Introduction
Information is a key asset for FOUNDSPOT SL, as it is essential to the provision of a large part of its services, and the company relies on ICT (Information and Communication Technology) systems to achieve its objectives. Notwithstanding this, the undeniable improvements these systems bring to information processing are accompanied by new risks; therefore, it is necessary to implement specific measures to protect both the information and the services that depend on it. These systems must be managed with due diligence, taking appropriate measures to protect them against accidental or deliberate damage that could affect the availability, integrity, confidentiality, authenticity, and traceability of the processed information.
The objective of information security is to ensure the quality of information and the continuous provision of services by taking preventive action, monitoring daily operations, and responding promptly to incidents, with the aim of reducing the risks to which they are exposed to an acceptable level.
ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, authenticity, traceability, intended use, and value of information and services.
To defend against these threats, a strategy is required that adapts to changes in environmental conditions to ensure the continuous provision of services.
This means that departments must implement the minimum security measures required by the National Security Framework, as well as continuously monitor service delivery levels, track and analyze reported vulnerabilities, and prepare an effective incident response to ensure the continuity of services provided.
The various departments must ensure that ICT security is an integral part of every stage of the system’s lifecycle, from its conception through development or procurement decisions and operational activities to its decommissioning, and must be prepared to prevent, detect, respond to, and recover from incidents, in accordance with the provisions of the National Security Framework.
Security requirements and funding needs must be identified and included in planning, in requests for proposals, and in bid documents for ICT projects.
Within each organization, only its top management has the necessary authority to set this acceptable level of risk, order updates, and provide the means to carry them out.
In this regard, establishing an information security policy and subsequently assigning tasks and responsibilities are priority actions, as they are the primary tools for security governance and constitute the framework for all subsequent actions.
This document establishes the information security policy of FOUNDSPOT SL and will be supplemented by the development of the security organization.
Prevention, Detection, Response, and Recovery from Incidents
PREVENTION
Departments must avoid, or at least prevent to the greatest extent possible, information or services from being compromised by security incidents.
To this end, departments must implement the minimum security measures determined by the ENS, as well as any additional controls identified through a threat and risk assessment.
These controls and the security roles and responsibilities of all staff must be clearly defined and documented.
To ensure compliance with the policy, departments must:
- Authorize systems before they go live.
- Regularly assess security, including assessments of configuration changes made on a routine basis.
- Request periodic third-party reviews to obtain an independent assessment.
DETECTION
Since services can degrade rapidly due to incidents—ranging from a simple slowdown to a complete stoppage—departments must continuously monitor operations to detect anomalies in service delivery levels and act accordingly, as established by the ENS. Monitoring is particularly relevant when establishing lines of defense in accordance with the aforementioned ENS.
Detection, analysis, and reporting mechanisms shall be established to regularly notify those responsible and whenever a significant deviation from the parameters pre-established as normal occurs.
RESPONSE
Departments must:
- Establish mechanisms to respond effectively to security incidents.
- Designate a point of contact for communications regarding incidents detected in other departments or other agencies.
- Establish protocols for the exchange of information related to the incident. This includes two-way communications with Emergency Response Teams.
RECOVERY
To ensure the availability of critical services, departments must develop ICT system continuity plans as part of their overall business continuity plan and recovery activities.
Scope
This policy applies to all ICT systems of FOUNDSPOT SL that support the following services:
The information services and systems used to optimize the management of users’ lost property, including inventory registration and requests for search, location, and delivery, ensuring legal compliance and the protection of sensitive information.
According to the current system categorization, the headquarters is located in Madrid, Calle Alameda 22, 28014.
It also applies to all members of the organization, without exception.
Mission
FOUNDSPOT SL, within the scope of the services it provides as previously described, operates in accordance with the principles of efficiency, hierarchy, decentralization, and coordination; promotes all kinds of activities; and provides services that contribute to meeting the needs and aspirations of its clients.
Therefore, for each service, FOUNDSPOT SL makes every effort to provide a service that is both functional and secure.
Regulatory Framework
As the regulatory basis for this security guide, current and applicable legislation affecting the organization’s operations has been analyzed, which explicitly requires the implementation of security measures in its information systems.
The applicable legal framework regarding information security is established by the following legislation:
- Law 11/2007 of June 22 on citizens’ electronic access to public services, in Article 42.2 regarding the National Security Framework, establishes as one of its principles that a reference framework must be in place to set forth the necessary conditions of trust in the use of electronic means.
