Order AAA/991/2015, of 21 May, approving the information security policy in the field of electronic administration of the Ministry of Agriculture, Food and Environment.

Original Language Title: Orden AAA/991/2015, de 21 de mayo, por la que se aprueba la política de seguridad de la información en el ámbito de la Administración Electrónica del Ministerio de Agricultura, Alimentación y Medio Ambiente.

Read the untranslated law here: http://www.boe.es/buscar/doc.php?id=BOE-A-2015-5937

Law 11/2007, of 22 June, on electronic access of citizens to public services, establishes the relationship between the public administrations and citizens through electronic administration, which consists mainly of information and communications technology systems together with the automated processing and storage that reside in them, and in its article 42 provides for the approval of the National Security Scheme (ENS).

Indeed, this enshrinement of the right to communicate with the administrations by electronic means entails the correlative obligation of those administrations to meet the needs identified in order to guarantee a secure application of these technologies, on the basis of the constitutional mandates to promote the conditions under which freedom and equality are real and effective, removing the obstacles that prevent or hinder their fullness.

In development of that law, Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of electronic administration, was approved; its purpose is to establish the principles and requirements of a security policy for the use of electronic media that allows adequate protection of information.

Article 11 of that Royal Decree requires every governing body of the public administrations to formally have its own security policy, which shall be approved by the head of the corresponding superior body. This security policy is established on the basis of the basic principles set out in Chapter II of that same standard (integral security, risk management, prevention, reaction and recovery, lines of defence, periodic reassessment, and differentiation of functions) and develops a series of minimum requirements set out in article 11.1.

By virtue thereof, with the prior approval of the Minister of Finance and Public Administration, I hereby order:

Article 1. Object and scope of application.

1. The purpose of this order is the approval of the information security policy (PSI) in the field of electronic administration of the Ministry of Agriculture, Food and Environment.

2. The PSI shall be binding on all superior and managerial bodies of the Ministry of Agriculture, Food and Environment, including the public bodies linked to or dependent on the Department that have not established their own security policy. For those bodies that do have their own security policy, that policy shall prevail, in the event of discrepancy, over what is defined in this ministerial order.

3. The PSI shall be mandatory for all personnel who access either the information systems or the information itself managed by the Department, regardless of their destination, affiliation or relationship with it.

Article 2. Principles of information security.

1. principles Basic.

The basic principles are fundamental security guidelines that must always be present in any activity related to the use of information assets. In addition to those provided in article 4 of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of electronic administration, the following are established:

(a) strategic reach: information security has the commitment and support of all management levels, so that it is coordinated and integrated with the rest of the Department's strategic initiatives to form a coherent and effective whole.

(b) proportionality: protection, detection and recovery measures shall be proportional to the potential risks and to the criticality and value of the information and the services affected.

(c) continuous improvement: security measures shall be periodically re-evaluated and updated to adapt their effectiveness to the constant evolution of risks and protection systems. Information security shall be attended to, reviewed and audited by qualified, trained and dedicated personnel.

(d) security by default: systems must be designed and configured so as to guarantee a sufficient level of security by default.

2. particular principles and specific responsibilities.

The basic security guidelines are specified in a set of particular principles and specific responsibilities, which serve as instruments to ensure compliance with the basic principles of the PSI and with the objectives that inspire the Department's actions in this area. The following are established:

(a) information asset management: the Department's information assets shall be inventoried and categorised and shall be associated with a responsible person.

(b) security linked to people: the necessary mechanisms shall be implemented so that any person who accesses or may access information assets knows their responsibilities, thereby reducing the risk derived from improper use of such assets.

(c) physical security: information assets shall be located in secure areas, protected by physical access controls appropriate to their level of criticality. The systems and information assets that such areas contain shall be sufficiently protected against physical or environmental threats.

(d) security in communications and operations management: the procedures necessary to achieve proper management of the security, operation and updating of information and communications technologies shall be established. Information transmitted over communication networks must be adequately protected, taking into account its level of sensitivity and criticality, through mechanisms that guarantee its security.

(e) access control: access to information assets by users, processes and other information systems shall be limited through the implementation of identification, authentication and authorisation mechanisms according to the criticality of each asset. In addition, use of the system shall be logged in order to ensure the traceability of access and to audit its proper use, in accordance with the activity of the organisation.

(f) acquisition, development and maintenance of information systems: information security aspects shall be considered in all phases of the life cycle of information systems, guaranteeing their security by default.

(g) security incident management: appropriate mechanisms shall be implemented for the correct identification, recording and resolution of security incidents.

(h) continuity management: appropriate mechanisms shall be implemented to ensure the availability of information systems and to maintain the continuity of their business processes, in accordance with the service-level needs of their users.

