Information security is defined as the framework, processes and controls established within PIB Group España (hereinafter PIB) that aim to maintain the confidentiality (only those who are authorised may access the information), integrity (the information and its processing are accurate and complete) and availability (the information and its assets can be accessed when required) of the information.
In the context of this policy, information security relates to the protection and safeguarding of all PIB data throughout its lifecycle from malicious or accidental disclosure, modification or destruction. For this reason, this policy affects information systems and applications that store, process or transfer such data. Likewise, printed documents and handwritten notes or conversations must be adequately protected.
For this reason, the PIB Steering Committee has decided to establish an Information Security Management System (ISMS) across the group in order to achieve and maintain appropriate levels of information security. The ISMS is oriented towards the internationally recognised standard ISO 27001:2022. Furthermore, it takes into account EIOPA's guidelines on IT governance and security (hereinafter DGSEIOPA).
This document defines the information security principles for the entire Group and therefore takes into account applicable legal and regulatory requirements.
Furthermore, the ‘Business Continuity Policy’ sets out the minimum requirements, objectives, responsibilities, processes, and information procedures for Business Continuity Management (BCM) in accordance with the guidelines 19, 21, 22 and 23 of DGSEIOPA.
Therefore, the ISMS and BCM support PIB in protecting information, as well as in recovering the business from emergency and crisis situations.
Information security (confidentiality, integrity and availability) is a key success factor for PIB and is becoming increasingly important due to the digitalisation of our business.
The data we collect, store and process as part of our daily operations holds significant value both for PIB and for external parties who could misuse it. Information systems and the data they process expose us to risks ranging from unauthorised access and unauthorised disclosure of information to theft, data corruption and business interruption due to system loss.
The risks can materialise as a result of an accidental or intentional action by an employee or through malicious actions carried out by criminal organisations. These risks can jeopardise the Group through a loss of client confidence, non-compliance with a regulation, and/or a loss of competitive advantage.
For all these reasons, it is necessary to implement appropriate control measures to protect the Group's information assets and the processes that support them.
This document defines the information security principles for PIB and therefore takes into account applicable legal and regulatory requirements, in accordance with Directive 6 of DGSEIOPA. The policy serves as the basis for information security administration and for specific regulations to protect the confidentiality, integrity, and availability of information within PIB against internal or external threats, whether intentional or unintentional, in order to ensure the development, implementation, operation, maintenance, and use of PIB's information systems.
This policy applies to all employees, whether temporary or permanent, and to service providers who make use of the Group's information or information systems and/or its facilities.
The ISO's primary responsibility is to advise, coordinate, monitor, and review information and technology security-related risks within PIB. The ISO's responsibilities include, but are not limited to:
It is not possible to provide total security for all information, and not all information requires the same level of protection. Therefore, PIB manages information security on a risk basis (DGSEIOPA Guideline 4). This enables PIB to allocate and use resources in the areas where they are most urgently required. For this reason, the ISO defines unified requirements for information security risk management, thereby facilitating and overseeing risk-based decisions.
Both internal and external PIB employees are among the most important success factors for ensuring the required information security levels. Numerous security measures can only be implemented effectively if internal and external employees are sufficiently aware of information security and have sufficient skills in the field of information security. The ISO will therefore develop an information security training and awareness plan that enables all employees to meet their duties and responsibilities and minimise the risks associated with the use of technologies and information security (DGSEIOPA guideline 13).
The level of information security required across the Group can only be guaranteed through unified and binding minimum requirements, complemented by their local specifics. For this reason, there are three mutually dependent levels of information security policy:
The ISO creates and maintains the Information Security Policy and Level 2 documents for all shared services across the Group. Procedures or work instructions are created and maintained by the respective responsible functional units.
Cooperation with external suppliers and service partners must not reduce the level of information security at PIB. For this reason, external suppliers and service partners may only be granted access to PIB information and IT resources once PIB has assessed and classified the information security levels of the external suppliers and service partners as appropriate. Furthermore, PIB only grants access to information and IT resources that are necessary for the cooperation (need-to-know principle). The ISO therefore defines unified requirements for security-oriented cooperation with external parties.
The required information security levels must be independently verified, monitored and assessed in order to maintain and continuously optimise them (DGSEIOPA Guideline 12). In the area of Information Security Management this is also supported by the ‘Three Lines of Defence Model’.
The first line of defence is comprised of operational management and is responsible for defining, implementing, and controlling information security measures for risk management and compliance with information security requirements.
The second line of defence is the responsibility of the ISO and the PIB's Information Security unit, with the support of the locally established risk management functions. The second line defines information security requirements and oversees the definition, implementation and control of the first line's information security measures.
Internal Audit, as an independent unit, acts as the third line of defence, assessing the effectiveness of the first two lines. Audits shall be performed periodically and in accordance with its audit plan by auditors possessing sufficient knowledge, competence and experience in ICT risks and security, in order to independently ensure the effectiveness of the first two lines (DGSEIOPA Guideline 5).
This policy will be reviewed annually by the Security Officer. The following aspects will be taken into account during the review process:
In the event of changes to the current version, the new version will be presented to the Security Committee for approval. The decision taken and its justification must be documented.
Any modification made must be duly documented in the Change History section, indicating who made the change and the reason for it.
The security policies are listed below, defining the security requirements for each area of operation. These policies supplement what is defined in this policy.