The National Security Framework of Spain

Guide Share Europe, 10 October 2011


Good afternoon, Ladies and Gentlemen,


I appreciate very much the invitation of GSE to speak here today.

My talk is a bit different from the others in this event. It is about the National Security
Framework of Spain. This Security Framework introduces common security elements
applicable to eGovernment services and it is in the service of the right of citizens to
interact electronically with their government.

This National Security Framework, as well as the National Interoperability Framework, is
the result of a collective effort of all public administrations and also of the Industry
through their main associations. Both Frameworks are part of the well known effort of
Spain to develop eGovernment.

The aim of the Security Framework is to ensure that the overall approach to
information security throughout all public administrations is both coherent and efficient, by
identifying synergies and eliminating duplication of work.


Contents
So the contents of my presentation today are the following:

   •   First of all, the context of the NSF.

   •   Then, the legal basis: eGovernment services and security.

   •   Next, the main aspects of the National Security Framework.

   •   After that, how we collaborate.

   •   And finally, conclusions.




The context of the NSF: eGovernment Services

The objective of eGovernment services
Our government has committed to the development of eGovernment services; in fact
the right of the citizens to interact with public administrations by electronic means is
recognized by law.

We all expect that eGovernment will help to improve our quality of life and reduce the
administrative burdens on business in their interaction with public administrations. We
also expect that eGovernment will contribute to growth and extend the benefits
of a digital society to all, with the idea of no one left behind.

eGovernment services in Spain are provided in a complex scenario which involves the
interaction of the General State Administration, 17 regional governments and 2
autonomous cities, plus over 8,000 municipalities, together with the relationships with EU
institutions and agencies and other Member States.


Why security is important for eGovernment services
We, as citizens, expect that eGovernment services are provided under conditions of
trust and security comparable to those we find when we go personally to the offices of the
Administration.

As a result of the advance in the development of eGovernment, there is a growing
proportion of electronic versus paper documents or information, and, increasingly,
there is no paper in administrative proceedings. For instance, our Administration can
establish that interactions have to be done by electronic means when certain
collectives of legal or personal entities with professional, technical and economical
capabilities are involved.

Information on electronic means is exposed to potential risks from the threat of
malicious or illegal actions, errors or failures and accidents or disasters. Unfortunately,
these threats are not only due to vulnerabilities associated with technological
developments, they are also due to the fact that these technologies are being used to
attack systems.

ICT is increasingly used in cybercrime and politically motivated attacks, as we have
seen in recent times. For instance, in 2010 our ministries suffered 30 highly critical attacks,
aimed mainly at the availability of services and at stealing data.

And Public Bodies are interconnected and interdependent; information and services
cannot be secured by partial approaches. There is a need for a comprehensive
framework to address security.


International context
The NSF follows the recommendations of the OECD, EU, as well as standards and
experiences from other countries. We have taken into account the international context
so as to be aligned to main security trends and to ensure consistency with
international developments.

The OECD Guidelines for information and network security are a main reference. Let's
remember that the principles include “... risk evaluation, security design and implementation,
security management and re-evaluation.”

And also the Implementation Plan for the OECD Guidelines which states that
“Government should develop policies that reflect best practices in security management
and risk assessment... to create a coherent system of security.”

Standards in the field of IT security are obviously another relevant source; their
development has grown considerably in the last decade.

In the European Union, the Digital Agenda for Europe recognizes the rising
cybercrime and low trust as one of the 7 main obstacles to be overcome.

In relation to other countries, FISMA, the Federal Information Security Management
Act of the USA, is a main reference, because of its overall approach, from the vision
and legal basis to the provision of standards and guidelines. We have also analysed
the approaches in Germany, the UK and France.


The legal framework: eGovernment Services and security

eGovernment Law 11/2007
We have a strong legal basis for eGovernment. The eGovernment Law 11/2007
recognises the citizens’ right to interact with Public Administration by electronic means.
Consequently, public administrations are obliged to enable electronic
access to their services.

This eGovernment Law lays down a number of principles; some of them explicitly
address security, such as those which refer to:
   (I) the protection of personal data;
   (II) security in the implementation and use of electronic means by public
        administrations;
   (III) proportionality in the implementation of security measures
        according to the information and services to be protected and their context.
The rights recognised to the citizens also include the notion of security, as the right
to security and confidentiality of information in the files, systems and applications of
Public Administrations.

And finally article 42 of the eGovernment Law creates the National Security
Framework.


The Royal Decree 3/2010
The Spanish NSF is a legal text, Royal Decree 3/2010, which develops the provisions about
security foreseen in the eGovernment Law. The NSF establishes the security policy for
eGovernment services. It consists of the basic principles and minimum requirements to
enable adequate protection of information, to be followed by all Public administrations.

