3.8. Security measures
The processing of personal data has been assessed through a risk analysis, which identified the technical and organisational measures necessary to prevent the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication of or access to such data, in particular where this is likely to cause physical, material or immaterial damage and harm.
The measures adopted take into account the state of technology, the nature of the data and the risks to which they are exposed and are periodically reviewed to ensure their adaptation to new situations or risk scenarios.
These measures have been applied in accordance with the approved adaptation plan and, in summary, cover the following aspects:
Information Security Policy
The Tax Agency has an Information Security Policy that establishes the general provisions and guiding principles regarding Security.
Regulatory and Procedural Framework
The general provisions of the Policy are specified and developed in a Regulatory and Procedural Framework for Security Management that helps to define and implement protection measures and security controls.
Security Governance Model
Security Management is structured through a Governance Model that defines and implements the necessary roles, functions and responsibilities.
Information Security Management System (ISMS)
In terms of Information Security, the Tax Agency has an ISMS that complies with the requirements of the National Security Scheme (ENS) for the services and physical infrastructures of its data centres.
Data Processing Centre (CPD) Infrastructures
The Tax Agency's CPDs guarantee compliance with security requirements regarding physical access and protection of general infrastructures: electricity supply, air conditioning, communications, etc.
Security awareness and training
The Tax Agency has an internal training programme for the dissemination of basic principles of action and security procedures, in order to ensure regulatory and legal compliance by employees.
Security incident management and response procedure
The Tax Agency has an incident management process and an incident response team, through which it covers the complete life cycle of security incidents, from detection and registration to resolution, including analysis, classification, immediate response and notification.