Security policy

ONE MILLION BOT, SL is a technology company in the field of Artificial Intelligence with extensive experience in Natural Language Processing (NLP) and intelligent virtual assistants.

1MILLIONBOT was established in July 2018 as a spin-off of ITYIS SIGLO XXI, SL, an economic group with 20 years of experience and successes in the digital economy.

Our company vision is the following: Lead the language that is yet to come, creating an Artificial Intelligence that is +e:

+ ethical

+ empathic

+ evolutionary

These values are reflected in all our projects, in which we ensure the strictest ethics in the application of Artificial Intelligence, always taking care of the user experience and ensuring flexibility and growing value for companies and society.

Our company purpose is to create personalized solutions in Artificial Intelligence to give value to our clients and to society, always guided by efficiency and ethics as fundamental principles. 1MILLIONBOT is highly committed to innovation, continuous improvement, and the quality of the service provided to its customers.
Legal framework

The regulatory framework on information security in which 1MILLIONBOT carries out its activity is essentially the following:

  • Organic Law 3/2018, of December 5, on the Protection of Personal Data.
  • Royal Decree 1720/2007, of December 21, which approves the Regulations implementing Organic Law 15/1999 on the Protection of Personal Data.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration.
  • Royal Decree 951/2015, of October 23, modifying Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration.
  • Law 34/2002, of July 11, on Information Society Services and Electronic Commerce.
  • Royal Legislative Decree 1/1996, of April 12, which approves the Consolidated Text of the Intellectual Property Law.

Scope

This security policy applies to all systems, workers and suppliers related to 1MILLIONBOT.

The scope of this policy covers the systems, people and suppliers involved in the information systems that support the processes of design, development and maintenance of virtual assistants based on artificial intelligence, delivered as SaaS services, as well as the design, development and maintenance of applications for the services provided to clients.

Principles and guidelines

The principles 1MILLIONBOT applies to guarantee the security of information are those set out in Article 4 of RD 3/2010, which regulates the National Security Scheme (ENS) in the field of Electronic Administration.

PREVENTION

1MILLIONBOT prevents information or services from being harmed by security incidents. To do this, the departments apply the minimum security measures determined by the National Security Scheme, as well as any additional control identified through a threat and risk assessment. These controls, together with the security roles and responsibilities of all personnel, are clearly defined and documented.

To ensure compliance with the security policy, 1MILLIONBOT:

  • Authorizes systems before they go into operation.
  • Requests periodic third-party reviews in order to obtain an independent evaluation.

DETECTION

The services are continuously monitored to detect anomalies in their provision and to act accordingly, as established in art. 8 and art. 9 of the ENS.

Detection, analysis and reporting mechanisms are in place whose results reach those responsible regularly and, especially, when there is a deviation from the pre-established parameters.

RESPONSE

Mechanisms are in place to respond effectively to security incidents. A mailbox is enabled as a communication channel for security incidents, which will be supervised by the person in charge. The procedure for exchanging information in this regard is set out in the internal procedure established for that purpose.

RECOVERY

To guarantee the availability of critical services, 1MILLIONBOT has a continuity plan for ICT systems as part of its general plan for business continuity and recovery activities.

Objectives

The systems must be managed diligently, taking the appropriate measures to protect them against accidental or deliberate damage that may affect the authenticity, availability, integrity, confidentiality or traceability of the information processed or the services provided.

The objective of information security is to guarantee the quality of information and the continuous provision of services, acting preventively, supervising daily activity and reacting quickly to incidents.

The following objectives are established for the current security policy:

  1. Use of corporate resources, such as email, Internet access, and computer and communications equipment.
  2. Management of information assets, which are inventoried, categorized and associated with a person in charge.
  3. Necessary mechanisms so that any person who accesses, or can access, information assets knows their responsibilities, thus reducing the risk derived from misuse of assets.
  4. Physical security, so that information assets are located in secure areas, protected by physical access controls appropriate to their level of criticality. The information systems and assets contained in these areas will be sufficiently protected against physical or environmental threats.
  5. Security in the management of communications and operations, so that information transmitted through communications networks is adequately protected, taking into account its level of sensitivity and criticality, through mechanisms that guarantee its security.
  6. Access control, limiting access to information assets by users, processes and information systems through the implementation of identification, authentication and authorization mechanisms according to the criticality of each asset.
  7. Acquisition, development and maintenance of information systems, taking information security aspects into account in all phases of the life cycle of those systems.
  8. Management of security incidents by implementing appropriate mechanisms for the correct identification, recording and resolution of security incidents.
  9. Continuity management by implementing appropriate mechanisms to ensure the availability of information systems and maintain the continuity of its business processes.

