Security Policy

1. APPROVAL AND ENTRY INTO FORCE

Text approved by the Security Committee of the Instituto Tecnológico de Aragón, hereinafter ITA, on March 3, 2022. This Information Technology Security Policy is effective from that date until it is replaced by a new Policy. The entry into force of the present Information Security Policy of ITA implies the repeal of any other previously existing in the organization.

2. ITA’S OBJECTIVES AND MISSION

Mission: Center for the promotion of research and development, in the general interest, orienting its activities to promote technological innovation in companies.

Vision: We drive, together with companies, organizations and individuals, knowledge and technological innovation to help grow, and to create solutions to the challenges of the digital, green and social world we envision.

Objectives: To achieve this vision, the objectives set out in the strategy are:

  1. To be leaders in knowledge and drivers of technological innovation, providing vision and solutions to the new challenges of society, and in particular of Aragonese SMEs, developing the business fabric and generating a greater positive impact.
  2. To be collaborators and connectors in the public-private innovation ecosystem, taking advantage of all the opportunities and capabilities in Aragon, Spain and Europe and the Digital Innovation Hub.
  3. To create new relationship models with entrepreneurs, SMEs and companies, making an effort to reach the entire territory.
  4. To be an example and driving force for digital transformation, agility and innovation in public administration, encouraging citizens and the private sector in the process.
  5. To train and empower women and men technologically, so that they are prepared for a new, more digital and sustainable society.
  6. To refocus the communication strategy, providing value and knowledge, attracting technological talent and fostering STEAM vocations, especially among girls and young women.
  7. To be an innovative, digital and open organization, prepared to provide agile responses to any situation in an increasingly technologically changing world.

3. SECURITY POLICY OBJECTIVES

ITA’s information technology security policy, hereinafter IT Security Policy, pursues the achievement of the following objectives:

  1. Guarantee to the public that the data hosted at ITA will be managed in accordance with IT security standards and best practices.
  2. Increase the level of IT security awareness where this Policy applies, ensuring that the personnel in its service are aware of their obligations and responsibilities.
  3. To establish the basis for an integral IT security management model in the ITA Administration, covering technical, organizational and procedural aspects in a continuous cycle of improvement.
  4. To make clear ITA’s commitment to information security through its support to the Security and Data Protection Committee, hereinafter the Security Committee, providing it with the necessary means and powers to carry out its functions.
  5. Define, develop and implement the technical, organizational and management methodological controls necessary to effectively and measurably guarantee the preservation of the levels of confidentiality, availability and integrity of the information approved by ITA.
  6. To guarantee the continuity of the services offered by ITA to the citizens.
  7. To create and continuously promote a “culture of security” both internally, to all personnel, and externally to the public and suppliers, in order to ensure the efficiency and effectiveness of the controls in place and to increase the confidence of our citizens.

4. REVISION OF THE POLICY

This policy shall be reviewed at least once a year and whenever there are relevant changes in the organization, in order to ensure that it is in line with the organization’s strategy and needs.

The Policy will be proposed and reviewed by the Security Committee and communicated to the Works Council, which may issue a report on the modification. Once approved, it will be disseminated by ITA so that all affected parties are aware of it.

In case of conflicts or different interpretations of this policy, the Security Committee will be called upon to resolve them, following a report proposed by the IT Services team.

5. REGULATORY FRAMEWORK

For the purposes set forth in this Policy, the regulatory framework of reference is that stipulated in the current legislation on IT security.

Due to the personal and reserved nature of the information handled and the services made available to the public, ITA carries out its activities in accordance with the regulations in force in these matters, among which we can highlight the following due to their special relevance:

  1. Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
  2. Law 40/2015, of October 1, 2015, on the Legal Regime of the Public Sector.
  3. Royal Decree 3/2010, of January 8, 2010, which regulates the National Security Scheme in the field of Electronic Administration.
  4. Royal Decree 951/2015, of October 23, amending Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration.
  5. Royal Decree 311/2022, of May 3, 2022, regulating the National Security Scheme.
  6. Royal Decree 4/2010, of January 8, 2010, which regulates the National Interoperability Scheme in the field of Electronic Administration.
  7. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  8. Law 59/2003, of December 19, 2003, on electronic signature.
  9. Royal Decree 1553/2005, of December 23, 2005, which regulates the issuance of the national identity document and its electronic signature certificates.
  10. Law 9/2017, of November 8, on Public Sector Contracts, transposing into Spanish law the Directives of the European Parliament and of the Council 2014/23/EU and 2014/24/EU, of February 26, 2014.
  11. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation).
  12. Royal Legislative Decree 5/2015, of October 30, which approves the revised text of the Law of the Basic Statute of the Public Employee.
  13. Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights.
  14. Royal Decree-Law 14/2019 of October 31, 2019, adopting urgent measures for reasons of public security in the areas of digital administration, public sector procurement and telecommunications.
  15. Law 6/2020, of November 11, 2020, regulating certain aspects of electronic trust services.
  16. Royal Decree 203/2021, of March 30, which approves the Regulations for the performance and operation of the public sector by electronic means.

6. SCOPE OF APPLICATION

This Policy shall be applicable to and mandatory for all ITA’s Teams and Technologies, understanding by Teams and Technologies its different corporate and technological areas, and for its resources and processes affected by the National Security Scheme (ENS) and the GDPR, whether internal or external, linked to the entity through contracts or agreements with third parties.

7. IT SECURITY PRINCIPLES

7.1. IT Security Principles

ITA’s IT security policy will be developed, in general, according to the following principles:

  1. Principle of confidentiality: IT assets must be accessible only to those users, bodies and entities or processes expressly authorized to do so, with respect for the obligations of secrecy and professional confidentiality.
  2. Principle of integrity and quality: the integrity and quality of the information must be guaranteed, as well as that of its processing, establishing mechanisms to ensure that the processes of creation, processing, storage and distribution of the information contribute to preserving its accuracy and correctness.
  3. Principle of availability and continuity: a high level of availability of IT assets will be guaranteed and the necessary plans and measures will be put in place to ensure the continuity of services and recovery in the event of serious contingencies.
  4. Principle of traceability: measures shall be implemented to ensure that at all times it is possible to determine who did what and at what time, in order to be able to analyze the security incidents detected.
  5. Principle of authenticity: measures must be articulated to guarantee the origin of the information from which the data are derived, and that the entities from which the information originates are who they claim to be.
  6. Principle of risk management and integral security: a continuous process of risk analysis and treatment should be articulated as the basic mechanism on which IT asset security management should be based.
  7. Principle of cost proportionality: the implementation of measures to mitigate IT asset security risks must be based on a proportionality approach to economic and operational costs.
  8. Principle of awareness and training: initiatives shall be organized to enable users to be aware of their duties and obligations regarding the secure processing of information. Similarly, specific training in IT security will be promoted for all those who manage and administer information and telecommunications systems.
  9. Prevention, reaction and recovery principle: specific plans and lines of work will be developed to prevent fraud, non-compliance or incidents related to IT security.
  10. Principle of continuous improvement or periodic reassessment: the degree of effectiveness of the IT security controls in place shall be reviewed in order to adapt them to the constant evolution of risks and the technological environment.
  11. Principle of security in the life cycle of IT assets or lines of defense: security specifications will be included in all phases of the life cycle of services and systems, accompanied by the corresponding control procedures.
  12. Principle of differentiated function: responsibility for system security shall be differentiated from responsibility for the service, as well as from responsibility for the information. The roles and responsibilities of each of these functions must be duly delimited and documented.

7.2. Minimum Security Requirements

This security policy shall be established in accordance with the basic principles indicated and shall be developed by applying the following minimum requirements:

  1. Organization and implementation of the security process: The organizational structure for information security management shall be competent to maintain, update and enforce ITA’s Information Security Policy, as well as to ensure the implementation of the security process in the entity.
  2. Risk analysis and management: Risk analysis and management will be an essential part of the security process. Risk management will allow the maintenance of a controlled environment, minimizing risks to acceptable levels. The reduction of these levels will be achieved through the deployment of security measures, which will strike a balance between the nature of the data and processing, the impact and likelihood of the risks to which they are exposed and the effectiveness and cost of the security measures. When assessing risk in relation to data security, the risks arising from the processing of personal data should be taken into account.
  3. Personnel management: The necessary mechanisms shall be implemented so that any person who accesses, or may access, the information assets is aware of their responsibilities, thus reducing the risk derived from the improper use of such assets.
  4. Professionalism: System security will be managed, reviewed and audited by qualified, dedicated and trained personnel at all stages of its life cycle. The personnel who attend, review and audit the security of the systems will receive the specific training necessary to ensure the security of the applicable information technologies. Security service providers shall be required, in an objective and non-discriminatory manner, to have qualified professionals with suitable levels of management and maturity in the services provided.
  5. Access authorization and control: Access to information assets by users, processes and other information systems will be limited by implementing identification, authentication and authorization mechanisms in accordance with the criticality of each asset. In addition, the use of the system will be recorded in order to ensure the traceability of access and audit its proper use, according to the organization’s activity.
  6. Protection of facilities: Information assets will be located in secure areas, protected by physical access controls appropriate to their level of criticality. The systems and information assets contained in these areas shall be sufficiently protected against physical or environmental threats.
  7. Acquisition of products: In the acquisition of security products, certification of the security functionality related to the object of such acquisition shall be required, according to the criteria of the security manager and applying the principle of proportionality. For the contracting of security services, the provisions of the principle of professionalism shall apply.
  8. Security by default: Security shall be understood as an integral process consisting of all the technical, human, material and organizational elements related to the system. Information security must be considered part of normal operations, being present and applied from the initial design of the information systems.
  9. System integrity and updating: ITA’s computer system will be designed and maintained by the person responsible for the service under technical, efficiency and security criteria. Any physical or logical element shall require formal authorization prior to its installation in the system. Any alteration of the hardware and software configuration of the equipment or any uninstallation of programs from the predefined platform of use will also require prior formal authorization. In general, software shall not be installed unless it has the corresponding user license, either because ITA has acquired it or because it is free software with an applicable license. In any case, it will be the system administrator who installs the software once it is authorized.
  10. Protection of information stored and in transit: In the structure and organization of system security, special attention will be paid to information stored or in transit through insecure environments, such as portable equipment (PCs, mobiles or tablets), peripheral devices, information media and communications over open or weakly encrypted networks. Also part of security are the procedures that ensure the recovery and long-term preservation of electronic documents produced by ITA.
  11. Prevention in relation to other interconnected information systems: The necessary procedures will be established to achieve adequate management of the security, operation and updating of the Information and Communications Technologies. Information transmitted through communications networks must be adequately protected, taking into account its level of sensitivity and criticality, by means of mechanisms that guarantee its security.
  12. Activity log: The activities of the users will be recorded, retaining the information necessary to monitor, analyze, investigate and document improper or unauthorized activities, allowing the identification of the person acting at any time.
  13. Security incidents: appropriate mechanisms will be implemented for the correct identification, recording and resolution of security incidents.
  14. Business continuity: appropriate mechanisms will be implemented to ensure the availability of the information systems and maintain the continuity of its business processes, in accordance with the service level needs of its users.
  15. Continuous improvement of the security process: Security measures will be reevaluated and updated periodically to adapt their effectiveness to the constant evolution of risks and protection systems. Information security will be attended, reviewed and audited by qualified, trained and dedicated personnel.

8. IT security organization

8.1. General liability

The preservation of IT security shall be considered a common objective of all ITA employees, who shall be responsible for the correct use of the information and communication technology assets placed at their disposal.

In case of non-compliance with the security guidelines and regulations indicated in this policy and the obligations derived from them, ITA reserves the right to apply the disciplinary regime established in the Basic Statute of the Public Employee approved by Royal Legislative Decree 5/2015, of October 30 and in the rules that the Civil Service Laws dictate in development of the same.

Due to their importance within the implementation of security, some of the functions of the bodies that ITA considers necessary for the correct management of security are developed in this policy.

ITA’s organizational structure in the area of security is reviewed at the beginning of each legislative term. Once revised, ITA holds an extraordinary Security Committee meeting at which the new security organization is ratified (President, members, secretary, security officer, …).

8.2. Security Committee

1. The ITA Security Committee is created as a collegiate body of a transversal nature for the coordination and governance of security matters within the entity.

2. The Committee shall consist of the following representatives of ITA: management, management, and head of the IT Services Team.

3. The functions of the Committee shall be the following:

  1. Definition, approval and follow-up of IT security objectives, initiatives and strategic plans.
  2. Ensure the availability of the necessary resources to develop the initiatives and strategic plans defined.
  3. Submitting proposals for revision of the IT security regulatory framework to the competent body for regulatory processing.
  4. Establishment of common guidelines and monitoring of compliance with IT security regulations.
  5. Monitoring and approval of risk level and decision making in the response to security incidents affecting IT assets.
  6. Definition and approval of the relationship model with the IT Security Committee of the entities included in the scope of application of the Policy.

