
Order SSI/321/2014 of 26 February, approving the Information Security Policy in the field of Electronic Administration of the Ministry of Health, Social Services and Equality.

Original Language Title: Orden SSI/321/2014, de 26 de febrero, por la que se aprueba la política de seguridad de la información en el ámbito de la administración electrónica del Ministerio de Sanidad, Servicios Sociales e Igualdad.


TEXT

The development of Electronic Administration involves the automated processing of large amounts of information by information and communications technology systems, which are subject to different types of threats and vulnerabilities.

In the context of Electronic Administration, information security is understood as the capacity of networks or information systems to resist, with a given level of confidence, accidents and illicit or malicious actions that compromise the availability, authenticity, integrity, confidentiality and traceability of the data stored or transmitted and of the services that such networks or systems offer or make accessible.

Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of Electronic Administration, seeks to establish confidence that information systems will provide their services and keep the information in accordance with their functional specifications, without interruptions or uncontrolled modifications, and without the information coming to the knowledge of unauthorised persons.

The Information Security Policy of the Ministry of Health, Social Services and Equality, in accordance with the provisions of Article 11 of Royal Decree 3/2010, of 8 January, supports all the requirements of the National Security Scheme, as well as the requirements arising from the Organic Law 15/1999, of 13 December, of Protection of Personal Data and its Implementing Regulation, approved by Royal Decree 1720/2007, of 21 December.

Since information security must respond to multiple requirements and encompasses all aspects of an organisation, it is essential to address its management by means of an Information Security Management System based on the UNE-ISO/IEC 27001 standard. The guidelines for establishing an information security control framework included in the Annex are structured according to the UNE-ISO/IEC 27002 standard, in order to facilitate the implementation of the Management System and to use a structure independent of the different laws in force.

This order has been submitted to the Spanish Data Protection Agency for its prior report.

By virtue thereof, with the prior approval of the Minister of Finance and Public Administrations, I hereby order:

Article 1. Object and scope of application.

1. The purpose of this order is the approval of the Information Security Policy (hereinafter the PSI) in the field of Electronic Administration of the Ministry of Health, Social Services and Equality, as well as the establishment of its organisational and technological framework.

2. The PSI shall apply to all information systems used by the central and territorial bodies and units of the Ministry of Health, Social Services and Equality and by its dependent public bodies. The PSI shall also be observed by all staff assigned to such bodies and units, as well as by persons who, although not assigned to them, have access to their information systems.

Article 2. Mission of the Department.

The Ministry of Health, Social Services and Equality is responsible for the Government's policy on health, health planning and care, and consumer affairs, as well as for exercising the powers of the General State Administration to assure citizens of the right to health protection.

It is also responsible for the proposal and implementation of the Government's policy on cohesion and social inclusion, family, child protection and care for dependent or disabled persons.

It is also responsible for the Government's policy on equality, the fight against all kinds of discrimination and against gender-based violence.

Article 3. Regulatory framework.

1. The regulatory framework in which the activities of the Ministry of Health, Social Services and Equality are carried out includes the sectoral legislation regulating the activity of the senior bodies and management bodies of the Department and of its dependent public bodies, as well as the specific legislation in force on electronic administration, as follows:

a) The sectoral legislation regulating the activity of the senior bodies and management bodies of the Ministry of Health, Social Services and Equality and of its dependent public bodies, as well as Royal Decree 200/2012 of 23 January, developing the basic organic structure of the Ministry of Health, Social Services and Equality, and Royal Decree 1887/2011 of 30 December, establishing the basic organic structure of the ministerial departments.

b) Law 11/2007 of 22 June on electronic access of citizens to public services.

c) Royal Decree 1671/2009 of 6 November, partially developing Law 11/2007 of 22 June on electronic access of citizens to public services.

d) Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.

e) Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of Electronic Administration.

f) Organic Law 15/1999 of 13 December on the Protection of Personal Data.

