Security policy
This policy has been approved by the Management on 07/05/2025
Introduction
This document outlines the Information Security Policy of Augusta Abogados, S.L.P. (hereinafter, “Augusta Abogados”), as the set of basic principles and lines of action to which the organization is committed, within the framework of the National Security Scheme (ENS) and ISO 27001.
Information is a critical, essential, and highly valuable asset for the development of Augusta Abogados’ activities. This asset must be adequately protected, through the necessary security measures, against threats that may affect it, regardless of the formats, supports, transmission media, systems, or individuals involved in its knowledge, processing, or handling.
Information Security is the protection of this asset, with the aim of ensuring the quality of information and business continuity, minimizing risk, and allowing the maximization of return on investments and business opportunities.
Information security is a process that requires technical and human resources, as well as proper management and definition of procedures, and it is essential to have the full collaboration and involvement of all Augusta Abogados staff.
The management of Augusta Abogados, aware of the value of information, is deeply committed to the policy described in this document.
Definitions
- Information System: an organized set of resources for collecting, storing, processing, maintaining, using, sharing, distributing, making available, presenting, or transmitting information.
- Risk: an estimate of the degree of exposure to a threat materializing over one or more assets, causing damage or harm to the organization.
- Risk Management: coordinated activities to direct and control an organization with respect to risks.
- Information Security Management System (ISMS): a management system based on the study of risks, established to create, implement, operate, monitor, review, maintain, and improve information security. The management system includes the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.
- Availability: system resources, and especially critical information, must be accessible when needed.
- Integrity: information in the system must remain as it was stored by an authorized agent, without unauthorized alteration.
- Confidentiality: information must be accessible only to authorized agents, in particular its owner.
- Authenticity: the identity or origin of the information must be guaranteed.
- Traceability: for certain data it must be possible to determine who did what and when.
Purpose
The purpose of this Information Security Policy is to protect the information assets of Augusta Abogados, ensuring the availability, integrity, confidentiality, authenticity, and traceability of information and the facilities, systems, and resources that process, manage, transmit, and store it, always in accordance with business requirements and current legislation.
Scope
This Information Security Policy applies to all individuals, systems, and means that access, process, store, transmit, or use information known, managed, or owned by Augusta Abogados for the described processes.
The personnel subject to this policy includes all individuals with access to the described information, regardless of whether the support is automated or not, and whether the user is an employee of Augusta Abogados or not. Therefore, it also applies to any other third party with access to Augusta Abogados’ information or systems.
To ensure that the implemented security process is continuously updated and improved, an Information Security Management System will be implemented and documented. In this way, the content of the Information Security Policy will be developed in complementary security standards and procedures.
Objectives or Mission of the Organization
Augusta Abogados offers its clients cross-practice legal services covering the needs of today’s businesses. We advise and provide legal solutions across all stages of business creation, protection, and development, drawing on the different areas of law.
Foundations of this Policy
The ultimate goal of information security is to ensure that an organization can achieve its objectives, develop its functions, and exercise its competencies using information systems. Therefore, in matters of information security, the following basic principles must be taken into account:
Security as an Integral Process
Security must be understood as a process integrated by all technical, human, material, and organizational elements related to the system.
Awareness will be promoted among the individuals involved in the process and their hierarchical superiors, so that neither ignorance, lack of organization and coordination, nor inadequate instructions become a source of risk to security.
Risk-Based Security Management
Risk analysis is an essential and continuous part of the security process. The management of these risks will allow the maintenance of a controlled environment, with these risks at acceptable levels, and will be carried out through the application of security measures proportionally to the nature of the information processed and the services to be provided.
Prevention, Detection, Response, and Preservation
System security includes measures that implement the aspects of prevention, detection, and response to security incidents, and the preservation of information and services in case an incident occurs.
Existence of Defense Lines
Augusta Abogados implements a protection strategy based on multiple layers, consisting of organizational, physical, and logical measures, so that when one layer fails, the implemented system allows:
- Gaining time for an adequate response to incidents that could not be avoided.
- Reducing the probability of the system being compromised as a whole.
