Skip to content

Information Security Policy and National Security Scheme

Future Space Management , aware of the need to promote, maintain and improve the customer focus in all its activities, has implemented an Integrated Management System (IMS) according to the standard whose ultimate goal is to ensure that we understand and share the needs and goals of our customers, trying to provide services that meet their expectations by working on continuous improvement. Expressly states its commitment to enhance the security and cybersecurity of the information of the service provided, and is committed to meeting the needs and expectations of stakeholders, to maintain high our competitiveness in services and products of Data & Analytics, Cyber Intelligence, Internet of things, Enterprise Cloud and Application Development.

Mission and Objectives:

  • Encourage continuous improvement of services and customer support.
  • Continue positioning Future Space as a reference in the sector.
  • Providing software solutions to transform data and information to aid in decision making for our clients.
  • To provide clients with the most professional equipment and to have highly qualified technicians, experts in the required disciplines and accustomed to working as a team, available immediately and for as long as necessary.
  • To provide a service based on our commitment to the continuous improvement of our systems, with security and cybersecurity of information as a central pillar, and by default.
Our mission and objectives will be achieved through:
  • A system of objectives, metrics and indicators for continuous improvement, monitoring, measuring our internal processes, as well as the satisfaction of our customers. Establishing and monitoring compliance with contractual requirements to ensure an efficient and safe service.
  • We continuously train and raise the awareness of our team in order to have the highest degree of professionalism and specialisation possible, as well as having our infrastructures in an adequate state and in accordance with the requirements of our clients.
  • With a secure product procurement management procedure.
  • Complying with the requirements of current legislation, especially with the GDPR and compliance with our Security Documentation.
  • Introducing continuous improvement processes that allow a permanent advance in our Information Security management.
  • Managing and developing plans for the management and treatment of risks with a risk analysis and management methodology used, based on standards.
  • Managing internal and external communications and information stored and in transit.
  • Ensuring interconnection with other information systems.
  • Managing and monitoring activity with log management.
  • With special attention to the management of security incidents.
  • Ensuring the continuity and availability of the business and services.
  • Ensure that our Assets and Services comply with ENS High Level measures for the dimensions of Confidentiality, Integrity, Availability, Authenticity and Traceability.
Likewise, these principles should be considered in the following safety areas:
  • Physical: Comprising the security of the premises, facilities, hardware systems, supports and any physical asset that treats or can treat information.
  • Logic: Including the protection aspects of applications, networks, electronic communication and computer systems.
  • Political-corporate: Formed by the security aspects related to the organization itself, internal rules, regulations and legal norms.
The ultimate goal of information security is to ensure that an organization can meet its objectives using information systems. The following basic principles should be considered in security decisions:
  • A) Integral security.
  • B) Risk management.
  • C) Prevention, response and recovery.
  • D) Lines of defence.
  • E) Periodic re-evaluation.
  • F) Differentiated function.

Security roles or functions

Responsible for the information:

Determine the requirements of the information processed.
  • To implement and maintain the Integrated Management System (IMS), continuously improving its effectiveness. 
  • Implement and maintain the ENS by continuously improving its effectiveness.
  • Supervise procedures and technical instructions.
  • Implement the measures and follow-ups indicated by the DPO.
  • Follow up and verify the implementation and effectiveness of all established corrective and preventive actions.
  • Ensure that the implemented system complies with the established standard.
  • Analyze the data obtained in the Integrated Management System (IMS) and ENS and propose improvements.
  • Draw up the annual internal audit plan.
  • Participate in management review decision making.
  • Management of safety non-conformities. 
  • Participate in External Audits. 
  • Responsible for the company's private data in terms of loss, theft and outdatedness. 
  • Comply with the manual of good information security practices. 
  • Delivers training programmes so that staff know how to act in the event of a contingency.
  • Maintain updated means of contact with the authorities. 
  • It keeps the inventory of media containing personal data.
  • Analyzes the audit reports and submits the conclusions to the data controller. 
  • Convene the ISC meetings.
  • Generates ISC meeting minutes.
  • Manages IS non-conformities, corrective actions and preventive actions.
  • Maintains IMS documents.
  • Maintains and deploys the security policy of Future Space as well as the rest of the policies to the staff involved in each of them. 
  • Responsible for the management of the security audit of data protection and GDPR. 
  • Supervises the LOPD tasks of the DPO. 
  • It prepares the security documents of Future Space.
  • Draw up agreements for the processing of data by third parties.
  • Attends to incidents in the field of data protection. 
  • It is responsible for contacting the authorities if necessary. 
  • Implementation and monitoring of compliance with IMS policies. Maintenance and implementation of the IMS Applicability Document.

