1. Scope of the ISMS
The scope of the Information Security Management System (ISMS) covers all services provided by Intergrid (Opengea SCCL), including:
- Cloud Hosting, Dedicated Hosting and VPS.
- Registration and management of domains.
- Cloud-based web applications.
- Physical infrastructure hosted in advanced Data Centers in Germany, Finland, United States and Singapore, and fully managed by Intergrid from Barcelona.
2. Information Security Policy
Intergrid is committed to protecting the confidentiality, integrity, and availability of its own information and that of its clients, through appropriate technical and organizational controls, continuous risk assessment, and continuous improvement of the ISMS.
3. Risk Analysis and Treatment Methodology
- Identification of assets, threats and vulnerabilities.
- Impact and probability assessment (High, Medium, Low, None).
- Assignment of measures and controls to reduce risks.
- Documentation of residual risk and responsible party.
4. Statement of Applicability (SoA)
This statement certifies the commitment and actual implementation of the requirements of the ISO/IEC 27001:2022 standard through a responsible declaration by the organization.
Controls from Annex A of the ISO/IEC 27001 standard have been selected and applied according to the risk assessment, including:
- A.5: Security policies
- A.6: Organization of security
- A.8: Asset management
- A.9: Access control
- A.12: Operations security
- A.13: Communications security
- A.15: Supplier relationships
- A.16: Security incident management
- A.17: Business continuity
5. Security Objectives
- Prevent data leaks from hosted web services
- Ensure authentication and legitimate access to systems
- Ensure complete and available backups
- Ensure compliance with the GDPR
6. Key Records
- Record of assets and liabilities
- Security Training Record
- Security incidents
- Internal audits and management reviews
7. Specific Procedures
Security Incident Management
All incidents must be reported immediately to the ISMS manager. They will be documented in the incident register and an analysis will be carried out to identify causes, impact and corrective actions.
Access Control
- Access limited according to roles and needs
- Strong authentication: complex passwords and 2FA
- Periodic review of permissions
Backup Policy
- Automatic daily and weekly backups
- Replication in Multiple Data Centers (independent physical locations)
- Regular restoration tests
Acceptable Use Policy
Users and technicians may only use Intergrid resources for authorized purposes. Any abusive or illegal use, or any use that compromises security, will be subject to sanction.
Third-party and supplier management
- Confidentiality agreements with collaborators
- Control of suppliers' access to internal systems
- Periodic review of subcontracted services
Business continuity
- Georedundant backups and constant monitoring
- Disaster recovery procedures
- Assignment of key roles in crisis situations
Audits and continuous improvement
- Periodic internal audits of the ISMS
- Review of policies and procedures
- Record of corrective actions and improvements
Device and equipment management
- Updated inventory of equipment and devices
- Screen lock policy and disk encryption
- Limitation of the use of external devices (USB, etc.)
Email Security
- Filtering of suspicious emails (spam, phishing)
- Configuration of SPF, DKIM, and DMARC
- Sending restrictions and campaign review
Classification and handling of information
- Labeling according to sensitivity (confidential, internal...)
- Distribution restrictions according to classification
- Secure destruction of obsolete information
Training and awareness
- Periodic training sessions on security
- Awareness campaigns for all staff
- Periodic phishing simulation tests
Management of records and evidence
- Record preservation during the period established by regulations
- Access control to confidential records
- Integrity and availability guaranteed through redundant systems
Specific policies for projects and clients
- Assignment of a security manager per project
- Privacy controls and data sharing limited according to contracts
- Security validation before deploying services to clients
This documentation is basic and extensible according to the evolution of the ISMS. It is recommended to review it at least annually or after significant incidents.
Risk Analysis (ISMS - ISO 27001)
Company: Intergrid (Opengea SCCL)
Date: 15-10-2024
Scope: Hosting services (cloud, dedicated, VPS), domains and web applications.
