The necessary spread of the information society depends, to a great extent, on the confidence that citizens have in dealing with the administration through electronic means.
The right of citizens to communicate with the Public Administrations through electronic means entails a corresponding obligation on those administrations, which must provide the conditions, through secure technologies, under which that freedom and equality are real and effective.
To regulate such access of citizens to public services, the National Security Scheme (Esquema Nacional de Seguridad, ENS) was created. Its purpose is to establish the principles and requirements of a security policy for the use of electronic means that allows adequate protection of information.
The purpose of the National Security Scheme is to create the necessary conditions of trust in the use of electronic means, through measures that guarantee the security of systems, data, communications and electronic services, so that citizens and public administrations can exercise their rights and fulfil their duties through these means.
The National Security Scheme seeks to underpin the confidence that information systems will provide their services and safeguard the information in accordance with their functional specifications, without uncontrolled interruptions or modifications, and without the information coming to the knowledge of unauthorized persons.
Both for the private sector and for the Public Administration itself, information security poses a challenge that goes beyond securing each system individually. Each system must have a clear perimeter, and those responsible for each security domain must coordinate effectively to avoid "no man's land" and fractures that could damage the information or the services provided.
In this context, network and information security is understood as the ability of networks or information systems to resist, with a certain level of confidence, accidents or illicit or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the data stored or transmitted and of the services that those networks and systems offer or make accessible, together with the traceability of such data.
The first official regulatory document was Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration.
Subsequently, a second Royal Decree amending it was drafted:
Royal Decree 951/2015, of October 23, modifying Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration.
Its main objective was, and continues to be, to update the regulation derived from RD 3/2010. Its scope and content aim to specify, deepen and contribute to better compliance with the regulatory mandates: it clarifies the role of the National Cryptologic Center and the CCN-CERT; explains and relates the technical security instructions and the Declaration of Applicability; updates Annex II, on security measures; simplifies and specifies Annex III, on the security audit; modifies the Glossary of terms in Annex IV; modifies the wording of the particular administrative clause in Annex V; and, finally, establishes through a transitory provision a period of twenty-four months from its entry into force for adapting systems to the provisions of the modification.
Consider, by way of example, articles such as the following:
Section 3 of article 15 is worded as follows:
"3. The Public Administrations will require, in an objective and non-discriminatory manner, that the organizations that provide them with security services have qualified professionals and suitable levels of management and maturity in the services provided."
Three. Article 18 is modified, whose title becomes "Acquisition of security products and contracting of security services" and its sections 1 and 4 are worded as follows:
"1. In the acquisition of information and communications technology security products that are going to be used by the Public Administrations, those that have certified security functionality related to the object of their acquisition will be used, in a manner proportionate to the category of the system and the level of security determined, except in those cases in which the requirements of proportionality in terms of the risks assumed do not justify it in the opinion of the person in charge of Security."
"4. For the contracting of security services, the provisions of the previous sections and of article 15 shall apply."
In other words, the Public Administrations have a tool to require their providers of information security products and services to be certified under the ENS scheme if those providers intend to interact with the Public Administrations.
Current operational status
Currently, a good part of the Public Administrations have already adapted, or are adapting, their data security structures to the ENS, with security systems that aim at a secure and resilient response to possible breaches resulting from attacks on their systems: a commitment to cybersecurity.
In addition, in the public tenders they prepare, it is already required that organizations wishing to bid accredit security systems that comply with the ENS and are certified by entities accredited for that purpose.
It is in this sense that private organizations must attend, to the extent that it affects or may affect them, to the requirements for guaranteeing (and certifying through an independent third-party organization) compliance with the ENS, maintaining and continuously updating the security of their information systems and data.
Basic glossary (not exhaustive)
Asset. Component or functionality of an information system that can be deliberately or accidentally attacked with consequences for the organization. Includes: information, data, services, applications (software), equipment (hardware), communications, administrative resources, physical resources and human resources.
Risk analysis. Systematic use of available information to identify hazards and estimate risks.
Security audit. Independent review and examination of system logs and activities to verify the adequacy of system controls, ensure compliance with the established security policy and operating procedures, detect security breaches, and recommend appropriate modifications to controls, policy and procedures.
Authenticity. Property or characteristic that an entity is who it claims to be or that it guarantees the source from which the data comes.
Category of a system. A level, within the Basic-Medium-High scale, with which a system is described in order to select the security measures it requires. The category of the system reflects the holistic view of the set of assets as a harmonious whole, oriented to the provision of services.
Confidentiality. Property or characteristic where the information is neither made available nor disclosed to unauthorized individuals, entities, or processes.
Availability. Property or characteristic of assets consisting of authorized entities or processes having access to them when required.
Risk management. Coordinated activities to direct and control an organization with respect to risks.
Security incident. Unexpected or unwanted event with consequences detrimental to the security of the information system.
Integrity. Property or characteristic that the information asset has not been altered in an unauthorized manner.
Security measures. Set of provisions aimed at protecting against possible risks to the information system, in order to ensure its security objectives. These can be prevention, deterrence, protection, detection and reaction, or recovery measures.
Security policy. Set of guidelines embodied in a written document, which govern the way in which an organization manages and protects the information and services that it considers critical.
Risk. Estimation of the degree of exposure to a threat materializing on one or more assets causing damage or harm to the organization.
Network and information security. The ability of networks or information systems to resist, with a certain level of confidence, accidents or illicit or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the stored or transmitted data and of the services that those networks and systems offer or make accessible.
Information security management system (SGSI, the Spanish acronym; ISMS in English). Management system that, based on the study of risks, is established to create, implement, operate, supervise, review, maintain and improve information security. The management system includes the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
Information system. Organized set of resources so that information can be collected, stored, processed, maintained, used, shared, distributed, made available, presented or transmitted.
Traceability. Property or characteristic whereby the actions of an entity can be attributed exclusively to that entity.
Vulnerability. A weakness that can be exploited by a threat.
It is not a simple scheme but, with specialized support, it can be tackled in a short time, provided that the structure and infrastructure of assets and personnel, and the capacity and resources of the private organization that wants to be certified, align with the required security requirements.
In future posts we will provide more information about the ENS and the implementation, audit and certification methodology.
Our organization is prepared to provide technical and organizational advice to client organizations that rely on our experience.