
Order AAA/991/2015, of 21 May, approving the Information Security Policy in the field of the Electronic Administration of the Ministry of Agriculture, Food and Environment.

Original Language Title: Orden AAA/991/2015, de 21 de mayo, por la que se aprueba la política de seguridad de la información en el ámbito de la Administración Electrónica del Ministerio de Agricultura, Alimentación y Medio Ambiente.


Law 11/2007, of 22 June, on electronic access of citizens to Public Services, establishes the relationship between the Public Administration and citizens through the Electronic Administration, comprising in particular the information and communications technology systems as well as the processing and automated storage of the information they contain, and provides, in Article 42, for the approval of the National Security Scheme (ENS).

This consecration of the right to communicate by electronic means entails the correlative obligation of the Administrations to attend to whatever needs are required to ensure a secure application of these technologies, on the basis of the constitutional mandates to promote the conditions under which freedom and equality are real and effective and to remove the obstacles that impede or hinder their fullness.

In development of that law, Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of the Electronic Administration, aims to establish the principles and requirements of a security policy for the use of electronic means that enables the appropriate protection of information.

Article 11 of that royal decree requires all higher organs of the public administrations to have a formal security policy, to be approved by the head of the corresponding higher body. This security policy shall be established on the basis of the basic principles set out in Chapter II of the standard (comprehensive security, risk management, prevention, reaction and recovery, lines of defence, periodic reassessment, and differentiation of functions) and shall develop a series of minimum requirements set out in Article 11.1.

By virtue thereof, with the prior approval of the Minister of Finance and Public Administrations, I hereby order:

Article 1. Object and scope of application.

1. The object of this order is the approval of the Information Security Policy (PSI) in the field of the Electronic Administration of the Ministry of Agriculture, Food and Environment.

2. The PSI shall be binding on all higher and executive organs of the Ministry of Agriculture, Food and the Environment, including the public bodies linked to or dependent on the Department that do not have a security policy of their own. In those bodies that have their own security policy, that policy shall prevail in case of discrepancy with the provisions of this ministerial order.

3. The PSI shall be binding on all staff who access the information systems and the information managed by the Department, regardless of their posting, affiliation or relationship with it.

Article 2. Principles of information security.

1. Basic principles.

Basic principles are the fundamental security guidelines that must always be present in any activity related to the use of information assets. In addition to those provided for in Article 4 of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of the Electronic Administration, the following are established:

a) Strategic scope: information security has the commitment and support of all management levels, in a manner coordinated and integrated with the Department's other strategic initiatives so as to form a coherent and effective whole.

b) Proportionality: the protection, detection and recovery measures established shall be proportionate to the potential risks and to the criticality and value of the information and services concerned.

c) Continuous improvement: security measures shall be reassessed and updated regularly to keep their effectiveness in line with the constant evolution of risks and protection systems. Information security shall be addressed, reviewed and audited by qualified, trained and dedicated staff.

d) Security by default: systems must be designed and configured so as to ensure a sufficient degree of security by default.

2. Particular principles and specific responsibilities.

The fundamental security guidelines are given concrete form in a set of particular principles and specific responsibilities, which are set as instrumental objectives that guarantee compliance with the basic principles. The following are established:

a) Information asset management: the Department's information assets shall be inventoried, categorised and assigned to a responsible person.

b) Security linked to people: the necessary mechanisms shall be put in place so that any person who accesses or may access information assets knows their responsibilities, thereby reducing the risk arising from improper use of such assets.

c) Physical security: information assets shall be deployed in secure areas, protected by physical access controls appropriate to their level of criticality. The systems and information assets contained in those areas shall be sufficiently protected against physical and environmental threats.

d) Security in the management of communications and operations: the procedures necessary for adequate management of the security, operation and updating of information and communications technologies shall be established. Information transmitted over communications networks shall be adequately protected, taking into account its level of sensitivity and criticality, by mechanisms that ensure its security.

e) Access control: access to information assets by users, processes and other information systems shall be limited by implementing identification, authentication and authorisation mechanisms in accordance with the criticality of each asset. In addition, use of the system shall be recorded in order to ensure the traceability of access and to audit its proper use, in accordance with the activity of the organisation.

f) Acquisition, development and maintenance of information systems: information security aspects shall be considered at all stages of the life cycle of information systems, ensuring their security by default.

g) Security incident management: appropriate mechanisms shall be put in place for the correct identification, recording and resolution of security incidents.

h) Continuity management: appropriate mechanisms shall be put in place to ensure the availability of information systems and maintain the continuity of their business processes, according to the service needs of their users.

i) Risk management: it shall be carried out continuously on information systems and shall provide for an advanced risk analysis that assesses residual risks and proposes appropriate treatments. The risk analysis shall take into account the recommendations published for the Public Administration and in particular the guidelines developed by the National Cryptologic Centre (CCN).

j) Compliance: the technical, organisational and procedural measures necessary for compliance with information security regulations shall be adopted.

