Advanced Search

Order Itc/110/2009, Of January 28, By Which Determine The Requirements And Technical Specifications That Are Needed For The Development Of Chapter Ii Of Title V Of The Regulation On The Conditions For The Provision Of Service...

Original Language Title: Orden ITC/110/2009, de 28 de enero, por la que se determinan los requisitos y las especificaciones técnicas que resultan necesarios para el desarrollo del capítulo II del título V del reglamento sobre las condiciones para la prestación de servicio...

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.

TEXT

The purpose of this order is to develop certain general aspects of Chapter II of Title V of the Regulation on the conditions for the provision of electronic communications services, universal service and protection of users, approved by Royal Decree 424/2005 of 15 April.

The provisions of this order are without prejudice to the ministerial orders relating to the specific obligations arising from the application of a particular telecommunications technology which are approved after the adoption of the interministerial commission set up by Order PRE/1575/2006 of 19 May 2006 for the preparation of the report prior to the approval of the ministerial orders which are issued in accordance with the provisions of the sixth transitional provision of the Regulation on conditions for the provision of electronic communications services, universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April.

Articles 95 and 98 of this Regulation empower the Ministry of Industry, Tourism and Trade to regulate certain technical specifications. Also, the final provision of Royal Decree 424/2005, dated April 15, authorizes the Minister of Industry, Tourism and Commerce to make the necessary provisions for the development and implementation of this royal decree.

In accordance with the provisions of the fifth additional provision of Law 32/2003 of 3 November, General Telecommunications, this order has been known and informed by the Advisory Council of Telecommunications and the The Information Society, which is equivalent to the conduct of the hearing procedure governed by Article 24.1.c) of Law 50/1997 of 27 November of the Government.

Moreover, the order passed has been the subject of the mandatory report of the Telecommunications Market Commission provided for in Article 48.3.h of Law 32/2003 of 3 November, General Telecommunications.

In her virtue, with the prior approval of the Minister of Public Administrations, I have:

Article 1. Object.

1. The purpose of this order is to determine the requirements and technical specifications for the implementation of the provisions of Chapter II of Title V of the Regulation on the conditions for the provision of services of electronic communications, universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April.

2. The provisions of this order are without prejudice to the ministerial orders, relating to the specific obligations arising from the application of a particular telecommunications technology, which are approved after the Commission's report interministerial set up by Order PRE/1575/2006 of 19 May 2006 for the preparation of the report prior to the approval of the ministerial orders which are issued in accordance with the provisions of the sixth transitional provision of the Regulation on conditions for the provision of electronic communications services, universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April, in the field of legal interception of electronic communications.

Article 2. Compliance with the obligations to provide the legal interception of communications and collaboration with the required subjects.

1. Under Article 85 of the Regulation on the conditions for the provision of electronic communications services, universal service and the protection of users, the following rules are laid down:

(a) When the subject is obliged to provide electronic communications services through communications networks of which he is not a holder or through other service providers, and the collaboration of such services is necessary for (a) to comply with its obligations regarding the legal interception of the communications of its subscribers and users, and to agree with them for the fulfilment of these obligations.

(b) A bound subject may agree with another operator for the conduct of the legal intercepts of the communications of its subscribers and users even if their collaboration is not necessary, provided that it is technically possible and meet the requirements laid down in the legislation on the legal interception of communications.

(c) Without prejudice to the provisions of the second transitional provision of this order, where the required subject has the status of a small operator, in accordance with the definition set out in paragraph (dd) of the Appendix; and does not accept the possibility set forth in the preceding paragraph, instead of using a permanent infrastructure to perform the legal interception, may choose to use non-permanent or shared systems with other operators that have the the same condition, depending on the state of the technology at each moment. To this end, the technical characteristics and the interception procedure to be followed must have been approved by the authorised agents.

For the calculation of the capacity that this non-permanent system should have, the formulas set out in Article 15 shall be used, considering the factor "x" equal to the sum of the subscribers and users of the small operators share the technical means that form the aforementioned non-permanent system. This option does not exempt from compliance with the rest of the provisions set out in this order, nor the adoption of the necessary measures to ensure the security of the legal interception of communications.

(d) The agreements referred to in (a) and (b) of this Article shall be notified to the authorised agents within a maximum of 15 days of their adoption. Such agreements shall be concluded under transparent, objective and non-discriminatory conditions.

e) When a subject is required to cease to use any of the powers provided for in rules (b) and (c) of this Article, he must notify the agents at least 15 days in advance. (

)

(f) The obliged subjects and their collaborators shall take the necessary measures to ensure that, in no case, the collaboration between operators for the provision of the legal interception of communications would undermine any of the security of the same.

2. For the purposes of this Article, operators who are authorised to provide telephone information services shall not have the status of subject to the provision of the consultation service on subscriber numbers.

Article 3. Communication of information related to the legal interception between obliged subjects.

