OBJECTIVE
To expose the Information Security Policy as the set of basic principles and lines of action to which the organisation is committed within the framework of the ISO 27001 Standard.
SCOPE OF THE PROCEDURE
This Information Security Policy is applicable to all persons, systems and means that access, process, store, transmit or use the information known, managed or owned by the company for the processes described.
The personnel subject to this policy includes all persons with access to the information described, regardless of the automated or non-automated medium on which it is held and whether or not the individual is an employee of the company. It therefore also applies to contractors, customers or any other third parties who have access to company information or systems.
RESPONSIBILITIES
The Security Officer shall review this policy annually or when significant changes make it appropriate, and resubmit it for management approval.
Reviews shall test the effectiveness of the policy, assessing the effects of technological and business changes.
Management shall be responsible for approving any necessary modifications to the text when a change occurs that affects the risk situations set out in this document.
DEFINITIONS
- Information System: an organised set of resources that allows information to be collected, stored, processed, maintained, used, shared, distributed, made available, presented or transmitted.
- Risk: an estimate of the degree of exposure of one or more assets to a threat that would cause damage or harm to the organisation.
- Risk management: coordinated activities to direct and control an organisation with respect to risks.
- Information Security Management System (ISMS): a management system that, based on the study of risks, is established to create, implement, operate, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
- Availability: the property that system resources, and especially critical information, are accessible when needed.
- Integrity: the property that information in the system remains as it was stored by an authorised agent.
- Confidentiality: the property that information is available only to authorised agents, especially its owner.
LEGAL REFERENCES
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (GDPR).
- Organic Law 3/2018, of 5 December, on Data Protection and Guarantee of Digital Rights (LOPDGDD).
- Royal Legislative Decree 1/1996, of 12 April, Law on Intellectual Property.
- Law 34/2002 of 11 July, on information society services and electronic commerce.
METHODOLOGY/PROCEDURE
1 INTRODUCTION
Information is a critical, essential and highly valuable asset for the development of the company's activity. This asset must be adequately protected, by means of the necessary security measures, against the threats that may affect it, regardless of the formats, supports, means of transmission, systems or persons involved in its knowledge, processing or treatment.
Information security is the protection of this asset, with the aim of ensuring business continuity, minimising risk and maximising the return on investment and business opportunities.
Information security is a process that requires technical and human resources and an adequate management and definition of procedures, and in which the maximum collaboration and involvement of all company personnel is essential.
The company's management, aware of the value of information, is deeply committed to the policy described in this document.
2 PURPOSE
The purpose of this Information Security Policy is to protect the company's information assets, ensuring the availability, integrity, confidentiality, authenticity and traceability of the information and the facilities, systems and resources that process, manage, transmit and store it, always in accordance with the requirements of the business and current legislation.
3 SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM
The scope of the Information Security Management System encompasses the information systems that support the processes of maritime transport of passengers, vehicles, goods and the provision of the Freight Forwarding service and the Consignment service in the following work centres:
- Central office located in P.I. Añaza, Edificio Fred. Olsen, s/n. 38111-Santa Cruz de Tenerife
- Vessels:
  - Benchijigua Express
  - Bencomo Express
  - Bentago Express
  - Bocayna Express
  - Benchi Express
  - Betancuria Express
  - Bajamar Express
  - Bañaderos Express
  - Buganvilla Express
  - Bentayga Cargo
  - Buganvilla
  - Bahía Cargo
  - Barlovento Express
4 INFORMATION SECURITY PRINCIPLES
Information must be protected throughout its life cycle, from its creation or receipt, during its processing, communication, transport, storage, dissemination and until its eventual deletion or destruction. Therefore, the following minimum principles are established:
- Principle of confidentiality: information systems must be accessible only to those users, bodies, entities or processes expressly authorised to do so, with respect for the obligations of secrecy and professional confidentiality.
- Principle of integrity and quality: the integrity and quality of the information must be guaranteed, as well as that of the information processing processes, establishing mechanisms to ensure that the processes of creation, processing, storage and distribution of the information contribute to preserving its accuracy and correctness.
