The National Security
Framework
(ENS - Esquema Nacional de Seguridad)
29th Plenary Meeting of the NIS
Cooperation Group
29th November 2023
Miguel A. Amutio
Deputy DG for Cybersecurity Planning and Coordination
General Secretariat for Digital Government
Secretary of State for Digitization and Artificial Intelligence
Ministry for Digital Transformation
Timeline: the ENS and its context, 2010 – 2023
2010
• National Security Framework
• National Interoperability Framework
2011 – 13
• Regulation on Critical Infrastructure Protection
• National Cybersecurity Strategy 2013
• Risk Analysis Methodology Magerit v3
2014 – 16
• Regulation eIDAS
• GDPR
• NIS Directive
• Updated ENS
• ENS Technical Security Instructions: Compliance with the ENS; Annual Report
• Administrative Laws 39/2015, 40/2015
• ICT Strategy – Shared Services Declaration (includes Shared Managed Security Services)
2017
• National Security Strategy 2017
2018
• ENS Technical Security Instructions: Auditing; Notification of incidents
• CoCENS, Council for the Certification of the ENS
• NIS transposition
• Data Protection Law (adding to GDPR)
2019 – 2021
• Cybersecurity Regulation
• National Guide on Notification of Cyberincidents
• National Cybersecurity Strategy 2019
• Council of Ministers Agreement on the Cybersecurity Operations Center of the General State Administration
• EU Digital Strategy
• EU Strategy for Data
• EU White Paper on AI
• EU Cybersecurity Package
• España Digital 2025
• National Cybersecurity Forum
• Regulation ECCC
• Development of the NIS transposition
• Plan for Digitization of Public Administrations 2021 – 2025
• Recovery Plan (Next Generation EU funding)
• Council of Ministers Agreement: Action Plan on Cybersecurity
2022
• RDL 7/2022 Security 5G
• Cybersecurity National Plan
• New National Security Framework
• Proposal Regulation on Cybersecurity of EUIBAs
• Proposal Regulation on information security of EUIBAs
• Council Conclusions on protection of the supply chain
• Directive 2022/2555 NIS2
• Regulation 2022/2554 DORA
• Directive 2022/2557 CER
• European Cybersecurity Skills Framework (ECSF)
2023
• Communication: Cyber Skills Academy
• Adequacy Decision EU-US Data Privacy Framework
• Proposal Cyber Solidarity Act
• Proposal modification of the Cybersecurity Act
• Addendum to the Recovery Plan
Cybersecurity: a collective and multidisciplinary effort, sustained over time.
Source: Miguel A. Amutio
A global approach to cybersecurity
Source: Miguel A. Amutio
Dimensions of the approach: Legal framework; Governance; Cooperation; Community; Capabilities; Services; Solutions; Interaction; Evolution; Digital Government.
Governance bodies:
▪ National Cybersecurity: CNCS, FNCS
▪ Digital Government: General State, eGov Sectorial Commission
▪ ENS – CoCENS
+ Funding
Certified Products (Catalogue CPSTIC)
Strategic context: National (ENCS 2019), European
National Security Framework
Big decisions, why and how (1/2)
Around 2006, when drafting the eGovernment Law, and on the basis of previous experience, it was decided to develop a security instrument tailored to the protection needs of the information and services provided BY and provided TO Public Administrations (though not limited to the specific needs of eGovernment at the time).
It should be embedded in the administrative legislation.
It should be aligned with the National and European strategic and legal framework.
And it should be the reference for:
• Data protection
• Protection of Critical Infrastructures, as well as Essential Services (at least for those managed by the Public Sector)
National Security Framework
Big decisions, why and how (2/2)
The National Security Framework was created by the eGovernment Law in 2007.
The ENS was first implemented by a Royal Decree in 2010, applicable to all Public Administrations, as the result of a joint effort by the public and private sectors.
It was included in the Administrative Laws of 2015, which superseded the previous administrative and eGovernment legislation.
It was updated in 2015 in the light of experience and of the evolution of National and European legislation (e.g. eIDAS).
The ENS was revamped in 2022:
• To align it with the current National and European strategic and legal framework.
• To introduce flexibility that facilitates implementation in specific contexts (e.g. Local Entities).
• To respond to cybersecurity needs and trends.
National Security Framework
More big decisions
It was decided to include Public Administration among the Strategic Sectors in the legislation for the Protection of Critical Infrastructures.
In the transposition of NIS1:
• It was decided to align the identification of essential services and their operators with the procedures defined for the designation of Operators of Critical Infrastructures.
• The security obligations of essential service operators and digital service providers refer to the National Security Framework (ENS) as a reference.
Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, Article 10, states:
“Information assurance and security standards: 1. Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation.”
National Security Framework
Embedded in Administrative Legislation
Law 40/2015 on the Legal Regime of the Public Sector:
“The National Security Framework aims to establish the security policy within the scope of this Law, and it is constituted by the basic principles and minimum requirements that adequately guarantee the security of the information processed.” (Art. 156)
Security, a general principle of action by Public Administrations:
“The Public Administrations will interact with each other and with their linked or dependent bodies, public organizations and entities through electronic means, which ensure the interoperability and security of the systems and solutions adopted by each of them; they will guarantee the protection of data, and they will preferably facilitate the joint provision of services to interested parties.” (Art. 3.2)
Law 39/2015 on the Common Administrative Procedure of Public Administrations:
Rights of citizens: “To the protection of personal data, and, in particular, to the security and confidentiality of the data in the files, systems and applications of the Public Administrations.” (Art. 13 h)
National Security Framework
General objectives
Create the necessary conditions of trust, through measures that guarantee security, enabling citizens and Public Sector entities to exercise their rights and fulfil their duties.
Promote:
• Continuous management of security.
• Prevention, detection and response to cyber threats and cyber attacks.
• A homogeneous approach to security that facilitates cooperation in the provision of services, by means of a common language and elements appropriate to the Public Sector.
Provide leadership on best practices.
Facilitate interoperability of data and services, supporting the National Interoperability Framework.
An overview (RD 311/2022)
• General provisions, object, scope of application, … (arts. 1 – 4)
• Basic principles, which serve as a guide (arts. 5 – 11)
• Security policy and minimum requirements, of mandatory compliance (arts. 12 – 28)
• Categorization of systems for the adoption of proportionate security measures (arts. 28, 40, 41, Annexes I and II)
• Procurement of security products and services; use of certified products; role of the Certification Body (OC-CCN) (art. 19 and Annex II)
• Use of common infrastructure and services (art. 29)
• Specific compliance profiles (art. 30)
• The security audit that verifies compliance with the ENS (art. 31 and Annex III)
• Annual Report on the Security Status (art. 32)
• Response to security incidents (arts. 33 and 34)
• Compliance with the ENS (arts. 35 to 38)
• Permanent updating (art. 39)
• Training (1st Additional Provision)
