1. APPROVAL AND EFFECTIVE DATE
This Information Security Policy corresponds to the version approved by the General Management of EUROVALORACIONES, S.A. (EUROVAL) on March 28, 2023, and reviewed as of the current date.
This policy will be effective from its approval and will remain in force until it is revised or replaced by a new version that formally supersedes it.
2. SCOPE
The General Scope of the information systems associated with the business processes that are subject to certification under the UNE ISO/IEC 27001 standard is as follows: “Appraisal and valuation services for movable and immovable property.”
3. INTRODUCTION
EUROVALORACIONES S.A. (hereinafter, EUROVAL) depends on ICT (Information and Communications Technologies) systems to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity, or confidentiality of the information processed or the services provided.
ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use, and value of information and services. Defending against these threats requires a strategy that adapts to changes in environmental conditions to ensure the continuous provision of services. This implies that departments must apply the minimum security measures required by the UNE ISO/IEC 27001 standard, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of services provided.
The different departments must ensure that ICT security is an integral part of each stage of the system lifecycle, from its conception to its decommissioning, including development or acquisition decisions and operating activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and bidding documents for ICT projects.
Departments must be prepared to prevent, detect, react to, and recover from incidents, in accordance with security regulations.
To this end, the principles that guide EUROVAL’s actions in this area are:
- Regulatory compliance.
- Risk management and resilience.
- Integrated security.
- Awareness and responsibility.
- Continuous improvement.
4. SECURITY OBJECTIVES OF THE INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)
EUROVAL has implemented various security measures proportional to the nature of the information and services to be protected and, considering its risk analysis and its statement of applicability, establishes and promotes the following strategic objectives:
- Security as an integral process and security by default.
- Periodic re-evaluation, and integrity and updating of the system.
- Personnel management and professionalism.
- Risk-based security management, including risk analysis and management.
- Security incidents, prevention, reaction, and recovery.
- Lines of defense and prevention against other interconnected systems.
- Differentiated functions, and organization and implementation of the security process.
- Authorization and control of access.
- Protection of facilities.
- Acquisition of security products and contracting of security services.
- Protection of information stored and in transit and business continuity.
- Activity logs.
5. REGULATORY FRAMEWORK
EUROVAL is subject, by way of example and not limitation, to the following regulations:
- Regulation (EU) 2016/679 (GDPR) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
- Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE).
- Royal Legislative Decree 1/1996, of April 12, approving the Revised Text of the Intellectual Property Law.
- Royal Decree-Law 10/2021, of July 9, relating to remote work, together with current labor regulations on data protection and information security.
- Law 10/2010, of April 28, on the Prevention of Money Laundering and the Financing of Terrorism.
- Law 41/2007, of December 7, reforming the mortgage and financial system.
- Royal Decree 775/1997, of May 30, on the approval of appraisal services.
- Order ECO/805/2003, of March 27, on valuation standards for real estate and certain rights for certain financial purposes.
- Circulars of the Bank of Spain applicable to appraisal companies (including Circular 7/2010 and Circular 3/1998, amended by Circulars 5/2003 and 2/2009).
- Regulation (EU) 2022/2554 (DORA) of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.
- Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS).
Likewise, EUROVAL maintains the coherence of its ISMS with the European regulatory framework on digital resilience, observing the guidelines and recommendations issued by the European supervisory authorities, including the European Banking Authority (EBA).
6. ROLES AND RESPONSIBILITIES
All members of EUROVALORACIONES S.A. have the obligation to know and comply with this Information Security Policy and the Security Regulations, and it is the responsibility of the Security Committee to provide the necessary means for the information to reach those affected.
All members of EUROVALORACIONES S.A. will attend an awareness session on ICT security at least once a year. A continuous awareness program will be established to cater to all members of EUROVALORACIONES S.A., particularly new hires.
People with responsibility for the use, operation, or administration of ICT systems will receive training in the safe handling of those systems to the extent that they need it to perform their work. Training will be mandatory before assuming a responsibility, whether it is their first assignment or a change of job or responsibilities within it.
Notwithstanding the foregoing, the following main roles are established with responsibilities for compliance with the Information Security Policy:
- EUROVAL Management: Chief Executive Officer.
- Security and Systems Manager.
- Organization and Human Resources Manager.
- IT Management.
- Regulatory Compliance Manager.
Security Committee: composed of the Chief Executive Officer, the Security and Systems Manager, the Organization and HR Manager, IT Management, and the Regulatory Compliance Manager. This committee has the function of coordinating, supervising, and promoting the implementation of the Information Security Management System (ISMS) in the organization.
7. POLICY REVIEW
EUROVAL maintains an extended internal version of this policy, of a restricted nature, which develops the operational procedures and specific controls of the ISMS.
This Policy will be reviewed at least once a year, or whenever relevant changes occur in the regulations, in the organizational structure, or in the technological systems, in order to guarantee its validity, adequacy, and effectiveness.
The review will include the evaluation of the degree of compliance with the security objectives, the effectiveness of the implemented controls, and the identification of opportunities for improvement within the framework of the continuous improvement process of the ISMS.