20111010 The National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.

The National Security
Framework of Spain
10 October 2011

Miguel A. Amutio, CISA, CISM
Ministry of Territorial Policy and Public Administration

1

Contents

The context: eGovernment services
The legal basis: eGov services and security
The National Security Framework
How do we collaborate
Conclusions

2

The context:
eGovernment services
To improve the quality of life of citizens and reduce
administrative burden on business in their interaction with
public administrations.
To contribute to growth and extend the benefits of a
digital society to all (no one left behind).
Services are provided in a complex scenario.

3

Why security is important in
eGovernment services
Citizens expect that eGov services are provided under conditions of
trust and security comparable to those they encounter when they go personally to the
offices of the Administration.

There is a growing proportion of electronic versus paper documents,
and, increasingly, there is no paper.

Information on electronic means has potential risks from the threat of
malicious or illegal actions, errors or failures and accidents or disasters.

Digital Agenda
for Europe

4

International context

OECD
Guidelines for information and network security:
“... risk evaluation, security design and implementation,
security management and re-evaluation.”
Implementation Plan for the OECD Guidelines:
“Government should develop policies that reflect best practices in
security management and risk assessment... to create a coherent
system of security.”

Standards, in the field of IT security.
European Union – Digital Agenda, ENISA.

USA, FISMA, Federal Information Security
Management Act

Other references: DE, UK, FR

5

Contents

Conclusions

6

eGovernment Law 11/2007

Recognises the citizens’ right to interact with Public
Administration by electronic means.

Obligation to public administrations to enable electronic
access to their services.

The principles pay attention to security:
– The right to the protection of personal data.
– Security in the implementation and use of electronic means
by public administrations.
– Proportionality in the implementation of security measures
according to the information and services to be protected and their context.

Also the rights of citizens:
– Right to security and confidentiality of the information contained in
the files, systems and applications of Public Administrations.

7

Law 11/2007, art. 42 → RD 3/2010

The Spanish NSF is a legal text (Royal Decree 3/2010) which
develops the provisions about security foreseen in eGovernment Law.

The NSF establishes the security policy for eGov services.
It consists of the basic principles and minimum requirements to enable adequate
protection of information.

To be followed by all Public administrations.
It is a key element of the Spanish Security Strategy.

The legal framework has a direct impact in eGovernment quality of service as well in
the perception of the citizens and, at the same time, as a driver of the digital society.
OECD highligths it as an important aspect of eGovernment readiness.
8

Why the National Security
Framework is needed
Objectives
Create the necessary conditions of trust, through
measures to ensure IT security for the exercise of rights and the fulfillment of duties
through the electronic access to public services.

Provide common languange and elements of security
to guide Public Administrations in the implementation of ICT security.
to facilitate interaction between Public Administrations and
to communicate security requirements to the Industry.

Provide an common approach to security which
enables cooperation to deliver eGoverment services. The NSF complements
the National Interoperability Framework.

Facilitate the continuous management of security,
regardless of the impulses of the moment or lack thereof.

9

+ Stimulate the Industry

AMETIC: multi-sector partnership of companies in the fields of electronics,
telecommunications and digital content.

http://www.ametic.es/
10

Contents

Conclusions

11

National Security Framework
Main elements

The Basic principles to be taken into
account in decision about security.

The minimum requirements which
allow an adequate protection of
information.
How to satisfy the basic principles and
minimum requirements by means of the
adoption of proportionate security
measures according to information and
services to be protected and to the riks
to which they are exposed.
Security audit.
Response to security incidents
(CERT).
Security certified products, to be
considered in procurement.
12

National Security Framework
Security policy

Public Administrations will have a security policy
on the basis of the basic principles and minimum requirements.

In order to satisfy the minimum requirements, proportional
security measures will be adopted taking into account:
System category, on the basis of the evaluation of the security
dimensions.
Law and rules about personal data protection.
Decisions to manage identified risks.

Regular audits will be carried out (for systems falling under Medium or High
categories).

13

Basic principles
The following basic principles should considered when taking
decisions about security:
Security as an integral process
every process is concerned
involves equipment, facilities, people, and processes
Risk management
risk analysis is mandatory; the rest is negotiable
Prevention, reaction and recovery
Defense in depth
defence in depth
physical, logical, organisational
Periodic re-evaluation
dynamic and reactive
Segregation of duties
Security role is separated from operational role
14

Minimum requirements
The security policy will be based on the basic principles and it will be
developed to meet the following minimum requirements:

74

15

Fulfilment of minimum
requirements
To meet the minimum requirements, security measures will
be selected considering the following:
The category of the system, Basic, Medium and High, depending on
the evaluation of the security dimensions (availability, authenticity,
integrity, confidentiality, traceability), taking into account the impact of a security
breach. Who? higher management: information owner service owner.
The provisions in the legislation on protection of personal data.
The decisions taken to manage identified risks.