- Minimizing the final impact on the system.
Defense lines must consist of organizational, physical, and logical measures.
Continuous Monitoring and Periodic Re-evaluation
Continuous monitoring will allow the detection of anomalous activities or behaviors and their timely response.
Augusta Abogados implements regular security controls and evaluations, including routine configuration change assessments, to always know the security status of systems in relation to manufacturers’ specifications, vulnerabilities, and updates affecting them, reacting diligently to manage risk based on the security status of the systems. Before the introduction of new elements, whether physical or logical, formal authorization will be required.
Likewise, periodic reviews by third parties will be requested to obtain an independent evaluation.
Security measures will be periodically evaluated and updated, adjusting their effectiveness to the evolution of risks and protection systems, potentially leading to a reconsideration of security if necessary.
Differentiation of Responsibilities
Augusta Abogados has organized its security by committing all members of the corporation through the designation of different security roles with clearly differentiated responsibilities, as outlined later in this document.
In information systems, the following roles will be differentiated:
- the information owner, who determines the security requirements of the processed information;
- the service owner, who determines the security requirements of the services provided;
- the system owner, who is responsible for the provision of services; and
- the security owner, who makes the decisions needed to meet the security requirements.
In cases of personal data processing, the data controller and, where applicable, the data processor will also be identified.
Security Requirements
This security policy will be developed by applying the following requirements:
Organization and Implementation of the Security Process
Information security commits all members of the organization. Augusta Abogados identifies the responsible parties and establishes their responsibilities in the sections “Roles, Responsibilities, and Duties” and “Third Parties” of this document. This Security Policy and the regulations will be known by all individuals within the scope of this document.
Risk Analysis and Management. Inclusion of Risks with Personal Data
Understanding risks and developing a strategy to manage them appropriately is essential for Augusta Abogados, as only by knowing the security status can appropriate decisions be made to mitigate the risks faced.
When an information system processes personal data, the provisions of the GDPR and the LOPDGDD or, where applicable, Organic Law 7/2021 of May 26, on the protection of personal data processed for the purposes of prevention, detection, investigation, and prosecution of criminal offenses and the execution of criminal penalties, will apply. The controller or processor, advised by the Data Protection Officer, will conduct a risk analysis in accordance with Article 24 of the General Data Protection Regulation and, in the cases of its Article 35, a data protection impact assessment. Additional measures to be implemented may result from this analysis.
Augusta Abogados uses the Magerit methodology to analyze risks, conducting a detailed analysis of risks affecting the assets listed in an asset inventory, which is documented in a Risk Analysis document.
The entity determines the risk levels from which it takes action to address them. A risk is considered acceptable when implementing additional security controls is estimated to consume more resources than the possible associated impact would cost.
The Information Security Committee will be responsible for ensuring that the risk analysis is conducted, as well as identifying gaps and weaknesses and bringing them to the attention of management. This analysis will be repeated:
- Regularly, at least once a year.
- When the information handled and/or services provided change significantly.
- When a serious security incident occurs or serious vulnerabilities are detected.
Once the risk assessment process is completed, Augusta Abogados’ management is responsible for approving residual risks and risk treatment plans.
In the case of measures implemented under the ENS, if the risk analysis calls for measures stricter than those described in the ENS, these will be added to the ENS measures.
Personnel Management
All Augusta Abogados personnel related to information and systems are trained and informed of their duties and obligations in terms of security, essentially through the applicable security procedures and the regulations for the use of assets. Their actions are supervised according to established roles to verify that defined procedures are followed.
User accesses are unique, and their rights and activities related to Information Security are periodically verified to correct or demand responsibilities as appropriate.
Professionalism, Awareness, and Training
The security of systems is managed and reviewed by qualified Augusta Abogados personnel and specialized external personnel, who receive and update the necessary training to ensure information security throughout the lifecycle of information systems: planning, design, acquisition, construction, deployment, operation, maintenance, incident management, and decommissioning. Qualification requirements (training and experience) will always be established by Augusta Abogados.
This Information Security Policy must be known by all internal and external users and by companies that access, manage, or process data from Augusta Abogados.