1. The information relating to the commandment of the legal interception of communications which is exchanged between obliged subjects shall be limited to the strictly necessary to satisfy the needs arising from the obligation to collaborate between operators for the realization of the legal interception of communications. The required subjects shall at all times ensure the confidentiality of the information transmitted or stored, and cannot be used for any other purpose.

2. Interception orders and any other important information for the security of the interception system must be transmitted by a secure channel, as defined in the appendix of this order.

Article 4. Technical specifications.

1. The technical implementation of the systems for the legal interception of the required subjects will be adjusted to the technical specifications on legal interception developed by the European Telecommunications Standards Institute. (ETSI) and the Third Generation Partnership Project (3GPP).

2. The reference to the technical specifications to be applied for each particular technology, together with the determination of the relevant national optional parameters, the relevant observations to facilitate their compliance and the The maximum period for its implementation shall be published by orders of the Ministry of Industry, Tourism and Trade, following the report of the inter-ministerial committee set up by Order PRE/1575/2006 of 19 May 2006.

3. Without prejudice to the provisions of the foregoing paragraphs of this Article, the use of open standards shall be sought in the design and implementation of the interception system in order to ensure interoperability between different equipment. suppliers, and the use of operating systems and open source software in the interception system.

Article 5. Functional blocks and interfaces of the legal interception system.

1. In accordance with the ETSI and 3GPP specifications on the legal interception of communications, the functional blocks and interfaces of the legal interception system to be held by the required subject are shown in the figure in Annex I to this Regulation. this order.

2. The definition of each functional block and each interface is in the appendix of this order.

3. The required subjects shall ensure the availability, installation and maintenance, in the field of this order, of the elements of the legal interception system corresponding to their infrastructure (IIF), the mediation function (MF) and the administration function (ADMF).

4. The required staff shall allow the authorised agents to install and maintain the security features which the authorised agents consider appropriate for the protection of any and all communication interfaces (HI), provided that the total safety of these equipment in the provision of the service by the obliged subjects is guaranteed by them. The installation and maintenance of such equipment shall be carried out at the expense of the authorised agents.

Article 6. Channels for the HI1 interface.

1. The HI1 administration interface is a two-way interface between the authorized agent and the subject bound for the exchange of administration information. It is used to exchange information, diverse and unnormalized, that includes from interception orders to resolution of technical incidents.

2. The bound subject will have the following channels available for the HI1 interface:

(a) Unsecure channels: They may never be used to transmit personal data, communications content, or any other data that may compromise the security of legal communications intercepts, in which The use of a safe channel is mandatory. Where it is necessary to refer to a specific legal interception order, through an unsecured channel, the legal interception identifier (LID) or any other procedure that allows reference to the order shall be used without revealing its content.

b) An electronic secure channel: This channel shall be unique for each authorised agent, without prejudice to the redundancy that may be required by the availability requirement. The electronic secure channel for the HI1 interface shall comply with the specifications set out in Article 7.

c) A secure non-electronic channel: the subject must have a secure non-electronic channel. The ends of this secure channel shall be the coordinators of the reception centres of the authorised agents and the unique partners by the subjects required in the terms defined in the appendix to this order. The interlocutor of the part of the subject must be in Spanish territory. An acknowledgement of receipt shall be returned with the entry of the date and time of receipt of the messages sent by this channel from any of its ends.

3. The exchange of management information between the obliged subjects and the authorised agents requiring the use of a secure channel shall preferably be carried out by means of the electronic secure channel.

4. Administration information may be sent to the agent authorised by the physical channels corresponding to the HI2 interface, provided that the requirements laid down, for the HI1 interface, are satisfied in this ministerial order.

Article 7. Electronic secure channel for the HI1 interface.

1. The electronic secure channel, for the HI1 interface, will be performed using an IPSec virtual private network (IPSec VPN), configured to ensure the requirements of a secure channel, as defined in the appendix. This IPSec VPN will use the Encapsulating Security Payload (ESP) service with the Advanced Encryption Standard (AES) encryption algorithm.

2. The administration information will be sent by encrypted and signed email messages by recognized electronic signature.

3. They shall be notified to the sender, by means of differentiated messages, both the reception and the opening of the message sent from either end of the interface, the date and time of the reception or the opening being recorded. The channel can be configured to send these messages automatically.

4. The electronic secure channel for the HI1 interface may be made through alternative technological solutions to this, provided that they achieve a level of security equal to or higher and are agreed with the authorised agents.

The HI1 interface will be able to share physical channel with the HI2 interface, as long as this channel meets the requirements set for the HI1 interface in paragraph 1 of this article.

Article 8. Managing a legal interception order.

1. The authorised agent shall transmit the order of legal interception, through a secure channel, to the subject bound to provide one or more target services, in accordance with the definition contained in paragraph gg) of the appendix of this order.

Without prejudice to this obligation, once the judicial authority has authorized the order of interception, the authorized agent may send, in advance, a copy of the interception order through a secure channel. In this case, the authorised agent must forward the original legal interception order within a maximum of 15 days, from the date of dispatch of this advance, although the parties (authorized agent and subject) may expressly agree to another period.

