Information Security
ICT systems must be protected against rapidly evolving threats that have the potential to impact the confidentiality, integrity, availability, intended use and value of information and services.
To defend against these threats, a strategy that adapts to changing conditions is required to ensure the continued delivery of services. This implies that organizations must implement a baseline of minimum security measures, continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents so that the services provided remain available.
COS has a strong commitment to information security, which is an integral part of every stage of the lifecycle of our services, from their conception to their retirement, through development or acquisition decisions and operational activities.
Information security is a fundamental pillar of COS's general strategy and of the provision of our services. That is why, since 2011, we have operated an Information Security Management System (ISMS) in accordance with the international standard ISO 27001, which has been reviewed and approved by an external certification body that has issued the corresponding certificate of conformity. The ISMS is the framework through which an organization protects the confidentiality, integrity and availability of the information it manages.
In 2021, COS adapted its ISMS to the requirements of the National Security Scheme (Esquema Nacional de Seguridad, ENS), achieving medium-level certification in June of that year.
The fundamental pillars of COS's information security strategy are as follows:
- The Security Organization. COS has appointed an Information Security Committee to monitor, coordinate and support the initiatives related to information security. This committee is made up of the following roles: Security Manager, Service Manager, Information Manager and System Manager.
- A normative reference framework that is mandatory for all COS employees and suppliers. Highlights: Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights; Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration; Law 34/2002, of June 11, on information society services and electronic commerce; the Industrial Property Law; and UNE-EN ISO 27001:2013.
- Security policy. Taking the applicable regulatory framework as a reference, COS develops, approves, communicates and periodically reviews an Information Security Policy that must be complied with by employees and third parties. This policy is complemented by the Security Regulations and Security Procedures.
- Training and awareness on information security for all employees and third parties with access to information systems. Training and awareness-raising are aimed at all users of the systems and are intended to promote good security practices and to make known the responsibilities of each user in relation to the protection of information.
- The use of technical protection measures. COS advocates the use of technology to help protect information, as well as prevent and detect incidents related to information security.
- Auditing and monitoring. In order to verify compliance with security policies, procedures and regulations, as well as the effectiveness of the technical measures implemented, COS conducts periodic audits, both internal and external.
You can consult our Information Security Policy here: