresponds to the level of an Operational Directorate.

Only one person shall be formally appointed as such for each system.

6.2.5.1 Associated Functions and Responsibilities

Its functions shall be the following:

  • Develop, operate and maintain the ISMS throughout its lifecycle, from its specification through installation to verification of its correct functioning.
  • Define the topology and management system of the Information System, establishing the criteria for its use and the services available in it.
  • Ensure that the specific security measures are properly integrated within the general security framework.
  • May agree to suspend the use of certain information or the provision of a certain service when informed of serious security deficiencies that could prevent the established requirements from being met. This decision must be agreed with the Responsible of Information, the Responsible of Service and the Security Manager before being executed.
  • Implement the security operating procedures developed and approved by the Security Manager.
  • Monitor the security status of the Information System and report periodically, or in case of relevant security incidents, to the Security Manager.
  • Draw up the System Continuity Plans, which are validated by the Security Manager and coordinated and approved by the Information Security Committee.
  • Conduct periodic drills and tests of the System Continuity Plans to keep them up to date and verify that they are effective.
  • Develop guidelines for considering Information Security throughout the lifecycle of assets and processes (specification, architecture, development, operation and changes) and provide them to the Security Manager for approval.

6.2.5.2 In case of Information Security Incidents

  • Plan the implementation of safeguards in the system.
  • Execute the approved security plan.

6.2.5.3 Compatibility with other Roles

This role shall not coincide with the role of Responsible of Information and Responsible of Service.

This role may coincide with that of System Administrator.

6.2.6 Data Protection Officer

The Data Protection Officer is a role provided for by the GDPR (General Data Protection Regulation) and the applicable Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Such role shall be assumed by a natural person.

6.2.6.1 Associated Functions and Responsibilities

  • Report directly to the highest hierarchical level any recommendations, assessments or advice regarding personal data protection.
  • Collaborate with the Security Manager in the event of security incidents which may affect personal data.
  • Supervise compliance with applicable privacy law, both internally and externally.
  • Assist in the assessment of risks related to personal data and the corresponding safeguards.
  • Participate in awareness and training activities related to data protection matters.

6.3 Leadership

The Information Security Committee, with the support and involvement of Management, shall ensure that adequate resources are made available to address information security requirements across the organisation, promoting the adoption of shared and organisation-wide security solutions where appropriate.

7. Personal Data

For the processing of personal data, the Organization has established a personal data management model in full compliance with the GDPR framework, which ensures that risk analyses are carried out in those procedures that involve greater sensitivity.

The Organisation’s strategy combines advanced technical solutions, such as pseudonymisation and encryption, with employee training to ensure that the management of personal information is always ethical, lawful and transparent. The Organisation also participates in the IAB TCF framework to manage consent in a lawful and transparent manner.

See the Register of Processing Activities (RAT), which lists the files concerned and the corresponding controllers. All Smadex information systems shall comply with the security levels required by law, according to the nature and purpose of the personal data collected.

8. Risk Management

8.1 Justification

All systems subject to this Policy will have to perform a risk analysis, assessing the threats and risks to which they are exposed.

The risk analysis will be the basis for determining the security measures to be adopted, which will be detailed in the Risk Analysis document and the Statement of Applicability (SoA).

8.2 Risk assessment criteria

For the harmonisation of risk analyses, the Information Security Committee shall establish a baseline assessment for the different types of information handled and the different services provided.

Detailed risk assessment criteria shall be specified in the risk assessment methodology to be developed by the organisation, based on recognised standards and best practices.

As a minimum, all risks that could seriously prevent the provision of services or the achievement of the organisation’s mission shall be addressed.

Particular priority shall be given to risks that imply a cessation of the provision of services rendered.

8.3 Residual Risk Acceptance Process

Residual risks shall be determined by the Security Manager.

The residual risk levels expected for each type of Information after the implementation of the safeguards for the treatment of such risk (including the implementation of the security measures foreseen in ISO 27002) shall be accepted by the Responsible of Information.

The residual risk levels expected for each Service after the implementation of the safeguards for the treatment of such risk (including the implementation of the security measures foreseen in ISO 27002) shall be accepted in advance by the Responsible of Service.

The Residual Risk levels shall be submitted by the Security Manager to the Information Security Committee, so that it may proceed, if necessary, to evaluate, approve or rectify the proposed processing options.

8.4 Update of risk assessments

The analysis of risks and their treatment must be a regularly repeated activity, as required by ISO 27001. This analysis shall be repeated:

  • Regularly, at least once a year.
  • When there are significant changes in the information handled.
  • When there are significant changes in the services provided.
  • When there are significant changes in the systems handling the information and involved in the provision of services.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.

9. Staff Obligations

All members of the Organisation have the obligation to know and comply with this Information Security Policy and the Security Regulations, and it is the responsibility of the Information Security Committee to provide the necessary means to ensure that the information reaches those affected.

Compliance with this Security Policy and the Employees Regulation (REGU-02 Security Regulations of Roles and Duties of Staff) is mandatory for all internal or external personnel involved in the organisation’s processes, and non-compliance with it constitutes a serious offence for employment purposes, in accordance with the collective labour agreement.

10. Staff Training and Awareness

The Management is committed to the Professional Training and Awareness of Smadex staff.

Smadex’s objective is to continuously raise awareness of cybersecurity among its employees:

  • Initial training when employees join the organisation.
  • Short cybersecurity awareness briefings, sent quarterly.
  • Ad hoc cybersecurity briefings, sent in response to risk situations.
  • Annual Cybersecurity refresher training for all staff.
  • Specific training according to the job position and specific needs.
  • Sporadic phishing simulation campaigns.

The above-mentioned awareness training is monitored through attendance tracking. In case any employee does not pass the training test or exam, the Security Manager together with the Human Resources Department will provide additional training in order to ensure the employee understands the subject of the training. 

11. Third Parties

When services are provided or information is managed by other organisations, they shall be made aware of this Information Security Policy, reporting and coordination channels shall be established for the respective Information Security Committees, and procedures shall be established for reacting to security incidents.

When third party services are used or information is transferred to third parties, they shall be made aware of this Security Policy and the Security Regulations of Roles and Duties of Staff concerning these services or information. The third party shall be subject to the obligations set out in these documents and may develop its own operating procedures to meet them.

Specific incident reporting and resolution procedures shall be established. Likewise, it shall be ensured that third party personnel are adequately security-aware to at least the same level as set out in this Policy.

Where any aspect of the Policy cannot be satisfied by a third party as required in the above paragraphs, a report from the Security Manager specifying the risks incurred and how they will be addressed shall be required. Approval of this report will be required from those responsible for the information and services concerned before proceeding further.

Third party providers will be required to sign a Non-Disclosure Agreement in order to protect critical information regarding data and IT systems of the company.

12. Review and Approval of the Security Policy

The Information Security Policy shall be reviewed by the Information Security Committee at planned intervals, not to exceed one year in duration, or whenever significant changes occur, to ensure that its suitability, adequacy and effectiveness are maintained.

Changes to the Information Security Policy shall be approved by the appropriate higher competent body. 

Any changes to the Information Security Policy shall be communicated to all affected parties.

The Security Policy shall be notified, communicated and made available to all Smadex personnel and stakeholders.

Update: June, 2026