Agreement by the Board of Governors of 26 April 2023

ICTs are an essential element for achieving these objectives. They must be managed diligently and appropriate protective measures must be taken at all times to ensure the availability of services; the integrity, confidentiality and authenticity of the information processed; and the traceability of the procedures carried out.

Article 156.2 of Law 40/2015 of 1 October on the legal system governing the public sector provides that the National Security Framework aims to establish the security policy for the use of electronic media within the scope of this same law and that it is constituted by the basic principles and the minimum requirements that adequately safeguard the security of the information processed.

Article 12 of Spanish Royal Decree 311/2022 of 3 May regulating the National Security Framework (ENS) determines that all higher bodies of public administrations must formally implement their own information security policy that involves the continuous management of security and that this policy will be established in accordance with the basic principles set out in the Royal Decree and will be implemented by applying specified minimum requirements.

Article 1. Purpose

To establish an information security policy that involves the continuous management of security, understood as the ability of computer systems to prevent malicious incidents that may compromise the availability, authenticity, integrity, traceability and confidentiality of information systems.

Article 2. Scope of application

These regulations, as well as the rules and procedures implementing them, are mandatory for members of the university community, any user of the University’s information systems, as well as external companies that provide services to the University, including both contractors and subcontractors.

Likewise, they are applicable to all University facilities and all devices used to gain access to its information systems.

Article 3. Mission of the University

Article 177.2 of the University Statutes stipulates that the University administration must promote the development of the necessary infrastructures and resources for the application of information and communication technologies (ICT) and must ensure citizens’ right of access to its services by electronic means with full legal and security safeguards. It must promote knowledge management and access to information in accordance with the principles of proximity, transparency and agility.

The 2016-2025 Strategic Plan defines the University’s mission as:

  • To train, by means of a rigorous, innovative and personalized educational model, people with a solid scientific and cultural background, general skills that can be adapted to the changes and challenges of society, and the specific skills they require to successfully carry out their life projects.
  • To become a pre-eminent research university.
  • To promote innovation and social transformation.
  • To promote engagement with culture.

Article 4. Legal framework

The legal framework of the Information Security Policy is formed by Spanish Royal Decree 311/2022 of 3 May regulating the National Security Framework, and these regulations, which include:

a) The Information Security Policy, which establishes the ICT security requirements and criteria in the University environment.

b) Control of access to information systems.

c) Security in data processing centres.

d) ICT security incident management.

In accordance with the second additional provision of Spanish Royal Decree 311/2022, the National Cryptologic Centre (CCN) drafts information and communication technology security guides (CCN-STIC guides) which, at the same time, must be incorporated into the documents used to carry out security audits. One of the requirements of these CCN-STIC guides is the approval of a three-tier regulatory structure: a first tier made up of the present Information Security Policy; a second, consisting of the rules arising from the first, which must be approved by the Board of Governors at the proposal of the ICT Security Committee; and a third, constituted by procedures, guides and technical instructions.

Within the third tier, the operational management procedures and the documents that explicitly describe, step by step, how to carry out a certain activity, are approved by the ICT Security Committee at the proposal of the ICT security officer; and the technical instructions of the Computing Service are approved by the system officer.

At the same time, this legal framework is complemented by the University’s rules governing electronic administration and personal data protection, so that these regulatory blocks must be applied and interpreted integrally.

When the University provides ICT services to other institutions or bodies, the Computing Service must involve them in the information security policy and other associated ICT regulations and must establish coordination channels and action procedures to react appropriately in the event of any security incidents.

When the University uses the ICT services of other institutions, bodies or companies or transfers information to them, whether by contracting services, through collaboration or through any other relationship that is not of a contractual nature, it must involve them in the security policy and regulations that apply to those services and to that information. The institution, body or company concerned will be subject to the duties set out in the aforementioned regulations and may implement its own operating procedures to comply with them. Specific procedures must be established to report and resolve incidents. It must be ensured that its personnel are adequately aware of security issues, at least at the same level as established in this policy. When the institution, body or company cannot meet one or more aspects of this policy, as established above, the security officer must draft a report specifying the risks to which the University is exposed and how to deal with them. Those responsible for the information and services affected must approve this report before the services can be used.