In the case of using an electronic secure channel to send the order of legal interception or copy thereof, the administration function (ADMF) of the subject, in order to avoid errors and delays of transcription, will be able to load automatically, from the intercept order, the data needed to activate the interception. But in no case will the interception be activated automatically by the system, without the authorization of the subject.

2. The subject shall acknowledge receipt of the receipt, through a secure channel, as soon as it occurs, both of the order of interception and, where appropriate, of the advance thereof, by entering the date and time of the receipt in the form specified in the Articles 6.2.c) or 7.3, depending on the type of secure channel used.

The time limits laid down in Article 99 of the Regulation on the conditions for the provision of electronic communications services, universal service and the protection of users shall be counted from the date and time entered in the acknowledgement of receipt of the receipt of the order of interception or, where appropriate, of the consignment in advance of the interception order.

In order to ensure compliance with the execution of the interception orders outside the working hours, the subject must have a permanent contact point to be communicated to the coordinators of the centres. of receipt of the authorised agents.

3. Where the order of interception has been technically activated by the subject under its interception system, it shall be notified, through a secure channel, to the authorised agent that the order of interception is active, including the date and time at which the interception was activated. This notification can be made through the HI2 interface.

An interception order is understood to be active from the moment the legal interception system can extract the information relating to the interception (IRI) and the communication content (CC) of the communications determined by the legal interception order and may be sent to the receiving centre of the authorised agent's intercepts.

4. The authorized agent shall, through a secure channel, transmit any decision of the judicial authority ordering the extension, modification or cessation of the aforementioned legal interception order. The obligated subject shall notify the compliance of this resolution, stating the date and time from which its legal interception system has been modified, to satisfy the request of the judicial authority.

5. Where the time allowed for the interception or when requested by the judicial authority expires, the subject shall disable the interception mechanisms and notify, through a secure channel, the authorised agent that the order of interception has been deactivated, with the date and time from which the interception was deactivated. This notification can be made through the HI2 interface.

Article 9. Technical incidents, notification of modifications and testing.

1. If there is a period during which the results of an active interception cannot be sent to the authorised agent, the subject must notify it, wherever possible, by means of a secure channel, to the authorised agent. indicating the period during which this was not possible.

If the interruption is prolonged, the obligated subject must notify, through a secure channel, in separate messages, the beginning and end of the interruption, the date and time of each event.

If the period of interruption is foreseeable, either by scheduled maintenance or by any other circumstance, the obligated subject must notify him at least 10 days in advance of the authorized agent through a Secure channel.

2. For the resolution of technical incidents and the testing, non-secure HI1 channels may be used, provided that the requirements for this set out in Article 6 are met.

In certain cases, dealing with incidents involving a subject subject to the measure of interception or an identity, understood to be in the terms of Article 84 of the Regulation on the conditions for the provision of electronic communications services, universal service and the protection of users, such incidents may be notified by the physical channels corresponding to the HI2 interface.

3. Changes to the system of legal interception or any other element of the subject, including the provision of new services, which may affect the legal interception, shall be notified to the authorised agents in advance. Three months.

4. In order to carry out tests of the systems of legal interception, the subject shall allow each authorized agent to hire at least two identities, in accordance with the definition provided for in Article 84 of the said Regulation, approved by Royal Decree 424/2005 of 15 April of each electronic communications service it provides. These identities will not correspond to any natural person, will only be used for testing and may be intercepted without the need for an interception order.

5. The availability of the system of legal interception of the subject, will not be inferior to that of the electronic communications service provided by the subject obliged to its subscribers and users, nor will the deadline to resolve faults of the same will be superior (a) to the one established by the subject in the provision, to its subscribers and users, of the electronic communications service.

6. For very urgent matters, outside the working hours, related to the legal interception, the obliged subjects will have a permanent contact point at the disposal of the coordinators of the reception centres of the agents (

)

Article 10. Legal interception identifier (LIID) format.

1. The format of the LIID is a string of 1 to 25 ASCII characters, belonging to the subset consisting of the characters "a" to "z", "A" to "Z", "-", "_", ".", and "0" to "9".

2. The value of the LIID is agreed between the subject and the authorized agent, satisfying the following conditions:

(a) If multiple authorised agents request the interception of the same subject subject to the measure of the interception, the LIID shall be different for each authorised agent.

(b) The LID shall permit the identification of the subject and the authorised agent.

(c) The LIID shall not contain any information enabling the identification of the intercepted subject, including identity, in accordance with the definition provided for in Article 84 of the Regulation on the conditions for the provision of electronic communications services, universal service and the protection of users.

Article 11. Security measures.

In Annex II of this order, the technical and organizational measures that the required subjects must implement to guarantee the authenticity, confidentiality, integrity and non-repudiation of the data related to the legal interception of the communications and the availability of the interception, as well as preventing its illegal use. These measures are articulated in eight sections:

1. Security document and incident management.

2. Personnel related to the legal interception of communications.

3. Enclosure for the interception system.

4. Document security.

5. Security of the interception system.

6. Security of internal interception functions (IIF).

7. Audit records.

8. Additional security measures.

Article 12. Interception system clock.

