Information security
All copyright, intellectual and industrial rights in this document and in the technical knowledge it contains are owned by Ink Innovation S.L. and/or their respective owners.
This document is made available to the end-users only for their internal use. No part of this document nor any data herein may be published, disclosed, copied, reproduced, redistributed by any form or means, electronically or mechanically or used for any other purpose whatsoever without the prior written approval of Ink Innovation S.L.
Any rights not expressly granted herein are reserved.
Purpose
The purpose of this Information Security Policy is to protect the information assets of Ink Innovation S.L. from all threats, whether internal or external, deliberate or accidental. This policy outlines the framework and principles for securing our information assets, ensuring their confidentiality, integrity, and availability.
Scope
This policy applies to all employees, contractors, consultants, temporary staff, and other workers at Ink Innovation S.L., including all personnel affiliated with third parties. It covers all information systems, networks, and physical locations where information is processed, stored, or transmitted.
The policy also extends to interested parties such as customers, regulators, suppliers, and partners, ensuring alignment with applicable contractual, regulatory, and statutory obligations.
Information Security Objectives
- To ensure the confidentiality, integrity, and availability of information.
- To protect against unauthorised access and breaches.
- To comply with relevant laws, regulations, and contractual obligations, including data protection and privacy requirements.
- To protect personal, sensitive, and confidential information in accordance with applicable privacy and data protection regulations.
- To continually improve our information security management system in alignment with ISO/IEC 27001 and NIST requirements.
Roles and Responsibilities
- Ink Executive Management Team: Provide leadership, commitment and promotion of the ISMS policies and procedures, allocate resources, and support continuous improvement. Demonstrate accountability for the effectiveness of the ISMS and ensure alignment with business objectives.
- Chief Information Security Officer (CISO): Develop, implement, and maintain the ISMS, and ensure compliance with ISO/IEC 27001 requirements. Oversee risk assessments, ensure compliance with regulatory and contractual security requirements, and enforce alignment with NIST FIPS 199 categorization.
- IT Department: Implement technical controls, monitor systems, collect and review security logs, leverage threat intelligence, and respond to security incidents. Ensure segregation of duties is enforced to prevent unauthorized or unintentional modification of assets.
- All Employees: Follow the information security policies and procedures, report security incidents promptly, safeguard confidential information, and participate in regular security training and awareness programs.
Risk Management
- Conduct regular risk assessments to identify, evaluate, and prioritise risks to information security.
- Perform information system categorization using NIST FIPS 199 criteria to classify systems and data according to potential impact levels (Low, Moderate, High) for confidentiality, integrity, and availability.
- Implement appropriate controls based on categorization, with systems categorized as “High” requiring the most stringent protections.
- Align risk treatment with the organisation’s defined risk appetite and ISMS context.
- Review and update risk assessments periodically and in response to significant changes.
Information Security Controls
- Access Control: Ensure access to information is granted based on business needs and subject to proper authorization.
- Physical Security: Protect physical locations housing information assets from unauthorised access and environmental hazards.
- Communications Security: Protect information in transit through encryption and secure communication protocols.
- Incident Management: Establish and maintain an incident response plan to detect, respond to, and recover from security incidents.
- Business Continuity and Disaster Recovery: Develop and test plans to ensure the continuation of critical business functions in the event of unplanned disruptions.
- Supplier and Third-Party Security: Define, communicate, and enforce information security requirements with third-party suppliers, contractors, and service providers.
- Monitoring and Logging: Monitor information systems for anomalies and security events. Collect, retain, and regularly review security logs to detect threats and support investigations.
- Threat Intelligence: Use internal and external threat intelligence to proactively detect and mitigate risks.
- Information Classification and Categorization: Classify and label information assets according to sensitivity, and categorize systems per NIST FIPS 199 (Low, Moderate, High). Controls shall be applied in proportion to categorization results.
Training and Awareness
- Provide regular training to all employees on information security policies, procedures, and best practices.
- Promote awareness of information security threats and the importance of reporting security incidents.
Compliance
- Ensure compliance with relevant legal, regulatory, and contractual requirements.
- Conduct regular audits and reviews to ensure the effectiveness of the ISMS and compliance with ISO/IEC 27001.
Continuous Improvement
- Monitor and measure the performance of the ISMS through internal audits and reviews.
- Implement corrective and preventive actions to address non-conformities and improve the ISMS.
- Encourage feedback from employees and stakeholders to enhance information security practices.
Policy Review
This policy shall be reviewed at least annually or in response to significant changes to ensure its continuing suitability, adequacy, and effectiveness. The policy shall be communicated to all relevant internal and external interested parties and made available as documented information.