Resolution of 1 December 2014, of Puertos del Estado, publishing the Resolution of 6 November 2014 approving the Information Security Policy.

Original Language Title: Resolución de 1 de diciembre de 2014, de Puertos del Estado, por la que se publica la de 6 de noviembre de 2014, por la que se aprueba la Política de Seguridad de la Información.

Read the untranslated law here: http://www.boe.es/buscar/doc.php?id=BOE-A-2015-3482

On 6 November 2014, this Presidency resolved to approve the Information Security Policy of Puertos del Estado.

By virtue thereof, publication in the «Official Gazette» of the aforementioned resolution, attached as an annex to the present resolution, is hereby ordered.

Madrid, 1 December 2014. The President of Puertos del Estado, José Llorca Ortega.

ANNEX. Resolution approving the Information Security Policy of Puertos del Estado.

In accordance with the provisions of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of electronic government, and in accordance with the powers conferred by article 22.2.d) of the consolidated text of the Law on State Ports and the Merchant Navy, approved by Royal Legislative Decree 2/2011, of 5 September, I resolve to approve the Information Security Policy of Puertos del Estado, in the terms set out in the document annexed to the present resolution.

INFORMATION SECURITY POLICY (October 2014). Index. Chapter I. Information security policy of Puertos del Estado.

Article 1. Object and scope of application.

Article 2. Mission.

Article 3. Legislation and reference regulations.

Article 4. Principles of information security.

Chapter II. Organisation of information security.

Article 5. The information security management committee.

Chapter III. Roles, functions and responsibilities in the field of security.

Article 6. Responsible for the information.

Article 7. Responsible for the services.

Article 8. Responsible for information security.

Article 9. Responsible for information systems.

Article 10. Information systems security administrators.

Article 11. Resolution of conflicts.

Article 12. Obligations of staff.

Chapter IV. Specialist security advice.

Article 13. Expert advice.

Article 14. Cooperation between agencies and other public administrations.

Article 15. Independent review of information security.

Chapter V. Data protection, training and management.

Article 16. Processing of data of a personal nature.

Article 17. Training and awareness.

Article 18. Analysis and management of risks in information systems.

Chapter VI. Structure of the regulations.

Article 19. Structure of the security documentation.

Article 20. First level: security policy.

Article 21. Second level: security standards and procedures.

Article 22. Third level: technical security procedures.

Article 23. Fourth level: reports, records and electronic evidence.

Article 24. Other documentation.

Sole additional provision. No increase in public expenditure.

First final provision. Publicity of the security policy.

Second final provision. Entry into force.

CHAPTER I. Information security policy of Puertos del Estado. Law 11/2007, of 22 June, on citizens' electronic access to public services, lists among its purposes the creation of the conditions of trust in the use of electronic media, establishing to this end the measures necessary to preserve the integrity of fundamental rights, especially those related to privacy and the protection of personal data, by guaranteeing the security of systems, data, communications and electronic services. These purposes have been developed by Royal Decree 3/2010, of 8 January, regulating the National Security Scheme (ENS) in the field of electronic government. Likewise, the information processed in the electronic systems to which the ENS refers shall be protected taking into account the criteria established in Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

The ENS, in turn, establishes the regulatory framework for the information security policy, which is embodied in a document, accessible and comprehensible to all members of the organisation, that defines what information security means in a particular organisation and governs the way in which that organisation manages and protects the information and services it considers critical. The security policy must comply with the requirements contained in the ENS, which establishes that all governing bodies of public administrations must formally have an information security policy approved by the competent superior body.

By virtue of the above, the information security policy of Puertos del Estado shall be governed by the following rules: Article 1. Object and scope of application.

1. The object of the present resolution is the approval of the information security policy (hereinafter, the security policy) of the public body Puertos del Estado, and the establishment of its organisational and technological framework.

2. Security is understood as a comprehensive process made up of all the technical, human, material and organisational elements related to information systems, excluding any kind of specific or short-term action or treatment.

