
ISMS Documentation

Application of the ISO/IEC 27001 standard

Company: Intergrid (Opengea SCCL)
Date: 15-10-2024
Scope: All hosting, domain and cloud web application services

1. Scope of the ISMS

The scope of the Information Security Management System (ISMS) covers all services provided by Intergrid (Opengea SCCL), including:

  • Cloud Hosting, Dedicated Hosting and VPS.
  • Registration and management of domains.
  • Cloud-based web applications.
  • Physical infrastructure hosted in advanced Data Centers in Germany, Finland, United States and Singapore, and fully managed by Intergrid from Barcelona.

2. Information Security Policy

Intergrid is committed to protecting the confidentiality, integrity, and availability of its own information and that of its clients, through appropriate technical and organizational controls, continuous risk assessment, and continuous improvement of the ISMS.

3. Risk Analysis and Treatment Methodology

  • Identification of assets, threats and vulnerabilities.
  • Impact and probability assessment (High, Medium, Low, None).
  • Assignment of measures and controls to reduce risks.
  • Documentation of residual risk and responsible party.

4. Statement of Applicability (SoA)

This statement certifies the commitment and actual implementation of the requirements of the ISO/IEC 27001:2022 standard through a responsible declaration by the organization.

Controls from Annex A of the ISO/IEC 27001 standard have been selected and applied according to the risk assessment, including:

  • A.5: Security policies
  • A.6: Organization of security
  • A.8: Asset management
  • A.9: Access control
  • A.12: Operational security
  • A.13: Communications security
  • A.15: Supplier relationships
  • A.16: Security incident management
  • A.17: Business continuity

5. Security Objectives

  • Prevent data leaks from hosted web services
  • Ensure authentication and legitimate access to systems
  • Ensure complete and available backups
  • Ensure compliance with the GDPR

6. Key Records

  • Record of assets and liabilities
  • Security Training Record
  • Security incidents
  • Internal audits and management reviews

7. Specific Procedures

Security Incident Management

All incidents must be reported immediately to the ISMS manager. They will be documented in the incident register and an analysis will be carried out to identify causes, impact and corrective actions.

Access Control

  • Access limited according to roles and needs
  • Strong Authentication: complex keys and 2FA
  • Periodic review of permissions

Backup Policy

  • Automatic daily and weekly backups
  • Replication in Multiple Data Centers (independent physical locations)
  • Regular restoration tests

Acceptable Use Policy

Users and technicians can only use Intergrid resources for authorized purposes. Any use that is abusive, illegal or compromises security will be subject to sanction.

Third-party and supplier management

  • Confidentiality agreements with collaborators
  • Control of suppliers' access to internal systems
  • Periodic review of subcontracted services

Business continuity

  • Georedundant backups and constant monitoring
  • Disaster recovery procedures
  • Assignment of key roles in crisis situations

Audits and continuous improvement

  • Periodic internal audits of the ISMS
  • Review of policies and procedures
  • Record of corrective actions and improvements

Device and equipment management

  • Updated inventory of equipment and devices
  • Screen lock policy and disk encryption
  • Limitation of the use of external devices (USB, etc.)

Email Security

  • Filtering of suspicious emails (spam, phishing)
  • Configuration of SPF, DKIM, and DMARC
  • Sending restrictions and campaign review

Classification and handling of information

  • Labeling according to sensitivity (confidential, internal...)
  • Distribution restrictions according to classification
  • Secure destruction of obsolete information

Training and awareness

  • Periodic training sessions on security
  • Awareness campaigns for all staff
  • Periodic phishing simulation tests

Management of records and evidence

  • Record preservation during the period established by regulations
  • Access control to confidential records
  • Integrity and availability guaranteed through redundant systems

Specific policies for projects and clients

  • Assignment of security managers per project
  • Privacy controls and sharing limited according to contracts
  • Security validation before deploying services to clients

This documentation is basic and extensible according to the evolution of the ISMS. It is recommended to review it at least annually or after significant incidents.

