20111010 The National Security Framework of Spain (ENS)
Text of the presentation of the National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.
The National Security Framework (NSF) of Spain is in the service of the right of citizens to interact electronically with their government. The NSF establishes the security policy in the scope of eGovernment (Law 11/2007) and consists of basic principles and minimum requirements to allow an adequate protection of information. It is a legal text (Royal Decree 3/2010).
The NSF introduces common elements and concepts that provide guidance to public administrations and that facilitate the communication of information security requirements to Industry. Recommendations of the OECD, EU, standards and experiences from other countries were considered.
This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of the Industry through their associations. Both of them are part of the well known effort of Spain to develop the Information Society and eGovernment.
The National Security Framework of Spain
Guide Share Europe, 10 October 2011

Good afternoon, Ladies and Gentlemen,

I appreciate very much the invitation of GSE to speak here today.

My talk is a bit different from the others in this event. It is about the National Security Framework of Spain. This Security Framework introduces common security elements applicable to eGovernment services, and it is in the service of the right of citizens to interact electronically with their government.

This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of the Industry through their main associations. Both Frameworks are part of the well known effort of Spain to develop eGovernment.

The aim of the Security Framework is to ensure that the overall approach to information security throughout all public administrations is both coherent and efficient, by identifying synergies and eliminating duplication of work.

Contents

So the contents of my presentation today are the following:
 • First of all, the context of the NSF.
 • Then, the legal basis: eGovernment services and security.
 • Next, the National Security Framework; we will see its main aspects.
 • After that, how we collaborate.
 • And finally, conclusions.

The context of the NSF: eGovernment Services

The objective of eGovernment services

Our government has committed to the development of eGovernment services; in fact, the right of the citizens to interact with public administrations by electronic means is recognised by law.

We all expect that eGovernment will help to improve our quality of life and reduce the administrative burdens on business in their interaction with public administrations. We also expect that eGovernment will contribute to growth and extend the benefits of a digital society to all, with the idea of no one left behind.

eGovernment services in Spain are provided in a complex scenario which involves the interaction of the General State Administration, 17 regional governments and 2 autonomous cities, plus over 8,000 municipalities; together with the relationships with EU institutions and agencies and other Member States.

Why security is important for eGovernment services

We, as citizens, expect that eGovernment services are provided under conditions of trust and security comparable to those we find when we go personally to the offices of the Administration.

As a result of the advance in the development of eGovernment, there is a growing proportion of electronic versus paper documents or information, and, increasingly, there is no paper at all in administrative proceedings. For instance, our Administration can establish that interactions have to be done by electronic means when certain collectives of legal or natural persons with professional, technical and economic capabilities are involved.

Information on electronic means is exposed to potential risks from the threat of malicious or illegal actions, errors or failures, and accidents or disasters. Unfortunately, these threats are not only due to vulnerabilities associated with technological developments; they are also due to the fact that these technologies are themselves being used to attack systems.

ICT is increasingly used in cybercrime and politically motivated attacks, as we have seen in recent times. For instance, in 2010 our ministries suffered 30 highly critical attacks, addressed mainly against the availability of services and to steal data.

And Public Bodies are interconnected and interdependent; information and services cannot be secured by partial approaches. There is a need for a comprehensive framework to address security.

International context

The NSF follows the recommendations of the OECD and the EU, as well as standards and experiences from other countries. We have taken into account the international context so as to be aligned with the main security trends and to ensure consistency with international developments.

The OECD Guidelines for information and network security are a main reference. Let's remember that the principles include "... risk evaluation, security design and implementation, security management and re-evaluation."

And also the Implementation Plan for the OECD Guidelines, which states that "Government should develop policies that reflect best practices in security management and risk assessment... to create a coherent system of security."

Standards in the field of IT security are obviously another relevant source; their development has grown considerably in the last decade.

In the European Union, the Digital Agenda for Europe recognises rising cybercrime and low trust as one of the 7 main obstacles to be overcome.

In relation to other countries, FISMA, the Federal Information Security Management Act of the USA, is a main reference, because of its overall approach: from the vision and legal basis to the provision of standards and guidelines. We have also analysed the approaches in Germany, the UK and France.

The legal framework: eGovernment Services and security

eGovernment Law 11/2007

We have a strong legal basis for eGovernment. The eGovernment Law 11/2007 recognises the citizens' right to interact with Public Administration by electronic means. In consequence, there is an obligation of public administrations to enable electronic access to their services.

This eGovernment Law lays down a number of principles; some of them address security explicitly, such as the ones which refer to (I) the protection of personal data; (II) security in the implementation and use of electronic means by public administrations; (III) and proportionality in the implementation of security measures according to the information and services to be protected and their context.