3. It must be known and complied with by all staff of Puertos del Estado, regardless of their post, position and responsibility within the body.

Article 2. Mission.

Puertos del Estado holds the powers and functions established in articles 17 and 18 of Royal Legislative Decree 2/2011, of 5 September, approving the consolidated text of the Law on State Ports and the Merchant Navy.

Article 3. Legislation and reference regulations.

-Law 11/2007, of 22 June, on citizens' electronic access to public services.

-Royal Decree 1671/2009, of 6 November, partially implementing Law 11/2007, of 22 June, on citizens' electronic access to public services.

-Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of electronic government.

-Royal Decree 4/2010, of 8 January, regulating the National Interoperability Scheme in the field of electronic government.

-Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

-Royal Decree 1720/2007, of 21 December, approving the regulation implementing Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

-Law 30/1992, of 26 November, on the Legal Regime of Public Administrations and Common Administrative Procedure.

-Law 59/2003, of 19 December, on Electronic Signatures.

-Royal Decree 1553/2005, of 23 December, regulating the national identity document and its electronic signature certificates.

Article 4. Principles of information security.

The principles that make up the information security policy are the following: -The information owned and handled by Puertos del Estado has a very important value for the body as well as for citizens, so it is essential to protect it.

-The information must be protected against unauthorised access and alteration, preserving its confidentiality and integrity.

-The information must be available, allowing authorised access whenever it is necessary.

-Information security is everyone's responsibility. All persons who have access to the information of Puertos del Estado must protect it, for which they must be properly trained and aware.

-Information security is not something static; it must be constantly monitored and regularly reviewed.

-Information relating to the persons and citizens that Puertos del Estado deals with belongs to them and not to the administration, in accordance with the regulations on the protection of personal data.

-All assets (infrastructure, media, systems, communications, etc.) where information resides, travels or is processed must be adequately protected.

-The security measures implemented must be proportionate to the criticality of the information to be protected and to any damage or loss it may suffer. At all times the minimum security measures imposed by the National Security Scheme shall be observed, as well as the CCN-STIC guidelines developed by the National Cryptologic Centre of the National Intelligence Centre.

-The processing of personal data must always comply with the laws applicable at any given time, in particular Organic Law 15/1999, on the Protection of Personal Data, and Royal Decree 1720/2007, approving the regulation implementing Organic Law 15/1999, on the Protection of Personal Data.

CHAPTER II. Organisation of information security. Article 5. The information security management committee.

1. For the management of information security, the Information Security Management Committee (hereinafter, the Security Committee) is created within the scope of this security policy. It is formed by a multidisciplinary team that coordinates the security activities and controls in Puertos del Estado and ensures compliance with the regulations in force, internal and external, on the protection of personal data and on security. It is responsible for promoting the implementation of the security policy.

2. The Security Committee shall be composed of the following members: a) President: Rolando Lago Cuervo.

b) Secretary: Gabriel Argüelles Pintos.

c) Member: Sebastian Espinar Cerrejon.

d) Member: Celia Tamarit de Castro.

e) Member: Jaime Luezas Alvarado.

f) Member: Alvaro Sanchez Manzanares.

3. The Security Committee shall meet in ordinary session at least once every three months, and may meet in extraordinary session, for reasons of urgency and justified cause, at shorter intervals.

4. The Secretary of the Security Committee shall draw up the minutes of its meetings.

5. The sessions of the Security Committee may be attended, as advisers, by those persons whom its President considers relevant in each case.