• Technical security instructions (2nd Additional Provision)
• Security guides (2nd Additional Provision)
• Adaptation of systems (sole Transitional Provision): 24 months
• Annex I. System security categories
• Annex II. Security measures
• Annex III. Security audit
• Annex IV. Glossary
41 articles, 4 annexes. An English version is available (*).
(*) Link to the English version: https://administracionelectronica.gob.es/dam/jcr:eb23ff83-ebdb-487e-abd2-8654f837794f/RD_311-2022_of-3_May_ENS.pdf
Link to the official version in Spanish: https://www.boe.es/eli/es/rd/2022/05/03/311
It is applicable to…
▪ The whole Public Sector in Spain.
▪ Systems that handle classified information.
▪ Providers of services and solutions to entities of the Public Sector.
▪ Public Sector entities and the third parties providing services to them, in the processing and protection of personal data.
▪ And…
▪ Calls for procurement will include the requirements to ensure compliance with the ENS (extended to the supply chain on the basis of risk analysis).
▪ Providers should have a security policy.
▪ Providers of outsourced services should have a Point of Contact for the security of the information handled and the services provided, and for incident management.
National Security Framework
Legal base:
✓ Royal Decree 3/2010
✓ Updated 2015
✓ Royal Decree 311/2022
✓ Administrative Laws 40/2015 and 39/2015
✓ Law 3/2018 (adds to GDPR)
✓ Transposition of NIS: RD-l 12/2018, RD 43/2021
Scope:
✓ Public Sector
✓ Classified Information
✓ Providers
✓ Supply chain (on the basis of risk analysis)
Technical Instructions:
✓ Annual Report
✓ Compliance with the ENS
✓ Audit
✓ Notification of incidents
Compliance:
✓ Certifiers accredited by ENAC
✓ Certified entities (public/private)
✓ Council for the Certification of the ENS (CoCENS)
Monitoring – Annual Report:
✓ 9 editions of the Annual Report
Support, guides and tools:
✓ > 100 guides, CCN-STIC Series 800
✓ > 23 solutions by references
Development – specific profiles:
✓ > 10 specific profiles for: Local Entities; Cloud environments; Others
Security Measures (I/IV)
Source: ENS Infographics
Organizational framework (4 measures): Security policy; Security regulations; Security procedures; Authorization process.
Operational framework (33 measures): Planning (5); Access control (6); Operation (10); External resources (4); Cloud services (1); Continuity of service (4); System monitoring (3).
Protection measures (36 measures): Facilities and infrastructure (7); Staff management (4); Protection of equipment (4); Protection of communications (4); Protection of information media (5); Protection of IT applications (2); Protection of information (6); Protection of services (4).
Organizational framework: measures related to the global organization of security.
Operational framework: measures to be taken to protect the operation of the system as an integral set of components for an end.
Protection measures: focus on protecting specific assets, depending on their nature and the quality required by the level of security of the dimensions concerned.
Proportionate to 3 categories (High, Medium, Basic) and 5 security dimensions (Confidentiality [C], Integrity [I], Accountability [Acc], Authenticity [Auth], Availability [A]).
Security Measures (II/IV and III/IV)
The security measures provided by the ENS cover the measures identified by the NIS Cooperation Group in relation to Article 21 of NIS2, with added value (coding, levels, reinforcements).
Security Measures (IV/IV)
Security measures, their requirements, and reinforcements are coded to facilitate both implementation and auditing.
Example: [op.mon.2] Metric system, cited under Monitoring below. The code names the framework (op, operational), the group of measures (mon, system monitoring) and the measure number within that group.
Responding to specific needs
✓ Specific compliance profiles (art. 30): they include the set of security measures that, on the basis of the mandatory risk analysis, are suitable for a specific security category.
✓ Profiles introduce the ability to adjust the ENS requirements to the specific needs of certain:
• Groups: Local Entities, Universities, Paying Agencies, …
• Technological areas: cloud services, …
Examples:
✓ CCN-STIC-881A. Perfil de Cumplimiento Específico Universidades (specific compliance profile for universities)
✓ CCN-STIC 883A Perfil de Cumplimiento Específico Ayuntamientos pequeños (small municipalities, fewer than 5,000 inhabitants)
✓ CCN-STIC 883B Perfil de Cumplimiento Específico Ayuntamientos de menos de 20.000 habitantes (municipalities of fewer than 20,000 inhabitants)
✓ CCN-STIC 883C Perfil de Cumplimiento Específico Ayuntamientos de entre 20.000 y 75.000 habitantes (municipalities of between 20,000 and 75,000 inhabitants)
✓ CCN-STIC 883D Perfil de Cumplimiento Específico Diputaciones (provincial councils)
✓ CCN-STIC-884 Perfil de cumplimiento específico para Azure Servicio de Cloud Corporativo (Azure as a corporate cloud service)
✓ CCN-STIC-885 Perfil de cumplimiento específico para Office 365 Servicio de Cloud Corporativo (Office 365 as a corporate cloud service)
✓ CCN-STIC-886 Perfil de cumplimiento específico para Sistemas Cloud Privados y Comunitarios (private and community cloud systems)
✓ CCN-STIC-887 Perfil de cumplimiento específico para AWS Servicio de Cloud Corporativo (AWS as a corporate cloud service)
✓ CCN-STIC-888 Perfil de Cumplimiento Específico para Google Cloud Servicio de Cloud Corporativo (Google Cloud as a corporate cloud service)
Response to cybersecurity incidents
Procedure and roles, in the light of experience and on the basis of the roles defined in the transposition of NIS1.
Role of the CSIRTs:
• CCN-CERT: notified by entities of the Public Sector; national coordinator
• INCIBE-CERT: notified by entities of the Private Sector
• ESPDEF-CERT: notified by entities in the scope of National Defense
Role of the General Secretariat for Digital Government (SGAD), provider of common and shared services, in collaboration with the CCN-CERT.
Role of the Ministry of the Interior (Cybersecurity Coordination Office, OCC), involved when an essential operator that has also been designated as a critical operator suffers an incident.
Procurement of security products
Use of certified products on the basis of proportionality.
Role of the recognized Catalogue of Information and Communication Technology Security Products and Services (CPSTIC): it offers a set of reference products whose security functionalities have been certified.
The instruments for central procurement refer to the ENS for the security requirements and for the means to show compliance.
E.g. the Dynamic System for Procurement of System, Development and Application Software Supplies of the State Centralized Procurement System (SDA 25). Its specifications include:
- Security requirements
- How to show compliance with the security requirements, by reference to:
  - the National Security Framework (ENS)
  - the Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) or equivalent
  - the (forthcoming) European certification schemes
Compliance
Those in scope should show compliance with the ENS.
Public Sector entities, service providers and solution providers: same procedures and documents.
Certification entities: accredited by ENAC in accordance with UNE-EN ISO/IEC 17065 for the certification of systems within the scope of application of the ENS.
Declaration of Compliance: applicable to Basic category information systems; self-assessment for the declaration.
Certification of Compliance: mandatory for information systems of Medium or High category and voluntary for Basic category; audit for certification.
Labels: Declaration of Compliance / Certification of Compliance.
