Security Policy

Protecting access to, processing, safeguarding, and transmitting information — in line with professional, ethical, legal, regulatory, and contractual requirements — is one of eBUPi’s top priorities. It is regarded as essential to the success of the BUPi project and to the expansion of the Simplified Cadastral Information System. The loss or theft of information can have serious legal, administrative, financial, and reputational consequences, and may compromise the pursuit of the public interest entrusted to eBUPi. For this reason, the Mission Structure is fully committed to safeguarding the confidentiality, integrity, and availability of the information under its responsibility — including its own data and intellectual property — whether in physical or digital format.

eBUPi’s Information Security Policy is based on the adoption of recommended international and national standards, such as ISO 27001:2022 and the National Cybersecurity Framework (QNRCS). These standards establish general principles that must be applied to information and supporting assets, in compliance with all relevant legislation and regulations. All stakeholders are responsible for proactively contributing to the protection and security of information.


Principles

This Information Security Policy is intended to uphold the following principles:

  1. Information confidentiality is respected;
  2. Information is protected against unauthorised access;
  3. The integrity of information is maintained;
  4. All applicable legislation, statutes, regulations, and contracts — regardless of their designation — are observed;
  5. Business continuity-related information security is appropriate, maintained, and tested regularly;
  6. The “need-to-know” principle is enforced: access to information is granted only to those who require it to carry out their duties and only to the extent strictly necessary;
  7. All identified or suspected information security breaches are investigated by the competent departments;
  8. The use of information is restricted to fulfilling the core objectives and responsibilities relating to the Simplified Cadastral Information System and the BUPi initiative, as defined in Law No. 78/2017, of 17 August (as currently worded), Law No. 65/2019, of 23 August (as currently worded), and Decree-Law No. 9-A/2017, of 3 November (as currently worded), without prejudice to other applicable legal provisions.


Objectives

The primary objectives of eBUPi in this area are:

  1. To ensure that all directors and staff, as well as contractors and members of external teams, are aware of and comply with existing security policies and procedures;
  2. To define and communicate responsibilities concerning information security;
  3. To foster a positive security culture;
  4. To ensure compliance with all internal and external requirements — legal, regulatory, contractual, or normative — whenever applicable;
  5. To promote continuous awareness of information security, ensuring that all individuals mentioned above understand how information security is part of their role and what responsibilities they hold for protecting confidentiality, integrity, and availability of data;
  6. To incorporate information security requirements into business performance analysis and forecasting;
  7. To adopt a risk-based approach, identifying key risk areas inherent to information security activities, continuously assessing threats, and ensuring they are identified and managed based on risk assessment and the implementation of appropriate measures;
  8. To ensure proper protection of information systems and communications infrastructure against loss, misuse, or unauthorised access;
  9. To ensure access control to information systems complies with established identification, authentication, and authorisation requirements, while allowing for proper auditability;
  10. To restrict access to information exclusively to authorised individuals, within the strict scope of their duties;
  11. To promote a culture of continuous improvement in the field of information security;
  12. To ensure effective and efficient detection, recording, reporting, and investigation of security incidents to minimise their impact;
  13. To promote the integration of information security requirements into business continuity management;
  14. To continuously review security mechanisms and processes to ensure they remain effective, relevant, and aligned with evolving needs.