1. The clocks of the elements of the legal interception system shall have a maximum error of less than half a second. These clocks will be the source of time for the date and time consignment of all events related to the legal interception mechanisms.

2. The national time pattern provided by the National Metrology Center will be taken as a reference.

Article 13. Cohabitation with the data retention system.

The interception system will be able to share resources with the data retention system provided for by Law 25/2007 of 18 October on the conservation of data relating to electronic communications and public networks. communications and, where appropriate, their regulatory development standards, provided that this does not prejudice their functions or the security of the legal interception system.

Article 14. Additional information to the interception.

1. Subject to Article 85 of the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users, approved by Royal Decree 424/2005, of 15 December 1994, The data referred to in Articles 88.2, 88.3 and 89.2 of that Regulation shall be made available to the authorised agent carrying out the legal interception by means of the procedure described

the following paragraph.

2. The request will be concrete and in no case will massive data requests be exercised. It shall identify the authorised agent which is carrying out the legal interception and which makes the request, the coordinator of which is responsible for the request for data, and the coordinator of the reception centre for the intercepts. identifier or legal interception identifiers (LID) reference corresponding to the legal interception in which the request is made.

3. The request for this information and its response will be made through a secure HI1 channel. The authorised agent shall, through this channel, acknowledge receipt of the reply by entering the date and time of the reply.

The requested information will be submitted by 12:00 hours on the next business day to which the subject will receive the request. Where the request is urgent, the obliged subjects must carry out the application as soon as possible, for which the subject must have a permanent contact point which will be available to the coordinators of the centres. of receipt of the authorised agents.

Article 15. Maximum number of concurrent intercepts.

1. The subject shall have his/her legal interception system in place so that he/she is able to maintain the following number of intercepts simultaneously:

If x 60: MI = x

If x 60: MI = 60 + a (

:

(x-60)

Where:

MI = Maximum number of concurrently active intercepts.

x = Number of subscribers or users (understood as the number of identities, according to the definition given by Article 84 of the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April, provided by the subject to its subscribers or users.

a = Coefficient that depends on the particular telecommunications technology and will be specified in the corresponding ministerial orders. Its value is bounded to range [0.25-1].

Note: The decimal amounts of "MI" will be rounded to the immediately lower integer.

2. The maximum number of active intercepts simultaneously is calculated for each electronic communications service offered by the obligated subject. In the above formula, therefore, the value x is the total number of identities, in accordance with the definition provided for in Article 84 of that Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users, provided by the subject to the subscribers or users of each telecommunications service.

3. The number of intercepts which the subject must be capable of simultaneously transmitting to the authorised agents shall be specified in the specific ministerial orders for each telecommunications technology.

Article 16. Access to the registration of numbers transferred between operators.

1. The coordinators of the reception centres of the authorised agents may access the updated register of the numbers transferred between operators as a result of the exercise of the right to the retention of numbers, to which they refer Article 44.5 of the Regulation on electronic communications markets, access to networks and numbering, approved by Royal Decree 2296/2004 of 10 December 2004, in order to collect the data referred to in Articles 88.2, 88.3, Regulation on the conditions for the provision of services for the benefit of the electronic communications, universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April.

2. The coordinators of the reception centres of the authorised agents may be directed, in order to obtain information to identify the operator in charge of a portable telephone number as well as possible portability procedures in course, to the manager in charge of the operation of the reference entity or database that can provide the required information according to the specifications in force and approved by the Telecommunications Market Commission.

3. The data obtained shall be used exclusively for the intended purposes, with the responsibility of the agent having the right to use them which, in any event, shall be subject to the current legislation on the protection of data of a personnel.

Article 17. Statistics.

1. The required subjects shall compile statistics, on the interception measures, on an annual basis. The period counted shall be from 00:00 hours (including) from 1 January to 24:00 hours (excluding) on 31 December of the corresponding year. The interception orders and the modifications and extensions of the same activated during that period, as well as the identities, shall be taken into account (in accordance with the definition provided for in Article 84 of the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users) intercepted on the basis of such services. If the same technical identity is intercepted for different interception orders, it will be counted separately.

2. The statistics shall be compiled in accordance with the form set out in Annex III to this order and shall be forwarded to the Secretariat of State for Telecommunications and the Information Society by 15 February of the following year.

First transient disposition. Deadline for compliance.

1. The obligors shall comply with the obligations laid down in paragraphs 5 and 7 of Annex II to this order within 18 months of their entry into force.

2. The other obligations set out in this order shall be met within nine months of their entry into force.

3. If, during the period of the preceding paragraph, it was possible for a subject to have to fulfil an order of legal interception and not yet in a position to take it into effect with his own means, the subject it shall facilitate the access of the authorised agents to their facilities to carry out the interception with the means provided by them, if they are available to them.

4. Those subjects who are obliged to initiate their activity, after these deadlines, must meet the obligations laid down in this order from the start of their activity.