✓ This allows the unification of criteria among certifying entities through the ENS Certification Council (CoCENS).
✓ At any time, any person or entity can consult the status of a Certification of Compliance with the ENS in a centralized portal maintained by the CCN, based on the information provided by the certification entities.
Monitoring – Annual Report
▪ Article 32. Security status report
▪ Security measurement: 4.7.2 Metric System [op.mon.2]
There is a tool for collecting and consolidating data for the State of Security Report.
Main contents of the report:
- General information about organisms
- Risk management
- Organizational security information
- Economic and human resources
- Security measures of Annex II of the ENS
- Information about interconnections
- Security application (authentication methods, outsourced services, change management, continuity of services, training, awareness, …)
- Incident management (number and response times)
- Audits and certifications
Versions of the report: global and by context.
Some figures from the 9th edition (year 2022):
Participation by type of organism, 2022: General State Administration 177; Regions 218; Local Bodies 877; Universities 55. In total 1,327 bodies, +30% compared to 2021.
Developments in participation, 2018 – 2022:
Year | Included in the report | Registered in Governance
2018 | 768 | 886
2019 | 898 | 1078
2020 | 933 | 1187
2021 | 1008 | 1283
2022 | 1327 | 1747
Cooperation, Governance, Community
General State Administration: ICT Governance and Cooperation (Gobernanza y Cooperación TIC); Working Groups (… ENS, COCS); CIO (SGAD).
Public Administrations: Sectorial Commission for eGovernment; Working Groups (… WG Security).
Council for the Certification of the ENS (CoCENS):
- Established: 2018
- Presidency: CCN
- Members: SGAD, ENAC, accredited certifiers of the ENS
- Mission: implementation of the certification of compliance with the ENS
+ Community
Capacities, services and solutions
Cybersecurity Operations Center of the General State Administration (COCS):
✓ provides horizontal SOC cybersecurity services;
✓ facilitates compliance with the ENS;
✓ > 100 entities within its scope (General State Administration).
Catalogue of solutions provided by the CCN-CERT:
✓ audit, detection, SIEM, CTI exchange, …;
✓ they facilitate the implementation of the ENS.
National Network of SOCs:
✓ collaboration and exchange of information between the SOCs of the Spanish public sector;
✓ 141 members: 89 public entities and 52 providers (31 Gold, 21 Informed);
✓ promotion of cybersecurity capacities in regional governments and local entities.
European Cross-border Platform for the Exchange of Cyberintelligence Information
✓ EU funding: DIGITAL, Cybersecurity Work Programme
✓ Cross-border platforms for pooling data on cybersecurity threats between several Member States
✓ Call for Expression of Interest to select entities in Member States and other eligible countries willing to deploy and manage cross-border SOC platforms
ENSOC Architecture
Funding
Agreement of the Council of Ministers on Urgent Measures on Cybersecurity (25.05.2021), Line 2 – Action 5 – Measure 9.
Timeline milestones shown on the slide: April 2019, July 2020, January 2021, May 2021, October 2021.
Funding from Next Generation EU through the Plan for Recovery, Transformation and Resilience:
✓ Cybersecurity Operations Center of the General State Administration (COCS)
✓ Solutions provided by the CCN-CERT required by the COCS
✓ Improvement of the implementation of the ENS in the General State Administration
✓ Cybersecurity capacities in other Public Administrations, Regional Governments and, particularly, Local Entities, as well as improvement of the implementation of the ENS
✓ Other investments in cybersecurity
EU Cybersecurity Context
Legal framework (non-exhaustive):
• Regulation 910/2014 eIDAS
• Regulation 2016/679 GDPR
• Regulation 2019/881 Cybersecurity Act
• Regulation 2021/887 ECCC
• Directive 2016/1148 NIS
• Regulation 2018/1724 Single Digital Gateway
• Regulation 2022/2554 DORA
• Directive 2022/2555 NIS2
• Directive 2022/2557 on the resilience of critical entities (CER)
• Regulation 2022/868 Data Governance Act
• Council Conclusions on security of the supply chain
• EU Policy on Cyber Defence
• Adequacy Decision EU-US Data Privacy Framework
• Proposal Regulation on Artificial Intelligence
• Proposal Regulation Data Act
• Proposal Regulation Interoperable Europe
• Proposal Cyber Resilience Act (CRA)
• Proposal Regulation eIDAS2
• Proposal Regulation on Cybersecurity of EU Institutions
• Proposal Regulation on information security of EU Institutions
• Proposals for European Certification Schemes (EUCC, EUCS)
• Proposal Cyber Solidarity Act
• Proposal modification of the Cybersecurity Act
Governance:
• Multi-Stakeholder Platform for ICT Standards
• CIO Network
• Expert Group on Interoperability
• SDG Coordination Group
• European Blockchain Services Infrastructure
• eIDAS Expert Group
• …
Cooperation and community:
• European Cybersecurity Competence Centre (ECCC)
• Network of NCCs
• NIS Cooperation Group
• CyCLONe – European Cyber Crises Liaison Organisation Network
• Joint Cyber Unit – cooperation of cybersecurity communities
• International cooperation on cybersecurity standards and specifications
• Cooperation with third countries, …
Operational capacities, services and solutions:
• Trans-European TESTA Network
• CEF Building Blocks, …
• ENISA
• CERT-EU (for EUIBAs)
• CSIRTs Network, …
Funding:
• Next Generation EU
• Digital Europe Programme – Cybersecurity
• Horizon Europe
• Other funding instruments
Interaction:
▪ Alignment
▪ Transposition
▪ Implementation
▪ Participation
▪ Contribution to factsheets, etc.
Public Administrations in the scope of NIS2
Enlarged scope: Public Administration (General State, Regional Governments; Local Entities, to be determined).
Main obligations for entities in the scope: measures for risk management (Article 21):
• Security policies
• Incident management (prevention, detection and response)
• Business continuity
• Supply chain security
• Security in the acquisition, development and maintenance of networks and systems
• Policies and procedures to evaluate the effectiveness of measures
• Basic cyber hygiene practices and cybersecurity training
• Policies and procedures relating to cryptography and encryption
• Human resources security, …
• Specific vulnerabilities of suppliers and service providers
The ENS positions Spain in a favorable condition for the agile implementation of the transposition of the NIS2 Directive.
Conclusions
✓ The ENS provides basic principles and security requirements; proportionality through categorization; updated security measures; flexibility mechanisms through specific profiles; accreditation and compliance mechanisms through a certification scheme with ENAC; and monitoring through the Annual Report on the state of security, along with more than 100 support guides and a collection of support tools provided by the CCN-CERT.
✓ Applicable to the whole public sector, to systems that handle classified information, and to providers of solutions and services.
✓ A global approach which engages the legal framework; governance, cooperation and community; capacities, solutions and services; and funding.
✓ Aligned with the cybersecurity context and tailored to digital government, including aspects not treated in standards but coherent with international standards.
✓ It is flexible and, at the same time, enables harmonization of criteria. Continuously tuned to the evolution of threats to information systems. The ENS satisfies the measures proposed by the NIS Cooperation Group for Article 21.
✓ 13 years of experience.
✓ A sound basis for the implementation of NIS2 in Spain.
More info
Many thanks
 