(i) risk management: risk management must be carried out continuously on information systems and shall include an advanced risk analysis that assesses residual risks and proposes appropriate treatments. When carrying out the risk analysis, the recommendations published in the field of public administration shall be taken into account, and in particular the guides drawn up by the Centro Criptológico Nacional.

(j) compliance: technical, organisational and procedural measures shall be adopted for compliance with the rules on information security.

Article 3. Organizational structure.

The organisational structure for the management of information security in the field described by the PSI of the Ministry of Agriculture, Food and Environment is composed of the following agents:

1. the Information Security Steering Committee, with a Technical Committee.

2. the information managers.

3. the service managers.

4. the security managers.

5. the system managers.

Article 4. The Information Security Steering Committee.

1. The Information Security Steering Committee is hereby created, attached to the Undersecretariat of the Ministry of Agriculture, Food and Environment. The Steering Committee shall be composed of the following members:

(a) President: the head of the Undersecretariat of the Ministry of Agriculture, Food and Environment.

(b) Vice-President: the head of the Directorate-General for Services of the Ministry of Agriculture, Food and Environment.

(c) members, who must be of level 30 or equivalent:

1. two representatives of the Environment area, appointed by the head of the superior body.

2. two representatives of the Secretariat, appointed by the head of the superior body.

3. a representative of the General Secretariat of Agriculture and Food.

4. a representative of the General Secretariat of Fisheries.

5. a representative of the State Meteorological Agency (AEMET).

6. a representative of the Spanish Agricultural Guarantee Fund (FEGA).

7. a representative of the Autonomous Agency of National Parks (OAPN).

8. the head of the Subdirectorate-General for Information and Communications Technologies, who shall act as Secretary, with voice and vote.

2. The Steering Committee shall exercise the following functions:

(a) develop the proposals for modification and permanent updating that are made to the PSI.

(b) approve the other first-level security rules defined in article 9.

(c) ensure and promote compliance with the PSI and with its implementing rules.

(d) promote continuous improvement in information security management.

(e) approve the Audit Plan and the Training Plan proposed by the security manager.

(f) resolve any conflicts that may arise from the establishment of the aforementioned organisational structure.

3. The Steering Committee shall meet on an ordinary basis at least once a year, and on an extraordinary basis when its President so decides.

Without prejudice to the holding of such meetings, in accordance with the authorisation contained in the first additional provision of Law 11/2007, of 22 June, on electronic access of citizens to public services, the Committee is empowered to carry out its assigned functions by electronic means, by written vote and without a face-to-face session. In that case, the item or items of the agenda to be discussed and the corresponding documentation shall be sent to all its members by electronic means, within a maximum of seven days from receipt of the request for a report, giving them a minimum period of seven days and a maximum of fifteen to state their position, will or opinion by the same means.

The communications that have taken place, both for the convening of the meeting and for the deliberations and decision-making, shall be incorporated into the minutes drawn up as a record of these meetings.

4. The Steering Committee may request from technical staff, internal or external, any information relevant to its decision-making.

5. Agreements shall be adopted by a majority of the members. In the event of a tie, the President shall have the casting vote.

Article 5. Technical Committee on information security.

1. The Information Security Technical Committee (CTSI) is created on a permanent basis within the Steering Committee, competent to deal with the technical issues that need to be addressed in relation to the PSI and to ensure coordination in the field of information security with the Department as a whole and with other bodies of the General State Administration.

2. The CTSI is composed of the following members:

(a) Presidency: the Deputy Director-General for Information and Communications Technologies.

(b) Vice-Presidency: the Deputy Assistant Director-General for Information and Communications Technologies.

(c) members: the security managers defined in article 7.

(d) Secretariat: an official of at least level 26, belonging to the Subdirectorate-General for Computer Systems and Communications, who shall have voice but no vote.

3. The CTSI shall collaborate with the Steering Committee in the matters entrusted to it and, in particular, shall:

(a) prepare studies, preliminary analyses and proposals for the modification and updating of the PSI.

(b) prepare studies, preliminary analyses and proposals on the second- and third-level security rules defined in article 9.

(c) analyse compliance with the PSI and its implementing rules.

(d) analyse the security measures of the information and of the electronic services provided by the information systems.

(e) study awareness-raising and training activities in the field of security.

(f) coordinate communication with the National Cryptologic Center in the use of security incident response services.

(g) monitor the measures resulting from the analysis and management of the risks to the assets.

4. The CTSI shall meet on an ordinary basis at least twice a year, and on an extraordinary basis when the President of the Steering Committee so decides.

Without prejudice to the holding of such meetings, in accordance with the authorisation contained in the first additional provision of Law 11/2007, of 22 June, on electronic access of citizens to public services, the Committee is empowered to carry out its assigned functions by electronic means, by written vote and without a face-to-face session. In that case, the item or items of the agenda to be discussed and the corresponding documentation shall be sent to all its members by electronic means, within a maximum of seven days from receipt of the request for a report, giving them a minimum period of seven days and a maximum of fifteen to state their position, will or opinion by the same means.

