Information Systems Security Policy
The Fraternidad-Muprespa information systems security policy is expressed in the following principles:
- Medical records, our main asset to protect.
One of the organization's most critical assets is the set of medical records of injured workers and, in general, of patients treated at its health facilities. The Information Systems Security Policy established by the Management identifies the protection of this asset, in terms of confidentiality, availability and integrity, as a priority. Its scope covers the provision of information services both to the mutual company's own staff and to the insured workers themselves, who access this information through the Digital Office.
- Automated data, other assets to protect.
The information systems security policy also extends to the rest of the data and management procedures that are automated, which in our organization is almost all of them. Thus, the business systems (companies, workers, economic benefits for temporary and permanent disability, administrative files, prevention) and the Mutua's internal information systems (personnel management, economic and financial environment, corporate intranet) are protected under the ISMS.
- Scope of the concept "protected information".
Protected information must be understood to include not only information held in computerized systems in the traditional way (databases), but also unstructured information that has been incorporated into the various document repositories through scanning or mass import procedures. The term "information" also covers the documentation that still remains, residually, on conventional media (paper, acetate), even though the system's aim is the complete automation of 100% of the information in the medium term.
- Technical controls and training and awareness policies.
Security is an objective to be achieved both through the implementation of technical controls and through training and awareness policies for all personnel involved in the management of the systems, since the Management of Fraternidad-Muprespa is convinced of the importance of the active participation of everyone in the security chain. To this end, the corresponding training actions are developed, targeting all human resources and internal and external clients.
- Compliance with current legislation.
In the field of security, both the legislation on the protection of personal data and the provisions on medical histories and access to them by interested parties are of special relevance. These principles are followed both in the management of the information itself and in all relationships and data transfers that may take place within the scope of the Mutua's management.
- Extension of the policy to agreements with suppliers.
All contracts and agreements established with suppliers in the field of information and communications technologies expressly include the security requirements that must be met in the provision of the contracted service.
- Adaptation to standards.
The security methodologies, operational procedures, corporate policies and, in general, the entire body of rules generated within the Information Security Management System have a strong standardization component: the best practices of the ICT sector are followed, the recommendations of the main interest groups (manufacturers, user communities, opinion leaders) are adopted, and, as far as possible, solutions already tested in other environments and organizations are adapted. Specifically, the international standards UNE-EN ISO/IEC 27001:2017 and UNE-EN ISO/IEC 27002:2017 are followed. Compliance with the National Security Scheme is also met, and in particular with the technical standards prepared by the National Cryptological Center of the National Intelligence Center.
- Security, a process.
The security of information systems is not understood as a set of isolated measures implemented only to satisfy legal requirements, the state of the art or technological trends. Rather, security is understood as a process that includes organizational, procedural, technological and human resource management aspects, the last of which is crucial for user awareness and training policies.
- Continuous improvement.
The continuous improvement and effectiveness of the ISMS are ensured through the use of information security policies and objectives, the results of internal and external audits, data analysis, corrective and preventive actions, and the review of the system by the General Subdirectorate of Information Systems.
- Risk analysis and management.
The implementation of security measures is the result of applying risk treatment plans derived from risk management decisions, following the methodology defined and approved by Fraternidad-Muprespa and set out in the procedure that establishes the risk analysis and management methodology. This methodology is conceptually based on the National Security Scheme, approved by Royal Decree 3/2010.
The residual risk assumed by the organization is approved by the Risk Owner, a role performed by the Information and Communications Technology Committee (ICT Committee).
- Components of the Information Security Management System (ISMS).
The ISMS is made up of a body of documents that includes policies, procedures, technical instructions and records, which support the organizational, procedural and technical aspects of the system and allow it to operate. Certain policies apply to all staff, and compliance with them is mandatory.
The Fraternidad-Muprespa Management promotes the Information Systems Security Policy, and facilitates the provision of the technical and human resources necessary for its complete implementation.
The priority objectives of information security, defined by the Fraternidad-Muprespa Management, are:
- Guarantee the confidentiality, availability, integrity, authenticity and traceability of information systems. To this end, every project carried out by the General Subdirectorate of Information Systems takes into account the risks involved in its implementation.
- Permanently reduce the level of risk in the organization through risk treatment plans, the monitoring and control of risks, and the training, security-culture and awareness activities for personnel that are carried out periodically.

