{"id":48430,"date":"2025-03-11T12:55:10","date_gmt":"2025-03-11T11:55:10","guid":{"rendered":"https:\/\/jotelulu.com\/?page_id=48430"},"modified":"2025-09-02T11:04:38","modified_gmt":"2025-09-02T09:04:38","slug":"information-security-policy","status":"publish","type":"page","link":"https:\/\/jotelulu.com\/en-gb\/information-security-policy\/","title":{"rendered":"Information Security Policy"},"content":{"rendered":"<p><em>Last update: March 2025<\/em><\/p>\n<ol>\n<li id=\"purpose\"><span style=\"font-weight: 400;\"> Purpose<\/span><\/li>\n<\/ol>\n<p>The purpose of this policy is to establish the general guidelines and the commitment of Management to ensure that the company properly manages the security of the information it handles.<\/p>\n<p>This policy serves as the reference framework for the Information Security Management System (ISMS), based on the ISO 27001 standard, implemented at JOTELULU. It also complies with the requirements of the National Security Scheme (ENS), the French Public Health Code, and the CISPE (Cloud Infrastructure Services Providers in Europe) Code of Conduct.<\/p>\n<ol start=\"2\">\n<li id=\"scope\"><span style=\"font-weight: 400;\"> Scope and Staff Obligations<\/span><\/li>\n<\/ol>\n<p>This policy applies to all IT systems of JOTELULU and to all members of the organization, without exception.<\/p>\n<p>All members are required to be aware of and comply with this Information Security Policy and the associated Security Regulations.<\/p>\n<ol start=\"3\">\n<li id=\"mission\"><span style=\"font-weight: 400;\"> JOTELULU&#8217;s Mission<\/span><\/li>\n<\/ol>\n<p>JOTELULU is a cloud services platform with a mission to simplify cloud computing, making it accessible and affordable for IT companies and, ultimately, for small and medium-sized businesses (SMBs). 
Its primary goal is to enhance the competitiveness of technology companies by enabling them to offer cloud services in a simple and cost-effective manner.<\/p>\n<p>JOTELULU&#8217;s philosophy is based on three fundamental principles:<\/p>\n<ul>\n<li><strong>1.\tSimplicity:<\/strong> Developing products that are easy to deploy, manage, and maintain, minimizing the complexity of the cloud.<\/li>\n<li><strong>2.\tAffordability:<\/strong> Creating solutions accessible to businesses of all sizes, ensuring that the cloud is not exclusive to large corporations.<\/li>\n<li><strong>3.\tProfitability:<\/strong> Optimizing products so that IT companies can integrate the cloud as an essential and profitable part of their business.<\/li>\n<\/ul>\n<p>Additionally, JOTELULU aims to become the best cloud platform for the IT channel, offering cloud services that IT companies can market under their own brand and pricing.<\/p>\n<p>In this environment, security is a fundamental pillar for JOTELULU, reflecting its commitment to data protection and business continuity. High-security standards are essential to ensuring the trust of its users and the reliability of its services.<\/p>\n<ol start=\"4\">\n<li id=\"statement\"><span style=\"font-weight: 400;\"> Information Security Policy Statement<\/span><\/li>\n<\/ol>\n<p>The Information Security Policy establishes the guidelines and principles defined by JOTELULU, S.L.U. (hereinafter, JOTELULU) to ensure the protection of information, compliance with defined security objectives, and the assurance of confidentiality, integrity, and availability of information systems. 
