
Order INT/2213/2013, of 19 November, approving the information security policy in the field of electronic administration of the Ministry of the Interior.

Original Language Title: Orden INT/2213/2013, de 19 de noviembre, por la que se aprueba la política de seguridad de la información en el ámbito de la administración electrónica del Ministerio del Interior.


TEXT

Law 11/2007, of 22 June, on electronic access of citizens to Public Services, includes among its aims the creation of the conditions of trust in the use of electronic means, by establishing the measures necessary to preserve the integrity of fundamental rights, in particular those relating to privacy and the protection of personal data, through the security of systems, data, communications and electronic services.

Article 42 of Law 11/2007, of 22 June, created the National Security Scheme (ENS), whose purpose is to establish the principles and requirements of a security policy for the use of electronic means that enables the appropriate protection of information.

In compliance with that Law, Royal Decree 3/2010, of 8 January, regulated the ENS in the field of electronic administration, in order to establish confidence that information systems will provide their services and safeguard information in accordance with their functional specifications, without interruptions or uncontrolled modifications, and without the information coming to the knowledge of unauthorised persons.

Royal Decree 3/2010, of 8 January, sets out the basic principles of information security (comprehensive security, risk management, prevention, reaction and recovery, lines of defence, periodic reassessment and segregation of duties) and establishes the regulatory framework of the Information Security Policy (PSI). The PSI is embodied in a document, accessible to and understandable by all members of the organisation, which defines what information security means for that organisation and governs how it manages and protects the information and services it considers critical. The Royal Decree provides that:

1. All senior bodies of the General State Administration must have a formal security policy, approved by the head of the senior body concerned.

2. Security must be a commitment of all members of the organisation. The security policy must identify clear responsibility for ensuring compliance and must be known to all members of the administrative organisation.

3. The minimum content of the PSI must clearly specify the objectives or tasks of the organization, the legal and regulatory framework in which it develops its activities, the roles or functions of security, defining for each its duties and responsibilities, as well as the procedure for their designation and renewal, the structure of the committee for the management and coordination of security, detailing their area of responsibility, their members and their relationship with other elements of the organization, and guidelines for structuring the system security documentation, its management and access.

4. In addition, the PSI must be consistent with the provisions of the Security Document required by Article 88 of the Implementing Regulation of the Organic Law 15/1999 of 13 December on the Protection of Personal Data, approved by the Royal Decree 1720/2007 of 21 December, as appropriate, prevailing as regards the protection of personal data in the event of discrepancies.

5. The CCN-STIC guides, chiefly CCN-STIC 001, 201, 402, 801 and 805, developed by the National Intelligence Centre (CNI), serve as a reference for drawing up the PSI: they set out general guidelines on the security organisation and its responsible persons, as well as on the minimum structure and content of the PSI.

This ministerial order has been reported on by the Ministerial Committee for Electronic Administration and by the Department's Board of Directors.

By virtue thereof, with the prior approval of the Minister of Finance and Public Administrations, I hereby order:

Article 1. Object and scope of application.

1. The purpose of this order is the adoption of the Information Security Policy (hereinafter the PSI) in the field of electronic administration of the Ministry of the Interior, as well as the establishment of its organisational and technological framework.

The PSI will be further developed at other regulatory levels, detailing the particular aspects involved in managing the security of the information systems that support the electronic services provided by the Ministry of the Interior to the citizens with whom it interacts.

2. The basic principles and minimum requirements set out in Royal Decree 3/2010, of 8 January, regulating the National Security Scheme (hereinafter the ENS) in the field of electronic administration, shall apply in a manner proportionate to the general interest, nature and complexity of the subject matter, allowing adequate protection of information and services.

3. The PSI shall apply to the information systems and assets used by the Ministry of the Interior in providing electronic administration services within the framework of its powers. Compliance with the PSI is likewise mandatory for all personnel with access to the information systems of the Department, regardless of their posting, attachment or employment relationship.

4. Likewise, it shall be mandatory for all organs and units of the Ministry of the Interior, as well as for the public bodies dependent on it.

5. The Directorate Centres are empowered to extend the scope of the PSI progressively to information systems outside electronic administration within their areas of competence.

Article 2. Mission of the Department.

The mission of the Ministry of the Interior is that set out in Royal Decree 400/2012, of 17 February, which develops its basic organic structure.

Article 3. Regulatory framework.

1. The regulatory framework in which the activities of the Ministry of the Interior are carried out includes the sectoral legislation regulating the performance of the senior and managerial bodies of the Ministry and its public bodies, as well as the existing rules on electronic administration.