Also, the rights recognised to the citizens include the notion of security, as the right to security and confidentiality of information in the files, systems and applications of Public Administrations.

And finally, article 42 of the eGovernment Law creates the National Security Framework.

The Royal Decree 3/2010

The Spanish NSF is a legal text, Royal Decree 3/2010, which develops the provisions about security foreseen in the eGovernment Law. The NSF establishes the security policy for eGovernment services. It consists of the basic principles and minimum requirements to enable adequate protection of information, to be followed by all Public Administrations.

It is also a key element of the Spanish Security Strategy, approved in June this year.

Let's remember that the legal framework has a direct impact on eGovernment quality of service as well as on the perception of the citizens and, at the same time, acts as a driver of the digital society. The OECD highlights it as an important aspect of eGovernment readiness.

Objectives of the NSF

The objectives of the NSF are the following:
 • To create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfilment of duties through the electronic access to public services.
 • To facilitate the continuous management of security, regardless of the impulses of the moment or lack thereof.
 • To provide a common language, concepts and elements of security. This common approach is helpful:
   ◦ to provide guidance to Public Administrations in the implementation of ICT security,
   ◦ to enable cooperation to deliver eGovernment services,
   ◦ and to facilitate the interaction between Public Administrations. The NSF complements the National Interoperability Framework.
 • To facilitate the communication of security requirements to the Industry. Surely, it is easy to imagine what this means in terms of calls for tenders, technical specifications and predictable offers. The Industry finds all Public Administrations speaking the same language.

Objectives of the NSF: to stimulate Industry
 • And, why not, to stimulate the IT Industry. AMETIC, the multi-sector partnership of Spanish companies in the fields of electronics, telecommunications and digital content, is collaborating to promote the adoption of the NSF.

The National Security Framework

The main elements of the NSF

Which are the main elements of the NSF?
 • The basic principles to be taken into account in decisions about security.
 • The minimum requirements which allow an adequate protection of information.
 • How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures, according to the information and services to be protected and to the risks to which they are exposed.
 • Security audits.
 • Response to security incidents (CERT).
 • Security certified products, to be considered in procurement.

The security policy

Public Administrations will have a security policy on the basis of the basic principles and minimum requirements.

How to satisfy the minimum requirements? Proportionate security measures will be adopted taking into account:
 • System category, on the basis of the evaluation of the security dimensions.
 • Law and rules about personal data protection.
 • Decisions to manage identified risks. In the end, risk analysis is the key element to determine the proportionate and adequate security measures according to the information and services to be protected.

And regular audits will be carried out (for systems falling under the Medium or High categories).

Basic principles

The following six basic and sound security principles should be considered when taking decisions about security:
 • Security as an integral process: every process is concerned; it involves equipment, facilities, people and processes.
 • Risk management: risk analysis and management is essential.
 • Prevention, reaction and recovery.
 • Defence in depth: physical, logical, organisational.
 • Periodic re-evaluation: dynamic and reactive.
 • Segregation of duties: the security role is separated from the operational role.

Minimum requirements

The security policy will be based on the basic principles and it will be developed to meet the following minimum requirements:

These requirements may sound familiar, since they are aligned with well known standards.

Fulfilment of requirements

To meet these minimum requirements, security measures will be selected considering the following:
 • The category of the system, Basic, Medium or High, depending on the evaluation of the security dimensions (availability, authenticity, integrity, confidentiality, traceability).
 • System categorisation is relevant to modulate the balance between the importance of the information handled, the services provided and the security effort required, depending on the risks to which they are exposed, on the basis of the principle of proportionality.
 • The categorisation is made on the basis of the evaluation of the impact that an incident would have on the security of the information or services, with damage to availability, authenticity, integrity, confidentiality or traceability as the security dimensions.
 • The evaluation of the consequences of a negative impact on security is based on their repercussion on the organisation's capacity to achieve its objectives, to protect its assets, to provide its services, and to comply with the law and the rights of citizens.
 • Always taking into account the provisions of the legislation on protection of personal data and the decisions taken to manage identified risks.
Security measures

There is a reference in the NSF to security measures. There are three general classes of security measures:
 • Organisational: includes measures related to global security.
 • Operational: includes the measures to protect the operation of the systems as a comprehensive set of components.
 • Asset protection: includes measures to protect specific assets (facilities, personnel, equipment, communications, information media, applications, information, services), according to their nature and requirements.

The NSF tells the WHAT, but there is freedom on HOW to implement them.