Additionally, it guarantees adherence to all applicable legal obligations.<\/p>\n<p>JOTELULU&#8217;s management, fully aware of the importance of information security in the workplace, commits to the following principles regarding the Information Security Management System (ISMS):<\/p>\n<ul>\n<li>a) Establish information security objectives that are always aligned with the company&#8217;s strategy.<\/li>\n<li>b) Ensure that security requirements are integrated into the organization&#8217;s processes.<\/li>\n<li>c) Provide the necessary resources for the management system.<\/li>\n<li>d) Communicate the importance of effective information security management in compliance with ISMS requirements.<\/li>\n<li>e) Ensure that the information security management system (ISMS) achieves its intended results.<\/li>\n<li>f) Lead and support personnel to contribute to the effectiveness of the ISMS.<\/li>\n<li>g) Promote continuous improvement of the security management system.<\/li>\n<li>h) Support relevant roles in demonstrating leadership within their areas of responsibility.<\/li>\n<\/ul>\n<p>To fulfill these commitments, JOTELULU\u2019s management will ensure that all personnel comply with the security-related regulations, policies, procedures, and instructions established within the organization.<\/p>\n<ol start=\"5\">\n<li id=\"objectives\"><span style=\"font-weight: 400;\"> Security Objectives<\/span><\/li>\n<\/ol>\n<p>Through the development of its Information Security Management System, JOTELULU aims to ensure the following security objectives:<\/p>\n<ul>\n<li>1.\tEnsure the confidentiality, integrity, availability, traceability, and authenticity of information.<\/li>\n<li>2.\tGuarantee that security is an integral part of every stage of the system lifecycle, from conception to decommissioning.<\/li>\n<li>3.\tComply with all applicable legal requirements.<\/li>\n<li>4.\tImplement the minimum security measures required by the ENS.<\/li>\n<li>5.\tMaintain a business 
continuity plan that enables the recovery of processes and activities in the shortest possible time in case of an incident.<\/li>\n<li>6.\tManage risks that may impact the organization by establishing the necessary mechanisms for control and improvement.<\/li>\n<li>7.\tTrain and raise awareness among all employees on information security matters.<\/li>\n<li>8.\tMeet the security expectations and needs of customers, employees, suppliers, management, and other stakeholders.<\/li>\n<li>9.\tEnsure that all employees are informed of their security roles and responsibilities and are accountable for fulfilling them.<\/li>\n<li>10.\tEnsure that departments are prepared to prevent, detect, respond to, and recover from incidents.<\/li>\n<li>11.\tProperly manage all incidents that occur.<\/li>\n<li>12.\tContinuously improve the ISMS and, consequently, the organization&#8217;s information security.<\/li>\n<\/ul>\n<ol start=\"6\">\n<li id=\"hds\"><span style=\"font-weight: 400;\"> HDS Security Objectives<\/span><\/li>\n<\/ol>\n<p>In particular, within the framework of the HDS (H\u00e9bergeur de Donn\u00e9es de Sant\u00e9) certification, the following specific objectives are set with regard to the health data that may be hosted by our partners:<\/p>\n<p>1. Ensure the confidentiality of the health data hosted within the HDS Services, in particular implement appropriate methods, processes and policies to:<\/p>\n<ul>\n<li>regulate access to hosted personal health data and to HDS resources in which health data is hosted;<\/li>\n<li>prevent, identify and remedy vulnerabilities and limit the risk of unauthorized access to the health data and HDS resources;<\/li>\n<li>erase or delete the health data at the end of the services (before reallocating the resources to another client) and at the end of life of the hardware infrastructure.<\/li>\n<\/ul>\n<p>2. 