Second transient disposition. Special transitional arrangements for those subject to certain conditions.

1. Subject to the definition set out in paragraph (dd) of the Appendix of this order, the subjects who are obliged to do not have the status of small operators, and have their own electronic communications network, through which they are routed. communications from their subscribers, may be subject to the procedure described in Article 2.1.c) of this order if the total number of interception orders received during the previous year has been less than or equal to five.

2. The required subjects, as referred to in the previous paragraph, shall have a period of six months from the moment when the five intercepts are exceeded in one year, in order to implement their own interception system, which satisfies all of the requirements set out in the current legislation on legal interception of communications.

Transitional provision third. Services and technologies not covered by specific ministerial orders.

Those required to operate networks or to provide electronic communications services, the technology of which has not been included in the ministerial orders relating to the specific obligations arising from the application of a In the case of telecommunications technology, they must agree with the authorised agents how to comply with the obligations of Chapter II of Title V of that Regulation on the conditions for the provision of communications services. electronic, universal service and the protection of users, relating to the legal interception of communications, as well as the provisions in this order, until the corresponding specific ministerial orders are approved.

Final disposition first. Competence title.

This order is dictated by the provisions of Article 149.1.21. of the Constitution, which attributes exclusive competence to the State in the field of telecommunications.

Final disposition second. Amendment of Order CTE/711/2002 of 26 March 2002 laying down the conditions for the provision of the telephone consultation service on subscriber numbers.

Order CTE/711/2002 of 26 March 2002 laying down the conditions for the provision of the telephone consultation service on subscriber numbers is amended as follows:

One. In the first paragraph. 3 (d) and (e) are added, with the following wording:

" (d) are authorised to request information prior to the interception pursuant to Article 89.1 of the Regulation on the conditions for the provision of electronic communications services, universal service and protection of users, approved by Royal Decree 424/2005 of 15 April.

(e) are authorised to request additional information from the interception pursuant to Articles 88.2, 88.3 and 89.2 of the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April. "

Two. Paragraphs 15 and 4 are renumbered as 4 and 5 respectively.

Three. A new paragraph 15 (3) is added, with the following wording:

" 3. The Commission of the Telecommunications Market, upon request, shall provide the authorised agents, the updated information referred to in paragraph 14, with the format established by the Commission of the Market of the Telecommunications.

The data obtained shall be used exclusively for the purposes referred to in Articles 88.2, 88.3, 89.1 and 89.2 of the Regulation on the conditions for the provision of electronic communications services, the service universal and the protection of the users, approved by Royal Decree 424/2005, of April 15, being the responsibility of the authorized agent the proper use of the same ones, which, in any case, will be subject to the current legislation on data protection of a personal nature. "

Final disposition third. Convention on Mutual Assistance in Criminal Matters between the States of the European Union.

The measures set out in this order are also applicable to the fulfilment of the obligations arising from the Convention on Mutual Assistance in Criminal Matters between the States of the European Union of 29 May 2000, with respect to the legal interception of communications.

Final disposition fourth. Entry into force.

This order will take effect the day following your publication in the "Official State Bulletin".

Madrid, January 28, 2009. -Minister of Industry, Tourism and Trade, Miguel Sebastian Gascón.

ANNEX I

Functional Blocks and Interfaces

1. The functional blocks of the legal interception system are as follows:

a) Administration function (ADMF).

b) Mediation function (MF) for interception information (IRI).

c) Mediation function (MF) for Communication Content (CC).

d) Internal interception function (IIF).

2. The interfaces of the legal interception system are as follows:

1. Internal interfaces.

2. Transfer Interfaces (HI), which are composed of three interfaces:

2.1. Handover Interface 1 (HI1).

2.2. Handover Interface 2 (HI2).

2.3. Handover Interface 3 (HI3).

3. The following figure represents the functional block diagram and interfaces of the required subject's legal interception system (source: ETSI ES 201 671 V3.1.1 (2006-10)):

Here are several images in the original. See the official and authentic PDF document.

Notes:

This figure shows a reference configuration, with a logical representation of the entities involved in the legal interception that does not determine separate physical entities.

The mediation function can be transparent, if none of its functions are required.

ANNEX II

Security measures

1. Security and incident management document

1. The subject must carry out the analysis and risk management of its legal interception mechanisms and prepare and keep up to date a security document regarding the legal interception of communications in which the Following aspects:

a) The relationship of personnel with access to interception mechanisms.

b) The functions, duties, and access profiles of the authorized personnel.

c) The identification of the security officer.

