
Resolution Of 1St December 2014, Of Puertos Del Estado, Which Publishes The One Of November 6, 2014, Which Approves The Policy Of Information Security.

Original Language Title: Resolución de 1 de diciembre de 2014, de Puertos del Estado, por la que se publica la de 6 de noviembre de 2014, por la que se aprueba la Política de Seguridad de la Información.

TEXT

On November 6, 2014, this Presidency resolved to approve the State Ports Information Security Policy.

Accordingly, publication of that resolution in the "Official State Gazette" is hereby ordered; it is attached as an Annex to this resolution.

Madrid, 1 December 2014.-President of Ports of the State, José Llorca Ortega.

ANNEX

Resolution approving the State Ports Information Security Policy.

In accordance with Royal Decree 3/2010 of 8 January, regulating the National Security Scheme in the field of Electronic Administration, and pursuant to the powers conferred by Article 22.2.d) of the Consolidated Text of the Law on State Ports and the Merchant Navy, approved by Royal Legislative Decree 2/2011 of 5 September, I resolve to approve the Puertos del Estado Information Security Policy, in the terms set out in the document annexed to this resolution.

INFORMATION SECURITY POLICY

(October 2014)

Index

Chapter I. State Ports Information Security Policy.

Article 1. Object and scope of application.

Article 2. Mission.

Article 3. Reference legislation and regulatory framework.

Article 4. Principles of information security.

Chapter II. Organization of the Security of Information.

Article 5. Information security management committee.

Chapter III. Security roles and responsibilities.

Article 6. Responsible for the information.

Article 7. Responsible for the services.

Article 8. Responsible for security of information.

Article 9. Responsible for the information systems.

Article 10. Administrators of the security of information systems.

Article 11. Conflict resolution.

Article 12. Staff obligations.

Chapter IV. Specialist security advice.

Article 13. Specialist advice.

Article 14. Cooperation between bodies and other public administrations.

Article 15. Independent review of information security.

Chapter V. Data protection, training, and management.

Article 16. Processing of personal data.

Article 17. Training and awareness-raising.

Article 18. Analysis and risk management of information systems.

Chapter VI. Regulatory Structure.

Article 19. Structure of the security documentation.

Article 20. First level: Security policy.

Article 21. Second level: Regulations and security procedures.

Article 22. Third Level: Technical security procedures.

Article 23. Fourth Level: Reports, records and electronic evidence.

Article 24. Other documentation.

Sole additional provision. No increase in public expenditure.

First final provision. Publicity of the Security Policy.

Second final provision. Entry into force.

CHAPTER I

State Ports Information Security Policy

Law 11/2007 of 22 June, on electronic access of citizens to Public Services, lists among its aims the creation of conditions of trust in the use of electronic means, and to that end establishes the measures necessary to preserve the integrity of fundamental rights, in particular those relating to privacy and the protection of personal data, by guaranteeing the security of systems, data, communications and electronic services. Those measures have been developed by Royal Decree 3/2010 of 8 January, regulating the National Security Scheme (ENS) in the field of Electronic Administration. Furthermore, the information processed in the electronic systems covered by the ENS shall be protected taking into account the criteria set out in Organic Law 15/1999 of 13 December on the Protection of Personal Data.

The ENS, for its part, establishes the regulatory framework for the Information Security Policy, which takes the form of a document, accessible to and understandable by all members of the organization, that defines what information security means in that organization and governs how it manages and protects the information and services it considers critical. The Security Policy must conform to the requirements of the ENS, which states that every higher body of the Public Administrations must formally have an Information Security Policy approved by the competent higher body.

By virtue of the above, the State Ports Information Security Policy shall be governed by the following rules:

Article 1. Object and scope of application.

1. The object of this Resolution is the approval of the Information Security Policy (hereinafter, the Security Policy) of the public body Puertos del Estado, and the establishment of its organizational and technological framework.

2. Security shall be understood as an integral process made up of all the technical, human, material and organizational elements related to the information systems, excluding any ad hoc or one-off treatment.

