Indra considers information to be one of its most critical assets, which is why it has deemed it necessary to establish suitable measures in all locations where information can be stored or from which it can be transmitted in order to guarantee:
- Confidentiality, ensuring that only those who are authorized and genuinely need the information for their job ("need-to-know" principle) can access the relevant data, therefore avoiding problems of unintended leaks or deletions of sensitive information.
- Integrity, ensuring that the information and its processing methods are accurate and complete, therefore preventing possible unauthorized alterations.
- Availability, ensuring that authorized users can access the information and its associated assets when they need to, guaranteeing access to the company's critical systems at all times through the preparation of business continuity plans.
Information Security is an essential part of Indra's business strategy due to the impact it has on its own business and its customers' business. The company has therefore developed an Information Security Management System, certified under standard ISO 27001, to define, implement and improve the most effective controls and procedures to minimize and manage risks in its internal processes, daily operations, the development and execution of programs and services from the commercial phase to the operation, and in its customer management processes.
Cornerstones of the security strategy:
- Information security governance, which ensures correct coordination and organization of information security across all levels. At its helm is the CISO (Chief Information Security Officer), who reports directly to the Audit and Compliance Committee (ACC) and the Risk Coordination Unit (RCU) and is responsible for coordinating information in the company. The CISO's main function is to develop Indra's information security strategy, objectives and plans. This area also includes the security and market LISOs (Local Information Security Officers), whose main function is to ensure information security in the markets and subsidiaries under their jurisdiction.
- An information security regulatory framework, applicable to all markets and areas of the company, as well as to all Indra companies, offices and subsidiaries. Compliance with this regulatory framework is mandatory for the entire Indra group and at its core is the information security policy, which establishes the basic security principles underpinning the framework. The current version of the Information Security Policy was approved by the Board of Directors on March 27, 2023.
- Awareness and continuous training in Information Security during all phases of employment, which aims to raise the understanding and knowledge of all users of the company, so that everyone in the company is aware of their responsibility in the field of Information Security and the criticality of protecting the confidentiality, integrity and availability of the information handled, both ours and our customers'.
- Technology and security controls as an end-to-end solution encompassing physical and environmental security controls to prevent unauthorized physical access, damage and interference in the organization's facilities and information, as well as logical security controls to preserve the confidentiality, integrity and availability of information and the resources for processing it.
- The audit and compliance monitoring processes, as verification and control mechanisms, internally through continuous supervision and monitoring processes, which are permanently active, such as:
  - Security and network monitoring processes to ensure compliance with security regulations in networks and information systems.
  - Audits of platform and application technical vulnerabilities to discover and assess the security risks from these vulnerabilities.
  - Validation processes before the connection of platforms to the Indra network to guarantee compliance with information security regulations in relation to patching, critical updates, antiviruses, etc.
Additionally, the annual sustainability report includes indicators that provide evidence of compliance with the security policy.
Externally, Indra is subject to a variety of external verification audits, such as audits of standard ISO 27001 by AENOR, an internationally renowned certification body; financial audits; and FIICS and ICT audits.
In order to guarantee security in the supply chain, Indra has established an Information Security Policy for suppliers, which is mandatory, and which is included in the approval and contracting processes of our suppliers.
Likewise, in order to guarantee the prompt detection and effective management of security incidents, Indra has formalized a Computer Security Incident Response Team, "Indra CSIRT", which provides its services in accordance with those stipulated in document RFC2350. In the event of any suspicious event or vulnerability that may affect Indra's information systems, contact Indra CSIRT.