6. The functions of the Security Committee are the following: a) Identify the objectives of Puertos del Estado in the field of information security.

b) Develop the security policy, establish the criteria for its review, review it, distribute it and ensure compliance with it.

c) Promote and support the action plans and initiatives that ensure the implementation of the security policy in Puertos del Estado.

d) Establish the security requirements to be met, at organisational, technical and control level, by the systems and services of Puertos del Estado.

e) Ensure that security forms part of the information management planning process, as a comprehensive process made up of all the technical, human, material and organisational elements related to information systems.

f) Approve the appointment of those responsible, and the responsibilities, in the field of information security.

g) Assess the degree of compliance of the procedures implemented in Puertos del Estado with the standards defined in the policy, establishing improvement plans for those that require modification in order to comply.

h) Monitor the security standards and procedures defined to give compliance and development to the security policy.

i) Agree on and approve specific methodologies and processes relating to information security.

j) Ensure that all actions carried out in the field of security are compatible with or backed by the security policy.

k) Promote the conduct of periodic audits to verify compliance with the obligations of the administrations in the field of security.

l) Promote information security training and awareness for all staff.

m) Maintain regular contact with groups, institutions, agencies, forums, etc. of interest in the field of information security, sharing experience and knowledge that help improve and maintain the security of the systems of Puertos del Estado.

n) Assess and evaluate the resources necessary to support the process of planning and implementing security in Puertos del Estado.

CHAPTER III. Roles, functions and responsibilities in the field of security. Article 6. Responsible for the information.

1. Responsible for classifying the information in accordance with the criteria and categories established in the ENS and in each of the known and applicable security dimensions (availability, authenticity, traceability, confidentiality and integrity), within the framework laid down in Annex I to the ENS.

2. Responsible, together with those responsible for the services and with the participation and advice of the head of security and of those responsible for the information systems, for the mandatory risk analysis and for selecting the safeguards to be implemented.

3. Responsible, together with those responsible for the services, for accepting the residual risks calculated in the risk analysis and for their monitoring and control, without prejudice to the possibility of delegating this task.

4. This responsibility shall fall on the head of the body or administrative unit that manages each administrative procedure, and one person may accumulate responsibility for the information of all the procedures that they handle.

5. Where those responsible for the information cannot be identified as specific persons, the responsibility shall be assigned to the Security Committee.

Article 7. Responsible for the services.

1. Responsible for determining the security levels of the services in each security dimension, within the framework laid down in Annex I to the ENS and in each of the known and applicable security dimensions (availability, authenticity, traceability, confidentiality and integrity).

2. This responsibility shall fall on the head of the body that manages each service.

3. Responsible, together with those responsible for the information and with the participation and advice of the head of information security and of those responsible for the information systems, for the mandatory risk analysis and for selecting the safeguards to be implemented.

4. Responsible, together with those responsible for the information, for accepting the residual risks calculated in the risk analysis and for their monitoring and control, without prejudice to the possibility of delegating this task.

5. Where those responsible for the services cannot be identified as specific persons, the responsibility shall be assigned to the Security Committee.

Article 8. Responsible for information security.

1. Responsible for ensuring that the services and information systems of Puertos del Estado are maintained with the highest degree of security, in accordance with the principles of: a) Confidentiality: the information associated with electronic services to the citizen must only be able to be known by persons authorised to do so.

b) Integrity: the information associated with electronic services to the citizen must not be altered by unauthorised persons.

c) Availability: guarantee that authorised users have access to the information and its related resources whenever they need it, as well as guarantee that electronic government services remain available.

2. The functions of the head of security are: a) Monitor compliance with this policy and its related standards and procedures.

b) Advise on security those members of Puertos del Estado who need it.

c) Coordinate interaction with other specialised agencies.

d) Take note of and supervise the investigation and monitoring of security incidents.

e) Establish the appropriate and effective security measures to meet the security requirements established by those responsible for the services and for the information, following at all times what is required in Annex II to the ENS.

f) Advise, in collaboration with those responsible for the systems, those responsible for the services and for the information in carrying out the risk analysis and management, submitting the resulting report to the Security Committee.

g) Promote awareness and training activities in the field of security within its area of responsibility, following the guidelines of the Security Committee.

h) Prepare the topics to be dealt with at the meetings of the Security Committee, providing timely information for decision-making.

3. With regard to documentation, the functions of the head of security are: a) Approve and propose to the Security Committee the mandatory second-level security documentation (security standards and procedures).

b) Supervise the mandatory third-level documentation (technical security procedures).

c) Keep the documentation organised and up to date, managing the mechanisms for access to it.