Ensure the availability of the health data hosted within the services, in particular:<\/p>\n<ul>\n<li>Define and share with the Clients appropriate Service level objectives (notably Services availability, response time to Client\u2019s requests and time to take charge of identified incidents impacting the availability of the HDS Services);<\/li>\n<li>Implement the necessary organization and procedures, notably within the support and products team, to meet the Service level objectives;<\/li>\n<li>Implement and test a relevant service continuity plan to remediate any failure within the Service delivery;<\/li>\n<li>Ensure the availability of the encryption keys when JOTELULU provides health data encryption functionalities to the Client;<\/li>\n<li>Ensure the availability and integrity of the back-up when JOTELULU provides health data back-up services to the clients.<\/li>\n<\/ul>\n<p>3. Enable the Clients to use the services in an appropriate and secure manner, in particular:<\/p>\n<ul>\n<li>Provide clear and accessible Services documentation and terms and conditions of use, presenting the characteristics of the services, the technical specifications, and the distribution of tasks and responsibilities between JOTELULU and the Clients;<\/li>\n<li>Make the JOTELULU Support team aware of the specific HDS processes and conditions of services.<\/li>\n<\/ul>\n<ol start=\"7\">\n<li id=\"organization\"><span style=\"font-weight: 400;\"> Security Organization<\/span><\/li>\n<\/ol>\n<p><strong>Security Committee<\/strong><\/p>\n<p>To ensure the proper performance of the Management System and compliance with the established objectives and requirements, JOTELULU&#8217;s management has appointed an ISMS Manager and a Security Committee. The Security Committee is responsible for ensuring compliance with the guidelines set forth in this policy. 
<\/p>\n<p>The committee is responsible for the following functions:<\/p>\n<ul>\n<li>Approving and verifying compliance with information security policies.<\/li>\n<li>Reviewing the results of system audits and any significant information security incidents.<\/li>\n<li>Assigning specific roles and responsibilities within the Information Security System and ensuring that those assigned are aware of their duties.<\/li>\n<li>Implementing necessary measures to ensure that personnel understand the security procedures relevant to their roles and the potential consequences of non-compliance.<\/li>\n<li>Ensuring that information security needs are properly identified and integrated into the organization&#8217;s relevant processes.<\/li>\n<li>Approving security objectives, ensuring they are measurable and have assigned responsibilities, resources, and deadlines.<\/li>\n<li>Providing all necessary resources to support Information Security.<\/li>\n<li>Establishing a strategic and consistent basis for decision-making to reduce or mitigate risks to acceptable levels for the company, its clients, and investors.<\/li>\n<li>Ensuring the proper monitoring and management of identified risks, in alignment with risk management practices.<\/li>\n<\/ul>\n<p><strong>Roles: Functions and Responsibilities. 
<\/strong><\/p>\n<table cellspacing=\"0\" cellpadding=\"0\" style=\"border:0.75pt solid #000000; border-collapse:collapse\">\n<tr>\n<td style=\"width:108.05pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\t<strong>Role<\/strong>\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-right-style:solid; border-right-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\t<strong>Functions<\/strong>\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\t<strong>Responsible at JOTELULU<\/strong>\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tManagement\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-style:solid; border-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tUltimately responsible for the implementation of ENS.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; 
vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tManagement\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:12pt; font-size:12pt\">\n\t\t\t\t\t\t\tInformation Responsible\/\n\t\t\t\t\t\t<\/p>\n<p style=\"margin-top:12pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tResponsable de la Informaci\u00f3n\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-style:solid; border-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tResponsible for information protection and for defining the security requirements of the processed information.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tSecurity Committee\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:12pt; font-size:12pt\">\n\t\t\t\t\t\t\tService Responsible\/\n\t\t\t\t\t\t<\/p>\n<p style=\"margin-top:12pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tResponsable del Servicio\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-style:solid; border-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p 
style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tDetermines the security requirements of the provided services, according to the parameters of Annex I of ENS. <br >Ensures that security specifications are included in the service and system lifecycle, along with the necessary control procedures.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tSecurity Committee\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:12pt; font-size:12pt\">\n\t\t\t\t\t\t\tSecurity Responsible\/\n\t\t\t\t\t\t<\/p>\n<p style=\"margin-top:12pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tResponsable de la Seguridad\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-style:solid; border-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tMakes security-related decisions to meet the requirements established by the Information and Service Responsibles. 
<br >Analyzes self-assessment and\/or audit reports and submits conclusions to the System Responsible for corrective actions.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tHead of Security\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:12pt; font-size:12pt\">\n\t\t\t\t\t\t\tSystem Responsible\/\n\t\t\t\t\t\t<\/p>\n<p style=\"margin-top:12pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tResponsable del Sistema\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-style:solid; border-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tResponsible for the operation of the information system, ensuring compliance with the security measures set by the Security Responsible. 