3. It must be known and complied with by all Puertos del Estado personnel, regardless of their post, position or responsibility within the Agency.

Article 2. Mission.

Puertos del Estado holds the powers and functions established in Articles 17 and 18 of the Consolidated Text of the Law on State Ports and the Merchant Navy, approved by Royal Legislative Decree 2/2011 of 5 September.

Article 3. Reference legislation and regulatory framework.

-Law 11/2007, of June 22, of electronic access of citizens to Public Services.

-Royal Decree 1671/2009 of 6 November, partially implementing Law 11/2007 of 22 June, on electronic access of citizens to Public Services.

-Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.

-Royal Decree 4/2010 of 8 January, which regulates the National Interoperability Scheme in the field of Electronic Administration.

-Organic Law 15/1999 of 13 December on the Protection of Personal Data.

-Royal Decree 1720/2007 of 21 December, approving the Regulation implementing Organic Law 15/1999 of 13 December on the Protection of Personal Data.

-Law 30/1992, of November 26, of Legal Regime of Public Administrations and Common Administrative Procedure.

-Law 59/2003 of 19 December on electronic signature.

-Royal Decree 1553/2005 of 23 December 2005 on the national identity document and its electronic signature certificates.

Article 4. Principles of Information Security.

The principles that make up the Information Security Policy are as follows:

-The information that Puertos del Estado holds and processes is of great value both to the Agency itself and to citizens, so it is essential to protect it.

-Information must be protected against unauthorized access and alteration, preserving its confidentiality and integrity.

-Information must be available, permitting authorized access whenever it is required.

-Information security is everyone's responsibility. All persons with access to Puertos del Estado information must protect it, and must therefore be suitably trained and made aware.

-Information security is not static; it must be continuously monitored and periodically reviewed.

-Information concerning the persons and citizens who deal with Puertos del Estado belongs to them and not to the Administration, in accordance with personal data protection regulations.

-All assets (infrastructure, media, systems, communications, etc.) on which information is stored, transmitted or processed must be adequately protected.

-The security measures implemented must be proportionate to the criticality of the information they protect and to the damage or loss that could result. The security measures required by the National Security Scheme, and the CCN-STIC guides produced by the National Cryptologic Centre (CCN), shall be followed at all times.

-The processing of personal data must always comply with the legislation in force at the time, in particular Organic Law 15/1999 on the Protection of Personal Data and Royal Decree 1720/2007, approving the Regulation implementing Organic Law 15/1999 on the Protection of Personal Data.

CHAPTER II

Organization of Information Security

Article 5. Information Security Management Committee.

1. For the management of information security, the Information Security Management Committee (hereinafter, the Security Committee) is hereby established within the scope of this Security Policy. It is a multidisciplinary team that coordinates the security activities and controls established at Puertos del Estado and ensures compliance with the internal and external regulations in force on personal data protection and security. It is responsible for driving the implementation of this Security Policy.

2. The Security Committee shall be composed of the following members:

a) President: Rolando Lago Cuervo.

b) Secretary: Gabriel Argüelles Pintos.

c) Member: Sebastian Espinar Cerrejon.

d) Member: Celia Tamarit de Castro.

e) Member: Jaime Luezas Alvarado.

f) Member: Alvaro Sanchez Manzanares.

3. The Security Committee shall meet in ordinary session at least once every three months, and may meet in extraordinary session, at shorter intervals, for reasons of urgency and justified cause.

4. The Secretary of the Security Committee shall draw up minutes of its meetings.

5. The meetings of the Security Committee may be attended, as advisers, by such persons as its President deems relevant in each case.