The communications that have taken place, both for the convening of the meeting and for the deliberations and decision-making, shall be incorporated into the minutes drawn up as a record of these meetings.

5. Agreements shall be adopted by a majority of the members. In the event of a tie, the President shall have the casting vote.

Article 6. Information managers and service managers.

1. Information managers and service managers have the authority, within their sphere of action and their competences, to establish the security requirements for the information they handle and the services they provide. If that information includes personal data, the requirements derived from the applicable data protection legislation must also be taken into account.

2. Each superior or managerial body of the Ministry of Agriculture, Food and Environment, as well as each public body dependent on the Department to which this PSI applies in accordance with article 1, shall designate these profiles in accordance with its own internal organisation, without this implying, in any case, any increase in staffing or remuneration.

Article 7. Security managers.

1. In accordance with article 10 of Royal Decree 3/2010, of 8 January, the security manager is the person who determines the decisions needed to satisfy the security requirements of information and services. Each superior or managerial body of the Ministry of Agriculture, Food and Environment, as well as each public body linked to or dependent on the Department to which this PSI applies, shall designate a security manager, without this implying, in any case, any increase in staffing or remuneration.

2. The sphere of action of each security manager shall be limited solely and exclusively to the information systems and the information and communications technology services that are the competence and direct responsibility of the centre to which that security manager belongs.

3. Each security manager, within the scope set out in the previous paragraph, shall:

(a) promote the security of the information managed and of the electronic services provided by the information systems.

(b) draw up the second- and third-level security rules defined in article 9 and ensure and promote compliance with them by the system managers of article 8 and by any other agents of the system.

(c) be responsible for keeping the security documentation organised and up to date, and for managing the mechanisms of access to it.

(d) promote continuous improvement in information security management.

(e) promote training and awareness in matters of information security.

Article 8. System managers.

1. The system manager is the person responsible for developing, operating and maintaining the information system throughout its entire life cycle.

2. Each superior or managerial body of the Ministry of Agriculture, Food and Environment, as well as each public body dependent on the Department to which this PSI applies in accordance with article 1, shall designate this profile, without this implying, in any case, any increase in staffing or remuneration.

Article 9. Structure of information security requirements.

1. The body of binding rules on information security is mandatory and is divided into the following hierarchically related levels:

(a) first level: constituted by the PSI and the general security guidelines applicable to the superior or managerial bodies of the Ministry of Agriculture, Food and Environment to which this PSI applies pursuant to article 1.

(b) second level: consisting of the security rules developed by each superior or managerial body of the Ministry of Agriculture, Food and Environment, as well as by each public body dependent on the Department to which this PSI applies in accordance with article 1.

(c) third level: complementary technical procedures, guides and instructions. These are documents which, in compliance with what is set out in the PSI, determine the actions or tasks to be performed in carrying out a process.

2. Both the second and the third level must:

(a) be limited solely and exclusively to the specific field of competence of each of the bodies or organisations attached to this PSI. That field is defined by the information systems and the information and communications technology services that are provided and managed directly by the body or organisation in question.

(b) comply strictly with what is indicated in the ENS and with the first- and second-level rules set out in this article.

(c) be approved within the scope of each of the above-mentioned bodies or organisations attached to this PSI.

3. In addition to the mandatory elements set out in paragraph 1, each of the bodies or organisations attached to this PSI may, at its discretion and always within the scope of its powers and responsibilities, provide for other documents such as security standards, best practices, technical reports, etc.

4. The personnel of each of the bodies or organisations attached to this PSI shall be obliged to know and comply with, in addition to this PSI, all the general guidelines, rules and information security procedures that may affect their functions.

First additional provision. No increase in public expenditure.

The measures described in this order shall not result in an increase in expenditure and shall be met with the human and material resources available to the Ministry of Agriculture, Food and Environment.

Likewise, attendance at meetings shall not give rise to compensation, remuneration or payment of any kind.

Second additional provision. Duty of collaboration in the implementation of the PSI.

All bodies and units of the Department shall lend their collaboration in the actions to implement the PSI approved by this order.

Third additional provision. Supplementary rules.

The bodies provided for in this order shall be governed, in all other respects, by the provisions of Law 30/1992, of 26 November, on the Legal Regime of Public Administrations and Common Administrative Procedure.

Sole final provision. Publicity of the PSI and entry into force.

1. This order shall enter into force on the day following its publication in the Official State Gazette.

2. This order shall be published in the electronic office of the Ministry of Agriculture, Food and Environment, within whose scope it applies.

Madrid, 21 May 2015. The Minister of Agriculture, Food and Environment, Isabel García Tejerina.