Axians, as part of the VINCI Energies group, has been built around very solid values: Autonomy, Trust, Solidarity, Responsibility and Entrepreneurship. Those values forge our culture and guide our actions.
Autonomy: allows talent to express itself by giving empowerment and freedom of initiative to employees and managers to develop them within the framework of our corporate culture. We emphasize the ability to act quickly and creatively in direct contact with the client.
Trust: a quality that allows us to work in a team, knowing that we can count on our colleagues and managers.
Solidarity: a reality that is expressed in the network: knowledge, activities and resources are shared within the Group to increase efficiency and the ability to act quickly.
Responsibility: regardless of their place in the organization, all Axians employees and managers are responsible for their projects, clients and functions.
Entrepreneurship: understood as the initiative to achieve success. A capacity that leads to Continuous Innovation and the contribution of added value.
Axians' future is marked by constant evolution; our customers demand new solutions and services oriented to their business development. We carry out those services in compliance with the requirements of our Integrated Management System (IMS), certified in accordance with the following Standards: UNE-EN ISO 9001, PECAL/AQAP 2110, UNE-EN ISO 14001, UNE-EN ISO 45001, UNE ISO/IEC 27001, UNE ISO/IEC 20000-1 and National Security Scheme.
Under the scope of our Integrated Management System, Axians has established a common Policy, a Security Information Management Policy and a Managed Services Policy, to guarantee continuous improvement.
Integrated Management System Policy
Axians, whose main activity consists of:
- Provide engineering services in the design, development, sale, implementation and maintenance of:
  - secure networks for the transmission of voice, data, video
  - storage systems
- Installation of structured cabling and fiber optic systems, local and extensive area networks, IP communications and security services
- Provision of remote monitoring services
By establishing this Policy, the company aims to focus both Axians staff and procedures towards the common goal of maximizing customer satisfaction and ensuring employees' health and safety, in a continuous improvement process that allows the company to achieve its goals and promotes the professional development of our team, meeting the applicable requirements.
Within the framework of our Integrated Management System, Axians assumes the following commitments:
- Adopting measures that allow a Continuous Improvement of the management systems implemented
- Establishing objectives and goals for quality, environment, information security and health and safety, consistent with this Policy and our activity development, in order to evolve positively in our business, improve the results of our behavior regarding the management systems implemented and thus achieving the Continuous Improvement of our Integrated Management System
- Establishing and maintaining a Continuous Improvement Plan to measure and monitor the improvement opportunities, mainly compliance grade with company objectives and customer requirements
- Maintaining an Integrated Management System appropriate to the organization and developing our activities in accordance with the principles of the standards UNE-EN ISO 9001, PECAL/AQAP 2110, UNE-EN ISO 14001, UNE-EN ISO 45001, UNE ISO/IEC 27001, UNE ISO/IEC 20000-1 and National Security Scheme, in their versions in force and for the scope defined for each of them
- Preventing pollution and carrying out its activities in order to minimize the impact they may have on the Environment
- Providing healthy and safe working conditions to prevent damage and deterioration of workers' health
- Establishing actions to reduce the risks, damages and injuries of workers and achieving a healthy and safe work environment
- Protecting personal data and implementing the necessary mechanisms to prevent data security breaches
- Complying with all applicable data protection regulations, including Regulation (EU) 2016/679 and any other applicable data protection regulation within the European Union, documenting the necessary conduct guides for this purpose and applying technical and organizational measures for ensuring compliance
- Complying with the applicable legislation, information security requirements and other requirements that Axians subscribes, related to the activity of the company, interested parties and environmental aspects
Axians' management approves this Policy and gives the management system manager and the occupational safety and health committee the necessary authority to ensure its development and application.
Information Security Policy
This policy is prepared in compliance with the requirement of Royal Decree 3/2010, of January 8, which regulates the National Security Scheme (ENS) in the field of Electronic Administration. Acuntia, S.A.U. (hereinafter, Axians), as a provider of information technology equipment and services for, among others, the Public Administration, has decided to voluntarily implement the measures established in said Royal Decree and incorporate them into its Information Security Management System, certified in accordance with ISO 27001 requirements in its current version and for the scope detailed in section 2 below.
Axians, to develop its activity, needs to manage information and make use of the systems that treat, store or transmit it (ICT systems). Consequently, and with the main objective of protecting the interests of the company and its customers, in a technological sector in which the security of the information in question is becoming increasingly important, the management of Axians has decided to formalize the need to protect its information by establishing an Information Security Management System (ISMS). The Axians risk management environment provides the appropriate context for the identification, evaluation and control of associated risks. The risk analysis, the declaration of applicability and the risk treatment plan that have been defined describe how these risks are controlled.
