Skip to main content
2014 Report

4.5.3. Information security. Access control

The Tax Agency has established an Information Security Policy approved by a Resolution of the Presidency of the Tax Agency of 8 November 2012. The Information Security Policy is the instrument used by the Tax Agency to achieve its objectives using the information and communications systems in a secure manner.

Within the framework established by the Information Security Policy, the Tax Agency has information protection and security mechanisms, one of which is the control of accesses, with an eminently preventive purpose. This control system, driven and supervised by the Internal Audit Service, is based on the registration of accesses. Every time a user accesses the corporate information system for an enquiry or for a management activity, they must declare the reason for access. Any access to tax information of a personal nature is registered together with a series of technical and administrative data which reveal its context and facilitate subsequent control.

Risk analyzes are carried out periodically and the highest risk accesses are selected and audited, in accordance with the guidelines of the Tax IT Security and Control Commission. If the controller considers that it is a serious or very serious improper access, they can initiate a disciplinary proceeding, if applicable. With slight fluctuations, the number of users with some improper access is around one for every 200 users with accesses.

In 2013, justification of some access was required for 82.50& of the total number of users. As a result of this access control, 10 disciplinary proceedings were initiated. In 2014, justification of some access was required for 80.65% of the total number of users of the Tax Agency. As a result of this access control, 17 disciplinary proceedings were initiated.