Article 5. Structure of responsibilities

1. For the purposes of the ENS, the CIO [Chief Information Officer] is the secretary or secretary-general of UPF or the person to whom they delegate. The following are the functions of the information officer:

  • To establish the requirements of the information processed in terms of information security.
  • To work in collaboration with the CISO [Chief Information Security Officer] and the system officer in the maintenance of the systems catalogued according to Appendix I of the ENS.
  • Any other function granted by the ENS or current legislation.

2. For the purposes of the ENS, the person responsible for service [the service officer] is the general manager of UPF or the person to whom they delegate. The following are the functions of the service officer:

  • To establish the requirements of the services rendered in terms of ICT security.
  • To work in collaboration with the persons responsible for security and for the system (the ICT security officer and the system officer) in the maintenance of the systems catalogued according to Appendix I of the ENS.
  • To ensure the inclusion of security clauses in contracts with other institutions or bodies and enforce them.
  • Any other function granted by the ENS or current legislation.

3. For the purposes of the ENS, the CISO [Chief Information Security Officer] is the University deputy general manager responsible for ICT or the person to whom they delegate. The ICT security officer cannot be the same person as the service officer, nor the information officer, nor the system officer. The following are the functions of the ICT security officer:

  • To determine the decisions to meet the security requirements for both information and services.
  • To maintain the security of the information stored and processed by UPF ICT infrastructures and the services they render.
  • To carry out or promote periodic audits to verify compliance with UPF’s security obligations.
  • To promote the training and raise the awareness of ICT personnel within their scope of responsibility.
  • To verify that the security measures established are appropriate for the protection of the information processed and the services rendered.
  • To analyse and complete the documentation related to systems security.
  • To monitor the security status of the systems provided by the security event management tools and audit mechanisms implemented in the systems.
  • To support and monitor the investigation of security incidents, from the time they are reported until they are resolved.
  • To draft regular security reports, which must include the most relevant incidents of the period.
  • To approve the security procedures of the University’s ICT systems.
  • To propose updates to UPF ICT security regulations.

4. For the purposes of the ENS, the system officer is the head of the UPF Computing Service or the person to whom they delegate. The system officer cannot be the same person as the service officer, nor the ICT security officer, nor the information officer. The following are the functions of the system officer:

  • To manage the development, operation and maintenance of information systems throughout their life cycle, their specifications, installation and the verification of their proper operation.
  • To define the topology of information systems, establishing the criteria for use and the available services.
  • To ensure that the security operating procedures developed and approved by the ICT security officer are applied.
  • To agree to suspend the use of certain information or the provision of a certain service if they are informed of serious security shortcomings that might affect meeting the established requirements. Before implementation, this decision must be agreed to with the persons responsible for information and the service concerned and with the ICT security officer.
  • To monitor the security status of information systems and report on it to the ICT security officer regularly and, in addition, whenever relevant security incidents occur.
  • To carry out regular exercises and tests of systems continuity plans to keep them up to date and check that they are effective, in coordination with the ICT security officer.
  • In the event of any information security incident, to plan the implementation of safeguards in information systems and implement the approved security plan in coordination with the ICT security officer.

Other roles and responsibilities concerning ICT security are set out and regulated in the appendix.

Article 6. ICT Security Committee

1. The UPF ICT Security Committee shall meet at least biannually and shall consist of the following persons:

  • The service officer, who will act as chairperson.
  • The information officer.
  • The ICT security officer, who will act as secretary.
  • The system officer.
  • The data protection officer, with voice but no vote.

Other persons, invited by the chair of the committee depending on the agenda of the session, may also attend.