The minimum security requirements established in the ISMS, as set out in Article 11 of the ENS, are as follows:
- Organization and implementation of the security process. Security responsibilities are identified in point 5 of this policy and it is communicated and mandatory for all personnel within the scope of the ISMS
- Analysis and risk management. Performed periodically and in accordance with the methodology included in UNE 71504
- Personnel management. The staff has been trained and informed in relation to their obligations and duties regarding security, through the security regulations developed. The identification of the user allows monitoring of the user’s performance, if necessary
- The personnel in charge of the ISMS is qualified for its management, in the different phases of the service life cycle (implementation, operation, service reversal)
- Authorization and access control. Access to information is limited and controlled, so that only authorized users
- Protection of facilities. There is a double access control for secure areas (CPD and COM zone)
- Acquisition of products. For the acquisition of products, products that have the security functionality related to the purpose of their acquisition will be used, whenever possible
- Default security. The functions of operation, administration and registration shall be the minimum necessary and accessible only to authorized persons and equipment
- Integrity and system update. Any hardware or software element will require prior authorization for installation in the system. The security status of the systems will be known at all times
- Protection of information stored and in transit. The information stored and in transit is protected and the backup copies allow its recovery, if applicable
- Prevention against other interconnected information systems. The perimeter of the system and the connections with the client are protected
- Activity log. User activity is recorded through log collection and management
- Security incidents. Security incidents are recorded and treated in accordance with established procedures
- Continuity of the activity. There is a contingency and availability plan that guarantees the continuity of the service, in case of loss of the usual means of work
- Continuous improvement of the security process. The ISMS is updated and improved continuously
Axians should avoid or prevent, as far as possible, that the information it handles or the services it provides are affected by security incidents. To this end, Axians has implemented the minimum security measures included in the ENS, the ISO 27001 standard and the additional measures identified through the evaluation of threats and risks. These measures have been defined and documented in the current Declaration of Applicability.
To ensure compliance with the policy, Axians has established appropriate mechanisms to:
- Authorize systems before entering into operation
- Regularly assess security, including evaluations of configuration changes made routinely and
- Request periodic review by third parties, in order to obtain an independent evaluation
Since remote management services can be affected by security incidents, from their slowdown to the impossibility of providing them, the equipment with which the service is provided is constantly monitored, so that operating anomalies can be predicted or detected prior to their occurrence. Detection, analysis and reporting mechanisms have been established, which reach those responsible for the service regularly and when there is a significant deviation from the parameters with respect to the pre-established acceptable range.
In case a security incident is detected, Axians:
- Has established mechanisms to respond effectively to security incidents
- Has designated a point of contact for communications regarding incidents detected in other departments or third parties
- Has established mechanisms for communication and information related to the incident
Within the scope of this policy, continuity plans for information systems have been developed, which include the activities to be carried out for the recovery of services.
Taking into account the Axians context for the ISMS, in which the internal and external issues of the organization, the relevant stakeholders and their requirements for information security are determined, Axians has established the following Scope:
Information systems that support the remote monitoring activities of Customer Information Technology infrastructures in the Spanish territory, in accordance with their current Declarations of Applicability.
Axians provides, through the IT Attention and Surveillance Area (also called Multiservice Operation Center or COM) located at its headquarters in Madrid (Calle Valle la Fuenfría 3), the management and monitoring of its customers' ICT infrastructure (understanding both external and internal clients as such), guaranteeing the efficiency and availability parameters required by these infrastructures and thus relieving our clients of the most complex tasks of such management and remote monitoring.
The services provided by Axians from its Multiservice Operation Center are summarized in the following illustration:
The Axians COM extends the range of traditional services and offers a global and focused approach. Not only are incidents, problems and queries about communication infrastructure failures addressed, but an interface is also provided for other activities such as: permanent monitoring, remote configuration, change management, service level management, configuration management, custom reports, etc.
Ultimately, Axians provides Managed Services over a wide range of ICT areas, with a personalized approach of high technical granularity, both in monitoring and operation and in information that, correlated and added in real time, represents a decisive value for the business.
4 Regulatory Framework
Information security is implemented in accordance with the directives of the European Union, Spanish legislation, contractual agreements with third companies and other regulations or requirements assumed by Axians, as detailed in the document “Applicable Regulations” published in the company’s intranet.
5 Security Organization
5.1 Information Security Committee
The Security Committee, which reports directly to the Director General, is made up of the Information Security Officer, the Office of Management and Security, the Head of the Transformation and Corporate Systems Department and the Human Resources Manager, or the persons to whom they delegate.
