The organization’s information security strategy is not based on a single control, but on a set of interconnected principles that form the foundation of the adopted Management System.
The pillar on which the entire structure rests is the principle of shared responsibility. Information security is not a task relegated to a single department, but a duty that belongs to every person within the organization. For this reason, a culture is promoted in which every employee is aware of his or her role and feels obliged to promptly report any known or suspected security incident, weakness or anomaly.
This shared responsibility is driven by a proactive approach based on risk management. The decisions taken by the organization regarding information security are not arbitrary, but are derived from a formal analysis of threats and vulnerabilities, which allows for the implementation of proportionate and effective controls. One of the main fruits of this approach is the principle of access control, according to which access to information and systems is granted following the logic of "least privilege" and "need-to-know", ensuring that each user has only the authorizations indispensable to perform their duties.
Controls, in turn, are not isolated elements. The principle of integrated security (security-by-design) ensures that security is a native component and not a late addition, being considered from the design phase of new processes, systems or services. Finally, the organization applies a defense-in-depth strategy, implementing multiple layers of security controls (technological, physical and procedural). In this way, if one barrier were to fail, others would be ready to intervene, creating a layered and resilient protection for our most valuable assets.