77

We have a set of rules and procedures that help us to manage the security of in- formation processed by the company s IT systems, as well as the as sets that par- ticipate in its processes and business.

This management is structured through the implementation of the Security Ser- vices that the company deploys following the best practices available in the market. As part of the process of continuous im- provement we certify our processes (In- formation and Communication Technolo- gies (ICT) and its security process under the international standards ISO 27001 and ISO 20000. Also, the Cybersecu- rity area is responsible for reporting and managing technological risks in line with corporate ERm (Enterprise Risk manage- ment) methodologies.

In this respect, in 2017 we have launched a global initiative composed of six strate- gic lines in order to adapt our organisation to the new digital context. These lines include: the analysis and design of the evolution of the IT and Industrial Systems security function, regulatory compliance - new general Data Protection Regulation (gDPR) or the Law for the Protection of Critical Infrastructures (LPCI), among oth- ers - a global programme for training and awareness for users, security processes in the contracting of suppliers, and the evolution of various existing Cybersecu- rity technologies.

With regard to the management of Cy- bersecurity incidents, the specific process certified according to the standards has resulted in zero attacks in 2017 with a no- table impact on our business processes.

CybERSECURITy

2017 ANNUAL AND CORPORATE RESPONSIbILITy REPORT