(d) The measures, rules, procedures for action, rules and standards applied to ensure compliance with the security measures laid down in this order and those arising from the requirements laid down in the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April, in the ministerial orders relating to obligations (i) specific measures resulting from the implementation of a particular telecommunications technology or in other rules of legal or regulatory status that are applicable.

e) The configuration of the operating system and the relationship of applications that need to be installed on the interception system.

f) Measures that are necessary to protect the interception system from malicious programs, intrusions, unauthorized access, and other threats; and to prevent the installation of malicious devices and applications in the interception system.

g) The measures that are necessary to ensure that remote access to the interception system does not compromise the security of the system or the confidentiality of the data, as well as an up-to-date relationship of the authorised persons to remotely access the system.

h) The procedures for the installation, configuration, maintenance and repair of the interception system detailing the measures necessary to ensure that these processes do not endanger the security of the system interception or confidentiality of the data related to the interception.

i) The periodic controls to be performed to verify compliance with the provisions of the document itself.

j) The notification, management, and response procedures for incidents.

2. The code of good practice for the safety management of the UNE-ISO/IEC 17799 standard shall be applied as far as possible.

3. The security document must be maintained at all times up to date and will be reviewed whenever an update or system change is performed.

4. There shall be a procedure for the notification and management of the incidents related to the interception mechanisms and the establishment of a register containing the type of incident, the date and time when the incident occurred or detected, the effects that would have been derived from the same and the corrective measures applied.

2. Personnel related to the legal interception of communications

1. Persons who can access the interception mechanisms as well as any information related to the legal interception of communications shall be the minimum necessary to ensure the execution of the interception orders in the conditions.

2. Their access to the information and other resources related to the interception will be based on the principles of need to know, less privilege, separation of tasks and authorization, understood in their meanings defined in the appendix of this order.

3. The relationship of persons with access to the interception system as well as their functions and obligations in relation to the legal interception of communications, which must be clearly defined, shall be collected in the security document to which refers to paragraph 1 of this Annex.

4. Persons with access to the interception system shall sign a security declaration in the format to be agreed between the subject and the authorised agents, stating that they have received the appropriate training for the performance of their functions and on the operational security procedures, undertakes to keep strict confidentiality on all information related to the legal interception of communications, and declares its knowledge of the consequences of the use misuse of the interception mechanisms.

3. Enclosure for the interception system

1. The entire interception system, with the exception of internal interception functions (IIF) which are distributed in the telecommunications infrastructure of the subject, shall be placed in enclosures to satisfy the following requirements: security requirements:

a) They must be protected by access control mechanisms so that unauthorized access or unauthorized access attempts are detected and immediate action can be taken.

(b) The necessary measures shall be taken to ensure that the presence of staff outside the interception equipment, which is limited to the minimum necessary, does not compromise security. Their presence must be properly recorded in accordance with the procedure laid down for this purpose in the security document.

4. Document security

1. Clear criteria for the classification of electronic and paper information according to the security measures to be applied shall be laid down by each subject, to be collected in the security document.

2. Interception orders, audit records, backups, interception system documentation, and any other paper or electronic documents important to the security of the interception system shall be be stored in safes, cabinets or cabinets fitted with a key opening system or other equivalent device.

3. The documents referred to in the previous paragraph must not be removed from the said warehouse unless strictly necessary, in which case the necessary measures shall be taken to ensure their confidentiality, integrity and availability, and shall be transported by the staff expressly authorised to do so.

4. An entry and exit registration system for paper and electronic documents shall be established for each subject, in which the date and time must also be entered, in addition to the identity of the person who takes them out or introduces them.

When the retention period of these documents expires, the security officer will safely destroy them by taking steps to prevent the subsequent access or recovery of the deleted information. Record destruction of documents will be saved.

5. Interception system security

1. The interception system comprises all the blocks and interfaces referred to in Article 6, as well as any other components necessary to provide the legal interception, including those necessary to ensure the security of the system, as the system of audit records set out in paragraph 7 of this Annex. The measures in this paragraph concern all components of the interception system except the internal interception functions (IIF), the security measures of which are set out in paragraph 6 of this Annex.

2. The interception system can only be accessed by users defined in the system that will be unique to each person. The security document referred to in paragraph 1 of this Annex shall include an up-to-date and historical relationship of users and user profiles and the authorised access to each of them. Access to information and other resources of the interception system shall be strictly in accordance with the responsibility of the person to whom the user is responsible. The access of both persons and processes to the information and other resources of the interception system will be based on the principles of need to know, less privilege, separation of tasks and authorization, understood in their meanings defined in the appendix of this order.

3. Access to the system will only be possible after verifying the identity and authorization of anyone who tries to access, after successfully overcoming the identification, authentication and authorization processes. This check shall be made preferably by means of a strong authentication device according to the definition in paragraph (k) of the Appendix.

A mechanism should be established to limit the possibility of repeatedly attempting unauthorized access to the system, causing the system to be blocked.

System locking mechanisms will be established for events that can be considered potentially dangerous such as the removal of the secure device authentication device from the reader device and/or the downtime of the device. excessively long system.

The security document referred to in paragraph 1 of this Annex shall include a description of these locking mechanisms and the corresponding system reactivation processes.

4. The operating system will be up to date and the necessary applications for detection and protection against malicious programs, intrusions and other threats will be installed. The use of operating systems and, in general, open source software on the interception system is recommended.