g) Implementing Regulation of the Organic Law 15/1999 of 13 December on the protection of personal data, approved by Royal Decree 1720/2007 of 21 December.

h) Law 59/2003 of 19 December on electronic signatures.

i) Royal Decree 1553/2005 of 23 December 2005 regulating the issue of the national identity document and its electronic signature certificates.

j) Order SSI/2076/2013 of 28 October, establishing the electronic headquarters of the Ministry of Health, Social Services and Equality, as well as any other rules that have created or may create other electronic headquarters within the scope of application of the PSI.

k) Order SCO/2751/2006 of 31 August, establishing the Telematics Register of the Ministry of Health and Consumer Affairs for the submission of letters, applications and communications and laying down general requirements for the telematic processing of certain procedures, as well as any other rules that have created or may create other electronic registers within the scope of the PSI.

l) Law 19/2013 of 9 December on transparency, access to public information and good governance.

2. The other rules applicable to the electronic administration of the Ministry of Health, Social Services and Equality, arising from the foregoing and published in the electronic headquarters within the scope of the PSI, shall also form part of this regulatory framework.

Article 4. Organizational structure of the PSI.

The organisational structure of information security management in the field of electronic administration of the Ministry of Health, Social Services and Equality is composed of the following agents:

a) The Information Security Committee.

b) The Information Security Officers.

c) The Information Officers.

d) The Service Officers.

Article 5. The Information Security Committee.

1. The Information Security Committee (hereinafter the Committee) is hereby established as a working group within the Department's Ministerial Commission on Informatics.

2. The Committee shall be composed of the following members:

a) President: the holder of the Secretariat for Health, Social Services and Equality.

b) Vice-President: the holder of the General Information Technology Subdirectorate.

c) Members: a representative, with a minimum rank of Subdirector General or equivalent, of each of the following senior bodies and management bodies of the Department:

1. Secretary of State for Social Services and Equality.

2. General Secretariat for Health and Consumer Affairs.

3. Deputy Secretary for Health, Social Services and Equality.

In addition, the IMSERSO, the National Transplant Organization (ONT) and the Ceuta and Melilla Centres of the National Institute for Health Management (INGESA) shall also be members.

d) Secretary: with voice but without vote, the Secretary of the technical group of the Information Security Officer of the Ministry of Health, Social Services and Equality, who shall implement the Committee's decisions, convene its meetings and prepare the matters to be discussed.

3. The Committee shall coordinate all activities related to the security of information systems and shall carry out the following functions:

a) Develop the proposals for permanent modification and updating of the PSI of the Ministry of Health, Social Services and Equality on an annual basis.

b) Develop proposals for changes in the organizational structure of the PSI of the Ministry of Health, Social Services and Equality.

c) Determine the criteria for risk acceptance and acceptable levels of risk to the organization.

d) Develop and approve second-level derived security regulations (security rules) and the Risk Analysis procedure.

e) Provide the means and resources needed to ensure awareness and training in information security for all personnel of the Ministry of Health, Social Services and Equality.

f) Share security experiences among its members to ensure compliance with the PSI and its implementing regulations.

g) Analyse the Annual Management Review Reports provided by each Security Officer, in which each of them reports the outcome of the risk analysis, the audits carried out, the project plan and the required security improvement initiatives and actions.

h) Review the information provided by the Security Officers regarding security incidents at the Ministry of Health, Social Services and Equality that so require.

i) Coordinate the activity of the Security Officers of each security domain to achieve greater efficiency.

j) Take all decisions that ensure the security of the Department's information and services.

4. The Committee shall meet at least once a year.

Article 6. The Information Security Officer.

1. The Information Security Officer (RSI) takes, in each security domain for which it is competent, the decisions needed to meet the security requirements of the information and services.

A security domain is defined as the set of communications infrastructures, physical and logical equipment and the persons that operate them, interlinked in such a way that it is more efficient to manage the security of the information they handle jointly.