Systems Manager:

Determines the requirements of the services provided.
  • Develop, operate and maintain the System throughout its life cycle, from its specifications, installation and verification of its correct functioning.
  • Define the topology and management policy of the System, establishing the criteria of use and the services available in it.
  • Define the policy of connection or disconnection of equipment and new users in the system.
  • Approve changes that affect the security of the System's mode of operation.
  • Decide on the security measures to be applied by the System component suppliers during the development, installation and testing stages of the System.
  • Implement and control the specific security measures of the system and ensure that they are properly integrated within the general security framework.
  • Determine the authorized hardware and software configuration to be used in the system.
  • Approve any substantial modification to the configuration of any element of the System.
  • Carry out the mandatory risk analysis and management process in the System.
  • Determine the category of the system according to the procedure described in Annex I of the ENS and determine the security measures to be applied as described in Annex II of the ENS.
  • Elaborate and approve the security documentation of the System.
  • Delimit the responsibilities of each entity involved in the maintenance, operation, implementation and supervision of the System.
  • Ensuring compliance with IHR obligations
  • Investigate security incidents affecting the system and, if necessary, notify the Head of Security or whoever he/she may determine.
  • Establish contingency and emergency plans, carrying out frequent drills to familiarise staff with them. In addition, the system manager may agree to suspend the handling of certain information or the provision of a certain service if he/she is informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed with those responsible for the affected information, the affected service and the security manager, before being executed.

Information Security Manager:

Determines decisions to meet information security and service requirements.
  • Responsible for cybersecurity.
  • Supervise the Safety Manual, procedures and technical instructions. 
  • Overall responsibility for managing the implementation of security practices.   
  • Ensure that the implemented system complies with the established standard. 
  • Analyze the data obtained in the Information Security Management System and ENS and propose improvements. 
  • Participate in management review decision making. 
  • Participate in External Audits. 
  • Responsible for the risk of physical intrusion of the company's devices.  
  • Comply with the manual of good information security practices.
  • Segregation of tasks and environments. 
  • Report any fire, flood or HVAC emergency that may activate the BCP. 
  • Review the Business Continuity Plan.
  • Verifies the functioning of the Business Continuity Plan. 
  • Controls the access of people to the premises where the systems are installed. 
  • Supervises the security incidents that occur. 
  • Performs and safeguards backups. 
  • Generates risk management treatment plans and monitors their implementation. 
  • Update the risk analysis. 
  • Oversees the collection of metrics. 
  • Performs IMS security reviews. 
  • Maintains the Business Continuity Plan. 
  • Incorporates corrective measures in the incident log. 
  • Enforcement and monitoring of compliance with SGI policies.

Responsible for the Service:

Determines the security levels of the services.
  • Ensure compliance with the objectives and metrics established for the service (SLAs).
  • Daily organization of resources.
  • Responsible for the loss and theft of information of services and IT solutions for clients and users in general.
  • Comply with the manual of good practices.
  • Determines the requirements of the services provided.
  • Program, direct, coordinate, supervise and control all the activities of the service.
  • Review and compliance of service reports.

Information Security Committee

The Information Security Committee (ISC) of Future Space reaches the entire company, is the mechanism for coordination and conflict resolution, among other functions:
  • Appointment and/or renewal of security positions, as well as their roles and responsibilities.
  • Create, plan, implement and integrate the strategic direction of the organization and align it with the ISMS.
  • Knowledge of the ICT market and new technologies and their application in the company.
  • Management and supervision of the different security projects of the company.  
  • Participate in and promote compliance with the organization's information security policy. 
  • Ensure compliance with legal provisions and regulations of public administrations and internal rules relating to information security. 
  • Approval of the ISMS, as well as its changes and new versions.
The ISC is composed of: Chairman, Vice-Chairman, Chief Information Officer, Service Manager and Information Security Officer.
Considering these guidelines, this management reiterates its firm commitment to join efforts to achieve these objectives, so that this policy is understood, implemented and kept up to date at all levels of the organization.

LEGAL FRAMEWORK: Royal Decree 951/2015, of 23 October, amending Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.

Revision 1 - Date: 07/01/2021