It is also a key element of the Spanish Security Strategy, approved in June this year.

Let's remember that the legal framework has a direct impact on the quality of eGovernment
services, as well as on the perception of the citizens, and, at the same time, acts as a driver of
the digital society. The OECD highlights it as an important aspect of eGovernment readiness.


Objectives of the NSF
The objectives of the NSF are the following:

   •   To create the necessary conditions of trust, through measures to ensure IT
       security for the exercise of rights and the fulfillment of duties through electronic
       access to public services.

   •   To facilitate the continuous management of security, regardless of the impulses
       of the moment or lack thereof.

   •   To provide a common language, concepts and elements of security. This
       common approach is helpful:

       ◦ to provide guidance to Public Administrations in the implementation of ICT
         security,

       ◦ to enable cooperation to deliver eGovernment services,

       ◦ and to facilitate the interaction between Public Administrations. The NSF
         complements the National Interoperability Framework.

   •   To facilitate the communication of security requirements to the Industry.
       Surely, it is easy to imagine what this means in terms of calls for tenders, technical
       specifications and predictable offers. The Industry finds all Public Administrations speaking
       the same language.

Objectives of the NSF, to stimulate Industry
   •   And, why not, to stimulate the IT Industry. AMETIC, the Spanish multi-sector association
       of companies in the fields of electronics, telecommunications and digital
       content, is collaborating to promote the adoption of the NSF.


The National Security Framework

The main elements of the NSF
What are the main elements of the NSF?
  •   The basic principles to be taken into account in decisions about security.
  •   The minimum requirements which allow an adequate protection of information.
  •   How to satisfy the basic principles and minimum requirements by means of the
      adoption of proportionate security measures according to the information and
      services to be protected and to the risks to which they are exposed.
  •   Security audits.
  •   Response to security incidents (CERT).
  •   Security certified products, to be considered in procurement.



The security policy
Public Administrations will have a security policy on the basis of the basic principles and
minimum requirements.

How to satisfy the minimum requirements? Proportional security measures will be adopted
taking into account:

   •   System category, on the basis of the evaluation of the security dimensions.
   •   Law and rules about personal data protection.
   •   Decisions to manage identified risks. In the end, risk analysis is the key element
       to determine the proportionate and adequate security measures according to the
       information and services to be protected.
And regular audits will be carried out (for systems falling under Medium or High categories).


Basic principles
The following six basic and sound security principles should be considered when taking
decisions about security:

   •   Security as an integral process: every process is concerned; it involves
       equipment, facilities, people and processes.

   •   Risk management: risk analysis and management is essential.

   •   Prevention, reaction and recovery.

   •   Defense in depth: physical, logical and organisational.

   •   Periodic re-evaluation: dynamic and reactive.

   •   Segregation of duties: the security role is separated from the operational role.

Minimum requirements
The security policy will be based on the basic principles and it will be developed to
meet the following minimum requirements:

These requirements may sound familiar, since they are aligned with well known standards.

Fulfilment of requirements
To meet these minimum requirements, security measures will be selected considering
the following:

   •   The category of the system, Basic, Medium and High, depending on the evaluation of
       the security dimensions (availability, authenticity, integrity, confidentiality, traceability).

   •   System categorisation is relevant to modulate the balance between the importance
       of the information handled, the services provided and the security effort required,
       depending on the risks to which they are exposed, following the
       principle of proportionality.

   •   The categorisation is made on the basis of the evaluation of the impact that an
       incident would have in the security of the information or services with damage to
       the availability, authenticity, integrity, confidentiality or traceability, as security
       dimensions.

   •   The evaluation of the consequences of a negative impact on security is
       based on their repercussion on the organisation’s capacity to achieve its objectives,
       to protect its assets, to provide its services, and to comply with the law and the rights of
       citizens.

   •   Always taking into account the provisions in the legislation on protection of personal
       data and decisions taken to manage identified risks.



Security measures
There is a reference in the NSF to security measures. There are three general
classes of security measures:
   •   Organisational: includes measures related to global security.
   •   Operational: includes the measures to protect the system's operation as a
       comprehensive set of components.
   •   Asset protection: includes measures to protect specific assets (facilities,
       personnel, equipment, communications, information media, applications,
       information, services), according to their nature and requirements.

The NSF tells the WHAT, but there is freedom on HOW to implement them.