The set of Policies, standards, and complementary procedures to this Information Security Policy must also be adequately communicated and made known to the individuals, companies, and institutions affected or involved in each case.
Periodically, communication, awareness, and training programs will be defined, and the regulations for the use of information assets will be made available to users.
Augusta Abogados will promote the necessary technical training in Information Security, as well as awareness activities for all personnel.
Authorization and Access Control
Access to information systems is controlled, monitored, and limited to users, processes, devices, and information systems with the minimum allowed and/or authorized functionalities.
The necessary authorizations for critical tasks will be established and managed.
Protection of Facilities
The systems of Augusta Abogados and its communication infrastructure are located in properly protected areas, equipped with physical security measures, redundancy, continuity, and environmental measures, along with a physical access control procedure.
Acquisition of Security Products and Security Service Contracts
For the acquisition of products, Augusta Abogados will ensure that these products are certified for the security functionality related to the purpose of their acquisition, except in cases where the proportionality requirements regarding the risks assumed do not justify it, in the opinion of the Information Security Committee.
For the contracting of security services, the provisions of the previous sections and the “Third Parties” section further in this document will apply.
Least Privilege and Security by Design
At Augusta Abogados, systems are always designed and configured with Security by Default in mind. Systems provide only the functionality required: the operation, administration, and activity logging functions are kept to the minimum necessary, and Augusta Abogados ensures that they are accessible only to authorized persons and from authorized locations or devices.
Unnecessary or inappropriate functions for the intended purpose will be removed or deactivated through configuration control. The ordinary use of the system must be simple and secure, so that insecure use requires a conscious act by the user. To achieve this, security configuration guides for different technologies will be applied, adapted to the system’s categorization, in order to eliminate or deactivate unnecessary or inappropriate functions.
All projects related to or affecting information systems must include a security requirements evaluation in their analysis process and define a security model agreed upon with the Information Security Committee.
In the design, development, installation, and management of information systems and projects, security by design, secure coding, and the necessary security controls and measures according to the applicability document approved by Augusta Abogados will be considered and applied.
System Integrity and Updates
At Augusta Abogados, systems are periodically evaluated to monitor their security status, considering the manufacturer’s specifications, vulnerabilities, configuration deficiencies, necessary updates, and early detection of incidents, thus managing their integrity.
All system components require prior authorization before installation.
Protection of Stored and Transmitted Information
Information is classified according to the required sensitivity for processing and the applicable security and protection levels.
Augusta Abogados pays special attention to information stored or transmitted through insecure environments. This includes information stored or processed on portable devices, tablets, smartphones, peripheral devices, information media, as well as communications over open networks or with weak encryption, where security measures are applied to ensure the information is treated according to its classification.
Procedures will be applied to guarantee the recovery and long-term preservation of electronic documents produced by information systems.
Any non-electronic information that has been a direct cause or consequence of electronic information must be protected with the same level of security. For this, appropriate measures will be applied based on the nature of the medium, in accordance with the applicable standards.
Prevention against Other Interconnected Information Systems
Augusta Abogados protects the perimeter of access to its system, particularly in Internet connections, by always analyzing the risks derived from interconnection with other systems, and establishing the necessary measures to ensure the required security level.
Activity Logging and Malicious Code Detection
Augusta Abogados has enabled activity logs to retain the necessary information to monitor, analyze, investigate, and document unauthorized or improper activities, allowing the identification of the person taking action at any time. All of this is done with full guarantees of the right to honor, personal and family privacy, and image rights of the affected individuals, in accordance with personal data protection regulations and other applicable provisions.
Augusta Abogados implements a comprehensive process for detecting, reacting to, and recovering from malicious code by developing procedures covering detection mechanisms, classification criteria, analysis and resolution procedures, as well as communication channels to stakeholders and recording actions.
To preserve the security of information systems, ensuring strict adherence to the principles of action of public administrations, and in accordance with the General Data Protection Regulation and the principles of purpose limitation, data minimization, and retention limitation stated therein, incoming or outgoing communications may be analyzed, to the strictly necessary and proportionate extent, solely for the purpose of information security, to prevent unauthorized access to networks and information systems, stop denial of service attacks, avoid the malicious distribution of harmful code, and other damage to the aforementioned networks and information systems.