- Principle of availability and continuity: a level of availability shall be guaranteed in the information systems, and the necessary plans and measures shall be put in place to ensure the continuity of services and recovery in the event of serious contingencies.
- Principle of risk management: a continuous process of risk analysis and treatment must be articulated as the basic mechanism on which information systems security management is based.
- Principle of cost proportionality: the implementation of measures to mitigate the security risks of information systems must be based on a proportionality approach to economic and operational costs, without prejudice to ensuring that the necessary resources for the information security management system are available.
- Principle of awareness and training: initiatives will be articulated to enable users to be aware of their duties and obligations with regard to the secure processing of information. Similarly, specific ICT security training will be promoted for all those who manage and administer information and telecommunications systems.
- Principle of prevention: specific plans and lines of work will be developed to prevent fraud, non-compliance or incidents related to ICT security.
- Principle of detection and response: services must continuously monitor operation to detect anomalies in the levels of service provision and act accordingly, responding effectively to security incidents through the mechanisms established for this purpose.
- Principle of continuous improvement: the degree of compliance with the security improvement objectives planned annually and the degree of effectiveness of the ICT security controls implemented shall be reviewed in order to adapt them to the constant evolution of the risks and technological environment of the Public Administration.
- Principle of ICT security throughout the life cycle of information systems: security specifications shall be included in all phases of the life cycle of services and systems, accompanied by the corresponding control procedures.
- Principle of differentiated roles: responsibility for the security of information systems shall be differentiated from responsibility for the provision of services.
5 COMPLIANCE
The Information Security Policy is approved by the company's Management and its content and that of the rules and procedures that develop it is mandatory.
All users with access to the information processed, managed or owned by the company have the obligation and duty to safeguard and protect it.
The Information Security Policy and Rules (Asset Use Policies) will be adapted to the evolution of systems and technology and to organisational changes and will be aligned with current legislation and with the standards and best practices of the ISO/IEC 27001:2014 standard.
The applicable physical, administrative and technical security measures and controls shall be detailed in the Applicability Document and a schedule for their implementation and management shall be established.
The security measures and controls established shall be proportionate to the criticality of the information to be protected and its classification.
Users who fail to comply with the Information Security Policy or the complementary rules and procedures may be sanctioned in accordance with the provisions of the contracts covering their relationship with the company and with the current and applicable legislation.
6 CLASSIFICATION OF INFORMATION
The information shall be classified according to the sensitivity required for its processing and the levels of security and protection required.
7 ROLES, RESPONSIBILITIES AND DUTIES
Management assigns and communicates responsibilities, authorities and roles with regard to information security. It shall also ensure that users are aware of, assume and exercise the assigned responsibilities, authorities and roles.
Users
Any person or system accessing information processed, managed or owned by the company is considered a user. Users are responsible for their conduct when accessing information or using the company's computer systems. Users are responsible for all actions performed using their personal identifiers or credentials.
Users are obliged to:
- Comply with the Information Security Policy and complementary rules, procedures and instructions.
- Protect and safeguard the company's information, preventing its disclosure, external release, modification, accidental or unauthorised deletion or destruction, or misuse, regardless of the medium or means by which it was accessed or known.
- Know and apply the Information Security Policy, the Rules for the Use of Information Systems and all other applicable policies, rules, procedures and security measures.
Management
The management of the company is deeply committed to the policy described in this document and is aware of the value of information and the serious economic and image impact that a security incident can have. It assumes the following responsibilities:
- Demonstrate leadership and commitment to the information security management system.
- Ensure that the information security policy and objectives are established and are consistent with the strategic direction of the organisation.
- Approve and communicate the Information Security Policy, the Information Systems Usage Rules and the importance of compliance to all users, internal and external, customers and suppliers.
- Meet at least once a year, and whenever any extraordinary event or request demands it, with the Security and Systems Managers, to be informed about the ISMS and to update the Information Security strategy.
- Foster a corporate information security culture.
- Support the continuous improvement of information security processes.
