Text of the presentation of the National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.
The National Security Framework (NSF) of Spain is in the service of the right of citizens to interact electronically with their government. The NSF establishes the security policy in the scope of eGovernment (Law 11/2007) and consists of basic principles and minimum requirements to allow an adequate protection of information. It is a legal text (Royal Decree 3/2010).
The NSF introduces common elements and concepts that provide guidance to public administrations and that facilitate the communication of information security requirements to Industry. Recommendations of the OECD, EU, standards and experiences from other countries were considered.
This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of the Industry through their associations. Both of them are part of the well known effort of Spain to develop the Information Society and eGovernment.
20111010 The National Security Framework of Spain (ENS)
The National Security Framework of Spain
Guide Share Europe, 10 October 2011
Good afternoon, Ladies and Gentlemen,
I appreciate very much the invitation of GSE to speak here today.
My talk is a bit different from the others in this event. It is about the National Security
Framework of Spain. This Security Framework introduces common security elements
applicable to eGovernment services and it is in the service of the right of citizens to
interact electronically with their government.
This National Security Framework, as well as the National Interoperability Framework, is
the result of a collective effort of all public administrations and also of the Industry
through their main associations. Both Frameworks are part of the well known effort of
Spain to develop eGovernment.
The aim of the Security Framework would be to ensure that the overall approach to
information security throughout all public administrations is both coherent and efficient, by
identifying synergies and eliminating duplication of work.
Contents
So the contents of my presentation today are the following:
• First of all, the context of the NSF.
• Then, the legal basis: eGovernment services and security.
• Next, the National Security Framework, we will see the main aspects.
• After that, how we collaborate.
• And finally, conclusions.
The context of the NSF: eGovernment Services
The objective of eGovernment services
Our government has committed to the development of eGovernment services; in fact
the right of the citizens to interact with public administrations by electronic means is
recognized by law.
We all expect that eGovernment will help to improve our quality of life and reduce the
administrative burdens on business in their interaction with public administrations. We
also expect that eGovernment will also contribute to growth and to extend the benefits
of a digital society to all with the idea of no one left behind.
eGovernment services in Spain are provided in a complex scenario which involves the
interaction of the General State Administration, 17 regional governments and 2
autonomous cities, plus over 8,000 municipalities; together with the relationships with EU
institutions and agencies and other Member States.
Why security is important for eGovernment services
We, as citizens, expect that eGovernment services are provided under conditions of
trust and security comparable to those we find when we go personally to the offices of the
Administration.
As a result of the advance in the development of eGovernment, there is a growing
proportion of electronic versus paper documents or information, and, increasingly,
there is no paper in administrative proceedings. For instance, our Administration can
establish that interactions have to be done by electronic means when certain
collectives of legal or personal entities with professional, technical and economical
capabilities are involved.
Information on electronic means is exposed to potential risks from the threat of
malicious or illegal actions, errors or failures and accidents or disasters. Unfortunately,
these threats are not only due to vulnerabilities associated with technological
developments, they are also due to the fact that these technologies are being used to
attack systems.
ICT is increasingly used in cybercrime and politically motivated attacks, as we have
seen in recent times. For instance, in 2010 our ministries suffered 30 highly critical attacks,
addressed mainly against the availability of services and to steal data.
And Public Bodies are interconnected and interdependent; information and services
cannot be secured by partial approaches. There is a need for a comprehensive
framework to address security.
International context
The NSF follows the recommendations of the OECD, EU, as well as standards and
experiences from other countries. We have taken into account the international context
so as to be aligned to main security trends and to ensure consistency with
international developments.
The OECD Guidelines for information and network security are a main reference. Let's
remember that the principles include "... risk evaluation, security design and implementation,
security management and re-evaluation."
And also the Implementation Plan for the OECD Guidelines which states that
“Government should develop policies that reflect best practices in security management
and risk assessment... to create a coherent system of security.”
Standards in the field of IT security are obviously another relevant source; their
development has grown considerably in the last decade.
In the European Union, the Digital Agenda for Europe recognizes the rising
cybercrime and low trust as one of the 7 main obstacles to be overcome.
In relation to other countries, the FISMA, Federal Information Security Management
Act, of the USA is a main reference, because of its overall approach from the vision
and legal basis to the provision of standards and guidelines. We have also analysed
the approaches in Germany, the UK and France.
The legal framework: eGovernment Services and security
eGovernment Law 11/2007
We have a strong legal basis for eGovernment. The eGovernment Law 11/2007
recognises the citizens' right to interact with Public Administration by electronic means.
In consequence there is an obligation of public administrations to enable electronic
access to their services.
This eGovernment Law lays down a number of principles; some of them address
explicitly security, such as the ones which refer to
(I) the protection of personal data;
(II) security in the implementation and use of electronic means by public
administrations;
(III) and proportionality in the implementation of security measures
according to the information and services to be protected and their context.
Also the rights recognized to the citizens include the notion of security, as the right
to security and confidentiality of information in the files, systems and applications of
Public Administrations.
And finally article 42 of the eGovernment Law creates the National Security
Framework.
The Royal Decree 3/2010
The Spanish NSF is a legal text, Royal Decree 3/2010, which develops the provisions about
security foreseen in the eGovernment Law. The NSF establishes the security policy for
eGovernment services. It consists of the basic principles and minimum requirements to
enable adequate protection of information, to be followed by all Public administrations.
It is also a key element of the Spanish Security Strategy, approved in June this year.
Let's remember that the legal framework has a direct impact on the quality of eGovernment
services as well as on the perception of the citizens, and is at the same time a driver of
the digital society. The OECD highlights it as an important aspect of eGovernment readiness.
Objectives of the NSF
The objectives of the NSF are the following:
• To create the necessary conditions of trust, through measures to ensure IT
security for the exercise of rights and the fulfillment of duties through the electronic
access to public services.
• To facilitate the continuous management of security, regardless of the impulses
of the moment or lack thereof.
• To provide common language, concepts and elements of security. This
common approach is helpful:
◦ to provide guidance to Public Administrations in the implementation of ICT
security,
◦ to enable cooperation to deliver eGovernment services
◦ and to facilitate the interaction between Public Administrations. The NSF
complements the National Interoperability Framework.
• To facilitate the communication of security requirements to the Industry.
Surely, it is easy to imagine what this means in terms of calls for tenders, technical
specifications and predictable offers. The Industry finds all Public Administrations speaking
the same language.
Objectives of the NSF, to stimulate Industry
• And, why not? to stimulate the IT Industry. AMETIC, the multi-sector partnership
of companies in the fields of electronics of Spain, telecommunications and digital
content, is collaborating to promote the adoption of the NSF.
The National Security Framework
The main elements of the NSF
Which are the main elements of the NSF?
• The basic principles to be taken into account in decisions about security.
• The minimum requirements which allow an adequate protection of information.
• How to satisfy the basic principles and minimum requirements by means of the
adoption of proportionate security measures according to the information and
services to be protected and to the risks to which they are exposed.
• Security audits.
• Response to security incidents (CERT).
• Security certified products, to be considered in procurement.
The security policy
Public Administrations will have a security policy on the basis of the basic principles and
minimum requirements.
How to satisfy the minimum requirements? Proportional security measures will be adopted
taking into account:
• System category, on the basis of the evaluation of the security dimensions.
• Law and rules about personal data protection.
• Decisions to manage identified risks. In the end, risk analysis is the key element
to determine the proportionate and adequate security measures according to the
information and services to be protected.
And regular audits will be carried out (for systems falling under Medium or High categories).
Basic principles
The following six basic and sound security principles should be considered when taking
decisions about security:
• Security as an integral process: every process is concerned; it involves
equipment, facilities, people, and processes.
• Risk management: risk analysis and management is essential.
• Prevention, reaction and recovery.
• Defense in depth: physical, logical, organisational.
• Periodic re-evaluation: dynamic and reactive
• Segregation of duties: security role is separated from operational role
Minimum requirements
The security policy will be based on the basic principles and it will be developed to
meet the following minimum requirements:
These requirements may sound familiar since they are aligned with well-known standards.
Fulfilment of requirements
To meet these minimum requirements, security measures will be selected considering
the following:
• The category of the system, Basic, Medium and High, depending on the evaluation of
the security dimensions (availability, authenticity, integrity, confidentiality, traceability).
• System categorisation is relevant to modulate the balance between the importance
of the information handled, the services provided and the security effort required,
depending on the risks to which they are exposed, based on the criterion of the
principle of proportionality.
• The categorisation is made on the basis of the evaluation of the impact that an
incident would have in the security of the information or services with damage to
the availability, authenticity, integrity, confidentiality or traceability, as security
dimensions.
• The evaluation of the consequences of a negative impact on the security is
based on their repercussion on the organisation's capacity to achieve its objectives,
to protect its assets, to provide its services, and to comply with the law and the rights of
citizens.
• Always taking into account the provisions in the legislation on protection of personal
data and decisions taken to manage identified risks.
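As an added worked example (not part of the talk, the NSF text or the CCN's own tooling), the categorisation and audit-period rules described above in Python: each system is valued on the five security dimensions, the category follows, and from the category the "audit every 2 years for Medium/High" rule yields the next audit date. It assumes the rule from ENS Annex I, not spelled out in the talk, that the system category is the highest level reached by any applicable dimension; the system names and impact levels are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# The five security dimensions named in the NSF and the three impact levels.
DIMENSIONS = ("availability", "authenticity", "integrity",
              "confidentiality", "traceability")
LEVEL_RANK = {"low": 1, "medium": 2, "high": 3}
CATEGORY_BY_RANK = {1: "Basic", 2: "Medium", 3: "High"}
AUDIT_PERIOD_YEARS = 2  # regular audit every 2 years for Medium/High systems


@dataclass(frozen=True)
class SystemValuation:
    """Impact level per dimension; None marks a dimension as not applicable."""
    name: str
    levels: Dict[str, Optional[str]]

    def category(self) -> str:
        # Assumed rule (ENS Annex I, not spelled out in the talk): the system
        # takes the highest level reached by any applicable dimension.
        unknown = set(self.levels) - set(DIMENSIONS)
        if unknown:
            raise ValueError(f"{self.name}: unknown dimensions {sorted(unknown)}")
        ranks = [LEVEL_RANK[lvl] for lvl in self.levels.values() if lvl]
        if not ranks:
            raise ValueError(f"{self.name}: no dimension has been valued")
        return CATEGORY_BY_RANK[max(ranks)]

    def audit_required(self) -> bool:
        # Only Medium and High systems are subject to the regular audit.
        return self.category() in ("Medium", "High")

    def next_audit_due(self, last_audit: date) -> Optional[date]:
        if not self.audit_required():
            return None
        year = last_audit.year + AUDIT_PERIOD_YEARS
        try:
            return last_audit.replace(year=year)
        except ValueError:  # last audit on 29 February, target year not leap
            return last_audit.replace(year=year, day=28)

    def audit_overdue(self, last_audit: date, today: date) -> bool:
        due = self.next_audit_due(last_audit)
        return due is not None and today > due


# Constructed sample inventory (illustrative values, not real systems).
INVENTORY = [
    SystemValuation("tax filing portal", {
        "availability": "medium", "authenticity": "high", "integrity": "high",
        "confidentiality": "high", "traceability": "medium"}),
    SystemValuation("public events calendar", {
        "availability": "low", "integrity": "low", "authenticity": None,
        "confidentiality": None, "traceability": None}),
]


def audit_plan(inventory, last_audits: Dict[str, date], today: date) -> dict:
    """Map each system name to (category, next audit due or None, overdue?)."""
    return {s.name: (s.category(), s.next_audit_due(last_audits[s.name]),
                     s.audit_overdue(last_audits[s.name], today))
            for s in inventory}
```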
Security measures
There is a reference in the NSF to security measures. There are three general
classes of security measures:
• Organisational: includes measures related to global security.
• Operational: includes the measures to protect the system's operation as a
comprehensive set of components.
• Asset protection: includes measures to protect specific assets (facilities,
personnel, equipment, communications, information media, applications,
information, services), according to their nature and requirements.
The NSF tells the WHAT, but there is freedom on HOW to implement them.
Implementation of the NSF
Organisations providing e-government services will have to:
• Prepare and adopt a security policy
• Define roles and appoint persons
• Evaluate information and services (system categorisation)
• Carry out risk analysis
• Prepare and adopt a statement of applicability
• Implement, operate, and monitor the security
• Carry out audits every 2 years (H/M)
• Improve security
Audits
Periodic audits to assess compliance with NSF are to be carried out, using widely
recognized audit criteria and standards. Audit reports will be analysed by the security
manager that will communicate his conclusions to the operational manager to apply the
required changes.
Security of information systems shall be audited to verify that:
• The security policy defines roles and functions.
• There are procedures for resolving conflicts.
• Persons have been designated for main roles according to the principle of
"separation of roles".
• There is a risk analysis, approved, and periodic.
• Compliance to security measures, according to system category and security
requirements.
• There is a formal management system.
Implementation support Guidelines and tools
There is a big effort ongoing to provide security guidelines:
801 – Roles and responsibilities
802 – Auditing guide
803 – Valuation of systems
804 – Implementation guidance
805 – Information security policy
806 – Security implementation plan
807 – Use of cryptography
808 – Inspection of compliance
809 – Statement of conformity
810 – Creation of a CERT/CSIRT
811 – Networking in the National Security Framework
812 – Security in web applications
814 – Security in e-mail
…
Together with supporting tools such as the following:
• Risk analysis methodology and software tools:
◦ MAGERIT – Risk analysis methodology
◦ PILAR – Risk Analysis and Management Tool
• Early warning services in the administrative network Red SARA
• CERT services
• Certification services (security certified products)
• Training
Government CERT, CCN-CERT
The NSF recognizes the role of the Government CERT, CCN-CERT which provides:
• Support and coordination of other national CERTs and international point of
contact.
• Support and coordination in incident resolution: incident response; the CERT
may request audit reports from attacked systems.
• Research and dissemination of best practices.
• Awareness and training for the public sector.
• Reporting of vulnerabilities (Early Warning System).
• Support to the building of CERT capabilities in other administrations.
Certified products in the NSF
The NSF also recognizes the role of certified products to fulfill the minimum requirements
proportionately, and the role of the Certification Body (CCN) of the Evaluation and
Certification Scheme.
Certification is an aspect to be considered when purchasing security products.
And depending on the security level, the guideline is to preferably use certified products.
It includes an annex with a model clause for Technical Specifications.
The National Interoperability Framework
Just a short comment about the National Interoperability Framework, also created by the
eGovernment law.
It has the aim of creating the necessary conditions to ensure an adequate level of
organizational, semantic and technical interoperability of systems and applications used
by Public Administrations, in the service of the exercise of rights and the fulfillment of
duties through the electronic access to public services; it also pursues providing benefits
in terms of effectiveness and efficiency.
In order to create such conditions, the NIF introduces common elements to guide the
action of the Public Administrations regarding interoperability.
How do we collaborate
The cross-border nature of threats and the associated mitigation mechanisms make it
essential to focus on strong cooperation.
The NSF is the result of a collaborative effort coordinated by MPTAP + CCN with the
participation of all Public Administrations (central, regional, local, universities, justice) plus
opinion of Industry through their main associations.
During the last three years more than two hundred experts of Public Administrations
have contributed to its elaboration, providing different profiles (ICT, legal, archives,
etc.); together with a wide number of experts who have contributed with their opinion
through the main associations of the ICT Industry.
Conclusions
• The NSF provides a legal framework to align security of eGov services across
public administrations.
• It provides global and coherent approach to security.
• It applies proportionality: balance between the minimum requirements, the nature
of information and services to be protected and their risks.
• It references security measures, it tells the WHAT, but there is freedom on
HOW to implement them.
• It takes into account the state of the art and principal terms of reference from EU,
OECD, standardization, other countries.
• The NSF is a key element of the Spanish Security Strategy.
• It is a success story about cooperation: it was developed with the participation
of all Public Administrations; also with input from the private sector.
And finally the challenges ahead:
• The main challenge now is to make the NSF a reality and to provide guidance,
tools and training to facilitate the implementation of the NSF and resolve
common issues and difficulties.
To know more about IT security in Spain
Well, for more information about IT security and Spain:
• The NSF is available in English.
• There is a quite comprehensive country report made by ENISA.
• Also the ePractice factsheet of Spain provides a comprehensive overview of
eGovernment in Spain.
• And the websites of the CCN, the Certification Body and the eGovernment
Portal provide more information.
Thank you very much for your attention
Miguel A. Amutio