Standards and Laws

International standards

Law 15/99 on the Protection of Personal Data 

This law is supplemented by the regulations stipulated in the Royal Decree 1720/2007. 

The purpose of this Act is to guarantee and protect, with regard to the processing of personal data (automated or not), the civil liberties and fundamental rights of natural persons, and especially their honour and their personal and family privacy. 
The rights under the Data Protection Act are: 

• The persons whose personal data are stored have a number of rights under the law: 

o Right to information: when someone gives you their data, they must be informed that the data will be stored. 
o Rights of access, rectification, cancellation and opposition: the person may see the information you hold about them, have the data corrected so that it is accurate, have the stored information cancelled, and object to its being stored. 

Law 34/2002 on Information Society Services and Electronic Commerce (LSSI) 

This Act regulates the obligations of service providers and the services they provide. The obligations under the Act are: 

• Service providers must provide their contact details. 
• They must cooperate with the authorities, retaining connection and traffic data for 12 months. 
• A provider hosting information supplied by a customer is not liable for the information stored at the request of the recipient, provided that: 

o it has no actual knowledge that the activity or the stored information is unlawful or harms property or rights of a third party entitled to compensation, or 
o if it does have such knowledge, it acts diligently to remove the information or block access to it. 

When transmitting information from third parties, service providers bear no responsibility for it if they: 

• Do not modify the information. 
• Allow access to it only to authorized recipients. 
• Update the information correctly. 
• Do not use their position to obtain data on the use of the information. 
• Withdraw the information they have stored, or make access to it impossible, as soon as they know that it has been removed from the network where it was originally located, or that a court or competent administrative authority has ordered its removal or the disabling of access to it. 

Law 32/2003, General Telecommunications Law 

The object of this law is the regulation of telecommunications. Among the objectives of this Act are: 

• Encourage competition. 
• Ensure compliance with the obligations of public service in the operation of networks and the provision of electronic communications services. 
• Promote the development of the telecommunications sector. 
• Enable the efficient use of limited telecommunications resources. 
• Defending the interests of users. 
• To promote, as far as possible, technological neutrality in regulation. 
• Promote the development of industry products and telecommunications services. 
• Contribute to the development of the internal market for electronic communications services in the European Union. 

Law 59/2003 on Electronic Signatures 

This Act regulates electronic signatures, their legal effectiveness and the provision of certification services. 
An electronic signature is a set of data in electronic form, attached to or associated with other data, which can be used as a means of identifying the signatory. 
In relation to data in electronic form, an electronic signature has the same legal value as a handwritten signature has in relation to data on paper, so both its generation and its use must be carefully controlled to avoid problems. 

Royal Legislative Decree (R.D.L.) 1/1996, Intellectual Property Law 

Copyright in a literary, artistic or scientific work belongs to its author and gives the author full control over the work and the exclusive right to exploit it. Works may be expressed in any medium, tangible or intangible, currently known or invented in the future, such as: 

• Books, pamphlets, forms, correspondence, writings, speeches and addresses, lectures, forensic reports, etc. 
• Projects, plans, models and architectural and engineering designs. 
• Charts, maps and drawings relating to topography, geography and science in general. 
• Photographic works. 
• Computer programs. 
Under this Act, organizations protect their own knowledge and are obliged to respect that of others. Another point relevant to information security is the requirement to use only original (proprietary or free) software, since the use of unlicensed software would be a violation of the Act. 

Law 17/2001 on Industrial Property 

It governs the rights over: 
• Marks. 
• Trade names. 
The agency responsible for maintaining the trademark register is the Patent and Trademark Office. To hold property rights in a mark, it must be registered with the Office. 

Law 11/2007 on Electronic Access to Public Services 

The highlights of the Act are: 
• Citizens are granted new rights in their relations with public administrations. 
• The User Ombudsman is created. 
• Processes and procedures can be carried out from anywhere, at any time. 
• Administration becomes easier, quicker and more effective. 
• Citizens take the lead in their relations with the administration. 

It provides for a National Security Scheme and an Interoperability Scheme, so that the services offered have a minimum level of security and the various administrations can communicate smoothly with one another.

Information Security Policy Standards 

Like other ISO standards, ISO 27000 is actually a series of standards. The standards of the ISO 27000 series and a description of their most significant features are given below:
UNE-ISO 27001 

This standard defines the security management process; it is therefore a specification for an ISMS and, currently, the only certifiable standard within the ISO 27000 family.

ISO 27002 

ISO 27002 is a code of practice that collects a catalogue of security controls and guidance for the implementation of an ISMS.



ISO 27002 (documentation) 

The aim of this policy is the development of an ISMS that reduces the risks identified in the risk analysis to a level acceptable to the organization, always in relation to business objectives. Importantly, any security measure that is implemented must be clearly documented.


ISO/IEC 17799 standard guidelines 

ISO/IEC 17799 provides best-practice recommendations on information security management to all those concerned with and responsible for initiating, implementing or maintaining information security management systems. Information security is defined in the standard as "the preservation of confidentiality (ensuring that only authorized individuals may access information), integrity (ensuring that information and its processing methods are accurate and complete) and availability (ensuring that authorized users have access to information and associated assets when required)."
The 2005 version of the standard includes the following eleven major sections:

  1. Information Security Policy. 
  2. Organization of Information Security. 
  3. Information Asset Management. 
  4. Human Resources Security. 
  5. Physical and Environmental Security. 
  6. Communications and Operations Management. 
  7. Access Control. 
  8. Information Systems Acquisition, Development and Maintenance. 
  9. Information Security Incident Management. 
  10. Business Continuity Management. 
  11. Compliance. 

Within each section, the objectives of the various information security controls are specified, and for each control an implementation guide is given. In total there are 133 controls across all sections, but each organization must first consider how many of them are actually applicable to its own needs.
With the adoption of ISO/IEC 27001 in October 2005 and the reservation of the 27000 numbering for information security, ISO/IEC 17799:2005 was expected to be renamed ISO/IEC 27002 when its contents were reviewed and updated in 2007.