2. The ICT Security Committee has the following functions:

  • To coordinate the security of UPF information and ICT services.
  • To monitor the information security policy and propose amendments thereto to the Board of Governors if it deems necessary.
  • To evaluate proposals for the creation or amendment of the ICT security regulations that reach it and propose their approval to the Board of Governors if it deems necessary.
  • To disseminate the policy and regulations governing ICT security at UPF.
  • To oversee the ENS compliance audits.
  • To approve the operational management procedures and the documents that explicitly describe, step by step, how to carry out a certain activity, at the proposal of the ICT security officer.

Article 7. Training

1. UPF’s training programme must include security awareness and training courses, both for teaching and research staff (PDI) and for administrative and service staff (PAS), and must cover both continuous training and the training of newly incorporated personnel.

The University will determine which training is mandatory, according to the job position.

2. The Computing Service must ensure that the personnel of contractor and subcontractor companies that manage the University’s ICT infrastructures are aware of and apply both the University’s security regulations and ICT work procedures.

Article 8. Security implementation

1. Prevention

The University must prevent or, at the very least, take measures to prevent information or services from being harmed by security incidents. Hence, at least the security measures defined by the ENS must be implemented, as well as any other improvement that is noted during a threat assessment or any other inspection. These inspections and the security roles and responsibilities of all personnel must be clearly defined and documented.

In order to ensure compliance with this Information Security Policy:

  • It must be validated that the systems comply with the security measures before they start to operate.
  • Systems’ security must be regularly assessed, including assessment of the configuration changes that are made routinely.
  • Independent bodies or entities must be requested to review them periodically, in order to obtain an independent evaluation.

2. Detection and reaction

In relation to the detection of and reaction to security incidents, the Computing Service is responsible for:

a) Continuously monitoring the functioning of the University’s ICT services, in order to detect anomalies in the levels of service provision and act accordingly, as set out in Article 7.3 of the ENS.

b) Having procedures for restoring information and recovering the service to be able to deal with situations in which a security incident disables them, as set out in Article 7.4 of the ENS.

c) Establishing mechanisms to respond effectively to security incidents and defining protocols for the exchange of information concerning incidents with computer emergency response teams.

3. Security management

3.1. Lines of defence

ICT infrastructures must be provided with a protection strategy consisting of several layers of security, which can be physical, logical or organizational, allowing the minimization of the impact of possible security incidents, as set out in Article 8 of the ENS.

3.2. Risk analysis and management

Risk analysis and management are an essential part of the security process and must be kept up to date. Risk management allows a controlled environment to be maintained, keeping risks at minimally acceptable levels.

A risk analysis must be carried out on ICT infrastructures assessing the threats and risks to which they are exposed. This analysis must be repeated when any of the following occur:

  • A change in the information being processed.
  • A change in the services rendered.
  • The existence of a serious security incident.
  • The detection of serious vulnerabilities.

4. ENS compliance audit

Every two years, the University will subject the systems within the scope of application of these regulations to an audit to verify their compliance with the ENS, which will be coordinated by the ICT security officer.
The result of the audit must be submitted to the ICT Security Committee, which may decide on corrective measures in order to remedy possible deficiencies or excessive risks detected during the audit process. These corrective measures will be mandatory.

Appendix. Other roles and responsibilities in ICT security

1. System security administrator

The system security administrator is responsible for implementing the measures derived from security management and applying the measures at the technical level.

This role must be undertaken by University administration and service staff with technical responsibility for the information systems that support the University’s services.

One or more system security administrators can be appointed for each or all of the information systems.

The role cannot be carried out by a collegiate body, nor can the person appointed delegate their functions to other people. If necessary, security administrators can be appointed according to the information system.

The following administrators are appointed for the information systems indicated:

  • For the security of information systems related to applications, the role is undertaken by the head of the Development and Operations Unit.
  • For the security of information systems related to infrastructures, the role is undertaken by the head of the Infrastructures and ICT Security Unit.
  • For the security of information systems related to workstations, the role is undertaken by the heads of the computing units on the campuses.