4. In those information systems which, because of their complexity, distribution, physical separation of elements or number of users, need additional staff to carry out the functions of the head of security, the head of security may designate as many delegated security officers as considered necessary, including those responsible for security relating to the Data Protection Act. The delegated security officers shall be in charge, within their scope, of all those actions delegated to them by the head of security, on whom they have direct functional dependence.

5. The head of security shall be appointed and dismissed by the Security Committee.

Article 9. Responsible for information systems.

1. Designated staff whose responsibilities are: a) Development, operation and maintenance of the information system throughout its life cycle, its specifications, installation and verification of its correct operation.

b) Ensure that security measures are appropriately integrated within the general information security framework.

c) Approve any substantial modification to the configuration of any element of the system.

d) Develop the technical security procedures for the information systems.

e) Develop the information systems continuity plans.

2. They may decide to suspend the handling of certain information or the provision of a certain service if they are informed of serious security deficiencies that could affect the satisfaction of the established requirements. This decision must be agreed with those responsible for the information affected, those responsible for the service and the head of security before being executed.

3. In those systems which, because of their complexity, distribution, physical separation of elements or number of users, need additional staff to carry out the functions of the systems manager, as many delegated systems managers as considered appropriate may be designated. The designation and delegation of functions to the delegated systems managers corresponds to the person responsible for the system, without prejudice to the fact that ultimate responsibility continues to rest with the person responsible for the system. The delegated systems managers shall be in charge, within their scope, of all those actions delegated to them by the person responsible for the system relating to the operation, maintenance, installation and verification of the correct operation of the corresponding information system, and shall have direct functional dependence on the person responsible for the system, to whom they report.

Article 10. Information systems security administrators.

1. Designated staff, reporting to the head of information security, whose functions are the following: a) Implement, manage and maintain the security measures applicable to the information system.

b) Manage, configure and update, where appropriate, the hardware and software on which the security services and mechanisms of the information system are based.

c) Manage the authorisations granted to the users of the system, in particular the privileges granted, including monitoring that the activity carried out in the system conforms to what is authorised.

d) Apply the third-level documentation.

e) Approve changes to the current configuration of the information system.

f) Ensure that the established security controls are strictly complied with.

g) Monitor the hardware and software installations, their modifications and improvements, to ensure that security is not compromised and that at all times they comply with the relevant authorisations.

h) Report to the head of information security and to those responsible for the affected systems any anomaly, compromise or vulnerability related to security.

i) Assist in the investigation and resolution of security incidents, from detection to resolution.

2. Where certain information systems, because of their complexity, distribution, physical separation of their elements or number of users, need additional staff to carry out the functions of the system security administrator, delegated system security administrators may be designated.

3. The systems security administrators shall be proposed by the head of information security.

Article 11. Resolution of conflicts.

1. In the event of conflict between the different persons responsible, it shall be resolved by their hierarchical superior. Failing that, the decision of the head of security shall prevail.

Article 12. Obligations of staff.

1. All staff of Puertos del Estado, as well as those who provide services to the body in relation to its information systems, are obliged to know and comply with this security policy and the standards and procedures derived from it, such as those relating to the protection of personal data; it is the responsibility of the Security Committee to provide the mechanisms necessary for this information to reach everyone.

2. Manifest breach of the information security policy or of its standards and procedures may result in the initiation of the appropriate disciplinary measures and, where appropriate, the corresponding legal liability.

CHAPTER IV. Specialist security advice. Article 13. Expert advice.

1. The head of security shall be responsible for coordinating the knowledge and experience available in Puertos del Estado in order to provide assistance in decision-making in the field of security, and may obtain advice from other agencies.

Article 14. Cooperation between agencies and other public administrations.

1. For the purposes of exchanging experience and obtaining advice to improve security practices and controls, Puertos del Estado shall maintain periodic contact with agencies and entities specialising in security matters.

Article 15. Independent review of information security.