2. The regulatory framework also comprises the remaining rules applicable to the electronic administration of the Department, derived from the above and published in the electronic offices within the scope of the PSI.

Article 4. Organizational structure of the PSI.

The organisational structure of the PSI in the Ministry of the Interior is composed of the following agents:

a) The Higher Committee for Information Security.

b) The Working Groups for Information Security.

c) The Working Group of Security Officers.

d) The Information Officer.

e) The Service Officer.

f) The Security Officer.

g) The System Manager.

Article 5. The Higher Committee for Information Security.

1. The Higher Committee for Information Security (hereinafter CSSI), constituted as a working group within the Department's Ministerial Committee for Electronic Administration, shall be responsible for coordinating all activities related to the security of information systems within the Ministry of the Interior, and shall carry out the following tasks:

a) Approve proposals for amendment and ongoing updating of the PSI.

b) Oversee and promote compliance with the PSI and its regulatory development.

c) Report on the state of the main security variables of the information systems to the Public Administrations Security Committee, for the preparation of a general profile of the state of security of those systems.

d) Promote continuous improvement in information security management.

e) Promote training and awareness.

f) Resolve any conflicts that may arise between the different responsible persons or between different areas of the organisation, escalating those cases in which it lacks sufficient authority to decide.

2. The CSSI is composed of the following members, each of whom may be replaced by an alternate with a minimum rank of Deputy Director General or equivalent:

a) President: the Under-Secretary of the Interior.

b) Vice-President: the head of the Technical General Secretariat.

c) Members: the heads of the following Directorate Centres:

i. Directorate-General of the Police.

ii. Directorate-General of the Civil Guard.

iii. General Secretariat of Penitentiary Institutions.

iv. Directorate-General for International Relations and Foreign Affairs.

v. Directorate-General for Home Policy.

vi. Directorate-General of Traffic.

vii. Directorate-General for Civil Protection and Emergencies.

viii. Directorate-General for Support to Victims of Terrorism.

ix. Cabinet of the Secretary of State for Security.

d) Secretary: with voice and vote, the Deputy Director General for Information and Communications Technologies of the Under-Secretariat, who shall ensure the direct or delegated execution of the CSSI's decisions, and who shall prepare the matters to be dealt with at meetings, issue the calls to meetings and draw up the minutes.

3. The CSSI shall meet on an ordinary basis, at least once a year. For reasons of urgency, it may meet whenever the Presidency considers it appropriate.

4. The CSSI meetings may involve as many advisors, internal or external, as may be considered appropriate by the Chair.

Article 6. The Working Groups for Information Security.

1. A Working Group for Information Security (GTSI) is hereby established for each of the following Directorate Centres of the Ministry of the Interior with competence in information technology management:

a) Secretariat of State for Security.

b) Under-Secretariat of the Interior.

c) Directorate-General of the Police.

d) Directorate-General of the Civil Guard.

e) General Secretariat of Penitentiary Institutions.

f) Directorate-General of Traffic.

g) Directorate-General for Civil Protection and Emergencies.

h) Autonomous Body for Prison Work and Training for Employment.

2. The GTSI shall perform the following functions, which may be extended within its area of competence:

a) Draw up and approve the second-level rules corresponding to the scope of its Directorate Centre.

b) Oversee and promote compliance with the second-level rules and promote the development of the third regulatory level.

c) Approve the documents identifying the responsible persons in its area of competence, as detailed under the ENS and under Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

d) Approve security improvement plans in its area of competence, according to the available budget.

e) Report on the state of the main security variables of its information systems, for the preparation of a general profile of the Ministry's security status.

f) Promote continuous improvement in information security management in its area of competence.

g) Promote training and awareness in its area of competence.

h) Resolve any conflicts that may arise between the different responsible persons or between different areas of the organisation, escalating those cases in which it lacks sufficient authority to decide.

3. The final composition and functioning of each GTSI shall be determined by the head of the Directorate Centre from among the officials assigned to it, adapted to the structure of the Directorate Centre. It shall be composed of at least the following members:

a) Information Officer.

b) Service Officer.

c) Security Officer.

d) System Manager.

For each Directorate Centre, one or more Information Officers, one or more Service Officers and one or more System Managers may be appointed, according to the organisation of the Directorate Centre; these shall be the heads of the administrative units responsible for managing the information, the services and the computer systems, respectively, within the scope and subject matter of this Order. Those tasks may be entrusted to civil servants of the relevant administrative unit.

The Security Officer of each Directorate Centre shall be designated by the head of the Directorate Centre, consistently with the existing organisational structures for information security and with the duties the designee performs in their usual post.