National_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdfNational_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdfAlexandre Pinheiro
 
Cyber security for smart cities an architecture model for public transport
Cyber security for smart cities   an architecture model for public transportCyber security for smart cities   an architecture model for public transport
Cyber security for smart cities an architecture model for public transportAndrey Apuhtin
 
Digital transformation in the Spanish Government
Digital transformation in the Spanish Government Digital transformation in the Spanish Government
Digital transformation in the Spanish Government Miguel A. Amutio
 
Digital strategy for cyprus
Digital strategy for cyprusDigital strategy for cyprus
Digital strategy for cyprusAnima Slides
 
Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...
Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...
Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...Miguel A. Amutio
 
European Directive DRAFT Network and Information Technology Security
European Directive DRAFT Network and Information Technology SecurityEuropean Directive DRAFT Network and Information Technology Security
European Directive DRAFT Network and Information Technology SecurityDavid Sweigert
 

Similar to The National Security Framework of Spain (20)

Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
Governing Information Security
Governing Information SecurityGoverning Information Security
Governing Information Security
 
Roberto Reale - Governing Information Security
Roberto Reale - Governing Information SecurityRoberto Reale - Governing Information Security
Roberto Reale - Governing Information Security
 
Strategy and experience of Spain in interoperability for eGovernment. Governm...
Strategy and experience of Spain in interoperability for eGovernment. Governm...Strategy and experience of Spain in interoperability for eGovernment. Governm...
Strategy and experience of Spain in interoperability for eGovernment. Governm...
 