6. The following are the functions of the Security Committee:

a) Identify the objectives of State Ports in the field of Information Security.

b) Develop the Security Policy, establish the criteria for its review, review it, distribute it, and ensure compliance.

c) Promote and support action plans and initiatives to ensure the implementation of the State Ports Security Policy.

d) Establish the security requirements, at the organizational, technical and control levels, to be met by Puertos del Estado systems and services.

e) Ensure that security forms part of the information management planning process and is treated as an integral process made up of all the technical, human, material and organizational elements related to the information systems.

f) Approve appointments to information security roles and responsibilities.

g) Assess the degree of compliance of the procedures implemented at Puertos del Estado with the rules defined in the Policy, establishing improvement plans for those that require modification in order to comply.

h) Monitor security regulations and procedures that are defined to enforce and develop Security Policy.

i) Agree and approve specific methodologies and processes relating to Information Security.

j) Verify that all actions carried out on Security are compatible or supported by the Security Policy.

k) Promote periodic audits to verify compliance with security obligations.

l) Promote Information Security Training and Awareness to all staff.

m) Maintain regular contacts with groups, other entities, bodies, forums, etc. that are of interest in the field of Information Security, sharing experiences and knowledge that will help to improve and maintain the security of the State Ports systems.

n) Assess and evaluate the resources required to support the process of planning and implementing security at Puertos del Estado.

CHAPTER III

Security roles and responsibilities

Article 6. Responsible for Information.

1. Responsible for classifying the information according to the criteria and categories established in the ENS and in each of the known and applicable security dimensions (availability, authenticity, traceability, confidentiality and integrity), within the framework set out in Annex I of the ENS.

2. Together with the Service Officers, and with the participation and advice of the Security Officer and the Information Systems Officer, they are responsible for carrying out the necessary risk analysis and selecting the safeguards to be implemented.

3. Together with the Service Officers, they are responsible for accepting the residual risks calculated in the risk analysis, and for monitoring and controlling them, without prejudice to the possibility of delegating this task.

4. This responsibility shall lie with the head of the administrative body or unit that manages each administrative procedure, and the same person may hold responsibility for the information across all procedures.

5. Where Information Officers cannot be appointed as individual persons, the responsibility shall be assigned to the Security Committee.

Article 7. Services responsible.

1. Responsible for determining the security levels of the services in each of the known and applicable security dimensions (availability, authenticity, traceability, confidentiality and integrity), within the framework set out in Annex I of the ENS.

2. This responsibility shall lie with the holder of the body managing each service.

3. Together with the Information Officers, and with the participation and advice of the Information Security Officer and the Information Systems Officers, they are responsible for carrying out the required risk analysis and selecting the safeguards to be implemented.

4. Together with the Information Officers, they are responsible for accepting the residual risks calculated in the risk analysis, and for monitoring and controlling them, without prejudice to the possibility of delegating this task.

5. Where Service Officers cannot be appointed as individual persons, the responsibility shall be assigned to the Security Committee.

Article 8. Responsible for Security of Information.

1. Responsible for ensuring that Puertos del Estado services and information systems are maintained at the highest degree of security, taking into account the principles of:

a) Confidentiality: information associated with electronic services to the citizen should only be known to persons authorized to do so.

b) Integrity: Information associated with electronic services to the citizen must not be altered by unauthorized persons.

c) Availability: guarantee that authorized users have access to the information and related resources whenever they require them, and that electronic administration services remain available.

2. They are the functions of the Security Officer:

a) Monitor compliance with this Policy, its rules and procedures.

b) Advise Puertos del Estado staff on security matters when required.

c) Coordinate interaction with other specialized bodies.

d) Be informed of, and monitor, the investigation and follow-up of security incidents.

e) Establish appropriate and effective security measures to meet the security requirements set by the Service and Information Officers, following the requirements of Annex II of the ENS.

f) Advise, in collaboration with the Systems Officers, the Service Officers and the Information Officers, on the performance of risk analysis and management, submitting the resulting report to the Security Committee.

g) Promote security awareness and training activities in their area of responsibility, following the guidelines of the Security Committee.

h) Prepare the topics to be discussed at the meetings of the Security Committee, providing timely information for decision-making.

3. Regarding the documentation, they are the functions of the Security Officer:

a) Approve and propose to the Security Committee the second-level security documentation (Regulations and Security Procedures) to be enforced.

b) Monitor third-level documentation (Security Technical Procedures) for compliance.

c) Maintain organized and updated documentation, managing access mechanisms to it.