To correct or, if necessary, assign responsibility, each user accessing the information system must be uniquely identified, so that it is always clear who receives access rights, what type of rights they are, and who performed a specific activity.
Security Incidents
To prevent information and/or services from being affected by security incidents, Augusta Abogados implements the established security measures, as well as any additional controls identified as necessary through a threat and risk assessment. These controls, as well as the roles and responsibilities of security for all personnel, are clearly defined and documented.
When a significant deviation from pre-established normal parameters occurs, the necessary detection, analysis, and reporting mechanisms will be set up to ensure that they reach the responsible parties regularly.
Augusta Abogados will establish the following measures to respond to security incidents:
- Mechanisms to respond effectively to security incidents.
- Designation of a point of contact for communications regarding incidents detected in other departments or organizations.
- Protocols for the exchange of information related to the incident, including two-way communication with the Emergency Response Teams.
- The resources and techniques necessary to guarantee the recovery of critical services and thus ensure service availability.
Users have established channels to immediately report any detected incident or anomaly.
Business Continuity
Augusta Abogados performs backups to ensure the recovery of information, and establishes appropriate mechanisms to guarantee the continuity of operations in case of loss of the usual means.
In this regard, procedures have been developed to ensure the recovery and long-term preservation of electronic documents and data produced within its scope of responsibilities.
Continuous Improvement of the Security Process
The implemented security management system is continuously updated and improved, as required by the certifications it holds and as described further in this document.
Legal Requirements and Regulatory Framework
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of individuals with regard to the processing of personal data (GDPR).
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).
- Organic Law 7/2021, of May 26, on the protection of personal data processed for the purposes of preventing, detecting, investigating, and prosecuting criminal offenses, and the enforcement of criminal sanctions.
- Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.
- Law 2/2019, of March 1, which modifies the consolidated text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12, and incorporates the Directive 2014/26/EU of the European Parliament and of the Council of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and of the Council of September 13, 2017, into Spanish law.
- Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems.
- Royal Decree 43/2021, of January 26, which develops Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems.
- Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.
- Law 58/2003, of December 17, General Tax Law.
- Law 2/2007, of March 15, on Professional Societies.
- Royal Decree 135/2021, of March 2, which approves the General Statute of the Spanish Bar Association.
- Royal Legislative Decree 1/2007, of November 16, which approves the consolidated text of the General Law for the Defense of Consumers and Users and other complementary laws.
- Royal Legislative Decree 2/2015, of October 23, which approves the consolidated text of the Workers’ Statute Law.
- Law 9/2017, of November 8, on Public Sector Contracts.
- UNE-ISO/IEC 27001:2023 Information Security, Cybersecurity, and Privacy Protection. ISMS. Requirements.
- UNE-ISO/IEC 27002:2023 Information Security, Cybersecurity, and Privacy Protection. Information Security Controls.
Additionally, the Information Security Committee will be responsible for identifying the security guidelines of the National Cryptologic Center (CCN) that will apply to improve compliance with the National Security Scheme.
Roles, Responsibilities, and Duties
Users
Any person or system that accesses information processed, managed, or owned by Augusta Abogados will be considered a user. Users are responsible for their behavior when accessing information or using the computer systems of Augusta Abogados. The user is responsible for all actions performed using their identifiers or personal credentials.
Users have the obligation to:
- Comply with the Information Security Policy and the complementary rules, procedures, and instructions.
- Protect and safeguard the information of Augusta Abogados, preventing its disclosure, external transmission, modification, accidental or unauthorized deletion or destruction, or misuse, regardless of the medium or means by which it was accessed or known.
- Understand and apply the Information Security Policy, the Information Systems Usage Rules, and other applicable security policies, rules, procedures, and measures.
Users who fail to comply with the Information Security Policy or the complementary rules and procedures may be penalized in accordance with the terms outlined in the contracts that govern their relationship with Augusta Abogados and the applicable legislation.