CTO-CybersecurityForum-2010-Trilok-Debeesing
CTO-CybersecurityForum-2010-Trilok-DebeesingCTO-CybersecurityForum-2010-Trilok-Debeesing
CTO-CybersecurityForum-2010-Trilok-Debeesing
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
CTO-CybersecurityForum-2010-Andrea Gloriso
CTO-CybersecurityForum-2010-Andrea GlorisoCTO-CybersecurityForum-2010-Andrea Gloriso
CTO-CybersecurityForum-2010-Andrea Gloriso
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
 
ECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification Framework
 
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
 
E govermentinlocalandregionaladministrations onlineversionpdf
E govermentinlocalandregionaladministrations onlineversionpdfE govermentinlocalandregionaladministrations onlineversionpdf
E govermentinlocalandregionaladministrations onlineversionpdf
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
National_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdfNational_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdf
 
Cyber security for smart cities an architecture model for public transport
Cyber security for smart cities   an architecture model for public transportCyber security for smart cities   an architecture model for public transport
Cyber security for smart cities an architecture model for public transport
 
Digital transformation in the Spanish Government
Digital transformation in the Spanish Government Digital transformation in the Spanish Government
Digital transformation in the Spanish Government
 
Session 2.1 Martin Mühleck
Session 2.1 Martin MühleckSession 2.1 Martin Mühleck
Session 2.1 Martin Mühleck
 
Digital strategy for cyprus
Digital strategy for cyprusDigital strategy for cyprus
Digital strategy for cyprus
 
Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...
Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...
Experience and strategy of Spain in eGovernment: three keys to sucess, the ba...
 
European Directive DRAFT Network and Information Technology Security
European Directive DRAFT Network and Information Technology SecurityEuropean Directive DRAFT Network and Information Technology Security
European Directive DRAFT Network and Information Technology Security
 

More from Miguel A. Amutio

Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...
Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...
Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...Miguel A. Amutio
 
Mejora de la adecuación de los sistemas de la Administración General del Esta...
Mejora de la adecuación de los sistemas de la Administración General del Esta...Mejora de la adecuación de los sistemas de la Administración General del Esta...
Mejora de la adecuación de los sistemas de la Administración General del Esta...Miguel A. Amutio
 
Código de interoperabilidad - Introducción
Código de interoperabilidad - IntroducciónCódigo de interoperabilidad - Introducción
Código de interoperabilidad - IntroducciónMiguel A. Amutio
 
El Centro Europeo de Competencias en Ciberseguridad
El Centro Europeo de Competencias en CiberseguridadEl Centro Europeo de Competencias en Ciberseguridad
El Centro Europeo de Competencias en CiberseguridadMiguel A. Amutio
 
V Encuentros CCN ENS. Novedades, retos y tendencias
V Encuentros CCN ENS. Novedades, retos y tendenciasV Encuentros CCN ENS. Novedades, retos y tendencias
V Encuentros CCN ENS. Novedades, retos y tendenciasMiguel A. Amutio
 
Quien hace el Esquema Nacional de Seguridad ENS
Quien hace el Esquema Nacional de Seguridad ENSQuien hace el Esquema Nacional de Seguridad ENS
Quien hace el Esquema Nacional de Seguridad ENSMiguel A. Amutio
 
Contexto Europeo de Ciberseguridad
Contexto Europeo de CiberseguridadContexto Europeo de Ciberseguridad
Contexto Europeo de CiberseguridadMiguel A. Amutio
 
El nuevo ENS ante la ciberseguridad que viene
El nuevo ENS ante la ciberseguridad que vieneEl nuevo ENS ante la ciberseguridad que viene
El nuevo ENS ante la ciberseguridad que vieneMiguel A. Amutio
 
CryptoParty 2022. El Esquema Nacional de Seguridad para principiantes
CryptoParty 2022. El Esquema Nacional de Seguridad para principiantesCryptoParty 2022. El Esquema Nacional de Seguridad para principiantes
CryptoParty 2022. El Esquema Nacional de Seguridad para principiantesMiguel A. Amutio
 
Medidas del Estado para garantizar la seguridad en la Administración Pública
Medidas del Estado para garantizar la seguridad en la Administración PúblicaMedidas del Estado para garantizar la seguridad en la Administración Pública
Medidas del Estado para garantizar la seguridad en la Administración PúblicaMiguel A. Amutio
 
La preservación digital de datos y documentos a largo plazo: 5 retos próximos
La preservación digital de datos y documentos a largo plazo: 5 retos próximosLa preservación digital de datos y documentos a largo plazo: 5 retos próximos
La preservación digital de datos y documentos a largo plazo: 5 retos próximosMiguel A. Amutio
 
INAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedades
INAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedadesINAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedades
INAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedadesMiguel A. Amutio
 
Presente y futuro de la administración electrónica
Presente y futuro de la administración electrónicaPresente y futuro de la administración electrónica
Presente y futuro de la administración electrónicaMiguel A. Amutio
 
El nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La Laguna
El nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La LagunaEl nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La Laguna
El nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La LagunaMiguel A. Amutio
 
IV Encuentro ENS - El nuevo Esquema Nacional de Seguridad
IV Encuentro ENS - El nuevo Esquema Nacional de SeguridadIV Encuentro ENS - El nuevo Esquema Nacional de Seguridad
IV Encuentro ENS - El nuevo Esquema Nacional de SeguridadMiguel A. Amutio
 
Revista SIC. El nuevo esquema nacional de seguridad
Revista SIC. El nuevo esquema nacional de seguridadRevista SIC. El nuevo esquema nacional de seguridad
Revista SIC. El nuevo esquema nacional de seguridadMiguel A. Amutio
 