Article 7. The Working Group of Security Officers.

1. A Working Group of Security Officers (GTRS) is hereby created, directly dependent on the CSSI.

2. The functions of the GTRS are:

a) Draw up proposals for amendment and ongoing updating of the PSI and submit them to the CSSI for approval.

b) Ensure the consistency of the sectoral security policies that affect the Department.

c) Prepare the overall profile of the Ministry's security status, integrating the state of the main security variables of each Directorate Centre, for submission to the CSSI.

d) Coordinate the Department's communication with the National Cryptologic Centre (CCN) in the use of security incident response services, without prejudice to the communications that the Security Officer of each GTSI may make within their own area of competence.

e) Collaborate in the investigation and resolution of information security incidents, both internal and external to the Department.

3. The GTRS is composed of the following members:

a) President: the Deputy Director General for Information and Communications Technologies.

b) Members: the Security Officer of each Directorate Centre.

c) Secretary: an official of the Subdirectorate-General for Information and Communications Technologies.

4. The members of the GTSI may participate in GTRS meetings.

5. The GTRS shall meet on a regular basis at least quarterly. For reasons of urgency, it may meet whenever the Presidency considers it appropriate.

Article 8. The Responsible for Information.

1. In accordance with Articles 10 and 44 of Royal Decree 3/2010, of 8 January, the Information Officer is the person or collegiate body with the power to establish the security requirements of the information or, in ENS terminology, the power to determine the security levels of the information.

2. The functions of the Information Officer are as follows:

a) Determine the security levels of the information processed, assessing the impact of incidents affecting the security of the information.

b) Together with the Service Officers, and with the participation of the Security Officer, carry out the necessary risk analysis and select the safeguards to be implemented.

c) Accept the residual risks with respect to the information, as calculated in the risk analysis.

d) For the determination of the security levels of the information, the Information Officer shall request a report from the Security Officer.

Article 9. The Service Officer.

1. In accordance with Article 10 of Royal Decree 3/2010, of 8 January, the Service Officer is the person or collegiate body with the power to establish the security requirements of the service. The Service Officer determines the security levels of the service in each security dimension, within the framework set out in Annex I of Royal Decree 3/2010, of 8 January.

2. The functions of the Service Officer are as follows:

a) Determine the security levels of the service, assessing the impact of incidents affecting the security of the service.

b) Together with the Information Officers, and with the participation of the Security Officer, carry out the necessary risk analysis and select the safeguards to be implemented.

c) Accept the residual risks with respect to the services, as calculated in the risk analysis.

d) For the determination of the security levels of the service, the Service Officer shall request a report from the Security Officer.

3. The roles of Information Officer and Service Officer may be held by the same person or body. They shall be differentiated when the service handles information from different sources, not necessarily from the same departmental unit as the one providing the service, or when the service does not depend on the unit responsible for the information.

Article 10. The Security Officer.

1. In accordance with Article 10 of Royal Decree 3/2010, of 8 January, the Security Officer is the person who determines the decisions needed to satisfy the security requirements of the information and services.

2. The functions of the Security Officer, within their area of competence, are as follows:

a) Implement the guidelines, strategies and objectives set by the GTSI.

b) Providing advice and support to GTSI.

c) Develop security regulations.

d) Approve the security operating procedures.

e) Maintain security of managed information and electronic services provided by information systems.

f) Conduct or promote periodic audits to verify compliance with information security obligations.

g) Track and control the security status of the information system.

h) Verify that security measures are appropriate for the protection of information and services.

i) Support and monitor the investigation of security incidents from notification to resolution.

j) Develop periodic security reports for GTSI that include the most relevant incidents for each period.

k) Supervise the asset inventory.

3. For each Directorate Centre, a Security Officer shall be appointed from among the officials of the Centre. Where the complexity, distribution or physical separation of its elements, or the number of users of the information systems, so warrants, the head of the Directorate Centre may designate as many delegated security officers as it deems necessary from among the officials of the Centre; these shall depend functionally and directly on the Security Officer and shall be responsible, within their area, for all actions delegated to them.

Article 11. The System Manager.

1. The System Manager is the person who has the responsibility to develop, operate and maintain the Information System throughout its life cycle, its specifications, installation and verification of its proper functioning.

2. The functions of the System Manager are:

a) Define the topology and management system of the information system, setting the criteria for its use and the services available in it.

b) Ensure that the specific security measures are properly integrated within the overall security framework.

c) Agree to suspend the processing of certain information or the provision of a certain service when informed of serious security deficiencies that may affect satisfaction of the established requirements. This decision shall be agreed with the Information Officers and Service Officers concerned and with the Security Officer before it is executed.