<br >Implements corrective actions based on self-assessment and audit reports, with support from Engineering and Infrastructure teams.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tHead of Operations\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\" style=\"width:758.3pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:12pt; font-size:12pt\">\n\t\t\t\t\t\t\t<strong>Personal Data<\/strong>\n\t\t\t\t\t\t<\/p>\n<p style=\"margin-top:12pt; margin-bottom:12pt; font-size:12pt\">\n\t\t\t\t\t\t\t<strong>JOTELULU<\/strong> processes personal data, which is documented in the <strong>Register of Processing Activities (RAT)<\/strong>:\n\t\t\t\t\t\t<\/p>\n<p style=\"margin-top:12pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tAll information systems must comply with the security levels required by regulations according to the nature and purpose of the collected personal data.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tData Controller\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-style:solid; border-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tThe natural or 
legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tAs indicated in the RAT\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tData Processor\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-style:solid; border-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tThe natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; border-bottom-style:solid; border-bottom-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tAs indicated in the RAT\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width:108.05pt; border-top-style:solid; border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tData Protection Officer (DPO)\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:528.8pt; border-top-style:solid; 
border-top-width:0.75pt; border-right-style:solid; border-right-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tEnsures compliance with data protection regulations and acts as a liaison with supervisory authorities.\n\t\t\t\t\t\t<\/p>\n<\/td>\n<td style=\"width:121.55pt; border-top-style:solid; border-top-width:0.75pt; border-left-style:solid; border-left-width:0.75pt; padding:3.75pt 3.72pt; vertical-align:middle\">\n<p style=\"margin-top:0pt; margin-bottom:0pt; font-size:12pt\">\n\t\t\t\t\t\t\tDPO\n\t\t\t\t\t\t<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<p><em>Conflicts between individuals, units, or governing bodies within the organizational structure of the Information Security Policy will be resolved by the common hierarchical superior, who may consult the Information Security Committee beforehand.<\/em><\/p>\n<p><em>In case of conflict, the decisions of the Information Security Committee will take precedence.<\/em><\/p>\n<p><strong>Designation Procedure<\/strong><\/p>\n<p>The role of Information Security Manager will be assigned to the CISO\/Head of Security. If the position becomes vacant, a new appointment will be proposed by the Security Committee.<\/p>\n<p>The role of System Manager will be assigned to the Head of Operations. 
If the position becomes vacant, a new appointment will be proposed by the Security Committee from within the Engineering, Operations, or Infrastructure departments.<\/p>\n<ol start=\"8\">\n<li id=\"framework\"><span style=\"font-weight: 400;\"> Regulatory Framework<\/span><\/li>\n<\/ol>\n<ul>\n<li><strong>General Data Protection Regulation (GDPR)<\/strong> \u2013 Regulation (EU) 2016\/679 on personal data protection and free movement of such data.<\/li>\n<li><strong>Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD)<\/strong> \u2013 Organic Law 3\/2018, aligned with the GDPR and European data protection regulations.<\/li>\n<li><strong>Directive (EU) 2022\/2555, NIS2<\/strong> \u2013 European directive on cybersecurity, pending transposition into national legislation under the Draft Law on Cybersecurity Coordination and Governance.<\/li>\n<li><strong>Royal Decree 311\/2022, of May 3,<\/strong> regulating the Spanish National Security Framework (ENS).<\/li>\n<li><strong>Intellectual Property Law<\/strong> \u2013 Royal Legislative Decree 1\/1996, protecting rights over computer programs and regulating their exploitation.<\/li>\n<li><strong>Law on Information Society Services and Electronic Commerce (LSSI-CE)<\/strong> \u2013 Law 34\/2002, regulating e-commerce and digital services.<\/li>\n<li><strong>Occupational Risk Prevention Law (PRL)<\/strong> \u2013 Law 31\/1995, applicable to workplace safety and health.<\/li>\n<li><strong>Industrial Property Laws<\/strong> \u2013 Regulations on industrial designs, trademarks, patents, and utility models (Law 17\/2001, Law 24\/2015, and Law 3\/1991).<\/li>\n<li><strong>eIDAS Regulation<\/strong> \u2013 Regulation (EU) 910\/2014 on electronic identification and trust services in digital transactions.<\/li>\n<li><strong>Legal Protection of Computer Programs Law<\/strong> \u2013 Law 16\/1993, protecting software and combating software piracy.<\/li>\n<li><strong>French Public Health Code<\/strong> \u2013 