El nuevo Esquema Nacional de Seguridad
El nuevo Esquema Nacional de SeguridadEl nuevo Esquema Nacional de Seguridad
El nuevo Esquema Nacional de SeguridadMiguel A. Amutio
 
Actualización del ENS. Presentación CCN-CERT / SGAD
Actualización del ENS. Presentación CCN-CERT / SGADActualización del ENS. Presentación CCN-CERT / SGAD
Actualización del ENS. Presentación CCN-CERT / SGADMiguel A. Amutio
 
Implementation of the European Interoperability framework in Spain
Implementation of the European Interoperability framework in SpainImplementation of the European Interoperability framework in Spain
Implementation of the European Interoperability framework in SpainMiguel A. Amutio
 

More from Miguel A. Amutio (20)

Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...
Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...
Conference THE FUTURE IS DATA Panel: Leaders of the European Open Data Maturi...
 
Mejora de la adecuación de los sistemas de la Administración General del Esta...
Mejora de la adecuación de los sistemas de la Administración General del Esta...Mejora de la adecuación de los sistemas de la Administración General del Esta...
Mejora de la adecuación de los sistemas de la Administración General del Esta...
 
Código de interoperabilidad - Introducción
Código de interoperabilidad - IntroducciónCódigo de interoperabilidad - Introducción
Código de interoperabilidad - Introducción
 
El Centro Europeo de Competencias en Ciberseguridad
El Centro Europeo de Competencias en CiberseguridadEl Centro Europeo de Competencias en Ciberseguridad
El Centro Europeo de Competencias en Ciberseguridad
 
V Encuentros CCN ENS. Novedades, retos y tendencias
V Encuentros CCN ENS. Novedades, retos y tendenciasV Encuentros CCN ENS. Novedades, retos y tendencias
V Encuentros CCN ENS. Novedades, retos y tendencias
 
Quien hace el Esquema Nacional de Seguridad ENS
Quien hace el Esquema Nacional de Seguridad ENSQuien hace el Esquema Nacional de Seguridad ENS
Quien hace el Esquema Nacional de Seguridad ENS
 
Quien hace el ENI
Quien hace el ENIQuien hace el ENI
Quien hace el ENI
 
Contexto Europeo de Ciberseguridad
Contexto Europeo de CiberseguridadContexto Europeo de Ciberseguridad
Contexto Europeo de Ciberseguridad
 
El nuevo ENS ante la ciberseguridad que viene
El nuevo ENS ante la ciberseguridad que vieneEl nuevo ENS ante la ciberseguridad que viene
El nuevo ENS ante la ciberseguridad que viene
 
CryptoParty 2022. El Esquema Nacional de Seguridad para principiantes
CryptoParty 2022. El Esquema Nacional de Seguridad para principiantesCryptoParty 2022. El Esquema Nacional de Seguridad para principiantes
CryptoParty 2022. El Esquema Nacional de Seguridad para principiantes
 
Medidas del Estado para garantizar la seguridad en la Administración Pública
Medidas del Estado para garantizar la seguridad en la Administración PúblicaMedidas del Estado para garantizar la seguridad en la Administración Pública
Medidas del Estado para garantizar la seguridad en la Administración Pública
 
La preservación digital de datos y documentos a largo plazo: 5 retos próximos
La preservación digital de datos y documentos a largo plazo: 5 retos próximosLa preservación digital de datos y documentos a largo plazo: 5 retos próximos
La preservación digital de datos y documentos a largo plazo: 5 retos próximos
 
INAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedades
INAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedadesINAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedades
INAP- SOCINFO. El nuevo Esquema Nacional de Seguridad: principales novedades
 
Presente y futuro de la administración electrónica
Presente y futuro de la administración electrónicaPresente y futuro de la administración electrónica
Presente y futuro de la administración electrónica
 
El nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La Laguna
El nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La LagunaEl nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La Laguna
El nuevo Esquema Nacional de Seguridad. Jornadas CRUE TIC La Laguna
 
IV Encuentro ENS - El nuevo Esquema Nacional de Seguridad
IV Encuentro ENS - El nuevo Esquema Nacional de SeguridadIV Encuentro ENS - El nuevo Esquema Nacional de Seguridad
IV Encuentro ENS - El nuevo Esquema Nacional de Seguridad
 
Revista SIC. El nuevo esquema nacional de seguridad
Revista SIC. El nuevo esquema nacional de seguridadRevista SIC. El nuevo esquema nacional de seguridad
Revista SIC. El nuevo esquema nacional de seguridad
 
El nuevo Esquema Nacional de Seguridad
El nuevo Esquema Nacional de SeguridadEl nuevo Esquema Nacional de Seguridad
El nuevo Esquema Nacional de Seguridad
 
Actualización del ENS. Presentación CCN-CERT / SGAD
Actualización del ENS. Presentación CCN-CERT / SGADActualización del ENS. Presentación CCN-CERT / SGAD
Actualización del ENS. Presentación CCN-CERT / SGAD
 
Implementation of the European Interoperability framework in Spain
Implementation of the European Interoperability framework in SpainImplementation of the European Interoperability framework in Spain
Implementation of the European Interoperability framework in Spain
 

Recently uploaded

Building a better Britain: How cities like Bradford can help to end economic ...
Building a better Britain: How cities like Bradford can help to end economic ...Building a better Britain: How cities like Bradford can help to end economic ...
Building a better Britain: How cities like Bradford can help to end economic ...ResolutionFoundation
 
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单enbam
 
Effective governance in the modern charity
Effective governance in the modern charityEffective governance in the modern charity
Effective governance in the modern charityFelixPerez547899
 