2. The following Information Security Officers shall be appointed, according to the security domain for which they are competent:

a) The RSI whose scope of responsibility covers the information and services affected by the information systems managed by the Ministry of Health, Social Services and Equality, as well as by its dependent public bodies that are not included within the scope of the other RSIs. This role shall be held by the technical group referred to in paragraph 3 of this Article.

b) The IMSERSO RSI. Appointment shall be made by the holder of its Directorate-General from among the staff serving at the IMSERSO at that time.

c) The ONT RSI. Appointment shall be made by the holder of its Directorate-General from among the staff serving at the ONT at that time.

d) The RSI of the Ceuta and Melilla Centres (Territorial Directorates, Specialised Care Management and Primary Care Management). Appointment shall be made by the holder of the INGESA Directorate from among the staff serving at INGESA at that time.

3. The technical group of information security at departmental level shall be chaired and coordinated by the holder of the General Information Technology Subdirectorate, and shall be composed of the following members:

a) The holder of the Human Resources Subdirectorate General.

b) The holder of the General Staff Subdirectorate General.

c) The holder of the Subdirectorate General of Regulations.

d) The holder of the General Subdirectorate of the General Inspection of Services.

e) A representative for each of the public bodies, designated by the holders of the public bodies.

f) An official of the Information Technology Subdirectorate General, designated by that Subdirectorate General, who shall act as Secretary and coordinate the Information Security Team.

4. The functions of the RSI within its domain are as follows:

a) Promote and review an Information Security Management System (SGSI), in accordance with the UNE-ISO/IEC 27001 standard, for the corresponding security domain.

b) Coordinate the performance of the annual Risk Analysis on the information systems under its responsibility.

c) Approve third level derived security regulations (general procedures).

d) Coordinate and monitor compliance with the security measures defined in the security documents for all existing personal data files or processing operations.

e) Keep the documentary framework of the information security management system up to date.

f) Determine the controls of the UNE-ISO/IEC 27002 standard necessary to mitigate the risk resulting from Risk Analysis.

g) Develop the annual project plan and coordinate its execution.

h) Operate the resources provided by the Committee.

i) Maintain the security of managed information and electronic services provided by information systems.

j) Manage information security incidents that occur, reporting the most relevant to the Committee.

k) Perform or promote periodic audits to verify compliance with information security obligations.

l) Designate the internal auditor for information security.

m) Develop the Annual Management Review Report.

n) Define, review, and adjust the efficiency indicators required to control the state of the SGSI.

o) Coordinate those responsible for information and services.

p) Report on the status of the main security variables of the information systems in the security domain to the Public Administration Information Security Committee, for the preparation of a general profile of the security status of those systems.

q) Coordinate communication with the National Cryptologic Centre on the use of information security incident response services.

Article 7. Information Security Team.

1. The Information Security Team is constituted as a support group of the corresponding RSI for the performance of its functions.

2. For these purposes, the Information Security Team shall carry out the periodic security audits (prevention), the monitoring and control of system security (detection), the effective response to security incidents from their notification until their resolution (response) and the development of the information systems continuity plans (recovery).

3. The relevant RSI shall determine the composition of the Information Security Team among the personnel who provide services at that time in the relevant public department or body.

Article 8. The Information Officer.

1. The Information Officer is the holder of the organ or unit that manages each administrative procedure.

In cases where a system treats personal data, the Information Officer will also be responsible for the file. Their duties shall be determined by the applicable legislation on the protection of personal data.

2. The Information Officer is entrusted with the task of determining the levels of security of information within the framework set out in Annex I to Royal Decree 3/2010 of 8 January.

3. The Information Officer shall also be liable for any errors or negligence within the administrative procedure he or she manages that lead to a confidentiality or integrity incident.

Article 9. The Service Officer.

1. The Service Officer is the head of the organ or unit that manages each service.

2. The Service Officer is entrusted with the task of determining the levels of service security within the framework set out in Annex I to Royal Decree 3/2010 of 8 January.