Their functions are as follows:

  • To implement, manage and maintain the security measures applicable to information systems.
  • To ensure that the security controls established are configured correctly.
  • To ensure that the required traceability, logs and other security records are enabled and retained as required, in accordance with the established Security Policy.
  • To apply security operating procedures to systems, users and in general to all assets.
  • To oversee hardware and software installations, modifications, upgrades, and updates to ensure that security is not compromised.
  • To inform the ICT security officer and the system officer of any security-related anomaly, compromise or vulnerability.
  • To monitor the system’s security status.

In the event of information security incidents, they must:

  • Coordinate and supervise the recording and management of security incidents in the systems under their responsibility.
  • Implement the approved security plan.
  • Isolate the incident to prevent it from spreading to elements outside the risk situation.
  • Make short-term decisions if the information has been compromised in such a way that it could have serious consequences (these actions must be set out in a documented procedure to reduce the discretion of the system security administrator to the minimum number of cases). These decisions must always be reported to the ICT security officer and the system officer.
  • Ensure the integrity of critical system elements if their availability has been affected.
  • Maintain and retrieve the information stored by the system and associated services.
  • Investigate the incident: establish the manner, means, reasons for, and source of the incident.

Compatibility with other roles

This role cannot overlap that of information officer, service officer or ICT security officer.

Delegated administrators

For certain information systems in which, due to the complexity, the distribution, the physical separation of their elements or the number of users, additional personnel are needed to carry out their functions, delegated system security administrators may be appointed.

The delegated system security administrators are responsible, according to their attributes, for all actions delegated by the system security administrator related to the implementation, management and maintenance of the security measures applicable to the information system.

The delegated security administrators are appointed at the proposal of the system security administrator, to whom they will report.

2. Data Protection Officer (DPO)

In accordance with the National Security Framework (ENS), the Data Protection Officer performs the functions set out in Art. 39 of the General Data Protection Regulation (EU) 2016/679, namely:

  • To oversee compliance with current legislation on personal data protection.
  • To advise the data controller or processor in the preparation of risk analyses and impact assessments relating to data protection that determine the risks and the level of security to be applied in the information systems.
  • To act as a point of contact for data subjects in all matters related to the processing of personal data.

3. Employees

Employees are responsible for properly safeguarding the information and technical resources assigned.

4. Personnel of contractors and subcontractors

The personnel of contractors and subcontractors must comply with the regulations of the University when working at University facilities or accessing its information systems, and must apply the configuration and security requirements stipulated in the procurement of the service.

5. Hierarchy in the decision-making process and coordination mechanisms

The different information security roles are related hierarchically. The ICT Security Committee determines security-related actions. The ICT security officer is responsible for ensuring compliance therewith, ensuring that the system security administrators implement the security measures as established in the Information Security Policy.

The system security administrator reports incidents related to system security and necessary configuration, update or corrective actions to the system officer.

The system officer informs the ICT security officer of the functional problems and needs detected as well as their possible impact, including:

  • Actions in terms of security, in particular with regard to system architecture decisions.
  • Consolidated summary of security incidents.
  • Effectiveness of the protection measures to be implemented.

The ICT security officer informs the information officer of security-related decisions and incidents that affect the information under their responsibility, in particular of the estimation of residual risk and significant risk deviations with respect to the approved limits.

The ICT security officer informs the service officer of security-related decisions and incidents that affect the service under their responsibility, in particular of the estimation of residual risk and significant risk deviations with respect to the approved limits.

The ICT security officer reports the following information to the ICT Security Committee:

  • A consolidated summary of actions in the field of ICT security.
  • A consolidated summary of information security incidents.
  • The security status of information systems, in particular the residual risk to which the system is exposed. Residual risk is understood as a risk that, evaluated on the basis of the initial risk estimate, remains in force after the application of security measures to the systems.