20111010 The National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.

Presentation about the National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.
The National Security Framework (NSF) of Spain is in the service of the right of citizens to interact electronically with their government. The NSF establishes the security policy in the scope of eGovernment (Law 11/2007) and consists of basic principles and minimum requirements to allow an adequate protection of information. It is a legal text (Royal Decree 3/2010).
The NSF introduces common elements and concepts that provide guidance to public administrations and that facilitate the communication of information security requirements to Industry. Recommendations of the OECD and the EU, standards, and experiences from other countries were considered.
This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of Industry through its associations. Both of them are part of the well-known effort of Spain to develop the Information Society and eGovernment.



  1. The National Security Framework of Spain
     10 October 2011. Miguel A. Amutio, CISA, CISM, Ministry of Territorial Policy and Public Administration.
  2. Contents
     – The context: eGovernment services
     – The legal basis: eGov services and security
     – The National Security Framework
     – How do we collaborate
     – Conclusions
  3. The context: eGovernment services
     – To improve the quality of life of citizens and reduce the administrative burden on business in their interaction with public administrations.
     – To contribute to growth and extend the benefits of a digital society to all (no one left behind).
     – Services are provided in a complex scenario.
  4. Why security is important in eGovernment services
     – Citizens expect that eGov services are provided under conditions of trust and security comparable to those they encounter when they go personally to the offices of the Administration.
     – There is a growing proportion of electronic versus paper documents, and, increasingly, there is no paper.
     – Information on electronic means has potential risks from the threat of malicious or illegal actions, errors or failures, and accidents or disasters.
     Digital Agenda for Europe
  5. International context
     – OECD Guidelines for information and network security: “... risk evaluation, security design and implementation, security management and re-evaluation.”
     – Implementation Plan for the OECD Guidelines: “Government should develop policies that reflect best practices in security management and risk assessment... to create a coherent system of security.”
     – Standards in the field of IT security.
     – European Union: Digital Agenda, ENISA.
     – USA: FISMA, Federal Information Security Management Act.
     – Other references: DE, UK, FR.
  6. Contents: The context: eGovernment services; The legal basis: eGov services and security; The National Security Framework; How do we collaborate; Conclusions.
  7. eGovernment Law 11/2007
     – Recognises the citizens’ right to interact with Public Administration by electronic means.
     – Obligation on public administrations to enable electronic access to their services.
     – The principles pay attention to security:
       – The right to the protection of personal data.
       – Security in the implementation and use of electronic means by public administrations.
       – Proportionality in the implementation of security measures according to the information and services to be protected and their context.
     – Also the rights of citizens:
       – Right to security and confidentiality of the information contained in the files, systems and applications of Public Administrations.
  8. The National Security Framework (Law 11/2007, art. 42 → RD 3/2010)
     – The Spanish NSF is a legal text (Royal Decree 3/2010) which develops the provisions about security foreseen in the eGovernment Law.
     – The NSF establishes the security policy for eGov services. It consists of the basic principles and minimum requirements to enable adequate protection of information.
     – To be followed by all Public Administrations.
     – It is a key element of the Spanish Security Strategy.
     – The legal framework has a direct impact on eGovernment quality of service as well as on the perception of the citizens and, at the same time, acts as a driver of the digital society.
     – The OECD highlights it as an important aspect of eGovernment readiness.
  9. Why the National Security Framework is needed: objectives
     – Create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfilment of duties through electronic access to public services.
     – Provide a common language and elements of security to guide Public Administrations in the implementation of ICT security, to facilitate interaction between Public Administrations and to communicate security requirements to Industry.
     – Provide a common approach to security which enables cooperation to deliver eGovernment services. The NSF complements the National Interoperability Framework.
     – Facilitate the continuous management of security, regardless of the impulses of the moment or lack thereof.
  10. + Stimulate the Industry
     AMETIC: multi-sector partnership of companies in the fields of electronics, telecommunications and digital content. http://www.ametic.es/
  11. Contents: The context: eGovernment services; The legal basis: eGov services and security; The National Security Framework; How do we collaborate; Conclusions.
  12. National Security Framework: main elements
     – The basic principles to be taken into account in decisions about security.
     – The minimum requirements which allow an adequate protection of information.
     – How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures, according to the information and services to be protected and to the risks to which they are exposed.
     – Security audit.
     – Response to security incidents (CERT).
     – Security-certified products, to be considered in procurement.
  13. National Security Framework: security policy
     Public Administrations will have a security policy on the basis of the basic principles and minimum requirements. In order to satisfy the minimum requirements, proportional security measures will be adopted taking into account:
     – System category, on the basis of the evaluation of the security dimensions.
     – Law and rules about personal data protection.
     – Decisions to manage identified risks.
     Regular audits will be carried out (for systems falling under the Medium or High categories).
  14. Basic principles
     The following basic principles should be considered when taking decisions about security:
     – Security as an integral process: every process is concerned; it involves equipment, facilities, people, and processes.
     – Risk management: risk analysis is mandatory; the rest is negotiable.
     – Prevention, reaction and recovery.
     – Defence in depth: physical, logical, organisational.
     – Periodic re-evaluation: dynamic and reactive.
     – Segregation of duties: the security role is separated from the operational role.
  15. Minimum requirements
     The security policy will be based on the basic principles and it will be developed to meet the following minimum requirements:
  16. Fulfilment of minimum requirements
     To meet the minimum requirements, security measures will be selected considering the following:
     – The category of the system (Basic, Medium or High), depending on the evaluation of the security dimensions (availability, authenticity, integrity, confidentiality, traceability), taking into account the impact of a security breach. Who decides? Higher management: the information owner and the service owner.