16

Security measures

organizational operational asset protection
– security policy – planning – facilities
– security – access control – personnel
regulations – operation – equipment
– security – external services – communications
procedures – continuity – media
– authorization – monitoring – software
process – information
– services
+ use of common infrastructures and services and security guidelines provided by CCN.

17

How to

Organisations providing e-government services have to ...

Evaluate information
Prepare and adopt a Define roles and and services (system
security policy appoint persons categorisation)

Carry out risk
Improve security analysis

Audit Implement, operate, Prepare and adopt a
Every 2 years (H/M) and monitor the statement of
security applicability

18

Audits

Periodic audit to assess compliance with NSF.
According to the category of the system:
Category LOW: self-evaluation
Category MEDIUM – HIGH: periodic (e.g. aligned with personal data audits)

Use of widely recognized audit criteria and standards.
Audit reports to be analysed by the security manager that will communicate his
conclusions to the operational manager to apply the required changes.

Security of information systems shall be audited:
Security policy defines roles and functions.
There are procedures for resolving conflicts.
People have been designated for those roles according to the principle of "separation of
roles”.
There is a risk analysis, approved, and periodic.
Compliance to security measures, according to system category and security
requirements.
There is a formal management system.

19

Implementation support
Guidelines and tools
Security Guidelines
• 801 – Roles and responsibilities
• 802 – Auditing guide
• 803 – Valuation of systems
• 804 – Implementation guidance
• 805 – Information security policy
• 806 – Security implementation plan
• 807 – Use of cryptography
• 808 – Inspection of compliance
• 809 – Statement of conformity
• 810 – Creation of a CERT/CSIRT
• 811 – Networking in the Nat. Security Framework
• 812 – Security in web applications
• 814 – Security in e-mail
• …
Risk analysis methodology and software tools
• MAGERIT – Risk analysis methodology
• PILAR – Risk Analysis and Manag. Tool
• Early warning services in admin. network Red SARA
• CERT services
• Certification services (certified security products)
• Training 20

Government CERT
CCN-CERT

Support and coordination of other
national CERTS.
International point of contact.
Support and coordination in
incident resolution: incident response;
may request audit reports from
attacked systems
Research and dissemination.
Awareness and training for the
public sector.
Reporting of vulnerabilities (Early
Warning System)
Support to the building of CERT
capabilities in other administrations.
https://www.ccn-cert.cni.es/
21

National Evaluation and
Certification Scheme

http://www.oc.ccn.cni.es/index_en.html

The NSF recognizes the role of certified products to fulfill the minimum
requirements proportionately.
Recognizes the role of the Certification Body (CCN).
Certification is an aspect to consider when purchasing security
products.
Depending on the security level, preferably use certified products.
It includes a model clause for Technical Specifications.
22

National Interoperability Framework
(Royal Decree 4/2010)
Criteria and recommendations to build and improve interoperability:

Integral, multidimensional and
multilateral approach.
Takes into account dimensions:
Organisational, Semantic, Technical
Use of standards.
Use of common infrastrutures
and services for multilateral
interactions.
Reuse of applications and other
information objects.

e-Signature and certificates.
e-Document: recovery and
preservation.
+ Tecnical Guides & supporting
instruments. http://administracionelectronica.gob.es/recursos/pae_000002017.pdf
http://www.epractice.eu/en/cases/eni
23

Contents

Conclusions

24

How do we collaborate?

Coordinated by MPTAP + CCN with the collaboration of all Public Administrations +
opinion of Industry.

*> 200 experts
With different profiles
(IT, legal, archives, ...)

+ Justice (EJIS) Universities (CRUE)

25

Contents

Conclusions

26

Conclusions

The NSF provides a legal framework to align security
of eGovernment services across public administrations.
A global and coherent approach to security.
It applies proportionality: balance between the minimum
requirements, information and services to be protected and their
risks.

It references security measures, the WHAT, but
there is freedom on HOW to implement them.

It takes into account the state of the art and principal
terms of reference from EU, OECD, standardization, others.

The NSF is a key element of the Spanish Security
strategy.
Cooperation: participation of all Public Administrations;
and of the private sector through Industry associations.

Challenge: Provide guidance, tools and training to
facilitate implementation of the NSF and resolve
common issues and difficulties.
27

To know more about
IT security and Spain

www.lamoncloa.gob.es/NR
/.../EstrategiaEspanolaDeSeguridad.pdf http://www.epractice.eu/en/factsheets/
http://administracionelectronica.gob.es/ http://www.enisa.europa.eu/act/sr/files/
recursos/pae_000002018.pdf country-reports/?searchterm=country%20reports

http://www.oc.ccn.cni.es/index_en.html
https://www.ccn-cert.cni.es/index.php?lang=en http://administracionelectronica.gob.es
28

Thank you very
much for your
attention

29

20111010 The National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.

More Related Content

What's hot

Similar to 20111010 The National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.

More from Miguel A. Amutio

Recently uploaded

20111010 The National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011.