Implementation of the NSF
Organisations providing e-government services will have to:

   •   Prepare and adopt a security policy

   •   Define roles and appoint persons

   •   Evaluate information and services (system categorisation)

   •   Carry out risk analysis

   •   Prepare and adopt a statement of applicability

   •   Implement, operate, and monitor the security

   •   Carry out audits every 2 years (High and Medium categories)

   •   Improve security


Audits
Periodic audits to assess compliance with the NSF are to be carried out, using widely
recognised audit criteria and standards. Audit reports will be analysed by the security
manager, who will communicate his conclusions to the operational manager so that the
required changes are applied.

The security of information systems shall be audited to verify that:

   •   The security policy defines roles and functions.
   •   There are procedures for resolving conflicts.
   •   Persons have been designated for the main roles according to the principle of
       "separation of roles”.
   •   There is a risk analysis, approved and periodically reviewed.
   •   Security measures are complied with, according to system category and security
       requirements.
   •   There is a formal management system.

Implementation support: guidelines and tools
There is a big effort ongoing to provide security guidelines:

       801 – Roles and responsibilities
       802 – Auditing guide
       803 – Valuation of systems
       804 – Implementation guidance
       805 – Information security policy
       806 – Security implementation plan
       807 – Use of cryptography
       808 – Inspection of compliance
       809 – Statement of conformity
       810 – Creation of a CERT/CSIRT
       811 – Networking in the National Security Framework
       812 – Security in web applications
       814 – Security in e-mail
       …
Together with supporting tools such as the following:

       Risk analysis methodology and software tools:
           •   MAGERIT – Risk analysis methodology
           •   PILAR – Risk Analysis and Management Tool
       Early warning services in the administrative network Red SARA
       CERT services
       Certification services (security certified products)
       Training

Government CERT, CCN-CERT
The NSF recognizes the role of the Government CERT, CCN-CERT, which provides:

   •   Support and coordination of other national CERTs, and the international point of
       contact.

   •   Support and coordination in incident resolution: incident response; the CERT
       may request audit reports from attacked systems.

   •   Research and dissemination of best practices.

   •   Awareness and training for the public sector.

   •   Reporting of vulnerabilities (Early Warning System).

   •   Support to the building of CERT capabilities in other administrations.


Certified products in the NSF
The NSF also recognizes the role of certified products to fulfill the minimum requirements
proportionately, and the role of the Certification Body (CCN) of the Evaluation and
Certification Scheme.

Certification is an aspect to be considered when purchasing security products.

And depending on the security level, the guideline is to use preferably certified products.

The NSF includes an annex with a model clause for Technical Specifications.


The National Interoperability Framework
Just a short comment about the National Interoperability Framework, also created by the
eGovernment law.

It has the aim of creating the necessary conditions to ensure an adequate level of
organizational, semantic and technical interoperability of systems and applications used
by Public Administrations, in the service of the exercise of rights and the fulfillment of
duties through the electronic access to public services; it also pursues providing benefits
in terms of effectiveness and efficiency.

In order to create such conditions, the NIF introduces common elements to guide the
action of the Public Administrations regarding interoperability.




How do we collaborate
The cross-border nature of threats and the associated mitigation mechanisms make it
essential to focus on strong cooperation.

The NSF is the result of a collaborative effort coordinated by MPTAP and CCN, with the
participation of all Public Administrations (central, regional, local, universities, justice) plus
the opinion of the Industry through its main associations.

During the last three years more than two hundred experts from Public Administrations
have contributed to its elaboration, providing different profiles (ICT, legal, archives,
etc.), together with a wide number of experts who have contributed their opinion
through the main associations of the ICT Industry.


Conclusions
   •   The NSF provides a legal framework to align the security of eGov services across
       public administrations.
   •   It provides a global and coherent approach to security.
   •   It applies proportionality: a balance between the minimum requirements, the nature
       of the information and services to be protected and their risks.

   •   It references security measures; it tells the WHAT, but there is freedom on
       HOW to implement them.

   •   It takes into account the state of the art and the principal terms of reference from the EU,
       the OECD, standardisation and other countries.

   •   The NSF is a key element of the Spanish Security Strategy.

   •   It is a success story about cooperation: it was developed with the participation
       of all Public Administrations, and also with input from the private sector.

And finally the challenges ahead:

   •   The main challenge now is to make the NSF a reality and to provide guidance,
       tools and training to facilitate the implementation of the NSF and resolve
       common issues and difficulties.


To know more about IT security in Spain
Well, for more information about IT security and Spain:

   •   The NSF is available in English.

   •   There is a quite comprehensive country report made by ENISA.

   •   Also the ePractice factsheet of Spain provides a comprehensive overview of
       eGovernment in Spain.

   •   And the websites of the CCN, the Certification Body and the eGovernment
       Portal provide more information.


Thank you very much for your attention
Miguel A. Amutio




The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 

20111010 The National Security Framework of Spain (ENS)