INTRODUCTION

AUREN relies on Information and Communication Technology systems (hereinafter, ICT) to achieve its objectives. Such systems must be managed diligently, implementing appropriate measures to protect them against damage that could affect the availability, integrity, and confidentiality of the information processed or the services provided, particularly those classified as essential.

The objective of information security is to ensure the quality of information and the continued provision of services, acting proactively, monitoring daily operations, and responding promptly to incidents.

ICT systems must be safeguarded against rapidly evolving threats that could impact the confidentiality, integrity, availability, intended use, and value of information and services. To defend against these threats, a strategy that adapts to changing environmental conditions is required to ensure the continuous delivery of services. This entails implementing the minimum security measures mandated by the National Security Framework (Esquema Nacional de Seguridad, ENS), continuously monitoring service delivery levels, tracking and analysing reported vulnerabilities, and preparing an effective incident response to guarantee service continuity.

AUREN must consider ICT security as an integral part of every stage of the system lifecycle, from conception to decommissioning, including development or procurement decisions and operational activities. Security requirements and funding needs must be identified and incorporated into planning, requests for proposals, and tender documents for ICT projects.

Departments must be prepared to prevent, detect, respond to, and recover from incidents, in accordance with Article 7 of the ENS.

PREVENTION

Departments must prevent, or at least mitigate as far as reasonably possible, any compromise of information or services due to security incidents. To this end, they shall implement the minimum security measures determined by the ENS and prescribed by the IT department, as well as any additional controls identified through a threat and risk assessment. These controls, along with the roles and responsibilities regarding security for all personnel, must be clearly defined and documented.

To ensure compliance with this policy, departments shall:

  • Authorise systems prior to operational deployment.
  • Regularly assess security, including evaluations following configuration changes.
  • Arrange periodic independent reviews to obtain an external assessment.

DETECTION

As services may degrade rapidly due to incidents, operations must be continuously monitored to detect anomalies in service performance and respond accordingly, as established in Article 8 of the ENS.

Monitoring is particularly relevant when implementing lines of defence in accordance with Article 9 of the ENS. Detection, analysis, and reporting mechanisms shall be established, providing regular updates to responsible parties and notifying them of significant deviations from pre-established normal parameters.

RESPONSE

At AUREN, the following must be ensured:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications regarding incidents detected in other departments or organisations.
  • Implement protocols for the exchange of incident-related information.

RECOVERY

To ensure the availability of essential services, ICT system continuity plans must be developed as part of the overall business continuity plan and recovery activities.

SCOPE

This policy applies to AUREN’s ICT systems and to all members of the organisation, without exception.

VISION AND MISSION

Our mission is to provide clients with highly specialised professional services of significant added value.

In the information era, where security is an indispensable requirement, our vision is to offer clients the highest standards of security, associating the AUREN name with cybersecurity, as has been achieved by other leading firms.

LEGAL FRAMEWORK

AUREN is subject to the following regulations in the provision of services to clients:

  • Organic Law 3/2018 of 5 December on Personal Data Protection and the Guarantee of Digital Rights.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), applicable to fully or partially automated processing of personal data, as well as non-automated processing of personal data contained in or intended for inclusion in a file.
  • Occupational Risk Prevention Law 31/1995 of 8 November and Royal Decree 39/1997 of 17 January, approving the Regulation of Prevention Services.
  • The applicable collective labour agreement for “Offices and Agencies”.
  • Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE).
  • Royal Decree-Law 13/2012 of 30 March on cookies.
  • Law 59/2003 of 19 December on electronic signatures.
  • Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations.
  • Royal Decree 1553/2005 of 23 December regulating the national identity document and its electronic signature certificates.
  • Royal Legislative Decree 1/1996 of 12 April, approving the consolidated text of the Intellectual Property Law, regularising, clarifying, and harmonising the existing legal provisions on the matter.

Other applicable regulations governing AUREN’s activities also form part of the legal framework.

The legal framework covering this document is established in the following sections of Royal Decree 311/2022 of 3 May, regulating the National Security Framework (ENS):

ENS, Article 13. Organisation and Implementation of the Security Process

Security must engage all members of the organisation. The security policy, in accordance with the principle of differentiation of responsibilities referred to in Article 11 and detailed in Section 3.1 of Annex II, must be known by all members of the organisation and unequivocally identify those responsible for ensuring compliance.

ENS, Annex II

Security Measures – Organisational Framework [org]

Security Policy [org.1]

For the management, control, and monitoring of applicable legislation, AUREN utilises a subscription service to the Official State Gazette (BOE) in the areas of “Telecommunications” and “Technology and Research.”

APPROVAL AND ENTRY INTO FORCE

Text reviewed and approved on 27 July 2023 by the Security Committee. This Information Security Policy is effective from that date and shall remain in force until replaced by a subsequent policy.