Implementation of the NSF

Organisations providing eGovernment services will have to:
 • Prepare and adopt a security policy.
 • Define roles and appoint persons.
 • Evaluate information and services (system categorisation).
 • Carry out a risk analysis.
 • Prepare and adopt a statement of applicability.
 • Implement, operate and monitor the security.
 • Carry out audits every 2 years (High and Medium categories).
 • Improve security.

Audits

Periodic audits to assess compliance with the NSF are to be carried out, using widely recognised audit criteria and standards. Audit reports will be analysed by the security manager, who will communicate his conclusions to the operational manager to apply the required changes.

The security of information systems shall be audited to examine that:
 • The security policy defines roles and functions.
 • There are procedures for resolving conflicts.
 • Persons have been designated for the main roles according to the principle of "separation of roles".
 • There is a risk analysis, approved and periodic.
 • Security measures are complied with, according to system category and security requirements.
 • There is a formal management system.

Implementation support: guidelines and tools

There is a big effort ongoing to provide security guidelines:
 801 – Roles and responsibilities
 802 – Auditing guide
 803 – Valuation of systems
 804 – Implementation guidance
 805 – Information security policy
 806 – Security implementation plan
 807 – Use of cryptography
 808 – Inspection of compliance
 809 – Statement of conformity
 810 – Creation of a CERT/CSIRT
 811 – Networking in the National Security Framework
 812 – Security in web applications
 814 – Security in e-mail
 …

Together with supporting tools such as the following:
 • Risk analysis methodology and software tools:
   ◦ MAGERIT – Risk analysis methodology
   ◦ PILAR – Risk analysis and management tool
 • Early warning services in the administrative network Red SARA
 • CERT services
 • Certification services (security certified products)
 • Training

Government CERT, CCN-CERT

The NSF recognises the role of the Government CERT, CCN-CERT, which provides:
 • Support and coordination of the other national CERTs, and the international point of contact.
 • Support and coordination in incident resolution: incident response; the CERT may request audit reports from attacked systems.
 • Research and dissemination of best practices.
 • Awareness and training for the public sector.
 • Reporting of vulnerabilities (Early Warning System).
 • Support to the building of CERT capabilities in other administrations.

Certified products in the NSF

The NSF also recognises the role of certified products in fulfilling the minimum requirements proportionately, and the role of the Certification Body (CCN) of the Evaluation and Certification Scheme.

Certification is an aspect to be considered when purchasing security products. And depending on the security level, the guideline is to use preferably certified products. It includes an annex with a model clause for Technical Specifications.

The National Interoperability Framework

Just a short comment about the National Interoperability Framework, also created by the eGovernment Law.

It has the aim of creating the necessary conditions to ensure an adequate level of organisational, semantic and technical interoperability of the systems and applications used by Public Administrations, in the service of the exercise of rights and the fulfilment of duties through the electronic access to public services; it also pursues providing benefits in terms of effectiveness and efficiency.

In order to create such conditions, the NIF introduces common elements to guide the action of the Public Administrations regarding interoperability.

How do we collaborate

The cross-border nature of threats and the associated mitigation mechanisms make it essential to focus on strong cooperation.

The NSF is the result of a collaborative effort coordinated by MPTAP and CCN, with the participation of all Public Administrations (central, regional, local, universities, justice) plus the opinion of Industry through their main associations.

During the last three years, more than two hundred experts of Public Administrations have contributed to its elaboration, providing different profiles (ICT, legal, archives, etc.); together with a wide number of experts who have contributed with their opinion through the main associations of the ICT Industry.

Conclusions
 • The NSF provides a legal framework to align the security of eGovernment services across public administrations.
 • It provides a global and coherent approach to security.
 • It applies proportionality: a balance between the minimum requirements, the nature of the information and services to be protected, and their risks.
 • It references security measures; it tells the WHAT, but there is freedom on HOW to implement them.
 • It takes into account the state of the art and the principal terms of reference from the EU, the OECD, standardisation and other countries.
 • The NSF is a key element of the Spanish Security Strategy.
 • It is a success story about cooperation: it was developed with the participation of all Public Administrations, also with input from the private sector.

And finally, the challenges ahead:
 • The main challenge now is to make the NSF a reality and to provide guidance, tools and training to facilitate the implementation of the NSF and resolve common issues and difficulties.

To know more about IT security in Spain

Well, for more information about IT security and Spain:
 • The NSF is available in English.
 • There is a quite comprehensive country report made by ENISA.
 • Also, the ePractice factsheet of Spain provides a comprehensive overview of eGovernment in Spain.
 • And the websites of the CCN, the Certification Body and the eGovernment Portal provide more information.

Thank you very much for your attention.

Miguel A. Amutio