1. Objective
At AERTEC we take information security very seriously. We aim to protect the information of our customers, employees and partners, ensuring that it is always secure, available and accurate and that we can always offer them a quality and reliable service.
2. Scope
This policy applies to all employees, contractors and third parties who handle information related to our aerospace consulting activities.
3. Fundamental Principles
We are aware that all our business processes rely on IT services or equipment, and that each of us is responsible, as an active participant, for their security in all the activities we perform. We therefore observe the following security principles:
- Confidentiality
  - Data Protection: Only authorised persons may access sensitive information.
  - Privacy: We respect the privacy of our customers and employees, following all data protection laws and regulations.
  - We take responsibility for the data and applications we handle at all times to prevent data leakage.
- Integrity
  - Accuracy of Information: We maintain correct and complete information, avoiding unauthorised modifications.
  - Accountability: Each employee is responsible for the accuracy of the information they handle.
- Availability
  - Secure Access: We ensure that information is available to those who need it, when they need it.
  - Business Continuity: We have plans to ensure that our services continue in the event of a disruption.
- Compliance and regulation
  - National and international regulation is increasingly demanding with regard to information security. We are therefore aware that it is important to comply with all company information security policies and those specific to the projects we work on.
4. Roles and Responsibilities
- All Employees: We are responsible for following this policy and reporting any security incidents.
- IT Department: Manages the technology infrastructure and ensures that systems are protected against threats.
- Information Security Officer: Oversees compliance with this policy and coordinates the response to security incidents.
- Third parties: They are responsible for complying with AERTEC’s security policies or their own equivalent, ensuring that security measures are complied with throughout the supply chain.
5. Security Measures
- Prevention
  - Secure credentials and passwords: We must all take care of our credentials and passwords, use them only to perform our work and ensure that they are secure.
  - Access control and permissions: Only if we have authorisation can we access sensitive, confidential or critical information.
  - Classification of information: At all times we are aware of the confidentiality of the information we are working with and we classify and protect the information accordingly by following security regulations.
  - Security by default: In any process, system or activity of the company, we always consider information security first, assessing the risks to which we are exposed.
  - Physical security: We do not forget that physical security is an important part of information security, and we take appropriate precautions with the devices we use and the facilities in which we work.
  - Continuous training: We are aware of our obligation to undertake regular company security training to keep up to date with best security practices.
  - Internal regulations: We are aware of the internal security regulations published by AERTEC, and we know how to use IT equipment and services safely.
- Detection
  - Continuous Monitoring: At AERTEC we continuously monitor the operation of our services, infrastructure and equipment to detect anomalies and act quickly in the event of any possible incident.
- Response and recovery
  - Incident Management: At the company we have established mechanisms to respond effectively to security incidents, including the designation of a point of contact for communication with third parties and the implementation of information exchange protocols.
  - Continuity Plan: To ensure the availability of critical services, we have also developed ICT systems continuity plans as part of our overall business continuity plan and recovery activities.
6. Compliance
- Internal Compliance: We are committed to complying with all company security policies and standards, as this helps to ensure the security of AERTEC and our customers.
- Legal Compliance: We comply with all applicable laws and regulations, including the General Data Protection Regulation (GDPR) and other relevant aerospace and information security regulations.
- Review and Update: We are committed to continually improving our security practices. We regularly review and update this policy to adapt to new threats and technologies.
7. Incident Management
If we discover or suspect a security issue, either our own or in our relationship with a third party, we are obliged to report it immediately to our IT team via the usual point of contact or via the security@aertecsolutions.com mailbox. We will respond quickly to minimise any impact, communicate with other parties and manage a coordinated response.
8. Continuous Improvement
We are committed to continually improving our security practices. Objectives are established and are planned and measured regularly. We regularly review and update this policy to adapt to new threats and technologies, or changes in business needs. And, of course, we subject systems to regular internal and external audits to verify that all is well.
9. Conclusion
Information security at AERTEC is everyone’s responsibility. With your help, we can protect our information and maintain the trust of our clients and partners.
In Malaga, June 06th, 2024