     – The provisions in the legislation on protection of personal data.
     – The decisions taken to manage identified risks.
  17. Security measures
     – Organizational framework: security policy; security regulations; security procedures; authorization process.
     – Operational framework: planning; access control; operation; external services; continuity; monitoring.
     – Asset protection: facilities; personnel; equipment; communications; media; software; information; services.
     + Use of common infrastructures and services, and security guidelines provided by CCN.
  18. How to
     Organisations providing e-government services have to:
     – Evaluate information and services (system categorisation).
     – Prepare and adopt a security policy.
     – Define roles and appoint persons.
     – Carry out risk analysis.
     – Prepare and adopt a statement of applicability.
     – Implement, operate, and monitor the security.
     – Audit (every 2 years for High/Medium).
     – Improve security.
  19. Audits
     Periodic audit to assess compliance with the NSF. According to the category of the system:
     – Category LOW: self-evaluation.
     – Category MEDIUM – HIGH: periodic (e.g. aligned with personal data audits).
     Use of widely recognised audit criteria and standards. Audit reports are to be analysed by the security manager, who will communicate his conclusions to the operational manager to apply the required changes.
     Security of information systems shall be audited to verify that:
     – The security policy defines roles and functions.
     – There are procedures for resolving conflicts.
     – People have been designated for those roles according to the principle of "separation of roles".
     – There is a risk analysis, approved and periodic.
     – Security measures are complied with, according to system category and security requirements.
     – There is a formal management system.
  20. Implementation support: guidelines and tools
     Security Guidelines:
     • 801 – Roles and responsibilities
     • 802 – Auditing guide
     • 803 – Valuation of systems
     • 804 – Implementation guidance
     • 805 – Information security policy
     • 806 – Security implementation plan
     • 807 – Use of cryptography
     • 808 – Inspection of compliance
     • 809 – Statement of conformity
     • 810 – Creation of a CERT/CSIRT
     • 811 – Networking in the Nat. Security Framework
     • 812 – Security in web applications
     • 814 – Security in e-mail
     • …
     Risk analysis methodology and software tools:
     • MAGERIT – Risk analysis methodology
     • PILAR – Risk analysis and management tool
     • Early warning services in the administration network Red SARA
     • CERT services
     • Certification services (certified security products)
     • Training
  21. Government CERT: CCN-CERT
     – Support and coordination of other national CERTs.
     – International point of contact.
     – Support and coordination in incident resolution: incident response; may request audit reports from attacked systems.
     – Research and dissemination.
     – Awareness and training for the public sector.
     – Reporting of vulnerabilities (Early Warning System).
     – Support to the building of CERT capabilities in other administrations.
     https://www.ccn-cert.cni.es/
  22. National Evaluation and Certification Scheme (http://www.oc.ccn.cni.es/index_en.html)
     – The NSF recognises the role of certified products to fulfil the minimum requirements proportionately.
     – Recognises the role of the Certification Body (CCN).
     – Certification is an aspect to consider when purchasing security products. Depending on the security level, preferably use certified products.
     – It includes a model clause for Technical Specifications.
  23. National Interoperability Framework (Royal Decree 4/2010)
     Criteria and recommendations to build and improve interoperability:
     – Integral, multidimensional and multilateral approach.
     – Takes into account the dimensions: organisational, semantic, technical.
     – Use of standards.
     – Use of common infrastructures and services for multilateral interactions.
     – Reuse of applications and other information objects.
     – e-Signature and certificates.
     – e-Document: recovery and preservation.
     + Technical Guides and supporting instruments.
     http://administracionelectronica.gob.es/recursos/pae_000002017.pdf
     http://www.epractice.eu/en/cases/eni
  24. Contents: The context: eGovernment services; The legal basis: eGov services and security; The National Security Framework; How do we collaborate; Conclusions.
  25. How do we collaborate?
     Coordinated by MPTAP + CCN, with the collaboration of all Public Administrations and the opinion of Industry.
     – > 200 experts with different profiles (IT, legal, archives, ...)
     – + Justice (EJIS), Universities (CRUE)
  26. Contents: The context: eGovernment services; The legal basis: eGov services and security; The National Security Framework; How do we collaborate; Conclusions.
  27. Conclusions
     – The NSF provides a legal framework to align the security of eGovernment services across public administrations.
     – A global and coherent approach to security.
     – It applies proportionality: balance between the minimum requirements, the information and services to be protected, and their risks.
     – It references security measures, the WHAT, but there is freedom on HOW to implement them.
     – It takes into account the state of the art and the principal terms of reference from the EU, OECD, standardisation, and others.
     – The NSF is a key element of the Spanish Security Strategy.
     – Cooperation: participation of all Public Administrations, and of the private sector through Industry associations.
     – Challenge: provide guidance, tools and training to facilitate implementation of the NSF and resolve common issues and difficulties.
  28. To know more about IT security and Spain
     – www.lamoncloa.gob.es/NR/.../EstrategiaEspanolaDeSeguridad.pdf
     – http://www.epractice.eu/en/factsheets/
     – http://administracionelectronica.gob.es/recursos/pae_000002018.pdf
     – http://www.enisa.europa.eu/act/sr/files/country-reports/?searchterm=country%20reports
     – http://www.oc.ccn.cni.es/index_en.html
     – https://www.ccn-cert.cni.es/index.php?lang=en
     – http://administracionelectronica.gob.es
  29. Thank you very much for your attention