Legislative framework regulating the organization of the healthcare system, health security, and data protection in France under the HDS certification.<\/li>\n<li><strong>CISPE Code of Conduct<\/strong> &#8211; Reinforcing data protection in the context of cloud services in Europe. <\/li>\n<li><strong>EU AI Act, approved by the European Parliament on March 13, 2024, and by the EU Council on May 21, 2024.<\/strong><\/li>\n<\/ul>\n<p>This regulatory framework will be reviewed at least once a year in collaboration with the legal department or whenever a significant change is published in the BOE, regional bulletins, official government websites, or in response to relevant alerts.<\/p>\n<ol start=\"9\">\n<li id=\"risks\"><span style=\"font-weight: 400;\"> Risk Management<\/span><\/li>\n<\/ol>\n<p>All systems subject to this policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated: <\/p>\n<ul>\n<li>Regularly, at least once a year.<\/li>\n<li>When there is a change in the information handled.<\/li>\n<li>When there is a change in the services provided.<\/li>\n<li>When a serious security incident occurs.<\/li>\n<li>When severe vulnerabilities are reported.<\/li>\n<\/ul>\n<p>To ensure consistency in risk analyses, a reference assessment is established for the different types of information handled and services provided. The Security Committee will facilitate the allocation of resources to meet the security needs of various systems, promoting horizontal investments.<\/p>\n<ol start=\"10\">\n<li id=\"documentation\"><span style=\"font-weight: 400;\"> Structuring of Security Documentation<\/span><\/li>\n<\/ol>\n<p>The Information Security Policy is structured into the following hierarchically related levels:<\/p>\n<ul>\n<li>1. First Level: Information Security Policy, as outlined in this document, reviewed and approved by the Security Committee, and signed by the CEO.<\/li>\n<li>2. 
Second Level: Information Security Topic Specific, also reviewed and approved by the Security Committee and signed by the CEO.<\/li>\n<li>3. Third Level: Information Security Procedures and Technical Instructions. These are technical documents and controls aimed at addressing security-related tasks within the systems, governed by the ISMS.<\/li>\n<li>4. Fourth Level: Reports, records, and electronic technical evidence, published in our document management systems.<\/li>\n<\/ul>\n<ol start=\"11\">\n<li id=\"review\"><span style=\"font-weight: 400;\"> Review of the Information Security Policy<\/span><\/li>\n<\/ol>\n<p>The Information Security Policy, along with the processes of the Management System, is regularly reviewed at planned intervals or whenever significant changes occur to ensure its continued suitability, effectiveness, and efficiency. In general, it is reviewed annually as part of the internal ISMS audit process.<\/p>\n<p>Monitoring procedures are in place to provide insights into the proper performance of the ISMS.<\/p>\n<p>Management also plays a key role in reviewing the system, conducting an in-depth analysis to identify potential improvements and deficiencies.<\/p>\n<ol start=\"12\">\n<li id=\"communication\"><span style=\"font-weight: 400;\"> Communication of the Information Security Policy<\/span><\/li>\n<\/ol>\n<p>The management system policy is communicated at the time of onboarding, during awareness training, and internally through email and\/or corporate channels.<\/p>\n<p>The statement of this policy will be made available to external stakeholders of JOTELULU by publishing it in a shared document on the web.<\/p>\n<ol start=\"13\">\n<li id=\"regulations\"><span style=\"font-weight: 400;\"> Information Security Regulations and Specific Aspects<\/span><\/li>\n<\/ol>\n<p>This policy will be implemented through Security Specific Topics that address specific aspects of security. 