4. The Security Committee shall meet at least once per semester and shall be governed by this policy.

5. The Security Committee shall appoint from among its members an IT incident response group, called the “Crisis Committee”, whose function shall be to take urgent decisions in the event of a serious contingency affecting the security of ITA’s critical information systems.

6. The tasks of support and advice to the Security Committee shall be carried out by the person Responsible for Security and the Security and Data Protection Office.

8.3. IT Security Manager

1. The appointment of the person in charge of security shall be the responsibility of the Security Committee.

2. The person Responsible for Security shall have the following functions, within his/her scope:

  1. Definition and monitoring of actions related to IT security of the entity’s information assets and risk management.
  2. Advice and support on security issues.
  3. Coordination in IT security matters.
  4. Proposal and follow-up of training and awareness programs.
  5. Submission to the Security Committee of a periodic report on the status of IT security and related activities.
  6. Assumption of the functions included in articles 10, 27.3, 34.6, Annex II (section 2.3) and Annex III (sections 2.1.b and 2.2.b) of Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration.
  7. Assumption of the functions included in Regulation (EU) 2016/679 governing the Protection of Personal Data, approved on May 25, 2016 and entered into force on May 25, 2017.

8.4. IT Security Office

The IT Security Office will be composed of the persons responsible for ITA’s Teams and Technology Groups, although it may call upon any other persons that the Office deems necessary for the development of the work entrusted to it.

This IT Security Office will also include the person responsible for ITA’s Security, who will be in charge of reviewing and preparing proposals to be presented and discussed in the IT Security Committee.

  1. The Security and Data Protection Office shall have the following attributions:
    1. Definition of the technical and operational approach to IT security objectives, initiatives and strategic plans, in accordance with the guidelines of the IT Security Committee.
    2. Preparation of proposals for the revision of the IT security regulatory framework.
    3. Preparation of reports and proposals for legal and regulatory compliance.
    4. Reporting on the IT security level of assets.
    5. Submission to the IT Security Committee of periodic reports on the status of ITA’s IT security.
  2. The Data Protection and Security Office shall be governed by this Policy.

8.5. Responsible Persons

The person Responsible for the Information determines the security requirements with respect to the information processed in ITA.

The person Responsible for the Service determines the hardware and software infrastructure of the information system, the criteria of use, the services offered, the formats and any other aspect of the operation of the ITA information system.

The person responsible for security determines how to meet the security requirements, both of the information and of the services offered, including the definition of security procedures and, if necessary, the adoption of emergency measures in the event of possible deficiencies or threats in ITA.

The system administrator develops, operates and maintains the ITA information system.

Discrepancies in security matters will be resolved by the highest-ranking authority among those involved.

The attributions of each person in charge, as well as the coordination and conflict resolution mechanisms, are explained in the Security Roles and Responsibilities Policy and the Security Organization Policy.

9. Development of the Security Policy

9.1. Development instruments

ITA’s Information Security Policy will be developed by means of service instructions and circulars that address specific aspects. Such instructions and circulars may take one of the following forms:

Security standards: They standardize the use of specific aspects of the system. They indicate the correct use and the responsibilities of the users. They are mandatory.

Procedures: They concretize workflows for performing tasks, indicating what needs to be done, step by step, but without going into details (of suppliers, trademarks or technical commands). They are useful in repetitive tasks.

Technical instructions: They develop the Procedures to the maximum level of detail (indicating the suppliers, commercial brands and technical commands used to carry out the tasks).

The security regulations will be available on the entity’s Internal Portal for all members of the organization who need to know them. New hires will be informed of them as part of the onboarding process. Likewise, whenever an agreed change is made to this document, the new version will be published and communicated to the entire organization.

9.2. Approval of regulations

Throughout the organization, the approval of security standards shall be in accordance with the provisions of this policy and specific regulations to be developed by ITA.

9.3. Penalties for non-compliance

Failure to comply with the Information Security Policy and the rules that develop it may result in the consequent disciplinary responsibilities, which will be substantiated in accordance with the provisions of the regulations on disciplinary rules for persons linked to ITA, as well as, where appropriate, the provisions of the Collective Bargaining Agreement in force at any given time.