Information Owner (National Security Scheme)
The Information Owner, a role held by the Management, determines the security requirements for the processed information.
The Information Owner has the following responsibilities:
- Ensure the proper use of the information and, therefore, its protection.
- Establish the security requirements for the information.
- Determine the security levels for the processed information, assessing the consequences of a negative impact.
Service Owner (National Security Scheme)
The Service Owner, a role held by the Management, has the following general responsibilities:
- Establish the service requirements in terms of security, including requirements for interoperability, accessibility, and availability.
- Determine the security levels for the service, in accordance with the Information Security Committee.
- Maintain the security of the information handled and the services provided by the information systems within their area of responsibility.
Management
The management of Augusta Abogados is deeply committed to the policy described in this document and is aware of the value of the information and the serious economic and reputational impact that a security incident can cause.
The Management is, therefore, the owner of Augusta Abogados’ information assets and is also responsible for the associated risks.
The management also assumes the following responsibilities:
- Demonstrate leadership and commitment to the information security management system.
- Ensure that the information security policy and objectives are established and aligned with the organization’s strategic direction.
- Approve and communicate the Information Security Policy, the Information Systems Usage Rules, and the importance of compliance to all users, both internal and external, as well as to clients and suppliers.
- Meet at least once a year, and when any extraordinary event or request demands it, with the Partners of Augusta Abogados to report on the ISMS and update the information security strategy.
- Promote a corporate culture of information security.
- Support the continuous improvement of information security processes.
- Ensure that the necessary resources are available for complying with the information security policy, the systems usage rules, and the functioning of the information security management system.
- Define the approach for analyzing and managing information security risks, the criteria for accepting risks, and ensure their evaluation at least annually.
- Ensure that internal audits of information security are carried out and that their results are reviewed to identify improvement opportunities.
- Define and control the budget for information security.
- Approve training plans and improvements and projects related to information security.
- Approve the documentation up to its second level of rules and procedures.
- Determine the measures, whether disciplinary or of any other kind, that could be applied to those responsible for security breaches.
Security Officer
The Security Officer makes the decisions needed to meet the information security and service requirements, oversees the implementation of the measures necessary to ensure that those requirements are met, and reports on these matters.
The person holding the position of Information Security Officer will assume the following functions:
- Promote the security of the information handled and the electronic services provided by the information systems, with the responsibility and authority to ensure that the Information Security Management System complies with the requirements of the National Security Scheme (ENS) and the UNE-ISO/IEC 27001 standard.
- Oversee compliance with this Policy, its derived rules and procedures, and the security configuration of the systems.
- Establish appropriate and effective security measures to meet the security requirements set by the Service Owner and the Information Owner, following the requirements specified in Annex II of the ENS, and declare the applicability of these measures.
- Promote awareness and training activities on security within their area of responsibility.
- Coordinate and monitor the implementation of projects for compliance with the standards specified, in collaboration with the Systems Manager.
- Conduct, in collaboration with the Systems Manager, the required risk analyses, select the safeguards to be implemented, and review the risk management process. Also, together with the Systems Manager, accept the residual risks calculated in the risk analysis.
- Promote periodic audits to verify compliance with information security obligations and analyze the audit reports, preparing the conclusions to be presented to the Systems Manager for corrective actions to be taken.
- Coordinate the Security Management process, in collaboration with the Systems Manager.
- Sign the Statement of Applicability, which includes the list of selected security measures for a system.
- Prepare periodic security reports that include the most relevant incidents during each period, in coordination with the Systems Manager.
- Determine the system’s category according to the procedure described in Annex I of the ENS and the security measures that must be applied according to the provisions of Annex II of the ENS.
- Verify that the security measures are adequate for the protection of information and services.
- Participate in preparing the topics to be discussed at Security Committee meetings, in coordination with the Systems Manager, providing up-to-date information for decision-making.
- Be responsible for the direct or delegated execution of the Management’s decisions, meeting with the Management and the Systems Manager to ensure strategy alignment.