These regulations are available to all members of the organization, particularly those who use, operate, or manage information and communication systems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last update: March 2025 Purpose The purpose of this policy is to establish the general guidelines and the commitment of Management to ensure that the company properly manages the security of the information it handles. This policy serves as the reference framework for the Information Security Management System (ISMS), based on the ISO 27001 standard, [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-48430","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Information Security Policy - Jotelulu<\/title>\n<meta name=\"robots\" content=\"noindex, nofollow\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Information Security Policy - Jotelulu\" \/>\n<meta property=\"og:description\" content=\"Last update: March 2025 Purpose The purpose of this policy is to establish the general guidelines and the commitment of Management to ensure that the company properly manages the security of the information it handles. 
This policy serves as the reference framework for the Information Security Management System (ISMS), based on the ISO 27001 standard, [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jotelulu.com\/en-gb\/information-security-policy\/\" \/>\n<meta property=\"og:site_name\" content=\"Jotelulu\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-02T09:04:38+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/information-security-policy\\\/\",\"url\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/information-security-policy\\\/\",\"name\":\"Information Security Policy - Jotelulu\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/#website\"},\"datePublished\":\"2025-03-11T11:55:10+00:00\",\"dateModified\":\"2025-09-02T09:04:38+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/information-security-policy\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/information-security-policy\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/information-security-policy\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Portada\",\"item\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Information Security Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/#website\",\"url\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/\",\"name\":\"Jotelulu\",\"description\":\"Cloud Paradise for Tech 
Companies\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/jotelulu.com\\\/en-gb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Information Security Policy - Jotelulu","robots":{"index":"noindex","follow":"nofollow"},"og_locale":"en_GB","og_type":"article","og_title":"Information Security Policy - Jotelulu","og_description":"Last update: March 2025 Purpose The purpose of this policy is to establish the general guidelines and the commitment of Management to ensure that the company properly manages the security of the information it handles. This policy serves as the reference framework for the Information Security Management System (ISMS), based on the ISO 27001 standard, [&hellip;]","og_url":"https:\/\/jotelulu.com\/en-gb\/information-security-policy\/","og_site_name":"Jotelulu","article_modified_time":"2025-09-02T09:04:38+00:00","twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jotelulu.com\/en-gb\/information-security-policy\/","url":"https:\/\/jotelulu.com\/en-gb\/information-security-policy\/","name":"Information Security Policy - 
Jotelulu","isPartOf":{"@id":"https:\/\/jotelulu.com\/en-gb\/#website"},"datePublished":"2025-03-11T11:55:10+00:00","dateModified":"2025-09-02T09:04:38+00:00","breadcrumb":{"@id":"https:\/\/jotelulu.com\/en-gb\/information-security-policy\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jotelulu.com\/en-gb\/information-security-policy\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/jotelulu.com\/en-gb\/information-security-policy\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/jotelulu.com\/en-gb\/"},{"@type":"ListItem","position":2,"name":"Information Security Policy"}]},{"@type":"WebSite","@id":"https:\/\/jotelulu.com\/en-gb\/#website","url":"https:\/\/jotelulu.com\/en-gb\/","name":"Jotelulu","description":"Cloud Paradise for Tech Companies","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jotelulu.com\/en-gb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"}]}},"_links":{"self":[{"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/pages\/48430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/comments?post=48430"}],"version-history":[{"count":10,"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/pages\/48430\/revisions"}],"predecessor-version":[{"id":72050,"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/pages\/48430\/revisions\/72050"}],"wp:attachment":[{"href":"https:\/\/jotelulu.com\/en-gb\/wp-json\/wp\/v2\/media?parent=48430"}],"curies":[{"name":"wp","href":"https:\
/\/api.w.org\/{rel}","templated":true}]}}