Asset | Threat | Vulnerability | Impact | Probability | Risk level | Measures applied | Residual risk | Responsible |
---|---|---|---|---|---|---|---|---|
Access to servers | Unauthorized access | Open ports / uncontrolled access | High | None | None | IP filtering, SSH keys, 2FA, fail2ban | Very low | Systems Technician |
Databases | Data leak | Unparameterized SQL queries | High | Low | Low | ORM, access control, auditing | Very low | Backend Developer |
Control panel | Service outage | DDoS attack | Medium | Medium | Medium | Cloudflare, connection rate limiting | Low | DevOps |
Backups | Data loss | Non-replicated copies | High | Medium | High | Redundant backups in multiple locations | Low | Systems Technician |
E-commerce service | Fraudulent modification | No logs | High | Medium | High | Active monitoring, alerts, auditing | Medium | Web Development |
DNS and domains | Manipulation of records | Exposed API key | High | Low | Medium | Key regeneration and access control | Low | Domain Admin |
User websites | Identity theft | Weak authentication | High | Medium | High | 2FA, login attempt limiting, captchas | Low | Frontend Developer |
Email | Spam / phishing | Weak content validation | High | Medium | High | SPF, DKIM, DMARC, SpamAssassin, log review | Low | |
Staff remote access | Improper access | VPN without MFA | Medium | Medium | Medium | VPN with MFA, restricted by IP | Low | Systems Technician |
Internal applications | Execution of unauthorized code | No version control | High | Low | Medium | Version control, supervised deployment | Low | DevOps |
Payments | Access to or manipulation of payment data | Delegation to third parties without sufficient control | High | Low | Medium | Use of Stripe as a PCI-DSS compliant platform; sensitive data is not stored locally | Low | Legal / Technical Web Manager |
Third-party software | Execution of malicious code | Lack of updates | High | Medium | High | Periodic updates, vulnerability tracking (CVE) | Medium | DevOps |
Human error | Accidental deletion | Lack of training / incorrect permissions | Medium | Medium | Medium | Training, reviews, limited permissions | Low | All employees |
Critical configurations | Malicious configuration injection | No automatic validation | High | Low | Medium | Configuration audits, automated tests | Low | DevOps |
Version control | Introduction of insecure code | No change review or tests | High | Medium | High | Peer review, continuous integration, automated tests | Medium | DevOps |
Administration portals | Illicit access | Publicly exposed interface | High | Low | Medium | IP-restricted access, 2FA, access logs | Low | Infrastructure |
System updates | Exploitation of known vulnerabilities | Delay in patch application | High | Low | Medium | Periodic updates, vulnerability scanners | Low | Systems Technician |
Custom development | Leaks of sensitive data | Lack of input validation and sanitization | High | Medium | High | Application of OWASP guidelines, developer training | Low | Backend Developer |
External providers | Critical dependence | Lack of SLA contracts or agreements | Medium | Medium | Medium | Service Level Agreements (SLA), continuity analysis | Medium | Management |
Security logs | Missing evidence in case of incident | Premature rotation or deletion | Medium | Medium | Medium | Secure and controlled retention, restricted access, SIEM | Low | Systems Technician |
Digital identities | User impersonation | Lack of account lifecycle management | High | Low | Medium | Automated provisioning and deactivation, periodic review | Low | ISMS Manager |
Staff hiring | Breach of confidentiality | No NDA or prior training | Medium | Low | Low | NDA clauses, onboarding training, initial access control | Very low | Management |
Public DNS server | Malicious redirection | Incorrect configuration of zones or records | High | Low | Medium | Periodic review of zones, restricted access, change log | Low | Domain Admin |
User sessions | Undue persistence | No automatic expiration | Medium | High | High | Automatic expiration, inactive session logout | Low | Web Development |
System updates | Exploitation of known vulnerabilities | Postponed or incomplete updates | High | Medium | High | Centralized update management, testing before deployment | Medium | DevOps |
API interfaces | Unauthorized access to data | Lack of authentication control or quotas | High | Medium | High | Tokens with expiration, IP limiting and strong authentication | Low | Backend Developer |
Pre-production environments | Exposure of real data | Replicated database with sensitive data | High | Low | Medium | Anonymized, separate environments, access restrictions | Low | DevOps |
Remote technical support | Leakage of confidential information | Sessions not logged or monitored | Medium | Low | Medium | Secure channels, activity log, time-limited access | Low | Helpdesk |
Document management | Unauthorized access to internal documents | Uncontrolled shared files | Medium | High | High | Platform with granular permissions, review of shares | Low | ISMS Manager |
Information Security Policy (ISMS)
Company: Intergrid (Opengea SCCL)
Approval date: 15-10-2024
Approved by: Technical Management
- Objective: Guarantee the confidentiality, integrity and availability of information, client data and systems.
- Scope: All hosting infrastructure and applications developed or hosted by Intergrid.
- Commitment: Application of the ISO/IEC 27001 framework.
- Responsibility: Compliance by all staff.
- Key measures:
- Role-based access control and 2FA
- Segregated backups
- Incident monitoring
- Annual risk assessment
- Training and awareness
- Review: Annual.
Statement of Applicability (SoA) - ISO 27001
Date: 15-10-2024
Responsible for the ISMS: Jordi Berenguer / Technical Director
Control (Annex A) | Title | Applicable? | Status | Comments |
---|---|---|---|---|
A.5.1 | Security policy | Yes | Implemented | Published and reviewed |
A.5.11 | Data usage | Yes | Implemented | Client offboarding |
A.6.1 | Security organization | Yes | Implemented | Defined roles |
A.6.3 | Remote work | Yes | Implemented | VPN and encrypted laptops |
A.7.1 | Scheduled backups | Yes | Implemented | Redundant backups |
A.8.1 | Access control | Yes | Implemented | ACLs and strong authentication |
A.8.16 | Supervision of activities | Yes | Partial | In deployment |
A.12.1 | Application security | Yes | Implemented | OWASP, code review |
A.14.1 | Secure communications | Yes | Implemented | HTTPS, SFTP |
A.18.2 | Internal ISMS audit | Yes | Planned | Q4 2025 |
Version: 4.8 — Last review: 15-10-2024