Ghana High Commission on list of diplomats including US & China who owe £143m...
Ghana High Commission on list of diplomats including US & China who owe £143m...Ghana High Commission on list of diplomats including US & China who owe £143m...
Ghana High Commission on list of diplomats including US & China who owe £143m...Kweku Zurek
 
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...suryaaamsyah
 
一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单
一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单
一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单enbam
 
SK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
SK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnSK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
SK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnRyanAlejandro5
 
IEA Global Critical Minerals Outlook2024
IEA Global Critical Minerals Outlook2024IEA Global Critical Minerals Outlook2024
IEA Global Critical Minerals Outlook2024Energy for One World
 
EDI Executive Education Master Class- 15thMay 2024 (updated) (2)
EDI Executive Education Master Class- 15thMay 2024 (updated) (2)EDI Executive Education Master Class- 15thMay 2024 (updated) (2)
EDI Executive Education Master Class- 15thMay 2024 (updated) (2)Energy for One World
 
sarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdf
sarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdfsarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdf
sarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdfSarkari Jobs Work
 
Setting a new path to greater, shared prosperity
Setting a new path to greater, shared prosperitySetting a new path to greater, shared prosperity
Setting a new path to greater, shared prosperityResolutionFoundation
 
Rocky Mount | Wilson | Greenville Regional Transit Plan Executive Summary
Rocky Mount | Wilson | Greenville Regional Transit Plan Executive SummaryRocky Mount | Wilson | Greenville Regional Transit Plan Executive Summary
Rocky Mount | Wilson | Greenville Regional Transit Plan Executive SummaryRobert Hiett
 
Proposed Facility Types: Chesapeake Trails and Connectivity Plan
Proposed Facility Types: Chesapeake Trails and Connectivity PlanProposed Facility Types: Chesapeake Trails and Connectivity Plan
Proposed Facility Types: Chesapeake Trails and Connectivity PlanCity of Chesapeake
 
CrossWalksInspirations for Brockville***
CrossWalksInspirations for Brockville***CrossWalksInspirations for Brockville***
CrossWalksInspirations for Brockville***Stephen Abram
 
International Day of Families - 15 May 2024 - UNDESA.
International Day of Families - 15 May 2024 - UNDESA.International Day of Families - 15 May 2024 - UNDESA.
International Day of Families - 15 May 2024 - UNDESA.Christina Parmionova
 
“Be part of the Plan” International Day For Biological Diversity 2024.
“Be part of the Plan” International Day For Biological Diversity 2024.“Be part of the Plan” International Day For Biological Diversity 2024.
“Be part of the Plan” International Day For Biological Diversity 2024.Christina Parmionova
 
Minority economic forum Executive Summary
Minority economic forum Executive SummaryMinority economic forum Executive Summary
Minority economic forum Executive SummaryRDE GROUP CORP
 
Who are the Sherden Yale Historical Review
Who are the Sherden Yale Historical ReviewWho are the Sherden Yale Historical Review
Who are the Sherden Yale Historical Reviewyalehistoricalreview
 

Recently uploaded (20)

Building a better Britain: How cities like Bradford can help to end economic ...
Building a better Britain: How cities like Bradford can help to end economic ...Building a better Britain: How cities like Bradford can help to end economic ...
Building a better Britain: How cities like Bradford can help to end economic ...
 
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
 
How to Save a Place: How to Fund Your Preservation Project
How to Save a Place: How to Fund Your Preservation ProjectHow to Save a Place: How to Fund Your Preservation Project
How to Save a Place: How to Fund Your Preservation Project
 
Effective governance in the modern charity
Effective governance in the modern charityEffective governance in the modern charity
Effective governance in the modern charity
 
Ghana High Commission on list of diplomats including US & China who owe £143m...
Ghana High Commission on list of diplomats including US & China who owe £143m...Ghana High Commission on list of diplomats including US & China who owe £143m...
Ghana High Commission on list of diplomats including US & China who owe £143m...
 
How to Save a Place: Get the Word Out Far And Wide
How to Save a Place: Get the Word Out Far And WideHow to Save a Place: Get the Word Out Far And Wide
How to Save a Place: Get the Word Out Far And Wide
 
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024) - Daftar Rumpun, Pohon, dan Caba...
 
一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单
一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单
一比一原版(MQU毕业证)麦考瑞大学毕业证成绩单
 
SK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
SK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnSK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
SK 10% nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
 
IEA Global Critical Minerals Outlook2024
IEA Global Critical Minerals Outlook2024IEA Global Critical Minerals Outlook2024
IEA Global Critical Minerals Outlook2024
 
EDI Executive Education Master Class- 15thMay 2024 (updated) (2)
EDI Executive Education Master Class- 15thMay 2024 (updated) (2)EDI Executive Education Master Class- 15thMay 2024 (updated) (2)
EDI Executive Education Master Class- 15thMay 2024 (updated) (2)
 
sarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdf
sarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdfsarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdf
sarkarijobswork.online-bsf-si-vehicle-mechanic-and-constable-technical-may24.pdf
 
Setting a new path to greater, shared prosperity
Setting a new path to greater, shared prosperitySetting a new path to greater, shared prosperity
Setting a new path to greater, shared prosperity
 
Rocky Mount | Wilson | Greenville Regional Transit Plan Executive Summary
Rocky Mount | Wilson | Greenville Regional Transit Plan Executive SummaryRocky Mount | Wilson | Greenville Regional Transit Plan Executive Summary
Rocky Mount | Wilson | Greenville Regional Transit Plan Executive Summary
 
Proposed Facility Types: Chesapeake Trails and Connectivity Plan
Proposed Facility Types: Chesapeake Trails and Connectivity PlanProposed Facility Types: Chesapeake Trails and Connectivity Plan
Proposed Facility Types: Chesapeake Trails and Connectivity Plan
 
CrossWalksInspirations for Brockville***
CrossWalksInspirations for Brockville***CrossWalksInspirations for Brockville***
CrossWalksInspirations for Brockville***
 
International Day of Families - 15 May 2024 - UNDESA.
International Day of Families - 15 May 2024 - UNDESA.International Day of Families - 15 May 2024 - UNDESA.
International Day of Families - 15 May 2024 - UNDESA.
 