Article 10. Conflict resolution.

1. In the event of a conflict between the different officers, it shall be resolved by their hierarchical superior. Failing that, the Committee shall resolve it.

2. In the resolution of these conflicts, the stricter requirements arising from the protection of personal data shall prevail.

Article 11. Risk management.

1. Risk management shall be carried out on the information system in a continuous manner, in accordance with the principles of risk-based security management set out in Article 6 of Royal Decree 3/2010 of 8 January, and with periodic reassessment.

2. The RSI is responsible for ensuring that the analysis is carried out in due time and form, as well as for identifying weaknesses and deficiencies and bringing them to the attention of the Information and Service Officers.

3. Risk management, comprising the stages of categorisation of systems, risk analysis and the selection of the security measures to be applied, which shall be proportionate to the risks and justified, shall be reviewed and approved each year by the Security Officer for the security domain, who shall record it in an annual Action Plan.

4. In particular, the risk analysis shall be carried out with the PILAR or μPILAR tools, which facilitate monitoring of the implementation of the selected security measures and provide a stable residual risk value that is comparable between different information systems.

Article 12. Regulatory development.

1. The body of information security regulations shall be developed in five levels with different scope, level of technical detail and binding force, but in such a way that each normative element is based on those of the higher level.

All these levels will pay particular attention to the requirements arising from the National Security Scheme, as well as the applicable regulations on personal data protection.

Regulatory development levels are as follows:

a) First regulatory level: Policy (PSI). It is constituted by this order, whose Annex sets out the general guidelines for the management of information security, based on the UNE-ISO/IEC 27002 standard. The Ministry of Health, Social Services and Equality, its public bodies and the entities collaborating with them are obliged to comply with it.

b) Second regulatory level: Security rules. They are binding throughout the Ministry of Health, Social Services and Equality, in the elements applicable to each security domain. They are as follows:

1. Classification and processing of information.

2. Security roles and responsibilities.

3. Physical security.

4. Management of operations.

5. Access control.

6. Acquisition and development of systems.

7. Security incident management.

8. Business continuity.

9. Compliance with existing legislation.

c) Third regulatory level: General procedures. They describe the actions to be performed in a security-related process, responsibility of multiple organizational units, within the same security domain. They are dependent on the rules.

d) Fourth regulatory level: Specific procedures. They describe the actions to be performed in a security-related process, the responsibility of an organizational unit, within the same security domain. They depend on rules or general procedures.

e) Fifth regulatory level: Reports, records, electronic evidence and templates. The reports are documents of a technical nature which reflect the outcome and conclusions of a study or an evaluation. Activity logs or security alerts are technical documents that collect threats and vulnerabilities to information systems and are the responsibility of the security team. Electronic evidence is generated throughout the life cycle of the information systems, which may include one or more systems according to the treated aspect.

2. The Committee shall establish the mechanisms necessary for the sharing of documentation derived from regulatory development in order to standardise it, as far as possible, across the scope of the PSI.

The following table summarises the regulatory framework and the responsibility for approval at each level (the approving body for the second and third levels is taken from Articles 5.3.d and 6.4.c; the fourth-level approver is not stated in the text):

Regulatory Level | Document                                  | Approval
First            | Security Policy                           | Competent top authority
Second           | Security Rules                            | Information Security Committee
Third            | Procedures (general)                      | Information Security Officer (RSI)
Fourth           | Procedures (specific)                     |
Fifth            | Reports, Records, Evidence and Templates  | Information Security Team

Article 13. Protection of personal data.

1. The persons defined in Article 8.1 shall be responsible for the files containing personal data.

2. Files containing personal data shall be referenced in the corresponding security document provided for in Article 88 of the Implementing Regulation of Organic Law 15/1999 of 13 December.

3. The security measures required by the Implementing Regulation of Organic Law 15/1999 of 13 December shall be included in the different levels of regulatory development provided for in Article 12.