1. The Security Committee shall propose the conduct of periodic independent reviews of the entry into force and implementation of the security policy, in order to ensure that practice in Puertos del Estado properly reflects its provisions.

CHAPTER V. Data protection, training and management. Article 16. Processing of data of a personal nature.

1. The processing of data in the information system shall be continuously developed in the Security Document and its associated documentation, in accordance with the requirements of Title VIII, on security measures in the processing of personal data, of Royal Decree 1720/2007, of 21 December, approving the regulation implementing Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

Article 17. Training and awareness.

1. The objective is to achieve full awareness that information security affects all staff of Puertos del Estado and its activities, in accordance with the principle of comprehensive security contained in article 5 of the ENS. To this end, Puertos del Estado shall propose and organise training and awareness sessions to ensure that everyone involved in the process, and their hierarchical superiors, are sensitive to the risks incurred.

2. The Security Committee shall adopt a policy of training and awareness in the secure handling of information with the following objectives: a) Training on the protection of personal data, aimed at those responsible for the files and at users with privileges over the data.

b) Training on the procedures developed.

Article 18. Analysis and management of risks in information systems.

1. Puertos del Estado is committed to controlling security risks and to complying with the legislation and internal regulations, under a process of continuous improvement in accordance with the existing methodologies and frameworks for risk analysis and management.

2. In order to know the level of exposure of the information assets to security risks and threats, those responsible for the information systems shall carry out, at least annually, a risk analysis whose conclusions shall be translated into actions to treat and mitigate the risk, and even to rethink the security of the systems where necessary.

3. A risk analysis of the information systems shall be carried out at intervals of less than one year when: a) The information handled is modified.

b) The services provided are modified.

c) Serious security incidents occur.

d) Serious vulnerabilities are reported.

4. The conclusions of the risk analysis shall be submitted to the head of security, and by the latter to the Security Committee.

CHAPTER VI. Structure of the regulations. Article 19. Structure of the security documentation.

1. The documentation relating to information security shall be structured on four levels, so that each document at one level is based on the level above it: a) First level: the information security policy.

b) Second level: security standards and procedures.

c) Third level: technical security procedures.

d) Fourth level: reports, records and electronic evidence.

Article 20. First level: security policy.

1. A document mandatory for all staff, internal and external, of Puertos del Estado, contained in the present document and approved by resolution of the President of Puertos del Estado.

Article 21. Second level: security standards and procedures.

2. Mandatory within the organisational, technical or legal field concerned.

3. Responsibility for the approval of the documents drawn up at this level shall lie with the head of security, under the supervision of the Security Committee.

Article 22. Third level: technical security procedures.

1. Technical documents aimed at resolving the security, development, maintenance and operation tasks of the information systems that are considered critical because of the harm that inadequate performance would cause.

2. Responsibility for the approval of these technical procedures lies with the person responsible for the corresponding information system, under the supervision of the head of security. Where the procedures affect several information systems, the head of security shall be responsible for approving them.

Article 23. Fourth level: reports, records and electronic evidence.

1. Technical documents gathering the results and conclusions of a study or assessment; documents of a technical nature gathering the threats and vulnerabilities of the information systems, as well as the electronic evidence generated during all phases of the life cycle of the information system.

2. Responsibility for the existence of such documents lies with each of those responsible for the information systems within their scope.

Article 24. Other documentation.

1. The STIC procedures, STIC standards and STIC technical instructions, as well as the CCN-STIC 400, 500 and 600 series guides, may be followed at all times.

Sole additional provision. No increase in public expenditure.

The implementation of this resolution shall not lead to an increase in public expenditure, the operation of the Security Committee and of the other officers referred to in the present document being carried out with the human and material resources available to Puertos del Estado.

First final provision. Publicity of the security policy.

This resolution shall be published, in addition to the «Official Gazette», in the electronic office of Puertos del Estado.

Second final provision. Entry into force.

The security policy adopted in this resolution shall apply from the day following its publication in the «Official Gazette».