Politica de Seguridad

Oximesa S.L. – Esquema Nacional de Seguridad (ENS)

Objectives

The NGE Information Security System is designed to achieve the following objectives:

Those objectives are pursued through:

  1. Confidentiality (information is accessible only to authorized individuals or systems);
  2. Integrity (information and processing methods must be accurate and complete);
  3. Availability (information must be available and usable as required by business processes);
  4. Authenticity (the identity of users, processes and information can be verified and guaranteed);
  5. Traceability (actions on information and services can be attributed and reconstructed over time).

This information has been extracted from the Nippon Gases Europe Group policy and, in case of discrepancy, the official documents of the group shall always prevail.

Legal framework

The legal framework for action is based on Spanish and European regulations related to e-Government, cybersecurity and information security in general, as well as data protection. In the field of information security, these are the national laws that must be complied with:

Roles and responsibilities

Security committee

The Security Committee has several key responsibilities, including:

The members of the Security Committee are: CIO, Information Security Director, ISMS&GRC Manager (or delegate), Senior Systems Manager (or delegates), and Derecho.com (or delegate).

Process of Designation and Renewal of Roles

To ensure the effectiveness and accountability of the information security management system, the organization maintains a clear and structured process for the designation and renewal of the roles associated with the implementation and maintenance of the National Security Framework (ENS).

Roles critical to ENS compliance, such as the Security Officer, Data Protection Officer (DPO), System Administrator, Information Owner and Service Owner, must be formally assigned to qualified individuals. These designations are not made informally or by implication, but are documented, approved by management, and reviewed periodically to ensure ongoing suitability.

The process begins with the identification of all roles necessary to support the organization’s security framework. Each role is clearly defined in terms of responsibilities, authority, required competencies and its relationship to specific ENS controls. Once defined, the roles are assigned through a formal process. The designation is recorded in official organizational charts or role matrices, and individuals are notified of their appointments through signed responsibility acknowledgment forms.

All appointments and renewals are approved by the Security Committee or equivalent governance body. The outcome of each designation or renewal is logged in the ENS Activity Record and is traceable through documented meeting minutes or updated role matrices.

Mechanisms for coordination and resolution of conflicts

Coordination

The Security Committee will meet at least annually and additionally as needed. The agenda will include coordination of security activities, review of incidents, and discussion of any conflicts or issues raised. Minutes will be recorded and distributed to relevant stakeholders.

Official communication channels (for example, secure email or ticketing system) must be used for reporting and discussing coordination issues. All communications must be documented and traceable.

Issues that cannot be resolved at the operational level must be escalated to the Security Committee. If the Security Committee cannot resolve the issue, it will be escalated to senior management

Conflict Resolution Mechanisms

Any employee may report a conflict or coordination issue related to information security. Reports should be made through the designated communication channel, providing all relevant details.

The Security Committee (or designated subgroup) will assess the reported issue, determining its nature, impact and urgency.

The Security Committee will facilitate a meeting with the involved parties to discuss the issue and seek a resolution. If necessary, mediation by an impartial internal or external party may be arranged. The agreed resolution will be documented and communicated to all relevant stakeholders.

If a resolution cannot be reached, the issue will be escalated to senior management for a final decision. Senior management’s decision will be documented and implemented.

Documentation structure guidelines

The system documentation is structured, managed and accessed according to the internal procedure «IT-EU-PRO-SEC-000 – ISMS Document Management». Accordingly, any document created specifically to comply with the ENS shall maintain that nomenclature by including the acronym ENS in its name.

Risks Arising from the Processing of Personal Data

The processing of personal data introduces specific security and compliance risks that the organization must actively manage, both to protect individuals’ rights and to meet regulatory obligations under the General Data Protection Regulation (GDPR) and the National Security Framework (ENS).

Personal data, by its nature, is highly sensitive and must be handled with care throughout its lifecycle. The potential consequences of a data breach, such as unauthorized access, loss, alteration or misuse of personal information, can result in significant harm to individuals and reputational and legal repercussions for the organization.

Among the primary risks identified are breaches of confidentiality (for example, accidental disclosure of personal data), integrity violations (for example, unauthorized modification of health or identity records), and availability disruptions (for example, system failure leading to inaccessible data). Other notable risks include collecting more data than necessary (data minimization failure), using it for purposes beyond those originally declared (purpose creep), and the inability to trace how or when data has been accessed or shared.

ENS-mandated security controls are applied and reinforced to support data protection goals. These include strict access control mechanisms to limit data access to authorized users, encryption of data at rest and in transit, regular backup and recovery strategies to avoid data loss, and audit logging to detect any inappropriate access or anomalies. Moreover, all staff involved in processing personal data receive appropriate training to help prevent errors and reinforce accountability. This process is coordinated with the Data Protection Officer (DPO), who ensures that privacy risks are well understood and mitigated appropriately.

Sello de conformidad ENS Medio