1. Scope of the ISMS

The scope of the information security management system (ISMS) covers all services provided by Intergrid (Opengea SCCL), including:

  • Cloud Hosting, Dedicated Hosting and VPS.
  • Registration and management of domains.
  • Cloud-based web applications.
  • Physical infrastructure hosted in advanced Data Centers in Germany, Finland, United States and Singapore, and fully managed by Intergrid from Barcelona.

2. Information Security Policy

Intergrid is committed to protecting the confidentiality, integrity, and availability of its own information and that of its clients, through appropriate technical and organizational controls, continuous risk assessment, and continuous improvement of the ISMS.

3. Risk Analysis and Treatment Methodology

  • Identification of assets, threats and vulnerabilities.
  • Assessment of impact and probability (High, Medium, Low, Null).
  • Assignment of measures and controls to reduce risks.
  • Documentation of residual risk and responsible party.

4. Statement of Applicability (SoA)

This statement certifies the commitment and actual implementation of the requirements of the ISO/IEC 27001:2022 standard through a responsible declaration by the organization.

Controls from Annex A of ISO/IEC 27001 have been selected and applied according to the risk assessment, including:

  • A.5: Security policies
  • A.6: Organization of security
  • A.8: Asset management
  • A.9: Access control
  • A.12: Operational security
  • A.13: Communications security
  • A.15: Supplier relationships
  • A.16: Security incident management
  • A.17: Business continuity

5. Security Objectives

  • Prevent data leaks from hosted web services
  • Ensure authentication and legitimate access to systems
  • Ensure complete and available backups
  • Ensure compliance with the GDPR

6. Key Records

  • Register of assets and responsibilities
  • Security Training Record
  • Security incidents
  • Internal audits and management reviews

7. Specific Procedures

Security incident management

All incidents must be reported immediately to the ISMS manager. They are documented in the incident register, and an analysis is carried out to identify causes, impact and corrective actions.

Access control

  • Access limited according to roles and needs
  • Strong authentication: complex passwords and 2FA
  • Periodic review of permissions

Backup Policy

  • Automatic daily and weekly backups
  • Replication in Multiple Data Centers (independent physical locations)
  • Regular restoration tests

Acceptable use policy

Users and technicians may only use Intergrid's resources for authorized purposes. Any abusive or illegal use, or any use that compromises security, will be subject to sanction.

Third-party and supplier management

  • Confidentiality agreements with collaborators
  • Control of supplier access to internal systems
  • Periodic review of subcontracted services

Business continuity

  • Georedundant backups and constant monitoring
  • Disaster recovery procedures
  • Assignment of key roles in crisis situations

Audits and continuous improvement

  • Periodic internal audits of the ISMS
  • Review of policies and procedures
  • Register of corrective and improvement actions

Device and equipment management

  • Up-to-date inventory of equipment and devices
  • Screen lock policy and disk encryption
  • Restriction on the use of external devices (USB, etc.)

Email Security

  • Filtering of suspicious emails (spam, phishing)
  • Configuration of SPF, DKIM, and DMARC
  • Sending restrictions and review of mailing campaigns

Classification and handling of information

  • Labeling according to sensitivity (confidential, internal...)
  • Distribution restrictions according to classification
  • Secure destruction of obsolete information

Training and awareness

  • Periodic training sessions on security
  • Awareness campaigns for all staff
  • Periodic phishing simulation tests

Management of records and evidence

  • Record preservation during the period established by regulations
  • Access control to confidential records
  • Integrity and availability guaranteed through redundant systems

Specific policies for projects and clients

  • Assignment of a security manager per project
  • Privacy controls and limits on data sharing according to contracts
  • Security validation before deploying services to clients

This documentation is basic and extensible as the ISMS evolves. It should be reviewed at least annually, or after significant incidents.

Risk Analysis (ISMS - ISO 27001)

Company: Intergrid (Opengea SCCL)
Date: 15-10-2024
Scope: Hosting services (cloud, dedicated, VPS), domains and web applications.

| Asset | Threat | Vulnerability | Impact | Probability | Risk level | Measures applied | Residual risk | Responsible |
|---|---|---|---|---|---|---|---|---|
| Access to servers | Unauthorized access | Open ports / uncontrolled access | High | Null | Null | IP filtering, SSH key, 2FA, fail2ban | Very low | Systems Technician |
| Databases | Data leak | Unparameterized SQL | High | Low | Low | ORM, access control, audit | Very low | Backend Developer |
| Control panel | Service outage | DDoS attack | Medium | Medium | Medium | Cloudflare, connection limitation | Low | DevOps |
| Backups | Data loss | Non-replicated copies | High | Medium | High | Redundant backups in multiple locations | Low | Systems Technician |
| E-commerce service | Fraudulent modification | Nonexistent logs | High | Medium | High | Active monitoring, alerts, auditing | Medium | Web development |
| DNS and domains | Manipulation of records | Exposed API key | High | Low | Medium | Key regeneration and access control | Low | Domain Admin |
| User website | Identity theft | Weak authentication | High | Medium | High | 2FA, attempt limitation, captchas | Low | Frontend Developer |
| Email | Spam / phishing | Weak content validation | High | Medium | High | SPF, DKIM, DMARC, SpamAssassin, log review | Low | Email |
| Remote access of staff | Improper access | VPN without MFA | Medium | Medium | Medium | VPN with MFA, restricted by IP | Low | Systems Technician |
| Internal applications | Execution of unauthorized code | Absence of version control | High | Low | Medium | Version control, supervised deployment | Low | DevOps |
| Payments | Access to or manipulation of payment data | Delegation to third parties without sufficient control | High | Low | Medium | Use of Stripe as a PCI-DSS compliant platform; no sensitive data stored locally | Low | Legal / Technical Web Manager |
| Third-party software | Execution of malicious code | Lack of updates | High | Medium | High | Periodic updates, vulnerability control (CVE) | Medium | DevOps |
| Human errors | Accidental deletion | Lack of training / incorrect permissions | Medium | Medium | Medium | Training, reviews, limited permissions | Low | All employees |
| Critical configurations | Malicious configuration injection | No automatic validation | High | Low | Medium | Configuration audits, automatic tests | Low | DevOps |
| Version control | Introduction of insecure code | Lack of review of changes or tests | High | Medium | High | Peer review, continuous integration, automated tests | Medium | DevOps |
| Administration portals | Illicit access | Publicly exposed interface | High | Low | Medium | IP-restricted access, 2FA, access logs | Low | Infrastructure |
| System updates | Exploitation of known vulnerabilities | Delay in patch application | High | Low | Medium | Periodic updates, vulnerability scanners | Low | Systems Technician |
| Custom development | Leaks of sensitive data | Lack of input validation and sanitization | High | Medium | High | Application of OWASP guides, training for developers | Low | Backend Developer |
| External providers | Critical dependence | Lack of SLA contracts or agreements | Medium | Medium | Medium | Service Level Agreements (SLA), continuity analysis | Medium | Management |
| Security logs | Loss of evidence in case of incident | Rotation or premature erasure | Medium | Medium | Medium | Safe and controlled retention, restricted access, SIEM | Low | Systems Technician |
| Digital identities | User impersonation | Lack of account lifecycle management | High | Low | Medium | Automated provisioning and deactivation, periodic review | Low | ISMS Manager |
| Hiring of staff | Breach of confidentiality | Absence of NDA or prior training | Medium | Low | Low | NDA clauses, onboarding training, initial access control | Very low | Management |
| Public DNS server | Malicious redirection | Incorrect configuration of zones or records | High | Low | Medium | Periodic review of zones, restricted access, change log | Low | Domain Admin |
| User sessions | Undue persistence | No automatic expiration | Medium | High | High | Automatic expiration, inactive session logout | Low | Web development |
| System updates | Exploitation of known vulnerabilities | Postponed or incomplete updates | High | Medium | High | Centralized update management, testing before deployment | Medium | DevOps |
| API interfaces | Unauthorized access to data | Lack of authentication control or quotas | High | Medium | High | Tokens with expiration, IP limitation and strong authentication | Low | Backend Developer |
| Pre-production environments | Exposure of real data | Replicated database with sensitive data | High | Low | Medium | Anonymization, separate environments, access restrictions | Low | DevOps |
| Remote technical support | Leakage of confidential information | Sessions not recorded or monitored | Medium | Low | Medium | Secure channels, activity logging, temporary access limitation | Low | Helpdesk |
| Document management | Unauthorized access to internal documents | Uncontrolled shared files | Medium | High | High | Platform with granular permissions, review of shares | Low | ISMS Manager |
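The methodology in section 3 and the register above rate each asset by impact and probability (High, Medium, Low, Null) and state a resulting risk level, but the register is maintained by hand and the levels are easy to get out of step. The following Python is an added example, not Intergrid's own tooling: it parses a pipe-delimited register (a constructed sample that mirrors a handful of rows from the table above), recomputes the level from an impact × probability matrix, and flags rows whose stated level disagrees with the matrix or whose residual risk still sits at or above Medium and therefore needs treatment or a documented risk acceptance. The matrix itself is an assumption: the page names the four levels but does not publish how they combine, so the scoring here is chosen to reproduce the common rows (High × Low = Medium, High × Medium = High, anything × Null = Null) and is the kind of rule a reviewer would write down explicitly before an internal audit.

```python
from __future__ import annotations

from dataclasses import dataclass

# Ordinal scale for impact, probability and residual risk.
# "Very low" appears only as a residual value; it is ranked with "Null".
SCALE = {"Null": 0, "Very low": 0, "Low": 1, "Medium": 2, "High": 3}


def risk_level(impact: str, probability: str) -> str:
    """Combine impact and probability into a risk level.

    ASSUMED matrix (not published on the page): multiply the two ordinal
    scores and bucket the product. 0 -> Null, 1-2 -> Low, 3-4 -> Medium,
    6-9 -> High.
    """
    score = SCALE[impact] * SCALE[probability]
    if score == 0:
        return "Null"
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


@dataclass
class RiskRow:
    asset: str
    impact: str
    probability: str
    stated_level: str
    measures: str
    residual: str
    owner: str


def parse_register(text: str) -> list[RiskRow]:
    """Parse pipe-delimited register rows; header and separator lines are skipped."""
    rows: list[RiskRow] = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 9 or cells[0] == "Asset" or set(cells[0]) <= {"-"}:
            continue
        asset, _threat, _vuln, impact, prob, level, measures, residual, owner = cells
        rows.append(RiskRow(asset, impact, prob, level, measures, residual, owner))
    return rows


def find_inconsistencies(rows: list[RiskRow]) -> list[tuple[str, str, str]]:
    """Return (asset, stated level, expected level) where the register and matrix disagree."""
    out = []
    for r in rows:
        expected = risk_level(r.impact, r.probability)
        if expected != r.stated_level:
            out.append((r.asset, r.stated_level, expected))
    return out


def unacceptable_residuals(rows: list[RiskRow], threshold: str = "Medium") -> list[str]:
    """Assets whose residual risk is at or above the threshold after the measures applied."""
    return [r.asset for r in rows if SCALE[r.residual] >= SCALE[threshold]]


# Constructed sample: a subset of the register rows from the page, in the
# same column order (Asset | Threat | Vulnerability | Impact | Probability |
# Risk level | Measures applied | Residual risk | Responsible).
SAMPLE_REGISTER = """
| Asset | Threat | Vulnerability | Impact | Probability | Risk level | Measures applied | Residual risk | Responsible |
|---|---|---|---|---|---|---|---|---|
| Access to servers | Unauthorized access | Open ports / uncontrolled access | High | Null | Null | IP filtering, SSH key, 2FA, fail2ban | Very low | Systems Technician |
| Databases | Data leak | Unparameterized SQL | High | Low | Low | ORM, access control, audit | Very low | Backend Developer |
| Control panel | Service outage | DDoS attack | Medium | Medium | Medium | Cloudflare, connection limitation | Low | DevOps |
| E-commerce service | Fraudulent modification | Nonexistent logs | High | Medium | High | Active monitoring, alerts, auditing | Medium | Web development |
| Third-party software | Execution of malicious code | Lack of updates | High | Medium | High | Periodic updates, vulnerability control (CVE) | Medium | DevOps |
| User sessions | Undue persistence | No automatic expiration | Medium | High | High | Automatic expiration, inactive session logout | Low | Web development |
| Hiring of staff | Breach of confidentiality | Absence of NDA or prior training | Medium | Low | Low | NDA clauses, onboarding training, initial access control | Very low | Management |
"""

if __name__ == "__main__":
    register = parse_register(SAMPLE_REGISTER)
    for asset, stated, expected in find_inconsistencies(register):
        print(f"level mismatch: {asset}: stated {stated}, matrix says {expected}")
    for asset in unacceptable_residuals(register):
        print(f"residual risk needs treatment or sign-off: {asset}")
```

Under the assumed matrix the Databases row is reported as a mismatch (High impact and Low probability score as Medium, while the register states Low), and the two rows with a Medium residual are listed for follow-up; which rule the organization actually uses should be written into section 3 so that this check encodes the documented method rather than a guess.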

Information Security Policy (ISMS)

Company: Intergrid (Opengea SCCL)
Approval date: 15-10-2024
Approved by: Technical Management

  1. Objective: Guarantee the confidentiality, integrity and availability of information, client data and systems.
  2. Scope: All hosting infrastructure and applications developed or hosted by Intergrid.
  3. Commitment: Application of the ISO/IEC 27001 framework.
  4. Responsibility: Compliance by all staff.
  5. Key measures:
    • Role-based access control and 2FA
    • Segregated backups
    • Incident monitoring
    • Annual risk assessment
    • Training and awareness
  6. Review: Annual.

Statement of Applicability (SoA) - ISO 27001

Date: 15-10-2024
Responsible for the ISMS: Jordi Berenguer / Technical Director

| Control (Annex A) | Title | Applicable? | Status | Comments |
|---|---|---|---|---|
| A.5.1 | Security policy | | Implemented | Published and reviewed |
| A.5.11 | Data usage | | Implemented | Client dropouts |
| A.6.1 | Security organization | | Implemented | Defined roles |
| A.6.3 | Remote work | | Implemented | VPN and encrypted laptops |
| A.7.1 | Backups | | Implemented | Redundant backups |
| A.8.1 | Access control | | Implemented | ACLs and strong authentication |
| A.8.16 | Supervision of activities | | Partial | In deployment |
| A.12.1 | Security applications | | Implemented | OWASP, code review |
| A.14.1 | Secure communications | | Implemented | HTTPS, SFTP |
| A.18.2 | Internal audit of the ISMS | | Planned | Q4 2025 |

Version: 4.8 — Last review: 15-10-2024