- Regarding documentation, and with the support of the Systems Manager, the Security Officer’s duties include:
  - Proposing to Management and the Systems Manager, for approval, the second-level security documentation, namely the IT Security Rules (STIC) and the General Procedures of the Information Security Management System (ISMS), and signing this documentation.
  - Approving third-level security documentation (STIC Operational Procedures and STIC Technical Instructions).
  - Keeping the documentation organized and up to date, and managing the mechanisms for accessing it.
For the development of any of their functions, the Security Officer may seek the collaboration of the Systems Manager.
Data Protection Officer
In accordance with the GDPR and the LOPDGDD, the Data Protection Officer will have at least the following functions:
- Inform and advise the data controller and their employees on the obligations they have under the GDPR and other data protection provisions.
- Monitor compliance with the GDPR, with other data protection provisions of the Union or Member States, and with the policies of the controller or processor regarding personal data protection, including the assignment of responsibilities, awareness-raising, training of staff involved in processing operations, and the corresponding audits.
- Provide advice, upon request, on data protection impact assessments and monitor their application in accordance with Article 35 of the GDPR.
- Cooperate with the supervisory authority.
- Act as the point of contact for the supervisory authority on matters related to processing, including the prior consultation referred to in Article 36 of the GDPR, and consult it, where appropriate, on any other matter.
Systems Manager
The Systems Manager, either personally or through in-house or contracted resources, is responsible for developing the specific method of implementing security in the system and overseeing its daily operation, delegating to administrators or operators under their responsibility.
The duties of the Systems Manager include:
- Develop, operate, and maintain the Information System throughout its lifecycle, including its specifications, installation, and verification of proper functioning.
- Define the topology and management system of the Information System, establishing usage criteria and available services.
- Ensure that specific security measures are properly integrated within the general security framework.
- Conduct exercises and tests on operational security procedures and existing continuity plans.
- Monitor the lifecycle of systems: specification, architecture, development, operation, changes.
- Implement the necessary measures to ensure the security of the system throughout its lifecycle, in accordance with the Information Security Committee.
- Approve any substantial modification to the configuration of any element of the system.
- Suspend the handling of certain information or the provision of an electronic service if notified of serious security deficiencies, after agreement with the Information Security Committee and Management.
- Carry out, in collaboration with the Information Security Committee, the required risk analyses, select the safeguards to be implemented, and review the risk management process. Also, together with the Information Security Committee, accept the residual risks calculated in the risk analysis.
- Prepare, in collaboration with the Information Security Committee, third-level security documentation (STIC Operational Procedures and STIC Technical Instructions).
System Security Administrator
The duties of the System Security Administrator are as follows:
- Implement, manage, and maintain the security measures applicable to the information system.
- Manage, configure, and update, where applicable, the hardware and software on which the security mechanisms and services of the information systems are based.
- Manage the authorizations granted to system users, including monitoring that the activities performed on the system comply with the authorized permissions.
- Apply operational security procedures.
- Apply configuration changes to the information system.
- Ensure that established security controls are strictly adhered to and that approved procedures are applied when handling the information system.
- Monitor hardware and software installations, their modifications, and improvements to ensure that security is not compromised and that they always comply with the relevant authorizations.
- Monitor the security status of the system as reported by the security event management tools and the technical audit mechanisms implemented in the system.
- Inform the respective Managers of any anomaly, compromise, or vulnerability related to security.
- Collaborate in the investigation and resolution of security incidents, from detection to resolution.
Information Security Committee
The Information Security Committee is composed of:
- President: Management area.
- Secretary: TMT Lawyer.
- Members:
  - Data Protection Officer and responsible for security.
  - Administration Manager.
  - Systems Manager.
The Information Security Committee will meet once a quarter and more frequently if the circumstances require.
Its duties are as follows:
- Address requests related to Information Security from the Administration and various security roles and/or areas, regularly informing about the state of Information Security.
- Advise on Information Security matters.
- Resolve responsibility conflicts that may arise between different administrative units.
- Promote continuous improvement of the Information Security management system. To do this, it will:
  - Coordinate efforts from various areas on Information Security to ensure they are consistent, aligned with the strategy, and avoid duplications.