- Ensure that the necessary resources are available for compliance with the information security policy, the rules for use of the systems and for the operation of the information security management system.
- Define the approach to the analysis and management of information security risks and the criteria for accepting risks, and ensure that risks are assessed at least annually.
- Ensure that internal information security audits are conducted and their results reviewed to identify opportunities for improvement.
- Define and control the information security budget.
- Approve training plans and Information Security related improvements and projects.
- Approve documentation up to the second level of standards and procedures.
- Determine the measures, disciplinary or otherwise, that may be applied to those responsible for security breaches.
Security Manager
The person holding the position of Information Security Officer shall assume the following functions:
- Promote the security of the information handled and the electronic services provided by the information systems, with the responsibility and authority to ensure that the Information Security Management System complies with the requirements of the UNE-ISO/IEC 27001 Standard.
- Supervise compliance with this Policy, its rules, derived procedures and the security configuration of the systems.
- Promote security awareness and training activities in the area of responsibility.
- Coordinate and monitor the implementation of projects to adapt to the ISO 27001 standard, in collaboration with the Head of Systems.
- Carry out, in collaboration with the System Manager, the mandatory risk analyses, select the safeguards to be implemented and review the risk management process. Likewise, together with the System Manager, accept the residual risks calculated in the risk analysis.
- Promote periodic audits to verify compliance with information security obligations and analyse the audit reports, drawing up the conclusions to be presented to the System Manager so that he/she can adopt the appropriate corrective measures.
- Sign the Statement of Applicability, which comprises the list of security measures selected for a system.
- Verify that the security measures are adequate for the protection of information and services.
- Be responsible for the direct or delegated execution of management decisions, and meet with Management and the System Manager at least annually to review the security strategy.
- Report serious incidents as appropriate, together with Management and the System Manager.
With regard to documentation, and with the support of the System Manager, the functions of the Security Officer are as follows, with the exceptions set out in the documents themselves:
- Propose second-level security documentation (ICT Security Standards (ICTS) and General Procedures of the Information Security Management System (ISMS)) to Management and the System Manager for approval, and sign said documentation.
- Approve the third-level security documentation (STIC Operating Procedures and STIC Technical Instructions).
- Maintain the documentation organised and updated, managing the mechanisms for accessing it.
In order to carry out any of its functions, the Security Manager may request the collaboration of the System Manager.
Data Protection Officer
In accordance with the GDPR (General Data Protection Regulation) and the LOPDGDD (Organic Law on Data Protection and the Guarantee of Digital Rights), the Data Protection Officer shall have at least the following functions:
- Inform and advise the data controller and its employees of their obligations in relation to the LOPDGDD and other data protection provisions.
- Monitor compliance with the GDPR, other Union or Member State data protection provisions and the controller's or processor's policies on the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits.
- Provide advice on request on the data protection impact assessment and monitor its implementation in accordance with Article 35.
- Cooperate with the supervisory authority (Spanish Data Protection Agency).
- Act as a contact point for the supervisory authority on issues relating to processing, including prior consultation as referred to in Article 36, and consult, as appropriate, on any other matter.
System Manager
The functions of the System Manager shall be as follows:
- Develop, operate and maintain the information system throughout its life cycle, including its specifications, installation and verification of its correct functioning.
- Define the topology and management system of the Information System, establishing the criteria for its use and the services available in it.
- Ensure that specific security measures are properly integrated into the overall security framework.
- Conduct exercises and tests on existing security operating procedures and continuity plans.
- Monitor the system's life cycle: specification, architecture, development, operation and changes.
- Implement the necessary measures to guarantee the security of the system throughout its life cycle, in agreement with the Security Manager.
- Approve any substantial modification to the configuration of any element of the system.
- Suspend the management of certain information or the provision of an electronic service if informed of serious security deficiencies, after prior agreement with the Security Officer and Management.
- Carry out, with the collaboration of the Security Officer, the mandatory risk analyses, the selection of safeguards to be implemented and the review of the risk management process. Likewise, together with the Security Officer, accept the residual risks calculated in the risk analysis.