- Royal Decree 311/2022 of May 5, regulating the National Security Framework in the field of Electronic Administration, sets forth the basic principles and minimum requirements, as well as the protective measures to be implemented in government systems.
- Royal Decree 951/2015 of October 23, amending Royal Decree 3/2010 of January 8, which regulates the National Security Framework in the field of Electronic Administration.
- Royal Decree 311/2022 of May 3, 2022, regulating the National Interoperability Framework in the field of Electronic Administration, the purpose of which is to create the necessary conditions to ensure an adequate level of technical, semantic, and organizational interoperability of the systems and applications used by public administrations, enabling the exercise of rights and the fulfillment of duties through electronic access to public services, while also promoting effectiveness and efficiency.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Organic Law 3/2018 of December 5 on the Protection of Personal Data and the Guarantee of Digital Rights.
- Royal Decree-Law 28/2020, of September 22, on Remote Work.
Security Organization
Information security management requires an organizational structure that, in accordance with Article 10 of the ENS, defines distinct responsibilities regarding information requirements, service requirements, and security requirements.
This organizational structure for information security at FOUNDSPOT SL is established as follows:
Information Officer:
- Determine the security requirements for the information processed, in accordance with the parameters of Annex I of the ENS.
- Approve information security levels. (This activity cannot be delegated.)
- Assess the consequences of a negative impact on information security, taking into account the repercussions on the organization’s ability to achieve its objectives, protect its assets, fulfill its service obligations, and respect the law and citizens’ rights.
Service Manager:
- Determine the security levels of the services, in accordance with the parameters of Annex I of the ENS.
- Approve service security levels. (This activity cannot be delegated.)
- Include security specifications in the lifecycle of services and systems, accompanied by the corresponding control procedures.
- Assess the consequences of a negative impact on service security, taking into account the repercussions on the organization’s ability to achieve its objectives, protect its assets, fulfill its service obligations, and respect the law and citizens’ rights.
Security Officer:
- Determine the relevant security decisions to meet the requirements established by the information and service managers.
- Objectively require that organizations providing security services have qualified professionals and appropriate levels of management and maturity in the services provided.
- When acquiring information and communications technology security products, evaluate and select those whose security functionality related to the purpose of the acquisition is certified, in a manner proportionate to the determined system category and security level; except in cases where the requirements of proportionality, in terms of the risks assumed, do not justify it in the Security Officer’s judgment.
- Expand the security measures set forth in Annex II of the ENS and those necessary to ensure the proper processing of personal data.
- Replace the security measures set forth in Annex II of the ENS provided that it is documented that they protect against risks to assets equally well or better and that the basic principles and minimum requirements set forth in Chapters II and III of the Royal Decree are met.
- Indicate in the Statement of Applicability, in detail, the correspondence between the compensatory measures implemented and the measures in Annex II of the ENS that they compensate for.
- Formalize and sign the Statement of Applicability.
- Analyze the self-assessment and/or audit reports and submit the conclusions to the System Manager so that they may adopt the appropriate corrective measures.
- Promote training and awareness regarding information security within their area of responsibility.
System Manager:
- Their primary role is to oversee the operation of the information system.
- Comply with the security measures determined by the Security Officer.
- Adopt appropriate corrective measures based on the conclusions received from the Security Officer, derived from their analysis of the self-assessment reports and/or audits.
- In the case of HIGH-category systems, upon review of the audit report, they may decide to suspend the operation of certain information, a service, or the entire system for as long as deemed prudent and until the prescribed modifications are implemented.
Data Protection Officer:
- Advise on the documentation necessary to demonstrate compliance with the GDPR and the LOPDGDD, including, but not limited to, policies, procedures, contracts, templates, and forms, and ensure that they are kept up to date.
- Inform and provide expert advice to all staff regarding their obligation to comply with the relevant provisions of the GDPR and the LOPDGDD concerning the processing of personal data.
- Monitor compliance with the GDPR and the LOPDGDD and promptly inform relevant parties within the Company of any changes.
- Act as the sole point of contact for the supervisory authority on matters related to the processing of personal data and consult with the supervisory authority, when necessary, on any other relevant personal data issues.
