
INFORMATION SECURITY POLICY


1.  APPROVAL AND ENTRY INTO FORCE

The Information Security Policy (hereinafter ISP) was approved by the Corporate Information Security Committee of the State Aviation Safety Agency (hereinafter AESA) at its session of 3 June 2024 and signed by the Directorate of the Agency on 20 June 2024. This Policy is effective from the date of its approval by the Management of AESA.

This Policy will be reviewed periodically to ensure its adaptation to new technical, organizational or legal circumstances that may arise, at the discretion of the Corporate Information Security Committee. In case of substantial modifications, it will be proposed again for signature by the Management.


2.  OBJECT AND SCOPE

This ISP applies to all information systems under the responsibility of AESA. Its purpose is to guarantee the necessary conditions of trust in the information systems used for data processing, which must be protected in accordance with current regulations, together with the people involved in that processing and the premises in which it takes place. AESA takes the precautions necessary to guarantee the level of security required by the current legal framework on information security, in particular with regard to Electronic Administration and the protection of personal data.

Likewise, it establishes the commitment that AESA acquires with the security of information systems, defining the objectives and basic criteria for the treatment of information, laying the pillars of AESA's information security regulatory framework and the organizational and management structure that will ensure compliance.

The main rules that make up the general framework of AESA's legal regime are published on the Agency's website, https://www.seguridadaerea.gob.es, and are publicly accessible to anyone who wishes to consult them.


3.  PRINCIPLES OF INFORMATION SECURITY

The basic principles and requirements of information security developed under this ISP are those set out in the National Security Scheme (ENS), regulated by Royal Decree 311/2022 of 3 May 2022, in particular those provided for in Chapters II and III thereof, and in its implementing regulations.

The ultimate purpose of information security is to ensure that an organisation can fulfil its objectives, perform its tasks and exercise its powers using information systems. The following basic principles should therefore be taken into account in the area of information security:

  • Security as an integral process.

  • Risk-based security management.

  • Prevention, detection, response and conservation.

  • Existence of lines of defence.

  • Continuous monitoring.

  • Periodic reassessment.

  • Differentiation of responsibilities.


4.  ORGANISATION OF INFORMATION SECURITY

The organisation of information security shall take into account AESA's own organisational structure. Coordinated and effective action must therefore be guaranteed, as established in this regard by the National Security Scheme and the implementing guides of the National Cryptological Centre.

The roles and responsibilities in the field of information security are designated by the Management of AESA, either directly or through the Management Committee. These designations are renewed automatically on an annual basis, unless Management indicates otherwise.

Without prejudice to the above, the organisational structure of information security in the Agency is composed of the following main roles and functions:

  • Responsible for the Service and Information, with the authority to establish the security requirements of the services and the information.

  • Responsible for Information Security (Information Security Officer), in charge of supervising and maintaining the security of the information handled and of the services provided by the information systems.

  • Responsible for the Information System, in charge of the development, operation and maintenance of the information system throughout its life cycle, including its specifications, installation and the verification of its correct operation.

  • Data Protection Officer, in charge of supervision and advice on compliance with the regulations on the protection of personal data.

In addition, the following committees have been established for the development of information security:

  • The Corporate Information Security Committee, whose purpose is to manage information security in AESA, aligning the strategic activities of the organisation with the security aspects that derive from compliance with the body of information security regulations and with legal, regulatory and contractual requirements.

  • The Support Group to the Corporate Information Security Committee, which promotes the development, implementation and maintenance of the Information Security Management System (ISMS), acting as a support body to the Information Security Officer.


5.  RISK MANAGEMENT

Risk analysis and management must be carried out on an ongoing basis for all information systems, in accordance with the security management principles required by the ENS, the GDPR and any other legislation in the field of information security.

The Information Security Officer is responsible for carrying out the required risk analyses and selecting the safeguards to be implemented.

The Service and Information Managers assume the residual risks derived from the analysis, as well as their monitoring and control.

The risk management process includes the phases of categorisation of systems and processing activities, risk analysis, and selection of the security measures and controls to be applied, which must be proportionate to the risks and justified. This process must be reviewed each year by the Information Security Officer and submitted to the Corporate Information Security Committee for its report.

A risk analysis shall be carried out:

  • Regularly every year.

  • When there are changes in the essential services provided or significant changes in the infrastructures that support them.

  • When a serious security incident occurs.

  • When severe threats that had not been taken into account, or serious vulnerabilities that are not counteracted by the protection measures in place, are identified.

  • When there are legislative changes in the area of information security.


6.  DEVELOPMENT OF THE INFORMATION SECURITY POLICY

The body of information security regulations is developed through standards, procedures, technical instructions and guides, graded by scope and level of technical detail, which together make up the Information Security Management System of AESA.


7.  OBLIGATIONS OF STAFF AND THIRD PARTIES

All staff who provide services at AESA are obliged to know and comply with this ISP, and it is the responsibility of the Corporate Information Security Committee to provide the means necessary for the information to reach those affected.

All personnel who join AESA, or who will have access to any of its information systems or to the information managed by them, are obliged to know and comply not only with this Information Security Policy but also with all the Information Security Standards and Procedures that may affect their functions.

AESA staff are obliged to report any suspicious behaviour they detect in their environment by notifying an incident to the User Service Centre (CAU), as established in the incident management procedure.

A manifest breach of this Policy, or of the information security regulations derived from it, may lead to the initiation of the appropriate disciplinary measures and, where applicable, to the corresponding legal liabilities.

Likewise, all personnel involved with information, services and information systems must be trained and informed of their duties and obligations regarding information security. To ensure the security of the information technologies that support AESA's systems and services, the necessary mechanisms will be put in place to deliver the awareness and specific training required at all levels of the organisation.

Additionally, given the risks inherent in the management of services by third parties, the information security guidelines to be included in contracts will be established, incorporating the requirements of the applicable legislation and, in particular, those concerning the protection of personal data.

The information security requirements that must be met by the specifications and contracts made by AESA for the provision of services will be included in the Regulations on Security Management in Relations with Third Parties.

When AESA provides services to other bodies or handles information belonging to other bodies, those bodies will be made party to this ISP; reporting and coordination channels will be established, as well as procedures for action in the event of security events that affect those services.