Article 3. Organizational structure.

The organisational structure for the management of information security in the scope described by the PSI of the Ministry of Agriculture, Food and Environment is composed of the following agents:

1. The Information Security Management Committee, with a Technical Committee.

2. The Information Officers.

3. The Service Officers.

4. The Security Officers.

5. The System Officers.

Article 4. The Information Security Management Committee.

1. The Information Security Management Committee (CDSI) is set up, attached to the Undersecretariat of the Ministry of Agriculture, Food and Environment. The CDSI shall be composed of the following members:

a) President: the Undersecretary of the Ministry of Agriculture, Food and Environment.

b) Vice-President: the head of the Directorate-General for Services of the Ministry of Agriculture, Food and the Environment.

c) Members, who must hold a level 30 or equivalent post:

1. Two representatives of the Secretary of State for the Environment, appointed by the head of that higher body.

2. Two representatives of the Undersecretariat, appointed by the head of that higher body.

3. A representative of the General Secretariat of Agriculture and Food.

4. A representative of the General Secretariat for Fisheries.

5. A representative of the State Agency of Meteorology (AEMET).

6. A representative of the Spanish Agrarian Guarantee Fund (FEGA).

7. A representative of the Autonomous Agency (APO).

8. The head of the Subdirectorate General for Information and Communications Technologies, who shall act as Secretary, with voice and vote.

2. The CDSI shall perform the following functions:

a) Carry out the ongoing updating of the PSI and process the proposals for its modification.

b) Approve the remaining first-level security regulations defined in Article 9.

c) Ensure and promote compliance with the PSI and its regulatory development.

d) Promote continuous improvement in information security management.

e) Approve the Audit Plan and Training Plan proposed by the Security Officer.

f) Resolve any conflicts that may arise from the establishment of this organisational structure.

3. The CDSI shall meet on an ordinary basis at least once a year, and on an extraordinary basis when decided by its President.

Without prejudice to the holding of such face-to-face meetings, in accordance with the authorisation contained in the additional provision of Law 11/2007, of 22 June, on electronic access of citizens to Public Services, the Committee is empowered to carry out the functions assigned to it by electronic means, through written, non-face-to-face voting. In that case, the agenda item or items to be discussed and the corresponding documentation shall be sent to all members by electronic means within a maximum of seven days after the request for a report is received, giving them a minimum of seven days and a maximum of fifteen to express, by the same means, their position, will or opinion.

The minutes drawn up as a record of these meetings shall incorporate the communications that took place, both for the convening of the meeting and for the deliberations and the adoption of decisions.

4. The CDSI may obtain from its own or external technical staff the information relevant to its decision-making.

5. Decisions shall be adopted by a majority of the members. In the event of a tie, the President shall have the casting vote.

Article 5. Technical Committee on Information Security.

1. The Technical Committee on Information Security (CTSI) is established within the CDSI on a permanent basis. It is competent to deal with the technical issues arising in relation to the PSI and to ensure coordination in information security matters across the Department as a whole and with other bodies of the General State Administration.

2. The CTSI shall be composed of the following members:

a) Presidency: the Deputy Director General of Information and Communications Technologies.

b) Vice-Presidency: Deputy Director-General for Information and Communications Technologies.

c) Members: the Security Officers defined in Article 7.

d) Secretary: an official of at least level 26, belonging to the Subdirectorate General of Computer Systems and Communications, who shall have voice but no vote.

3. The CTSI shall collaborate with the CDSI on the matters the latter entrusts to it and, in particular, shall be responsible for:

a) Preparing studies, preliminary analyses and proposals for modifying and updating the PSI.

b) Preparing studies, preliminary analyses and proposals on the second- and third-level security regulations defined in Article 9.

c) Analysing compliance with the PSI and its regulatory development.

d) Analysing the security measures of the information and electronic services provided by information systems.

e) Studying security awareness and training activities.

f) Coordinating communication with the National Cryptologic Centre (CCN) on the use of security incident response services.

g) Monitoring the measures resulting from asset risk analysis and management.

4. The CTSI shall meet on an ordinary basis at least twice a year, and on an extraordinary basis when the President of the CDSI so decides.

Without prejudice to the holding of such face-to-face meetings, in accordance with the authorisation contained in the additional provision of Law 11/2007, of 22 June, on electronic access of citizens to Public Services, the Committee is empowered to carry out the tasks assigned to it by electronic means, through written, non-face-to-face voting. In that case, the agenda item or items to be discussed and the corresponding documentation shall be sent to all members by electronic means within a maximum of seven days after the request for a report is received, giving them a minimum of seven days and a maximum of fifteen to express, by the same means, their position, will or opinion.