Security Organization

The implementation of the 1MILLIONBOT Security Policy requires that all members of the organization understand their obligations and responsibilities based on the position held.

INFORMATION SECURITY COMMITTEE

Information Security is an organizational responsibility shared by the 1MILLIONBOT board of directors. Consequently, the board promotes the creation of an Information Security Committee in order to establish a defined path and support for security initiatives.

This Committee is made up of, at least, the person in charge of security, the person in charge of information, the person in charge of the service, the person in charge of information systems and a president, who will be ultimately responsible for the decisions adopted and who will lead the Security Committee meetings, informing, proposing and coordinating its activities and decisions.

This role of President initially falls to the General Management of 1MILLIONBOT. 

The functions of the Information Security Committee are the following:

  • Review the Information Security Policy and the main responsibilities.
  • Define and promote the strategy and planning of information security, proposing the allocation of the budget and resources required.
  • Supervise and control significant changes in the exposure of information assets to the main threats, as well as the development and implementation of controls and measures aimed at guaranteeing the security of those assets.
  • Approve the main initiatives to improve Information Security.
  • Supervise and monitor aspects such as:
    • Main incidents in Information Security.
    • Preparation and updating of continuity plans.
    • Compliance with and dissemination of Security Policies.

ROLES AND RESPONSIBILITIES

The organizational structure, roles and responsibilities of 1MILLIONBOT are defined by internal procedure. The main roles are identified as follows:

  • Security Manager
  • Information Manager
  • Service Manager
  • Systems Manager

The Security Manager will be the one who makes the appropriate decisions to satisfy the security requirements of the information and services, and will have the following functions:

  • Supervise compliance with this Policy and its derived rules and procedures.
  • Advise on security matters the members of the Security Committee who so require.
  • Be aware of and supervise the investigation and monitoring of security incidents.
  • Establish adequate and effective security measures to meet the security requirements set by the Service and Information Managers, following at all times what is required in Annex II of the ENS.
  • Advise the Service and Information Managers, in collaboration with the Systems Managers, in carrying out risk analysis and management, submitting the resulting report to the Security Committee.
  • Monitor the security status of the system as provided by the security event management tools and audit mechanisms implemented in the system.
  • Promote security awareness and training activities in their area of responsibility, following the guidelines of the Security Committee.
  • Carry out or promote periodic audits that verify compliance with the Security Committee's obligations in terms of security.
  • Prepare the topics to be discussed at the Security Committee meetings, providing timely information for decision-making.
  • Prepare and review security regulations for the Security Committee.
  • Approve the security procedures prepared by the Systems Manager.

The Information Manager will be the owner of the information and will have the following functions:

  • Classify the information according to the established criteria and in each of the known and applicable security dimensions (availability, authenticity, traceability, confidentiality and integrity).
  • Work in collaboration with the Security Manager and the Systems Manager in the maintenance of technological services.
  • Carry out the risk analysis that concerns them, as well as evaluate the different risk management options to be implemented.
  • Evaluate and decide, together with the Service Managers, on the residual risks calculated in the risk analysis, and carry out their monitoring and control, without prejudice to the possibility of delegating this task.
  • Ensure the inclusion of security clauses in contracts with third parties that may have access to information on the procedures they manage, and monitor compliance.

The Service Manager will determine the requirements of the services provided and, accordingly, will have the following functions:

  • Establish the security requirements of the service, or, in ENS terminology, exercise the power to determine the security levels of the services.
  • Classify services according to the criteria and categories established in the ENS and in each of the known and applicable security dimensions (availability, authenticity, traceability, confidentiality and integrity), within the framework established in Annex I of the ENS.
  • Meet the information security requirements (availability, accessibility, interoperability, etc.) demanded in the provision of the services.
  • Ensure the inclusion of security clauses in contracts with third parties that may affect their services, and monitor their compliance.