- Act as the primary point of contact for employees and all stakeholders and cooperate with all staff members on data protection matters.
- Provide advice and guidance on the Data Protection Impact Assessment (DPIA), including conducting or overseeing the performance of the DPIA.
- Assist the Data Controller in reporting personal data security breaches and in taking the necessary measures to inform relevant stakeholders when required.
- Monitor compliance with data protection policies and any other internal documents related to data protection.
- Advise the organization on the Privacy Policies to be provided to data subjects at the time of collecting their personal data.
- All other duties arising from current legislation on personal data protection that are not expressly stated here.
Information System Manager:
- Responsible for the operation of the information system, in accordance with the security measures determined by the Security Officer.
- Implement appropriate corrective measures based on the findings of self-assessment reports and/or audit reports analyzed by the Security Officer.
- In the case of HIGH-category systems, following review of the audit report, the system manager may decide to suspend the operation of certain information, a specific service, or the entire system for as long as deemed prudent and until the prescribed modifications are implemented.
Risk Management
All systems subject to this Policy must conduct a risk analysis, evaluating the threats and risks to which they are exposed.
This analysis shall be repeated:
- regularly, at least once a year
- when the information handled changes
- when the services provided change
- when a serious security incident occurs
- when serious vulnerabilities are reported
Development of the Information Security Policy
This Information Security Policy complements the security policies on various topics that apply within the organization, such as:
- Policy on the appropriate use of organizational resources.
- Password policy.
- Mobile device policy.
- Clean desk policy.
- Clean screen policy.
- Cryptography policy.
- Backup Policy.
- Remote Access Policy.
- Telework Policy.
- Metadata Deletion Policy.
This Policy will be implemented through security regulations addressing specific aspects. The security regulations will be made available to all members of the organization who need to know them, particularly those who use, operate, or administer information and communications systems.
Staff Obligations
All members are required to be familiar with and comply with this Information Security Policy and the Security Regulations; it is the responsibility of the ICT Security Committee to provide the necessary means to ensure that the information reaches those concerned.
All members shall attend an ICT security awareness session at least once a year.
A continuous awareness program will be established to cover all members of the organization, particularly new hires.
Individuals responsible for the use, operation, or administration of ICT systems will receive training on the secure handling of systems to the extent necessary for them to perform their work.
Training will be mandatory prior to assuming a role, whether it is their first assignment or involves a change in position or responsibilities within the same role.
Third Parties
When FOUNDSPOT SL provides services to other organizations and/or handles information from other organizations, it will share this Information Security Policy with them, establishing channels for reporting and coordination with the respective ICT Security Committees, and will establish procedures for responding to security incidents.
When FOUNDSPOT SL uses third-party services or transfers information to third parties, they will be made aware of this Security Policy and the Security Regulations pertaining to such services or information.
Such third parties will be subject to the obligations established in said regulations and may develop their own operating procedures to comply with them.
Specific procedures for reporting and resolving incidents will be established, ensuring that third-party personnel are adequately trained in security matters, at least to the same level as that established in this Policy.
When any aspect of the Policy cannot be met by a third party as required in the preceding paragraphs, a report from the Security Officer will be required, specifying the risks involved and how to address them.
Such a report must be approved by the data controllers and the affected departments before proceeding.
Personal Data
FOUNDSPOT SL processes personal data in its daily operations and is therefore subject to compliance with applicable regulations, as detailed in the REGULATORY FRAMEWORK section of this policy.
All processing of personal data shall comply with the requirements of current regulations, ensuring that such data is processed lawfully, fairly, and transparently in relation to the data subject; collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed; accurate and, where necessary, kept up to date, with all reasonable measures taken to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay; kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; they may not be stored for longer periods unless processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, without prejudice to the application of appropriate technical and organizational measures required by applicable regulations in force to protect the rights and freedoms of the data subject; processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the application of appropriate technical or organizational measures.
The Privacy Policies applicable to the specific case exist and are available to data subjects, who may request them at no cost by sending a written request to the following email address: infodpo@forlopd.es
Approval and Entry into Force
The Information Security Policy will be reviewed by the Information Security Committee at scheduled intervals, which may not exceed one year, or whenever significant changes occur, in order to ensure that it remains suitable, appropriate, and effective.
This Information Security Policy is effective as of this date and remains in effect until replaced by a new Policy.
Madrid, March 2, 2026