The minutes drawn up as a record of these meetings shall incorporate the communications that took place, both for the convening of the meeting and for the deliberations and the adoption of decisions.

5. Decisions shall be adopted by a majority of the members. In the event of a tie, the President shall have the casting vote.

Article 6. Those responsible for the information and those responsible for the service.

1. Those responsible for the information and those responsible for the service have the power, within their scope of action and their competences, to lay down the security requirements for the information they handle and the services they provide. If that information includes personal data, the requirements arising from the applicable data protection legislation shall also be taken into account.

2. Each higher or executive body of the Ministry of Agriculture, Food and the Environment, and each public body dependent on the Department to which this PSI applies in accordance with Article 1, shall designate these profiles in accordance with its own internal organisation, without this entailing, under any circumstances, an increase in appropriations or in the remuneration of such staff.

Article 7. The security officers.

1. In accordance with Article 10 of Royal Decree 3/2010, of 8 January, the person responsible for security is the person who determines the decisions needed to satisfy the security requirements of the information and services. Each higher or executive body of the Ministry of Agriculture, Food and the Environment, and each public body linked to or dependent on the Department to which this PSI applies, shall appoint a Security Officer, without this entailing, under any circumstances, an increase in appropriations or in the remuneration of such staff.

2. The scope of action of each Security Officer shall be limited solely and exclusively to the information and communications technology systems under the direct responsibility of the centre for which that person is the Security Officer.

3. Within the scope of action set out in the previous paragraph, each Security Officer shall be responsible for:

a) Promoting the security of the information managed and of the electronic services provided by information systems.

b) Developing the second- and third-level security regulations defined in Article 9 and ensuring that they are implemented by the System Officers of Article 8 and by any other agent of the system.

c) Ensuring that the security documentation is maintained and kept up to date, and managing the mechanisms for access to it.

d) Promoting continuous improvement in information security management.

e) Promoting information security awareness and training.

Article 8. Those responsible for the system.

1. The person responsible for the system is the person in charge of developing, operating and maintaining the information system throughout its life cycle.

2. Each higher or executive body of the Ministry of Agriculture, Food and the Environment, and each public body linked to or dependent on the Department to which this PSI applies pursuant to Article 1, shall designate this profile, without this entailing, in any event, an increase in appropriations or in the remuneration of such staff.

Article 9. Structure of information security requirements.

1. The body of information security prescriptions is mandatory and is structured in the following hierarchically related levels:

a) First level: constituted by the PSI and the general security guidelines applicable to the higher or executive bodies of the Ministry of Agriculture, Food and the Environment to which this PSI applies in accordance with Article 1.

b) Second level: constituted by the security standards developed by each higher or executive body of the Ministry of Agriculture, Food and Environment and by each public body dependent on the Department to which this PSI applies in accordance with Article 1.

c) Third level: complementary procedures, guidelines and technical instructions. These are documents which, in accordance with the PSI, determine the actions or tasks to be performed in carrying out a process.

2. Both the second and the third level must:

a) Be limited solely and exclusively to the specific scope of competence of each of the organs or bodies attached to this PSI. That scope shall be determined by the information and communications technology systems and services provided and managed directly by that organ or body.

b) Strictly comply with the requirements of the ENS and with the first and second regulatory levels set out in this Article.

c) Be approved within the scope of each of the aforementioned organs or bodies attached to this PSI.

3. In addition to the mandatory elements set out in paragraph 1, each of the organs or bodies attached to this PSI may, at its discretion and always within the scope of its competences and responsibilities, have other documents such as security standards, best practices, technical reports, etc.

4. The staff of each of the organs or bodies attached to this PSI shall be required to know and comply with, in addition to this PSI, all general information security guidelines, rules and procedures that may affect their functions.

First additional provision. No increase in public spending.

The measures described in this order shall not increase spending, and shall be met with the material and human resources available to the Ministry of Agriculture, Food and the Environment.

Likewise, attendance at meetings shall not give rise to compensation, remuneration or payment of any kind.

Second additional provision. Duty of collaboration in the implementation of the PSI.

All organs and units of the Department shall collaborate in the actions to implement the PSI approved by this order.

Third additional provision. Supplementary rules.

In all other respects, the organs provided for in this order shall be governed by the provisions of Law 30/1992, of 26 November, on the Legal Regime of Public Administrations and the Common Administrative Procedure.

Single final provision. Publication of the PSI and entry into force.

1. This order shall enter into force on the day following its publication in the Official State Gazette.

2. This order shall be published in the electronic office (sede electrónica) of the Ministry of Agriculture, Food and Environment within its scope of application.

Madrid, 21 May 2015. The Minister of Agriculture, Food and Environment, Isabel García Tejerina.