  - Propose Information Security improvement plans, with the corresponding budget allocation, prioritizing actions in security when resources are limited.
  - Ensure that Information Security is considered in all projects from their initial specification to their operation. In particular, it must ensure the creation and use of horizontal services that reduce duplications and support homogeneous operation of all ICT systems.
- Monitor the main residual risks accepted and recommend possible actions regarding them.
- Monitor the management of security incidents and recommend possible actions regarding them.
- Regularly review this Information Security Policy for approval by the competent body.
- Develop the Information Security regulations for approval in coordination with General Management.
- Verify the information security procedures and other documentation for approval.
- Develop training programs to educate and raise awareness among staff on Information Security and personal data protection.
- Develop and approve the training and qualification requirements for administrators, operators, and users from an Information Security perspective.
- Promote periodic ENS, ISO 27001, and data protection audits to verify the organization’s compliance with Information Security obligations.
The Information Security Committee will also assume the functions of the Security Officer.
Designation Procedure and Conflict Resolution
The management of Augusta Abogados assigns, renews, and communicates the responsibilities, authorities, and roles regarding information security, determining the reasons and the validity period in each case. It will also ensure that users are aware of, assume, and exercise the assigned responsibilities, authorities, and roles, resolving any conflicts that arise in relation to each responsibility in Information Security.
Personal Data
The organization will only collect personal data when it is adequate, relevant, and not excessive, and when it is related to the scope and purposes for which it was obtained. Likewise, it will adopt the necessary technical and organizational measures to comply with the applicable data protection regulations in each case.
Accordingly, under the LOPDGDD, appropriate measures have been adopted, such as analyzing the legal basis of each data processing activity, risk analysis, an impact assessment where the risk is high, activity logging, and the appointment of the person who will perform the functions of Data Protection Officer.
Third Parties
When the organization provides services to other entities or handles information from other entities, they will be informed of this Information Security Policy. Augusta Abogados will define and approve channels for coordinating information and procedures for responding to security incidents, as well as other actions that Augusta Abogados carries out concerning security in relation to other entities.
When Augusta Abogados uses third-party services or shares information with third parties, they will be made aware of this Security Policy and the existing Security Regulations concerning those services or information. Such third parties will be subject to the obligations established in the mentioned regulations and may develop their own operational procedures to comply with them. Specific communication and incident resolution procedures will be established. It will be ensured that third-party personnel are adequately trained in security, at least to the same level established in this Security Policy.
When any aspect of this Security Policy cannot be satisfied by a third party as required in the previous paragraphs, a report from the Information Security Committee will be required, specifying the risks involved and how to address them. The approval of this report by the responsible parties for the affected information and services will be required before proceeding.
Development of the ISMS, Review, and Audits
Management has approved the development of an Information Security Management System (ISMS) that is established, implemented, maintained, and improved according to security standards. This system will be adapted to, and serve to manage, the controls of the National Security Scheme (ENS) and ISO 27001. The system will be documented and will allow for the generation of evidence of controls and of compliance with the established objectives. A document management procedure sets the guidelines for structuring the security documentation of the system, its management, and access to it.
The Information Security Policy and Standards will be adapted to the evolution of systems, technology, and organizational changes and will align with the current legislation and the standards and best practices of the National Security Scheme (ENS) and ISO 27001, with special attention given to the guidelines published by the National Cryptologic Center as part of the development of security measures and controls.
The security measures and applicable physical, administrative, and technical controls will be detailed in the Applicability Document and will be proportional to the criticality of the information to be protected and its classification.
The Information Security Committee will review this policy annually or when significant changes suggest it, and will resubmit it for approval by management. Reviews will assess the effectiveness of the policy, considering the effects of technological and business changes.
Management will be responsible for approving necessary modifications to the text when a change occurs that affects the risk situations outlined in this document.
The security management system will be audited annually in internal audits (ENS and ISO 27001) and external ISO 27001 audits, and every two years in external ENS audits, according to an audit plan developed by the Information Security Committee.