Security measures (ISMS - ISO 27001)

Company: Intergrid (Opengea SCCL)
Date: 15-10-2024
Scope: Hosting services (cloud, dedicated, VPS), domains and web applications.

Asset | Risk | Applied measures
Access to servers | Unauthorized access | IP filtering, SSH key, 2FA, fail2ban
Databases | Data leak | ORM, access control, audit
Control Panel | Service outage | Cloudflare, connection limitation
Backups | Data loss | Redundant backups in multiple locations
E-commerce service | Fraudulent modification | Active monitoring, alerts, auditing
DNS and domains | Manipulation of records | Key regeneration and access control
User website | Identity theft | 2FA, attempt limitation, captchas
Email | Spam / phishing | SPF, DKIM, DMARC, SpamAssassin, log review
Remote access of staff | Improper access | VPN with MFA, restricted by IP
Internal Applications | Execution of unauthorized code | Version control, supervised deployment
Payments | Access or manipulation of payment data | Use of Stripe as a PCI-DSS compliant platform; no sensitive data is stored locally
Third-party software | Execution of malicious code | Periodic updates, vulnerability control (CVE)
Human errors | Accidental deletion | Training, reviews, limited permissions
Critical configurations | Malicious configuration injection | Configuration audits, automatic tests
Version control | Introduction of insecure code | Peer review, continuous integration, automated tests
Administration Portals | Illicit access | IP-restricted access, 2FA, access logs
System updates | Exploitation of known vulnerabilities | Periodic updates, vulnerability scanners
Custom Development | Leaks of sensitive data | Application of OWASP guides, training for developers
External providers | Critical dependence | Service Level Agreements (SLA), continuity analysis
Security logs | Missing evidence in case of an incident | Safe and controlled retention, restricted access, SIEM
Digital identities | User impersonation | Automated provisioning and deactivation, periodic review
Hiring of staff | Breach of confidentiality | NDA clauses, onboarding training, initial access control
Public DNS server | Malicious redirection | Periodic review of zones, restricted access, change log
User sessions | Undue persistence | Automatic expiration, inactive session logout
System updates | Exploitation of known vulnerabilities | Centralized update management, testing before deployment
API Interfaces | Unauthorized access to data | Tokens with expiration, IP limitation and strong authentication
Pre-production environments | Exposure of real data | Anonymization, separate environments, access restrictions
Remote technical support | Leak of confidential information | Secure channels, activity logging, time-limited access
Document Management | Unauthorized access to internal documents | Platform with granular permissions, review of shares

Information Security Policy (ISMS)

Company: Intergrid (Opengea SCCL)
Approval date: 15-10-2024
Approved by: Technical Management

  1. Objective: Guarantee the confidentiality, integrity and availability of information, client data and systems.
  2. Scope: All hosting infrastructure and applications developed or hosted by Intergrid.
  3. Commitment: Application of the ISO/IEC 27001 framework.
  4. Responsibility: Compliance by all staff.
  5. Key measures:
    • Role-based access control and 2FA
    • Segregated backups
    • Incident Monitoring
    • Annual risk assessment
    • Training and awareness
  6. Review: Annual.

Statement of Applicability (SoA) - ISO 27001

Date: 15-10-2024
Responsible for the ISMS: Technical Director

Control (Annex A) | Title | Applicable?
A.5.1 | Security policy | Implemented
A.5.11 | Data usage | Implemented
A.6.1 | Security organization | Implemented
A.6.3 | Remote work | Implemented
A.7.1 | Scheduled backups | Implemented
A.8.1 | Access Control | Implemented
A.8.16 | Supervision of activities | Partial
A.12.1 | Security applications | Implemented
A.14.1 | Secure communications | Implemented
A.18.2 | Internal Audit ISMS | Planned

Version: 4.8 — Last review: 15-10-2024

© Intergrid 2025. Intergrid is a trademark and business initiative of Opengea SCCL.


Intergrid implements information security processes aligned with the requirements of the standard ISO/IEC 27001.