The National Security
Framework of Spain
10 October 2011




 Miguel A. Amutio, CISA, CISM
 Ministry of Territorial Policy and Public Administration


Contents


The context: eGovernment services
The legal basis: eGov services and security
The National Security Framework
How do we collaborate
Conclusions




The context: eGovernment services

• To improve the quality of life of citizens and reduce the
administrative burden on business in their interaction with
public administrations.
• To contribute to growth and extend the benefits of the
digital society to all (no one left behind).
• Services are provided in a complex scenario.

Why security is important in eGovernment services

• Citizens expect eGov services to be provided under conditions of
trust and security comparable to those they encounter when they go in person to the
offices of the Administration.

• There is a growing proportion of electronic versus paper documents,
and, increasingly, there is no paper at all.

• Information held on electronic means is exposed to risks from malicious or
illegal actions, errors or failures, and accidents or disasters.

Digital Agenda for Europe

International context

OECD
Guidelines for the Security of Information Systems and Networks:
“... risk evaluation, security design and implementation,
security management and re-evaluation.”
Implementation Plan for the OECD Guidelines:
“Government should develop policies that reflect best practices in
security management and risk assessment... to create a coherent
system of security.”

Standards in the field of IT security.
European Union – Digital Agenda, ENISA.

USA – FISMA, Federal Information Security
Management Act.

Other references: DE, UK, FR.

eGovernment Law 11/2007

• Recognises the citizens’ right to interact with Public
Administrations by electronic means.

• Obliges public administrations to enable electronic
access to their services.

• Its principles pay attention to security:
   – The right to the protection of personal data.
   – Security in the implementation and use of electronic means
     by public administrations.
   – Proportionality in the implementation of security measures
     according to the information and services to be protected and their context.

• Also among the rights of citizens:
   – The right to security and confidentiality of the information contained in
     the files, systems and applications of Public Administrations.

The National Security Framework
Law 11/2007, art. 42 → RD 3/2010

• The Spanish NSF is a legal text (Royal Decree 3/2010) which
develops the provisions on security foreseen in the eGovernment Law.

• The NSF establishes the security policy for eGov services.
It consists of the basic principles and minimum requirements that enable adequate
protection of information.

• To be followed by all Public Administrations.
It is a key element of the Spanish Security Strategy.

The legal framework has a direct impact on the quality of eGovernment services and on
the perception of citizens and, at the same time, acts as a driver of the digital society.
The OECD highlights it as an important aspect of eGovernment readiness.

Why the National Security Framework is needed
Objectives

• Create the necessary conditions of trust, through
measures that ensure IT security in the exercise of rights and the fulfilment of duties
through electronic access to public services.

• Provide a common language and common elements of security
   – to guide Public Administrations in the implementation of ICT security,
   – to facilitate interaction between Public Administrations, and
   – to communicate security requirements to industry.

• Provide a common approach to security which
enables cooperation to deliver eGovernment services. The NSF complements
the National Interoperability Framework.

• Facilitate the continuous management of security,
regardless of the impulses of the moment or the lack thereof.

+ Stimulate the Industry

AMETIC: multi-sector partnership of companies in the fields of electronics,
telecommunications and digital content.




 http://www.ametic.es/
National Security Framework
Main elements

• The basic principles to be taken into
account in decisions about security.

• The minimum requirements which
allow adequate protection of
information.

• How to satisfy the basic principles and
minimum requirements by means of the
adoption of proportionate security
measures according to the information and
services to be protected and to the risks
to which they are exposed.

• Security audit.

• Response to security incidents
(CERT).

• Security-certified products, to be
considered in procurement.

National Security Framework
Security policy

• Public Administrations will have a security policy
on the basis of the basic principles and minimum requirements.

• In order to satisfy the minimum requirements, proportionate
security measures will be adopted taking into account:
   – The system category, on the basis of the evaluation of the security
     dimensions.
   – The law and rules on personal data protection.
   – The decisions taken to manage identified risks.

• Regular audits will be carried out (for systems falling under the Medium or High
categories).

Basic principles
The following basic principles should be considered when taking
decisions about security:
• Security as an integral process
   – every process is concerned
   – involves equipment, facilities, people, and processes
• Risk management
   – risk analysis is mandatory; the rest is negotiable
• Prevention, reaction and recovery
• Defence in depth
   – physical, logical, organisational
• Periodic re-evaluation
   – dynamic and reactive
• Segregation of duties
   – the security role is separated from the operational role

Minimum requirements
The security policy will be based on the basic principles and it will be
developed to meet the following minimum requirements:

Fulfilment of minimum requirements

• To meet the minimum requirements, security measures will
be selected considering the following:
   – The category of the system (Basic, Medium or High), which depends on
     the evaluation of the security dimensions (availability, authenticity,
     integrity, confidentiality, traceability), taking into account the impact of a security
     breach in each of them. Who decides? Higher management: the information owner
     and the service owner.
   – The provisions of the legislation on the protection of personal data.
   – The decisions taken to manage identified risks.

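The slide names the inputs of the categorisation but not the rule that turns them into a system category. The following is an added worked example, not code from the original presentation nor from the Spanish administration. It applies the aggregation rule of Royal Decree 3/2010, Annex I (the system's level in each dimension is the highest level assigned to any information or service it handles; the system is High if any dimension is High, Medium if any dimension is Medium and none is High, Basic otherwise) and the audit periodicity of art. 34 (self-assessment for Basic, audit at least every two years for Medium and High), which the slides themselves also state. The representation of a dimension that an owner has not valued as `None` (not applicable) is an assumption of this example, and the asset names, owners and valuations are constructed sample data.

```python
"""Derive the ENS category of an information system from the valuation of the
information and services it handles, and the audit regime that follows.

Added worked example; not code from the original presentation. Aggregation
rules: Royal Decree 3/2010, Annex I. Audit periodicity: art. 34 of the same
decree. Treating an unvalued dimension as None (not applicable) is an
assumption of this example. All sample assets below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# The five ENS security dimensions (Annex I).
DIMENSIONS = ("availability", "authenticity", "integrity",
              "confidentiality", "traceability")
# Rank of each level; a dimension may also be None (not applicable).
LEVEL_RANK = {"BASIC": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Asset:
    """One piece of information or one service, valued by its owner."""
    name: str
    kind: str                   # "information" or "service"
    owner: str                  # the information owner / service owner
    valuation: dict = field(default_factory=dict)   # dimension -> level or None

    def validate(self) -> None:
        if self.kind not in ("information", "service"):
            raise ValueError(f"{self.name}: kind must be information or service")
        for dim, level in self.valuation.items():
            if dim not in DIMENSIONS:
                raise ValueError(f"{self.name}: unknown dimension {dim!r}")
            if level is not None and level not in LEVEL_RANK:
                raise ValueError(f"{self.name}: unknown level {level!r} for {dim}")


def system_levels(assets: list[Asset]) -> dict[str, Optional[str]]:
    """Highest level per dimension over all assets (None if no asset values it)."""
    levels: dict[str, Optional[str]] = {d: None for d in DIMENSIONS}
    for asset in assets:
        asset.validate()
        for dim, level in asset.valuation.items():
            if level is None:
                continue
            current = levels[dim]
            if current is None or LEVEL_RANK[level] > LEVEL_RANK[current]:
                levels[dim] = level
    return levels


def system_category(assets: list[Asset]) -> str:
    """BASIC / MEDIUM / HIGH: the highest level reached by any dimension."""
    valued = [lvl for lvl in system_levels(assets).values() if lvl is not None]
    if not valued:
        raise ValueError("no dimension has been valued; categorisation impossible")
    return max(valued, key=LEVEL_RANK.__getitem__)


def category_drivers(assets: list[Asset]) -> dict[str, list[str]]:
    """For each dimension sitting at the system's category level, the assets
    that set it: the justification management needs when one asset pushes
    the whole system into a higher category."""
    category = system_category(assets)
    drivers: dict[str, list[str]] = {}
    for dim, level in system_levels(assets).items():
        if level == category:
            drivers[dim] = [a.name for a in assets if a.valuation.get(dim) == level]
    return drivers


def audit_regime(category: str) -> str:
    """Art. 34 RD 3/2010: self-assessment for BASIC, audit every two years otherwise."""
    if category == "BASIC":
        return "self-assessment"
    if category in ("MEDIUM", "HIGH"):
        return "formal audit at least every 2 years"
    raise ValueError(f"unknown category {category!r}")


# Constructed sample assets for one hypothetical eGovernment system.
SAMPLE_ASSETS = [
    Asset("Citizen tax records", "information", "Head of tax department", {
        "availability": "BASIC", "authenticity": "MEDIUM", "integrity": "MEDIUM",
        "confidentiality": "HIGH", "traceability": "MEDIUM"}),
    Asset("Online appointment service", "service", "Head of citizen services", {
        "availability": "MEDIUM", "authenticity": "BASIC", "integrity": "BASIC",
        "confidentiality": "BASIC", "traceability": None}),
    Asset("Public notices website", "service", "Communications office", {
        "availability": "BASIC", "integrity": "BASIC"}),
]

if __name__ == "__main__":
    cat = system_category(SAMPLE_ASSETS)
    print("per-dimension levels:", system_levels(SAMPLE_ASSETS))
    print("system category:", cat, "driven by", category_drivers(SAMPLE_ASSETS))
    print("audit regime:", audit_regime(cat))
```

With the sample data the system is HIGH solely because the tax records are HIGH in confidentiality; `category_drivers` makes that visible, which is what an owner needs when deciding whether to segregate that asset into its own system rather than raise the measures of everything it shares a system with.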
Security measures

Organisational framework:
  – security policy
  – security regulations
  – security procedures
  – authorisation process

Operational framework:
  – planning
  – access control
  – operation
  – external services
  – continuity
  – monitoring

Asset protection measures:
  – facilities
  – personnel
  – equipment
  – communications
  – media
  – software
  – information
  – services

+ use of common infrastructures and services and the security guidelines provided by CCN.

How to

Organisations providing e-government services have to follow a continuous cycle:

1. Prepare and adopt a security policy.
2. Define roles and appoint the persons who fill them.
3. Evaluate information and services (system categorisation).
4. Carry out a risk analysis.
5. Prepare and adopt a statement of applicability.
6. Implement, operate and monitor the security measures.
7. Audit (every 2 years for High/Medium category systems).
8. Improve security, and return to step 1.

Audits

Periodic audit to assess compliance with the NSF.
According to the category of the system:
   – Category BASIC: self-evaluation.
   – Category MEDIUM – HIGH: periodic audit (e.g. aligned with personal data protection audits).

• Use of widely recognised audit criteria and standards.
• Audit reports are analysed by the security manager, who communicates the
  conclusions to the operational manager so that the required changes are applied.

What the security audit of an information system checks:
   – The security policy defines roles and functions.
   – There are procedures for resolving conflicts.
   – People have been designated for those roles according to the principle of "separation of
     roles".
   – There is a risk analysis, approved and periodically reviewed.
   – Compliance with the security measures, according to the system category and security
     requirements.
   – There is a formal management system.

Implementation support
Guidelines and tools

Security Guidelines (CCN-STIC 800 series)
• 801 – Roles and responsibilities
• 802 – Auditing guide
• 803 – Valuation of systems
• 804 – Implementation guidance
• 805 – Information security policy
• 806 – Security implementation plan
• 807 – Use of cryptography
• 808 – Inspection of compliance
• 809 – Statement of conformity
• 810 – Creation of a CERT/CSIRT
• 811 – Networking in the National Security Framework
• 812 – Security in web applications
• 814 – Security in e-mail
• …

Risk analysis methodology and software tools
• MAGERIT – Risk analysis methodology
• PILAR – Risk analysis and management tool

Other support
• Early warning services in the administrative network Red SARA
• CERT services
• Certification services (certified security products)
• Training

Government CERT
CCN-CERT

• Support and coordination of other national CERTs.
• International point of contact.
• Support and coordination in incident resolution: incident response;
  may request audit reports from attacked systems.
• Research and dissemination.
• Awareness and training for the public sector.
• Reporting of vulnerabilities (Early Warning System).
• Support to the building of CERT capabilities in other administrations.

https://www.ccn-cert.cni.es/

National Evaluation and Certification Scheme

http://www.oc.ccn.cni.es/index_en.html

• The NSF recognises the role of certified products in fulfilling the minimum
requirements proportionately.
• It recognises the role of the Certification Body (CCN).
• Certification is an aspect to consider when purchasing security
products.
• Depending on the security level, certified products are to be preferred.
• It includes a model clause for technical specifications in procurement.

National Interoperability Framework
(Royal Decree 4/2010)
Criteria and recommendations to build and improve interoperability:

• Integral, multidimensional and multilateral approach.
• Takes into account the organisational, semantic and technical dimensions.
• Use of standards.
• Use of common infrastructures and services for multilateral interactions.
• Reuse of applications and other information objects.
• e-Signature and certificates.
• e-Document: recovery and preservation.
• + Technical guides & supporting instruments.

http://administracionelectronica.gob.es/recursos/pae_000002017.pdf
http://www.epractice.eu/en/cases/eni

How do we collaborate?

Coordinated by MPTAP + CCN with the collaboration of all Public Administrations +
the opinion of industry.

> 200 experts
with different profiles
(IT, legal, archives, ...)

+ Justice (EJIS), Universities (CRUE)

Conclusions

• The NSF provides a legal framework to align the security
of eGovernment services across public administrations.
• A global and coherent approach to security.
• It applies proportionality: a balance between the minimum
requirements, the information and services to be protected and their
risks.

• It references security measures, the WHAT, but
there is freedom on HOW to implement them.

• It takes into account the state of the art and the principal
terms of reference from the EU, OECD, standardisation bodies and others.

• The NSF is a key element of the Spanish Security
Strategy.
• Cooperation: participation of all Public Administrations,
and of the private sector through industry associations.

• Challenge: provide guidance, tools and training to
facilitate implementation of the NSF and resolve
common issues and difficulties.

To know more about IT security and Spain

www.lamoncloa.gob.es/NR/.../EstrategiaEspanolaDeSeguridad.pdf
http://administracionelectronica.gob.es/recursos/pae_000002018.pdf
http://www.epractice.eu/en/factsheets/
http://www.enisa.europa.eu/act/sr/files/country-reports/?searchterm=country%20reports
http://www.oc.ccn.cni.es/index_en.html
https://www.ccn-cert.cni.es/index.php?lang=en
http://administracionelectronica.gob.es

Thank you very much for your attention


20111010 The National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.
