Oximesa S.L. – Esquema Nacional de Seguridad (ENS)
Objectives
The NGE Information Security System is designed to achieve the following objectives:
- protect the interest of shareholders, employees and third parties;
- ensure compliance with applicable laws and regulations;
- ensure a standard model for corporate information protection and the management of related risks;
- guarantee proper corporate information protection and the continuity of business processes, based on the level of confidentiality, integrity, availability, authenticity and traceability requested;
- minimize the business risk by preventing and minimizing the impact of information security incidents;
- retain documentation of the designed and implemented systems;
- retain evidence of the authorization processes and of the performed activities as required by business functions.
Those objectives are pursued through:
- the application to systems design and implementation of the best standard currently available to protect information assets and to ensure compliance with relevant legislation on information processing, guaranteeing the required level of:
- Confidentiality (information is accessible only to authorized individuals or systems);
- Integrity (information and processing methods must be accurate and complete);
- Availability (information must be available and usable as required by business processes);
- Authenticity (the identity of users, processes and information can be verified and guaranteed);
- Traceability (actions on information and services can be attributed and reconstructed over time).
- the establishment, implementation, operation, monitoring, review, maintenance and continuous improvement of an effective Information Security Management System (ISMS);
- a strong commitment of top management that guarantees the resources needed to achieve these objectives.
This information has been extracted from the Nippon Gases Europe Group policy and, in case of discrepancy, the official documents of the group shall always prevail.
Legal framework
The legal framework for action is based on Spanish and European regulations related to e-Government, cybersecurity and information security in general, as well as data protection. In the field of information security, these are the national laws that must be complied with:
- Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales.
- Real Decreto 1720/2007, de 21 de diciembre, por el que se aprueba el Reglamento de desarrollo de la Ley Orgánica 15/1999 (vigente en aquellos artículos que no contradigan el RGPD).
- Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico.
- Real Decreto Legislativo 1/1996, de 12 de abril, por el que se aprueba el texto refundido de la Ley de Propiedad Intelectual.
- Real Decreto 311/2022, de 3 de mayo, por el que se regula el Esquema Nacional de Seguridad.
Roles and responsibilities
- Information Responsible: ensures that information security requirements align with the organization’s standards and objectives and comply with the National Security Framework guidelines. Defines the Information Security Requirements.
- Service Responsible: responsible for defining security requirements for the organization’s services and ensuring service-level compliance with security standards as outlined in the National Security Framework. Defines the Services Security Requirements.
- Security Responsible: leads the Information Security Management System (ISMS), coordinates security strategy and policies, and oversees the organization’s adherence to security protocols and risk management. Determines and supervises the implementation of the Information and Services Security Requirements.
- System Responsible: oversees the security and functionality of IT systems throughout their lifecycle, ensuring that all technical components adhere to security policies and risk management guidelines. Implements the Security Requirements and supervises the Security Operations.
- Data Protection Officer: ensures the organization’s compliance with data protection laws, manages data processing activities, and serves as the point of contact for data breach notifications and risk assessments. Ensures data protection compliance.
Security committee
The Security Committee has several key responsibilities, including:
- Defining Security Policies: establishing and maintaining the organization’s security policies in line with ENS requirements.
- Risk Management: identifying, analyzing and managing cybersecurity risks to ensure the protection of information and systems.
- Monitoring Compliance: ensuring compliance with ENS regulations and other applicable security frameworks.
- Incident Management: overseeing security incidents, ensuring proper response, reporting and continuous improvement.
- Coordination and Communication: acting as a liaison between different departments and ensuring security awareness across the organization.
- Continuous Improvement: reviewing security measures regularly and updating policies to adapt to new threats and technologies.
- Audit and Certification Support: assisting with audits and ensuring the organization meets ENS certification requirements.
The members of the Security Committee are: CIO, Information Security Director, ISMS&GRC Manager (or delegate), Senior Systems Manager (or delegates), and Derecho.com (or delegate).
Process of Designation and Renewal of Roles
To ensure the effectiveness and accountability of the information security management system, the organization maintains a clear and structured process for the designation and renewal of the roles associated with the implementation and maintenance of the National Security Framework (ENS).
Roles critical to ENS compliance, such as the Security Officer, Data Protection Officer (DPO), System Administrator, Information Owner and Service Owner, must be formally assigned to qualified individuals. These designations are not made informally or by implication, but are documented, approved by management, and reviewed periodically to ensure ongoing suitability.
The process begins with the identification of all roles necessary to support the organization’s security framework. Each role is clearly defined in terms of responsibilities, authority, required competencies and its relationship to specific ENS controls. Once defined, the roles are assigned through a formal process. The designation is recorded in official organizational charts or role matrices, and individuals are notified of their appointments through signed responsibility acknowledgment forms.
All appointments and renewals are approved by the Security Committee or equivalent governance body. The outcome of each designation or renewal is logged in the ENS Activity Record and is traceable through documented meeting minutes or updated role matrices.
Mechanisms for coordination and resolution of conflicts
Coordination
The Security Committee will meet at least annually and additionally as needed. The agenda will include coordination of security activities, review of incidents, and discussion of any conflicts or issues raised. Minutes will be recorded and distributed to relevant stakeholders.
Official communication channels (for example, secure email or ticketing system) must be used for reporting and discussing coordination issues. All communications must be documented and traceable.
Issues that cannot be resolved at the operational level must be escalated to the Security Committee. If the Security Committee cannot resolve the issue, it will be escalated to senior management
Conflict Resolution Mechanisms
Any employee may report a conflict or coordination issue related to information security. Reports should be made through the designated communication channel, providing all relevant details.
The Security Committee (or designated subgroup) will assess the reported issue, determining its nature, impact and urgency.
The Security Committee will facilitate a meeting with the involved parties to discuss the issue and seek a resolution. If necessary, mediation by an impartial internal or external party may be arranged. The agreed resolution will be documented and communicated to all relevant stakeholders.
If a resolution cannot be reached, the issue will be escalated to senior management for a final decision. Senior management’s decision will be documented and implemented.
Documentation structure guidelines
The system documentation is structured, managed and accessed according to the internal procedure «IT-EU-PRO-SEC-000 – ISMS Document Management». Accordingly, any document created specifically to comply with the ENS shall maintain that nomenclature by including the acronym ENS in its name.
Risks Arising from the Processing of Personal Data
The processing of personal data introduces specific security and compliance risks that the organization must actively manage, both to protect individuals’ rights and to meet regulatory obligations under the General Data Protection Regulation (GDPR) and the National Security Framework (ENS).
Personal data, by its nature, is highly sensitive and must be handled with care throughout its lifecycle. The potential consequences of a data breach, such as unauthorized access, loss, alteration or misuse of personal information, can result in significant harm to individuals and reputational and legal repercussions for the organization.
Among the primary risks identified are breaches of confidentiality (for example, accidental disclosure of personal data), integrity violations (for example, unauthorized modification of health or identity records), and availability disruptions (for example, system failure leading to inaccessible data). Other notable risks include collecting more data than necessary (data minimization failure), using it for purposes beyond those originally declared (purpose creep), and the inability to trace how or when data has been accessed or shared.
ENS-mandated security controls are applied and reinforced to support data protection goals. These include strict access control mechanisms to limit data access to authorized users, encryption of data at rest and in transit, regular backup and recovery strategies to avoid data loss, and audit logging to detect any inappropriate access or anomalies. Moreover, all staff involved in processing personal data receive appropriate training to help prevent errors and reinforce accountability. This process is coordinated with the Data Protection Officer (DPO), who ensures that privacy risks are well understood and mitigated appropriately.