4. In those information systems where, because of their complexity, distribution, physical separation of elements or number of users, additional personnel are needed to carry out the functions of the Security Officer, the Security Officer may designate as many Delegated Security Officers as necessary, including security officers for the purposes of the LOPD. Delegated Security Officers shall take charge, within their scope, of all actions delegated by the Security Officer, to whom they report directly in functional terms.

5. The Security Officer shall be appointed and terminated by the Security Committee.

Article 9. Responsible for Information Systems.

1. Designated personnel whose responsibilities are:

a) Development, operation and maintenance of the information system throughout its life cycle, including its specification, installation and verification of its correct operation.

b) Ensure that security measures are properly integrated within the overall framework of the Security of Information.

c) Approve any substantial modification of the configuration of any element in the system.

d) Develop technical security procedures for information systems.

e) Develop continuity plans for information systems.

2. They may agree to suspend the processing of certain information or the provision of a certain service if they become aware of serious security deficiencies that may affect compliance with the established requirements. This decision shall be agreed with the affected Information Officers, the Service Officers and the Security Officer before being executed.

3. In those systems where, because of their complexity, distribution, physical separation of elements or number of users, additional personnel are required to carry out the functions of the Systems Officer, as many Delegated Systems Officers as are considered appropriate may be designated. The designation of Delegated Systems Officers and the delegation of functions to them is the responsibility of the Systems Officer, without prejudice to the fact that final responsibility continues to lie with the Systems Officer. Delegated Systems Officers shall take charge of all actions delegated by the Systems Officer relating to the operation, maintenance, installation and verification of the correct functioning of the corresponding information system, and shall report directly, in functional terms, to the Systems Officer who delegated them.

Article 10. Information Systems Security Administrators.

1. Designated personnel, reporting to the Information Security Officer, whose duties are as follows:

a) Implement, manage, and maintain security measures applicable to the information system.

b) Manage, configure and update, where applicable, the hardware and software on which the information system's security mechanisms and services are based.

c) Manage the authorizations granted to system users, in particular the privileges granted, including monitoring that the activity carried out on the system conforms to what has been authorized.

d) Apply the third-level documentation.

e) Approve changes to the current configuration of the information system.

f) Ensure that the established security controls are strictly enforced.

g) Monitor hardware and software installations, their modifications and enhancements to ensure that security is not compromised and that they are at all times consistent with the relevant authorizations.

h) Inform the Information Security Officer and the Officers of the affected Systems of any failure, compromise or security-related vulnerability.

i) Collaborate in the investigation and resolution of security incidents, from detection to resolution.

2. In those information systems where, because of their complexity, distribution, physical separation of elements or number of users, additional personnel are required to carry out the functions of the System Security Administrator, Delegated System Security Administrators may be designated.

3. The Systems Security Administrators will be proposed by the Information Security Officer.

Article 11. Conflict resolution.

1. In the event of a conflict between the different responsible persons, it shall be resolved by their common hierarchical superior. Failing that, the decision of the Security Officer shall prevail.

Article 12. Obligations of Personnel.

1. All Puertos del Estado personnel, as well as those who provide services to the Agency in connection with its information systems, are obliged to know and comply with this Security Policy and the regulations and procedures derived from it, including those relating to the protection of personal data. The Security Committee is responsible for providing the mechanisms needed for this information to reach everyone.

2. The manifest non-compliance with the Information Security Policy or the rules and procedures arising therefrom may lead to the initiation of appropriate disciplinary measures and, where appropriate, the relevant legal responsibilities.

CHAPTER IV

Specialized security advice

Article 13. Specialist advice.

1. The Security Officer shall be responsible for coordinating the knowledge and experience available at Puertos del Estado in order to support decision-making on security matters, and may obtain advice from other bodies.

Article 14. Cooperation between bodies and other public administrations.

1. For the purpose of exchanging experiences and obtaining advice for the improvement of security practices and controls, Ports of the State shall maintain regular contacts with agencies and entities specializing in security matters.

Article 15. Independent review of the Security of Information.