5. The information on the hard disks will be encrypted.

6. The system shall ensure that the erasure of information is carried out in a safe manner thus avoiding access to or recovery of the information, without prejudice to the audit activity described in paragraph 7 of this Annex.

7. The necessary measures shall be taken to prevent the communication of the system with any direction that is not strictly necessary for the legal interception of communications. Communications via the Internet will only be possible with the relevant addresses of the reception centres for the intercepts of the authorised agents.

8. The necessary measures shall be taken to ensure that remote access to the interception system, which is only possible when strictly necessary and by persons duly authorised by the security officer, does not compromise security. the system or the confidentiality of data related to the interception of communications.

The set of measures and the relationship of authorized persons referred to in the preceding paragraph must be specified in the security document.

9. The necessary measures shall be taken to ensure that the transfer interfaces and the internal interfaces of the interception system cannot compromise security.

The installation, configuration, maintenance and repair of the system shall be carried out, as far as possible, in the enclosures for the interception system and the procedure and the safety measures provided for in the system. security document. The necessary measures shall be taken to ensure that manufacturers, integrators and installers of the interception system cannot compromise the security of the system or access confidential information in connection with the interception. legal.

6. Security of internal interception functions (IIF)

1. The physical access to the internal interception functions (IIF) shall be protected by the security measures of the subject's telecommunications infrastructure according to the state of the art.

2. The location of the internal interception functions will be discrete and any information about them will be secret.

3. Any action on the same (installation or resolution of breakdowns) will be performed with discretion by expressly authorized personnel. An updated and historical relationship of the authorised personnel will be maintained to perform these tasks.

4. The logical access and control of the internal interception functions will only be possible from the administration function (ADMF) of the legal interception system.

7. Audit records

1. The required subjects shall have a centralised system for the management of the audit records of the different components of the interception system. Such a system shall support the generation, transmission, storage, electronic signature, verification and analysis thereof, and shall ensure its authenticity, confidentiality, integrity and availability throughout its life cycle.

2. The format of the audit records, the events on which audit records are to be generated, the procedures for the verification of their authenticity and integrity and the inspection and custody procedures shall be carried out in their Case by ministerial order.

8. Additional security measures

1. The security measures laid down in this order shall apply without prejudice to any other necessary additional security measures to be established to satisfy the requirements laid down in the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April, in the ministerial orders relating to the specific obligations arising from the application of a particular telecommunications technology or other standards of legal status or regulatory.

2. Security measures shall be updated by the subject under the obligation of the evolution of the technology.

Here are several images in the original. See the official and authentic PDF document.

APPENDIX

Definitions

For the purposes of this order, it is understood by:

a) Authentication: Verifying the declared identity.

b) Authorization: Empower to access certain capabilities to certain resources according to the identity of the requesting access.

c) Channel: Means of communication used for the exchange of information between the subject and the authorized agent. By analogy, channel HI1, channel HI2 and channel HI3 shall be referred to as channels corresponding to interfaces HI1, HI2 and HI3 respectively.

d) Electronic channel: Channel using electronic communications networks, understood in the meaning of Annex II (Definitions) of Law 32/2003 of 3 November, General of Telecommunications.

e) Unsecure channel: Channel that does not require compliance with the requirements set in the secure channel definition.

f) Secure Channel: A channel is defined as secure, for the purposes of this order, if it guarantees, according to the state of the technology at any time, the confidentiality, integrity, availability and non-repudiation of the information by the transmission, as well as the unequivocal authentication of the parties involved in the communication, providing the maximum legal guarantee in accordance with the legislation in force. (A secure channel is not necessarily electronic.)

G) Confidentiality: The property that the information is not made available or disclosed to unauthorized persons, entities, or processes.

h) Content of communication (CC, "Content of communication"): Information exchanged between two or more users of an electronic communications service, excluding information on interception (IRI). It includes information that can, as part of some electronic communications service, be stored by a user for later retrieval by another.

i) Coordinator of the reception centres of the authorised agents: person or group of persons belonging to each of the authorised agents who will be the only valid liaison for the subjects required for the purposes of processing matters related to the legal interception of communications.

j) Availability: The property of being accessible and usable on request by an authorized entity and according to the quality of operation specifications.

k) Strong authentication device: An authentication device based on at least two identification factors of the following three: of knowledge (e.g., a passing word), of possession (e.g., a card cryptographic) and personal characteristics (e.g., biometric recognition).

l) Electronic signature: According to Law 59/2003, of 19 December, electronic signature, is the electronic data set, recorded together with others or associated with them, that can be used as a means of identification of the signer.

m) Advanced electronic signature: According to Law 59/2003, of 19 December, electronic signature, is the electronic signature that allows to identify the signatory and to detect any subsequent changes of the signed data, which is linked to the signer in a unique way and to the data to which it refers and which has been created by means that the signatory can maintain under its exclusive control.

n) Recognized electronic signature: According to Law 59/2003, dated December 19, electronic signature, is the advanced electronic signature based on a certificate recognized and generated by a secure signature creation device. Note that, even if they can use the same technology, the acts of encrypting and signing electronically are different. Note also that the recognized electronic signature also serves to ensure the integrity of the signed data.