Article 12. Conflict resolution.

In the event of conflict between the different responsible persons, it shall be resolved by their hierarchical superior. Failing that, the decision of the CSSI shall prevail.

Article 13. Risk management.

1. Risk management shall be carried out continuously on the information system, in accordance with the principles of risk-based security management (Article 6 of Royal Decree 3/2010, of 8 January) and periodic reassessment (Article 9 of Royal Decree 3/2010, of 8 January).

2. The Information Officers and Service Officers are responsible for the risks to the information and to the services, respectively, and therefore for accepting the residual risks calculated in the analysis, as well as for monitoring and controlling them, without prejudice to the possibility of delegating this task.

3. The selection of the security measures to be applied shall be proposed by each Security Officer to the relevant GTSI.

4. The risk management process, comprising the stages of categorisation of systems, risk analysis and selection of the security measures to be applied, which must be proportionate to the risks and justified, shall be reviewed every year by the Security Officer, who shall report to the relevant GTSI.

Article 14. Normative development of the PSI. Security documentation.

1. The body of information security regulation is binding and shall be developed at three levels, according to scope and level of technical detail, so that each rule at a given level is based on the rules of the level above it. The levels of regulatory development are as follows:

a) First regulatory level: the Information Security Policy and the general security guidelines and standards for the whole Ministry of the Interior.

b) Second regulatory level: Specific Standards for Information Security and ICT Security Standards (STIC Standards). They develop and detail the Information Security Policy, focusing on a particular area or aspect of information security.

c) Third regulatory level: STIC processes and procedures and STIC technical instructions. They are documents that answer, including details of implementation and technology, how a certain task can be performed in compliance with what is exposed in the PSI.

Processes, STIC Procedures, and STIC Technical Instructions for a given scope of action are approved by the corresponding Security Officer.

2. In addition to the documents referred to in paragraph 1, the system's security documentation may, at the discretion of the relevant Security Officer, include other non-binding documents: recommendations, best practices, reports, records, electronic evidence, etc.

3. Each Security Officer shall maintain the updated and organized security documentation, and manage the access mechanisms to it.

4. The GTSI will establish the necessary mechanisms to share documentation derived from regulatory development in order to normalize it, as far as possible, across the scope of the PSI.

Article 15. Protection of personal data.

1. Personal data processed in the provision of the electronic administration services offered by the Ministry of the Interior shall be protected by implementing the security measures provided for in:

(a) Title VIII of the Implementing Regulation of the Organic Law 15/1999 of 13 December on the Protection of Personal Data, approved by Royal Decree 1720/2007 of 21 December.

b) Annex II to Royal Decree 3/2010 of 8 January.

2. For information systems that process personal data in support of the provision of electronic administration services, the more stringent requirements contained in Title VIII of the Implementing Regulation of Organic Law 15/1999, of 13 December, shall prevail.

Article 16. Third parties.

1. When the Ministry of the Interior uses services from, or handles information of, other bodies, those bodies shall be made participants in this Information Security Policy; channels for reporting and coordination between the respective ICT security committees shall be established, as well as procedures for reacting to security incidents.

2. When the Ministry of the Interior provides services or transfers information to third parties, they will be involved in this Policy and the Security Regulations that address these services and information. They will be subject to the obligations set out in that regulation, and may develop their own operational procedures to satisfy it. Specific reporting and incident resolution procedures shall be established and shall ensure that third-party personnel are adequately aware of security.

3. Where any aspect of the PSI cannot be satisfied by a third party as set out in the preceding paragraphs, a report by the Security Officer shall be required to specify the risks and the manner of treatment. This report shall be approved by the persons responsible for the information and services concerned.

Article 17. Awareness and training.

All staff involved with information, services and information systems shall be trained and informed of their duties and obligations in the field of information security. In order to ensure the security of the information technologies applicable to the systems and services of the Ministry of the Interior, the necessary mechanisms for awareness and training shall be put in place, reaching all levels of the organisation.

Sole additional provision. No increase in public spending.

The measures provided for in this order will be met with the material and human resources available to the Ministry of the Interior, so it will not increase any public expenditure.

First final provision. Publicity of the PSI.

This order shall be published, in addition to the "Official State Gazette", in each of the electronic offices of the Ministry of the Interior.

Second final provision. Entry into force.

This order shall enter into force on the day following its publication in the "Official State Gazette".

Madrid, 19 November 2013.-The Minister of the Interior, Jorge Fernández Díaz.