10. Awareness and Training

Awareness raising and training aims to achieve several objectives. On the one hand, and fundamentally, full awareness that information security affects all ITA members and all the activities and services that make up the organization.

On the other hand, and following the Integral Security Principle, the articulation of the necessary means so that all the people involved in ITA’s day-to-day work, and their hierarchical managers, have the appropriate sensitivity towards the responsibility involved in managing information from the public and from the Administration itself.

11. Risk Analysis and Management

All systems subject to this Policy shall be subject to risk analysis and management, assessing the assets, threats and vulnerabilities to which they are exposed and proposing appropriate countermeasures to mitigate the risks. Although continuous monitoring of the changes made to the systems is required, this analysis will be repeated:

  • At least once a year (by formal review and approval).
  • When a serious security incident occurs.

For risk analysis and management, the MAGERIT methodology (Methodology for Analysis and Risk Management of Information Systems), developed by the Superior Council of Electronic Administration and focused on Public Administrations, will be used.

12. Information security

An ITA Information Classification will be developed to identify the different types of information, based on its sensitivity, establish how to label the media containing it and determine what can and should not be done with each classification level.

13. Personal Data

The provisions of the GDPR and the provisions of national legislation to that effect shall apply.

Each department is responsible for managing and maintaining the security of the personal data included in the processing operations for which it is responsible.

All ITA information systems shall conform to the security levels required by these regulations.

14. Personnel Obligations

All members of the organization, as well as companies and third parties that perform services of any kind contracted by ITA or that are in any way provided under the control and/or management of ITA, are obliged to know and comply with this Information Security Policy and the Security Regulations. These will be communicated through the corresponding Teams and Technology Groups, which must have the necessary means to ensure that they reach those affected.

An ongoing awareness program will be established for all ITA members, particularly new recruits.

Personnel should use the security incident notification procedures provided for this purpose, in the event of detecting a possible incident.

Persons with responsibility for the use, operation or administration of information systems shall be trained in the safe use of the systems.

15. Third parties

When ITA provides services to other organizations or handles information from other organizations, they will be made aware of this Information Security Policy, channels will be established for reporting and coordination between the respective Security Committees, and procedures will be established to react to security incidents.

When ITA uses third party services or discloses information to third parties, ITA will make them aware of this Security Policy and the Security Regulations pertaining to such services or information. The third party must agree to be subject to the obligations set forth in said regulations, and may develop its own operating procedures to satisfy them. Specific reporting and incident resolution procedures will be established. It shall be ensured that third party personnel are adequately security aware to at least the same level as set out in this Policy.

Where any aspect of the Policy cannot be satisfied by a third party as required in the above paragraphs, a report from the person Responsible for Security specifying the risks incurred and how they will be addressed is required. Approval of this report will be required from the persons Responsible for the Information and Services concerned, as well as from the data controller under the GDPR, before proceeding further.

16. ANNEX I

Glossary of terms

Information security policy: A set of guidelines set out in a written document that governs how an organization manages and protects its information technology assets.

Information technology asset: any information or information system that has value to the organization. It includes data, services, applications, equipment, communications, facilities, processes and human resources.

IT security incident: An event, accidental or intentional, as a result of which the integrity, confidentiality or availability of information is affected.

Severe contingency: IT security incident whose occurrence would cause a significant reduction of the organization’s ability to effectively meet its fundamental obligations, significant damage to the organization’s assets, material non-compliance with any law or regulation, or significant harm to individuals that would be difficult to repair.

Security master plan: Strategy and set of planned initiatives, set out in a written document, whose objective is to achieve a certain level of security in the organization.

Risk: Estimate of the degree of exposure to a threat materializing on one or more assets causing damage or harm to the organization. Possibility of a given impact on an asset, a domain or the entire organization.

Information system: An organized set of resources designed to collect, store, process, present or transmit information.

Critical information system: Information system whose proper functioning is indispensable for the operation of the organization and the fulfillment of its fundamental obligations.

17. CHANGE CONTROL

Version   Date         Author              Description
Initial   -            Cybergob            Document creation
1         03/03/2022   Security Committee  Document approved
1.1       12/06/2023   Security Committee  Revision after opening the Works Council consultation process
1.2       20/10/2023   Security Committee  Revision after consultation with the Works Council