Information Security Policy
March 2024
Introduction
The Information Security Management System (hereinafter, ISMS) of the University Organization of Navarra (hereinafter, CUN or the Organization) is based on the ISO 27001:2022 model on Information Security, Cybersecurity, and Privacy Protection – Information Security Management Systems. This model uses a risk-management approach across the entire system in order to identify, plan, and act on the risks and opportunities relevant to achieving the expected outcomes and meeting the established Information Security objectives.
Leadership and Commitment
CUN’s Management demonstrates its leadership and commitment to the Information Security Management System in the following ways:
- Ensuring that CUN’s Information Security Policy and its objectives are established and aligned with the Organization’s strategic direction.
- Ensuring that the ISMS requirements are integrated into the Organization’s processes.
- Providing the necessary resources to implement, maintain, and continually improve the ISMS.
- Communicating the importance of effective system management and of meeting system requirements.
- Ensuring that the ISMS achieves its intended outcomes.
- Directing and supporting personnel to contribute to the effectiveness of the ISMS.
- Promoting continuous improvement.
- Fostering an information security culture among all members of the Organization.
- Ensuring that information security objectives are established and communicated.
- Supporting other relevant management functions to demonstrate leadership within their areas of responsibility.
General Information Security Policy
CUN Management agrees that developing the Organization’s activities and achieving its strategic objectives in Information Security requires maintaining, at all times, a high level of compliance with the established standards of Confidentiality, Availability, Traceability, Authenticity, and Integrity of information and assets, as well as compliance with the relevant legal, organizational, and technical principles, especially—within the scope of this policy—those related to the protection of personal data.
CUN considers it essential to guarantee information security in all its aspects (integrity, confidentiality, availability), as well as the security of the processes, infrastructures, people, and other resources involved in providing the Organization’s services. CUN must properly manage security by protecting these elements from possible threats, minimizing their risks, and ensuring business process continuity.
Therefore, protecting information and maintaining its security become global objectives that must be embraced by every member of CUN, who must be familiar with and comply with the Information Security Policy, as well as the procedures, regulations, standards, and recommendations implementing it.
To this end, the ISMS has been developed and implemented to establish the reference framework for securely managing the Organization’s assets.
CUN’s commitments regarding Information Security Management are as follows:
- Make the Management’s commitment to the ISMS explicit, including Information Security Management.
- Ensure that ISMS requirements are integrated into CUN’s business processes.
- Ensure that Information Security objectives are established within the ISMS and that they are consistent with the Organization’s context and strategic direction.
- Define, develop, and implement the necessary controls, promoting the process approach and risk-based thinking to ensure compliance with the approved risk levels at all times.
- Comply at all times with current legislation, as well as with the particular standards and specifications applicable to the services provided by the Organization.
- Create an integrated management culture for Information Systems and Security—both internally, among all staff, and externally, among patients and suppliers.
- Engage, direct, and support staff to contribute to the effectiveness of the ISMS; ensure the availability of the necessary resources; and support other relevant management roles in applying the management system within their areas of responsibility.
- Treat Information Security Management as a process of continuous improvement.
- Maintain the trust and satisfaction of patients and the Organization’s staff.
Scope and Field of Application
This Information Security Policy applies to all information managed by CUN and to all information systems, networks, applications, and hardware and software equipment owned or controlled by CUN. It also applies to all personnel who provide services at CUN on a permanent or temporary basis, including personnel from external organizations directly or indirectly related to CUN and its ISMS, where such personnel require access to that information to perform their duties and tasks.
Legal and Regulatory Framework
CUN commits to complying with all applicable laws and regulations regarding data protection and information security, including:
- Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).
- General Data Protection Regulation (GDPR).
- Law on Information Society Services and Electronic Commerce (LSSI).
- Law on Occupational Risk Prevention (LPRL).
- Intellectual Property Law (LPI).
- Law 6/2020 of November 11 (Trust Services).
- eIDAS 2 Regulation.
- Joint Commission International Requirements.
- NIS2 Directive of the European Parliament and Council.
- ISO 27001 on Information Security, Cybersecurity, and Privacy Protection.
Review and Compliance
This Information Security Policy shall be reviewed annually or whenever significant changes occur in CUN’s environment or in the applicable regulations. Non-compliance may result in disciplinary measures, in accordance with CUN’s internal regulations and current legislation.