1. The Security Committee will propose the conduct of independent periodic reviews on the validity and implementation of the Security Policy in order to ensure that the practices in State Ports adequately reflect their provisions.

CHAPTER V

Data protection, training, and management

Article 16. Processing of personal data.

1. The processing of personal data in the information system shall at all times follow the provisions of the security document and its associated documentation, in accordance with the requirements of Title VIII (security measures in the processing of personal data) of Royal Decree 1720/2007 of 21 December, approving the Regulation implementing Organic Law 15/1999 of 13 December on the Protection of Personal Data.

Article 17. Training and awareness-raising.

1. The objective is to achieve full awareness that information security concerns all Puertos del Estado staff and all its activities, in accordance with the principle of comprehensive security set out in Article 5 of the ENS. To this end, Puertos del Estado shall propose and organize training and awareness sessions so that all those involved in the process, and their line managers, are aware of the risks being run.

2. The Security Committee shall adopt a training and awareness policy on the secure processing of information, with the following objectives:

a) Training on the protection of personal data, aimed at those responsible for files and at users with privileges over the data.

b) Training on developed procedures.

Article 18. Analysis and risk management of information systems.

1. Ports of the State assume the commitment to control the security risks, as well as to comply with the legislation and internal rules in force under a continuous improvement process according to the existing frameworks and methodologies in risk analysis and management.

2. In order to know the level of risk exposure of information assets and the security threats to them, the Information Systems Officers shall carry out a risk analysis at least annually. Its conclusions shall be translated into actions to address and mitigate risk, including redesigning the security of systems if necessary.

3. A risk analysis of the information systems shall also be performed, at intervals shorter than one year, when:

a) The information handled is modified.

b) The services provided are modified.

c) Serious security incidents occur.

d) Severe vulnerabilities are reported.

4. The conclusions of the risk analyses shall be submitted to the Security Officer and to the Security Committee.

CHAPTER VI

Regulatory structure

Article 19. Structure of the security documentation.

1. Information security documentation shall be classified into four levels, such that each document at a given level is based on the level above it:

a) First level: Information Security Policy.

b) Second level: Regulations and Security Procedures.

c) Third level: Technical Security Procedures.

d) Fourth level: Reports, records and electronic evidence.

Article 20. First level: Security Policy.

1. Document of mandatory compliance by all the staff, internal and external, of Ports of the State, collected in this document and approved by Resolution of the Presidency of Ports of the State.

Article 21. Second level: Regulations and Security Procedures.

2. Of mandatory compliance within the corresponding organizational, technical or legal scope.

3. Responsibility for approving the documents drawn up at this level lies with the Security Officer, under the supervision of the Security Committee.

Article 22. Third Level: Technical Security Procedures.

1. Technical documents intended to address tasks considered critical on account of the damage that their improper performance could cause to the security, development, maintenance and operation of the information systems.

2. Responsibility for approving these technical procedures lies with the Information Systems Officer, under the supervision of the Security Officer. Where a procedure affects several information systems, the Security Officer shall be responsible for approving it.

Article 23. Fourth Level: Reports, records and electronic evidence.

1. Documents of a technical nature that reflect the outcome and conclusions of a study or an assessment; technical documents that collect threats and vulnerabilities of information systems, as well as electronic evidence generated during all phases of the information system lifecycle.

2. Responsibility for these types of documents lies with each of the Information Systems Officers within their scope.

Article 24. Other documentation.

1. STIC procedures, STIC rules, STIC technical instructions, as well as CCN-STIC guides in the 400, 500 and 600 series, can be followed at all times.

Sole additional provision. No increase in public expenditure.

The application of this resolution shall not entail an increase in public expenditure, since the operation of the Security Committee and of the other responsible persons mentioned in this document shall be met with the human and material resources available to Puertos del Estado.

First final provision. Publicity of the Security Policy.

This Resolution shall be published on the Puertos del Estado website in addition to the "Official State Gazette".

Final disposition second. Entry into force.

The Security Policy that is approved in this Resolution shall apply from the day following that of its publication in the "Official State Gazette".