The Information Systems Manager, within their areas of action, will be assigned the following functions:

  • Develop, operate and maintain the information system throughout its life cycle, including its specifications, installation and verification of its correct operation.
  • Guarantee that security measures are adequately integrated within the general framework of Information Security.
  • Approve any substantial modification of the configuration of any element of the system.
  • Develop technical security procedures for information systems.
  • Prepare continuity plans for information systems.
  • Collaborate in carrying out the risk analysis of the information systems for which they are responsible.
  • Implement, manage and maintain the security measures applicable to the information system.
  • Manage, configure and update, where appropriate, the hardware and software on which the security mechanisms and services of the information system are based.

APPOINTMENT PROCEDURES

Appointments are established by the General Management of 1MILLIONBOT and will be reviewed every 2 years or when the position becomes vacant.

Security Documentation

The guidelines for structuring the system documentation, its management and access are detailed in the general procedure 'Management of documented information'.

Documentation related to Information Security is classified into three levels, so that the documents at each level are based on those of the level above:

  • First level: Information security policy.
  • Second level: Regulations, internal policies and security procedures.
  • Third level: Reports, records and evidence.

First level: Security policy.

Mandatory document for all staff, internal and external, of the Organization.

Second level: Regulations, internal policies and security procedures.

Documents of mandatory compliance within their corresponding organizational, technical or legal scope, developed by 1MILLIONBOT within the framework of its Management System, which incorporates the specific aspects of the ENS needed to comply with the minimum security requirements established in its Article 11.

Responsibility for approving the documents drawn up at this level lies with the Security Committee.

Third level: Reports, records and evidence.

Documents of a technical nature that collect evidence generated during all phases of the life cycle of the information system, as well as threats and vulnerabilities of the information systems.

General data

All 1MILLIONBOT information systems comply with the security levels required by regulations for the nature and purpose of personal data.

In application of the principle of proactive responsibility established in the General Data Protection Regulation (GDPR) and the new LOPD, personal data processing activities are integrated into the categorization of systems of the National Security Scheme, considering the threats and risks associated with this type of processing.

Likewise, any other regulations in force regarding the protection of personal data will be applied.

Risk management

All systems subject to this Policy must undergo a risk analysis, evaluating the threats and risks to which they are exposed.

This analysis will be repeated:

  • Regularly, at least once a year.
  • When the information handled changes.
  • When the services provided change.
  • When a serious security incident occurs.
  • When serious vulnerabilities are reported.

To harmonize risk analyses, the Security Committee will establish a reference assessment for the different types of information handled and the different services provided.

The Security Committee will facilitate the availability of resources to meet the security needs of the different systems, promoting investments of a horizontal nature.

Staff obligations

All members of 1MILLIONBOT have the obligation to know and comply with this Information Security Policy and the Security Regulations; it is the responsibility of the Security Committee to provide the necessary means for this information to reach those affected.

All 1MILLIONBOT members will attend a security awareness session at least once a year. A continuous awareness program will be established to serve all 1MILLIONBOT members, particularly newcomers.

People with responsibility for the use, operation or administration of ICT systems will receive training in the safe handling of those systems to the extent they need it to carry out their work. The training will be mandatory before assuming a responsibility, whether it is their first assignment or a change of job or of responsibilities within it.

Third parties

When 1MILLIONBOT uses third-party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations that pertain to said services or information.

Such third parties will be subject to the obligations established in those regulations and may develop their own operating procedures to satisfy them. Specific incident reporting and resolution procedures will be established. It will be ensured that third-party personnel are adequately aware of security, at least to the same level as that established in this Policy.

When any aspect of the Policy cannot be satisfied by a third party as required in the previous paragraphs, a report from the Security Manager will be required that specifies the risks incurred and the way to treat them. Approval of this report by those responsible for the information and affected services will be required before proceeding.