- Develop, in collaboration with the Security Officer, the third-level security documentation (STIC Operational Procedures and STIC Technical Instructions).
System Security Administrator
The functions to be performed are the following:
- Implement, manage and maintain the security measures applicable to the information system.
- Manage, configure and update, where appropriate, the hardware and software on which the security mechanisms and services of the information systems are based.
- Manage the authorisations granted to system users, in particular the privileges granted, including monitoring that the activity carried out in the system conforms to what is authorised.
- Apply the security operating procedures.
- Apply configuration changes to the information system.
- Ensure that the established security controls are strictly complied with, and that the approved procedures for managing the information system are applied.
- Supervise the installation of hardware and software, their modifications and improvements, to ensure that security is not compromised and that at all times they comply with the relevant authorisations.
- Monitor the security status of the system as reported by the security event management tools and technical audit mechanisms implemented in the system.
- Inform the respective responsible parties of any anomalies, compromises or vulnerabilities related to security.
- Collaborate in the investigation and resolution of security incidents, from their detection to their resolution.
8 SECURITY RISK ASSESSMENT
Knowing the risks and developing a strategy to manage them adequately is essential for the company, since only by knowing the security status can the appropriate decisions be made to mitigate the risks faced.
For this purpose, a detailed analysis of the risks affecting the assets included in an asset inventory will be carried out and documented in a Risk Analysis document. The entity must determine the risk levels above which it will take treatment actions. A risk is considered acceptable when implementing further security controls is estimated to consume more resources than the possible associated impact.
Once the risk assessment process has been carried out, the company's management will be responsible for approving the residual risks and the risk treatment plans.
9 PROJECTS
All projects related to or affecting information systems must include, in their analysis process, an evaluation of security requirements and define a security model agreed upon with the information security officer. In the design, development, installation and management of information systems and in projects, security will be considered and applied from the design stage (security by design), through secure coding, and through the security controls and measures that are appropriate according to the approved applicability document.
10 PROCUREMENT AND ACQUISITIONS
All procurements and acquisitions that involve or require access to or processing of information classified as non-public must be covered by a contract that includes clauses designed to guarantee the safeguarding of the confidentiality, integrity, and availability of information.
In those cases where the contracted services involve access or processing by the supplier of personal data, the contract must include the clauses required to comply with the new General Data Protection Regulation (GDPR) and its developments.
Companies and individuals who, by reason of service contracts or acquisitions of any kind, access confidential or internal information, must be aware of the Information Security Policy and the complementary rules and procedures that apply to the purpose of the contract.
External companies and individuals who access the company's information must consider such information, by default, as confidential. The only information that they may consider as non-confidential is that which has been obtained through public media.
11 AWARENESS AND TRAINING
This Information Security Policy must be known to all internal and external users and to companies that access, manage, or process the company's data. The set of policies, standards and procedures complementary to this Information Security Policy must also be adequately communicated and made known to the persons, companies and institutions affected or involved in each case. Communication, awareness and training programmes will be defined periodically, and a copy of the corresponding rules (the Asset Use Policies) will be provided to users.
12 SECURITY INCIDENTS AND RESPONSE
Any compromise of the confidentiality, integrity, or availability of the company's information is considered a security incident. This includes, but is not limited to, unauthorized access, deletion, destruction, modification, or interruption of availability. Mere attempts to compromise the aforementioned conditions, to avoid, alter, or modify security measures, or violations or non-compliance with the Information Security Policy or complementary rules and procedures are also considered security incidents.
Users are responsible for immediately reporting any security incident through the channels and procedures defined in the organization for incident communication.
13 REVIEW AND AUDITS
The security officer will review this policy annually or when significant changes warrant it, and will resubmit it for approval by management.
Reviews will verify the effectiveness of the policy, assessing the effects of technological and business changes.
Management will be responsible for approving the necessary modifications to the text when a change occurs that affects the risk situations established in this document.
The security management system will be audited annually, according to an audit plan developed by the security officer.
Review date: December 20, 2024