SECURITY POLICY

Last revision: 6th September of 2019

The Management of Genomcore, SL, the company that owns the Made of Genes trademark (hereinafter, the “Company”), establishes as fundamental and priority the protection of its information assets for the correct provision of its services in the context of the personalized medicine and sensitive data management. Aware of the importance of good information security management for its business and customer satisfaction and as part of a strategy aimed at business continuity, risk management and the consolidation of a security culture, the Company has decided to design and implement an Information Security Management System (ISMS) applying the requirements of the UNE ISO / IEC 27001: 2013, ISO / IEC 27017: 2015, ISO / IEC 27018: 201 and its stakeholders.

The Company recognizes the importance of identifying and minimizing the risks to which its information assets are subjected, developing and implementing a security management model to prevent the loss, disclosure, modification and unauthorized use of information, thus helping to reduce operating and financial costs, guarantee compliance with legal, contractual, regulatory and business requirements. These aim to guarantee the security of the information by preserving its availability, ensuring that authorized users have access to the information and its associated assets when required, its confidentiality, ensuring that only those who are authorized can access the information and its integrity, ensuring that the information remains unchanged and traceable.

The Information Security Policy is supported by a set of policies, standards and procedures that guide the correct handling of information and that are based on the control objectives of the international standard UNE ISO 27002: 2013, ISO / IEC 27017 : 2015, ISO / IEC 27018: 2019.

The development, maintenance and continuous improvement of the ISMS will be based on the results of a process of continuous evaluation of the risks that act on the information assets of The Company that participate in the provision of its services, including the storage, analysis and management of genetic data, clinical information and other highly sensitive private information.

The Company’s Management undertakes to:

-Periodically establish objectives on the management of Information Security, and the actions necessary for its development.
-Establish the risk analysis system, evaluating the impact and threats.
-Implement the necessary actions to reduce the identified risks that are considered unacceptable, according to the criteria established by the Safety Committee.
-Apply the necessary controls and their corresponding monitoring methods.
Comply with the legal, regulatory, client requirements assumed by the Company and the contractual security obligations, especially with regard to the management and privacy of the personal and genetic data of our Clients and Collaborators.
-Guarantee each Client that their information will be processed in accordance with the fundamental requirements of confidentiality, integrity and availability typical of a biomedical information management system.
-Promote awareness and guarantee information security training for all our own personnel, as well as external collaborators involved in the use or management of information systems.
-When workers fail to comply with safety policies, apply disciplinary measures in accordance with the workers’ agreement, within the applicable legal framework and sized to the impact they have on the organization.
-Provide the necessary resources to guarantee the continuity of the Company’s business.

The security objectives of the Company are grouped around the following work blocks:

-Protection of files and databases: stores of personal data including genetic information and clinical data.
-Protection of private information including passwords, certificates and cryptographic keys.
-Protection of the source code repositories of the company’s products and services.
-Protection of communication networks and channels.
-Protection of the IT infrastructure that supports the organization, including facilities, buildings and rooms.
-Protection of the resources located in the cloud through specialized service providers.
-Protection of the company’s passive assets.
-Guarantee business continuity with contingency and redundancy plans at multiple levels.
-Compliance with legal and regulatory standards.
– The Company’s management appoints the Information Security Officer as the direct responsible for maintaining this policy for providing advice and guidance for its implementation.

This policy applies to all Company personnel, as well as to collaborators and suppliers with whom they work together.

The Information Security Policy may be reviewed and modified as provided by the Security Committee in accordance with the review needs established periodically. This policy is communicated to interested parties in order to involve them in the continuous improvement of the system.