The Committee is responsible for:
- Distribute the security policy and regulations, and ensure compliance by employees
- Approve Axians safety regulations
- Review the Security Policy annually
- Designate roles and responsibilities in the field of information security
- Supervise and approve follow-up tasks of the Information Security Management System
- Track and approve the identified risks
- The efficiency and continuous improvement of the Information Security Management System
5.2 Information Security Manager
The Information Security Manager is the person responsible for the Integrated Management System, in collaboration with the Manager of the Office of Management and Security. It has among its functions the following:
- Verify that the established security measures are adequate and effective
- Analyze, complete and approve all documentation related to system security
- Support and supervise the investigation of security incidents, from notification to resolution
- Prepare a periodic safety report, including the most relevant incidents of the period
- Develop security procedures, in collaboration with the Information and Service Manager
- Prepare the company’s safety regulations
- Has the authority to categorize the system
5.3 Information and Service Manager
The Information and Service Manager is the Manager of the Office of Management and Security. It has among its functions the following:
- Maintain the security of the information handled and the services provided
- Promote the training and awareness of personnel responsible for information and service
- Monitor the security status of the system provided by the security event management tools and audit mechanisms
- Collaborate with the Information Security Officer in the execution of their tasks
6 Personal Data
Axians carries out treatments in which it makes use of personal data, for which it adopts the appropriate security measures, following the guidelines of the current data protection regulations. Specifically, there is a Security Document where these measures are developed, which can be found published on the Intranet.
7 Risk management
All services and information systems, subject to this Policy, have been subject to a risk analysis in which the threats and risks to which they are exposed have been evaluated. The security dimensions taken into account to perform said risk analysis are Availability, Integrity, Authenticity, Confidentiality and Traceability (AIACT).
This analysis is repeated at least once a year and, in any case, when the information handled changes, when the services provided change, when a serious security incident occurs or when serious vulnerabilities are reported.
The Information Security Committee establishes the baseline assessment for the information handled and the service affected.
The Information Security Committee will boost the availability of resources to meet the security needs of the different systems, promoting horizontal investments.
8 Development of Information Security Policy
This policy is developed through regulations and security procedures such as access control, protection against malicious software, application installation, remote access, use of laptops, media management, treatment of printed information, classification of information, use of assets, use of the web, backup copies, treatment of personal information, clear and unattended workstation, key management, physical security, relations with third parties and other relevant controls to meet business objectives, international and national standards (ISO/IEC 27001 in force, ENS) and code of good practice in general. This regulation is mandatory for Axians employees.
The safety regulations are available to all employees on the company’s intranet.
9 Staff obligation
All Axians employees have the obligation to know and comply with this Information Security Policy and other existing security regulations, being the responsibility of the Information Security Committee to have the necessary means for the information to reach those affected.
Training actions will be carried out, at least once a year, to educate and raise awareness among employees on the most relevant aspects of safety procedures.
People with responsibility for the use, operation or administration of ICT systems will receive training for the safe management of the systems to the extent that they need it to carry out their work. Training will be mandatory before assuming a responsibility, whether it is a first assignment or a change of job position or of responsibilities within it.
In case of breach of this policy, penalties will be derived in accordance with current legislation, Axians internal regulations and labor contracts, under the responsibility of the Axians Human Resources department.
10 Third parties
When Axians provides services or manages information from third parties, they will be made participants in this Information Security Policy, channels for reporting and coordination with other ICT Security Committees will be established and action procedures will be established for the reaction to security incidents.
When Axians uses third-party services or transfers information to third parties, they will also be made participants in this Security Policy and in the Security Regulations applicable to such services or information. These third parties will be subject to the obligations established in said regulations, being able to develop their own operational procedures to satisfy them. Specific procedures for reporting and resolving incidents will be established. It will be ensured that third-party personnel are adequately aware of security, at least at the same level as established in this Policy.
When any aspect of the Policy cannot be satisfied by a third party, as required in the preceding paragraphs, a report from the Security Officer will be required that specifies the risks incurred and how to deal with them. Approval of this report will be required by those responsible for the information and services affected before moving forward.
11 Approval and Enforcement
The present Information Security Policy is approved on July 3, 2019 by the CEO of Axians. This Policy is effective from that date and until it is replaced by a new version.
The security policy is presented and communicated in printed or electronic format to all employees and relevant third parties. It is maintained by the Information Security Officer, will be reviewed at least once a year and will be adapted, when necessary, to reflect business needs.
Managed Services Policy
Through the Managed Services Policy, Axians Management aims to focus both staff and procedures related to managed services towards the common goal of maximizing service satisfaction, in a process of continuous improvement that allows the company to achieve its objectives and to stimulate the professional development of our human resources, while also meeting the applicable requirements.
As a result, Axians commits to:
- Communicating this Policy to the employees, the customers and interested parties, so they all participate in it and help to improve the quality of the service
- Making continuous improvement and innovation a fundamental principle of service management
- Managing actions and resources for complying with our customer agreements, both internal and external
- Managing our customer needs, dealing with complaints, suggestions and requests, and making decisions that improve satisfaction
- Taking the actions to identify, evaluate and correct any non-conformity related to the commitment this Policy establishes
- Promoting the participation and commitment of the personnel related to the Service, ensuring proper competence
- Carrying out our activities ensuring compliance with the applicable legislation and our interested parties' requirements
- Managing the underlying risks in service delivery