Article 14. Training.

The Ministry of Health, Social Services and Equality shall develop specific activities aimed at training its staff in the field of information security, as well as at disseminating the PSI and its implementing rules.

For these purposes, training activities in this field must be included within the Ministry's Training Plans.

First additional provision. Permanent update and periodic review of the PSI.

1. This order shall be kept up to date to bring it into line with the progress of Electronic Administration services, technological developments and the development of the information society, as well as with international security standards.

2. Proposals for successive revisions of the PSI will be made by the Committee.

Second additional provision. No increase in public spending.

The application of this order shall not entail an increase in public spending. The measures included in this order shall not, in any event, result in an increase in appropriations, remuneration or other staff expenditure.

First final provision. Duty of collaboration of the Department's bodies.

All the organs and units of the Department and its public bodies will assist in the implementation of the PSI approved by this order.

Second final provision. Publicity of the PSI.

This order will be published, in addition to the "Official State Gazette", in each of the electronic headquarters of the Ministry of Health, Social Services and Equality.

Third final provision. Entry into force.

This order shall enter into force on the day following that of its publication in the "Official State Gazette".

Madrid, 26 February 2014. The Minister of Health, Social Services and Equality, Ana Mato Adrover.

ANNEX

General guidelines for the establishment of a framework for the control of information security and for the determination of the necessary security control objectives, based on the international standard ISO/IEC 27002:2005

Asset management:

• An appropriate level of protection should be achieved and maintained on the Ministry's assets, with particular attention to those containing personal data.

• All information assets shall have an owner, who is assigned responsibility for maintaining appropriate controls. Implementation of specific controls may be delegated by the owner as deemed appropriate, but responsibility for the proper protection of the assets remains with the owner.

• All information must be inventoried and classified according to established levels based on their sensitivity and criticality.

• Standards for acceptable use of assets (email, Internet, mobile devices, paper documentation, etc.) will be defined.

Human resource-related security:

• It shall be ensured that employees, contractors and third parties understand their responsibilities and are suited to their assigned roles, in order to reduce the risk of theft, fraud or misuse of facilities.

• All staff with access to information must be aware of the threats to information security and of their responsibilities and obligations (with particular attention to the requirements of the rules on the protection of personal data), and be prepared to apply the security policy and standards in the course of their usual work.

• It shall be ensured that any departure of Organisation personnel (or change of position) is carried out in a managed manner, with timely communications, control of the return of assets and withdrawal of the access rights granted.

Physical and environment security:

• Information and the systems that support it shall be located in areas adequately protected against physical or environmental threats, whether intentional or accidental. The protection provided must always be proportional to the risk and to the criticality of the information, with particular attention to the security of personal data. Sufficient physical security guarantees shall be established to reduce the risk of data damage or loss.

• Information and information processing facilities must be protected against the disclosure, modification or theft of information, as well as unauthorized physical access, with the implementation of controls to minimize loss or damage.

• There shall be an emergency and building evacuation plan for cases of physical or environmental threat, the primary objective of which is the protection of individuals.

Communications and operations management:

• The correct and secure operation of information processing resources shall be ensured, establishing the responsibilities and procedures for the management and operation of all information resources, including their documentation.

• Segregation of duties shall be implemented where appropriate, to reduce the risk of negligent or intentional misuse.

• An appropriate level of information security and of service levels, in line with the agreements signed with third parties, shall be implemented and maintained.

• Compliance with agreements shall be verified, managing the necessary changes to ensure that the delivered services meet all the requirements agreed with the third party.

• In order to minimise the risk of system failures, studies of future capacity requirements shall be conducted to reduce the risk of system overload and to ensure capacity availability. The operational requirements of new systems must be established, documented and tested in advance.

• Appropriate mechanisms for the control of malicious software shall be in place, paying particular attention to user awareness of the dangers of unauthorised and malicious software.