o) Administration function (ADMF, "Administration Function"): Function that controls the legal interception system of the bound subject. Among other tasks, it receives the legal interception orders and generates the instructions for the system to execute a legal interception. This function prevents the control of the system of legal interception of the subject by the authorised agents.

p) Delivery Function (DF, "Delivery Function"): In a broad sense, it is equivalent to the mediation function. Strictly speaking, part of the MF/DF gateway responsible for sending the content of the communication (CC) and the information correlating to the interception (IRI) to the reception centre of the intercepts. By default it will be understood in a broad sense.

q) Internal interception function (IIF, "Internal Interception Function"): Network point or network element where communication content (CC) and/or interception information (IRI) are obtained.

r) Mediation function (MF, "Mediation Function"): In broad sense, the mechanism that transforms the information obtained in the internal interception function (IIF) and transfers it to the transfer interface (HI). It also receives the MF/DF gateway name (MF/DF Gateway). Strictly speaking, the function that transforms the formats of the information relating to the interception (IRI) and the content of the communication (CC) of its format in the internal network interface (INI) to the standard format of the interface of the transfer (HI). In some cases this transformation may not be necessary. By default it will be understood in a broad sense.

s) Legal Interception Identifier (LIID, "Lawful Interception IDentifier"): It is a code that serves to correlate the various information that, transmitted through the HI interfaces, corresponds to the same subject the interception or the same identity, understood to be in the terms of Article 84 of the Regulation on the conditions for the provision of electronic communications services, universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April.

t) Additional information to the interception: It is the information defined in paragraphs 88.2, 88.3, and 89.2 of the Regulation on the conditions for the provision of electronic communications services, the service universal and the protection of users, approved by Royal Decree 424/2005, of April 15.

u) Information on interception (IRI, Intercept Related Information): The information defined in Article 88.1 of the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April.

v) Integrity: The property that the information is not modified or destroyed without authorization.

w) Internal network interface (INI, "Internal Network Interface"): In strict sense, interface between the internal interception function and the mediation function. In a broad sense, synonymous with internal interface. By default it shall be understood in the strict sense.

x) Transfer Interface (HI, "Handover Interface)": Physical and logical interface between the subject domain and the domain of the authorized agent. Through the HI the authorized agent requests the subject to execute the measures of legal interception and this gives the results of the interception to the center of reception of the intercepts. This interface is composed, in turn, of three distinct interfaces:

Transfer Interface 1 (HI1): Interface for the exchange of administration information between the receiving center of the authorized agent intercepts and the required subject's Administration Function (ADMF). It is used to exchange diverse and unnormalized information that includes from interception orders to resolution of technical incidents.

Transfer Interface 2 (HI2): Interface for the delivery of information associated with the interception (IRI) to the receiving center of the intercepts.

Transfer Interface 3 (HI3): Interface for delivery of communication content (CC) to the reception center of the intercepts.

This is a logical distinction. In their realization, they can sometimes share the physical interface.

y) Internal Interface (X): Any interface of the legal interception system of the bound subject except the transfer interface. Includes the interfaces between the elements of the interception system.

z) Single Interbroadcaster: Person or group of persons belonging to each of the bound subjects who will be the only valid link for the agents empowered to deal with matters related to the legal interception of the communications.

aa) Minor privilege: Security principle that requires the least number of powers to be granted for access to and use of resources and information to enable those tasks to be performed for those expressly provided authorized.

bb) Need to know: Principle of security that requires that only information or resources that are strictly necessary for the performance of those tasks for which it is being held are accessible or held. expressly authorized.

cc) Do not repudiate: The property of being able to prove that an action or event has taken place, so that such an action or event cannot be subsequently denied.

dd) Small operator: The subject, as set out in Article 85 of the Regulation on the conditions for the provision of electronic communications services, the universal service and the protection of the users, approved by Royal Decree 424/2005 of 15 April, which also complies with each and every one of the following requirements, without prejudice to other additional requirements which may be laid down in the ministerial orders relating to the specific obligations arising from the application of a particular telecommunications technology:

Have your own electronic communications network through which you are directed to the communications of your subscribers.

Fulfil all requirements for the classification of micro-enterprises in accordance with the provisions of Title I of the Annex to Commission Recommendation No 2003 /361/EC of 6 May 2003 on the definition of micro, small and medium-sized enterprises (DOUE L 124 of 20 May 2003); or their possible revision in accordance with Article 9 of the Annex to the Recommendation itself.

ee) The result of the interception (result of interception): Information regarding an objective service, including the content of the communication (CC) and/or the information relating to the interception (IRI), which the subject must delivery to the reception center of the intercepts.

ff) Task Separation: The security principle that requires processes to be divided into stages assigned to different people so that it is not possible for a single person to subvert the process.

gg) Target service: Electronic communications service that can be used by a subject to interception. There may be more than one target service related to the same subject to the interception.