• The procedures needed to ensure the integrity and availability of information and information processing resources shall be created. Routine data backup procedures shall be established, and the copies verified, so that restoration from them is possible.

• The security management of networks crossing the Ministry's perimeter will require the introduction of additional controls and measures to protect sensitive data circulating through public networks.

• Information storage media will be physically controlled and protected by establishing appropriate operating procedures to prevent unauthorized disclosure, modification, disposal, or destruction.

• The exchange of information and software between organisations will be monitored, being consistent with applicable law. There will also be procedures to ensure the protection of information and means in transit.

• Information stored on publicly accessible systems shall be protected in order to preserve its integrity and availability.

Access control:

• Procedures for control of access to information systems should cover all stages of the life cycle of a user's access, giving specific attention to access to information systems that contain personal data. Unauthorized access to information systems and services should be avoided by implementing appropriate controls for the management of user rights based on an access control policy.

• Users will be aware of their responsibilities in maintaining access control measures, particularly in the use of credentials and in the security of their regular equipment.

• Access to information and processing resources shall be granted on the basis of the minimum access users require to perform their duties.

• Access to information must be monitored in order to verify the effectiveness of the controls adopted and to detect deviations from the access control policy.

• Information security should be ensured in the use of mobile devices and remote work facilities. The protection required shall be proportionate to the risk involved in the mode of work.

Acquisition, development, and maintenance of information systems:

• Security shall be an integral part of information systems. To this end, security requirements shall be identified, justified, agreed and documented during the project requirements phase, considering them from the early stages of the systems' life cycle.

• Proper processing in applications must be ensured, avoiding errors, loss, unauthorised modification or misuse of information in applications, by introducing data validation controls, auditing and the required activity records.

• When information is critical, it shall be protected by cryptographic means, covered by an internal policy governing the use of such controls.

• Project and support environments shall be strictly controlled. The owners of application systems shall also be responsible for the security of those systems, ensuring that all proposed changes are reviewed to verify that they do not compromise system security.

• Security of system files and source code for applications will be ensured, preventing unauthorized access and modification.

• Mechanisms will be implemented to reduce the risk resulting from the likelihood of exploitation of technical vulnerabilities, while maintaining the security of applications and programs.

• The security of information systems will ensure in any event full respect for the guarantees determined by the regulations on personal data.

Information security incident management:

• Means shall be available to ensure that events affecting information security and weaknesses associated with systems (especially those involving personal data) are communicated in such a way that the corresponding corrective actions are implemented in a timely and appropriate manner.

• There must be formal procedures for the communication and escalation of incidents. All workers, contractors and third parties shall be required to know the established procedures and shall be obliged to report incidents to the designated contact.

• Responsibilities and procedures shall exist to deal with such incidents, with a continuous improvement process for the reaction to, monitoring, evaluation and overall management of these incidents. Where evidence is required, it shall be collected so as to meet the applicable legal requirements.

Managing business continuity:

• A business continuity management process should be implemented to ensure the protection of the Ministry's critical services, with particular attention to those affecting personal data, as well as its recovery in the time required after a major disaster or failure of the information systems.

• The continuation of the Ministry's critical activities shall be supported by the existence of a crisis management group with sufficient decision-making capacity, and by adequate preventive and recovery controls to reduce system failures to an acceptable level.

• Business continuity management should include, in addition to the overall risk assessment process, controls to identify and reduce risks, limit the consequences of harmful incidents and ensure that the information required for services is available.

• Business continuity plans should be regularly tested and updated to ensure they are up to date and effective.

Compliance:

• Any breach of the law or of any legal, regulatory, contractual or security requirement in relation to the design, operation, use and administration of information and processing systems shall be avoided. The applicable rules on the protection of personal data shall be observed in particular.

• In order to achieve the conformity of systems with the Ministry's security policies and standards, regular reviews and audits of information systems shall be carried out against the appropriate security policies, to determine the extent of implementation and compliance, with particular regard to the applicable rules on the protection of personal data.