“Be part of the Plan” International Day For Biological Diversity 2024.
“Be part of the Plan” International Day For Biological Diversity 2024.“Be part of the Plan” International Day For Biological Diversity 2024.
“Be part of the Plan” International Day For Biological Diversity 2024.
 
Minority economic forum Executive Summary
Minority economic forum Executive SummaryMinority economic forum Executive Summary
Minority economic forum Executive Summary
 
Who are the Sherden Yale Historical Review
Who are the Sherden Yale Historical ReviewWho are the Sherden Yale Historical Review
Who are the Sherden Yale Historical Review
 

The National Security Framework of Spain

  • 1. The National Security Framework (ENS - Esquema Nacional de Seguridad)
      29th Plenary Meeting of the NIS Cooperation Group, 29th November 2023
      Miguel A. Amutio, Deputy DG for Cybersecurity Planning and Coordination, General Secretariat for Digital Government, Secretary of State for Digitization and Artificial Intelligence, Ministry for Digital Transformation
  • 2. Timeline 2010 – 2023 (milestones as laid out on the slide)
      2010
      • National Security Framework (ENS)
      • National Interoperability Framework
      2011 – 13
      • Regulation on Critical Infrastructure Protection
      • National Cybersecurity Strategy 2013
      • Risk Analysis Methodology Magerit v3
      2014 – 16
      • Regulation eIDAS
      • GDPR
      • NIS Directive
      • Updated ENS
      • ENS Technical Security Instructions: Compliance with ENS; Annual Report
      • Administrative Laws 39/2015, 40/2015
      • ICT Strategy – Shared Services Declaration (includes Shared Managed Security Services)
      2017
      • National Security Strategy 2017
      2018
      • ENS Technical Security Instructions: Auditing; Notification of incidents
      • CoCENS, Council for Certification of the ENS
      • NIS transposition
      • Data Protection Law (adding to GDPR)
      2019
      • Cybersecurity Regulation
      • National Guide on Notification of Cyberincidents
      • National Cybersecurity Strategy 2019
      • Council of Ministers Agreement on the Cybersecurity Operations Center of the General State Administration
      2020
      • EU Digital Strategy
      • EU Strategy for Data
      • EU White Paper on AI
      • EU Cybersecurity Package
      • España Digital 2025
      • National Cybersecurity Forum
      2021
      • Regulation ECCC
      • Development of the NIS transposition
      • Plan for Digitization of Public Administrations 2021 – 2025
      • Recovery Plan (Next Generation EU funding)
      • Council of Ministers Agreement on the Action Plan on Cybersecurity
      2022
      • RDL 7/2022 on 5G Security
      • National Cybersecurity Plan
      • New National Security Framework
      • Proposal for a Regulation on Cybersecurity of EUIBAs
      • Proposal for a Regulation on Information Security of EUIBAs
      • Council Conclusions on protection of the supply chain
      • Directive 2022/2555 (NIS2)
      • Regulation 2022/2554 (DORA)
      • Directive 2022/2557 (CER)
      • European Cybersecurity Skills Framework (ECSF)
      2023
      • Communication on the Cyber Skills Academy
      • Adequacy Decision on the EU-US Data Privacy Framework
      • Proposal for a Cyber Solidarity Act
      • Proposal to amend the Cybersecurity Act
      • Addendum to the Recovery Plan on Cybersecurity
      A collective and multidisciplinary effort, sustained over time. Source: Miguel A. Amutio
  • 3. A global approach to cybersecurity (diagram; source: Miguel A. Amutio)
      Building blocks: Legal framework, Governance, Cooperation, Community, Capabilities, Services, Solutions, Interaction, Evolution, Digital Government.
      Governance bodies: National Cybersecurity (CNCS, FNCS); Digital Government (General State, eGov Sectorial Commission, ENS - CoCENS); + Funding.
      Certified products: Catalogue CPSTIC.
      Strategic context: National (ENCS 2019), European.
  • 4. National Security Framework. Big decisions, why and how (1/2)
      Around 2006, when drafting the eGovernment Law, on the basis of previous experience, it was decided to develop a security instrument tailored to the protection needs of the information and services provided BY and provided TO Public Administrations (though not limited to the specific needs of eGovernment at the time). It should:
      • be embedded in the administrative legislation;
      • be aligned with the national and European strategic and legal framework;
      • be the reference for data protection and for the protection of critical infrastructures, as well as essential services (at least for those managed by the Public Sector).
  • 5. National Security Framework. Big decisions, why and how (2/2)
      The National Security Framework was created by the eGovernment Law in 2007. The ENS was first implemented by a Royal Decree in 2010, applicable to all Public Administrations, as the result of a joint effort by the public and private sectors. It was included in the Administrative Laws of 2015, which superseded the previous administrative and eGovernment legislation. It was updated in 2015 in the light of experience and of the evolution of national and European legislation (e.g. eIDAS).
      The ENS was revamped in 2022:
      • to align it with the current national and European strategic and legal framework;
      • to introduce flexibility that facilitates implementation in specific contexts (e.g. Local Entities);
      • to respond to cybersecurity needs and trends.
  • 6. National Security Framework. More big decisions
      It was decided to include Public Administration among the Strategic Sectors in the legislation for the Protection of Critical Infrastructures.
      In the transposition of NIS1:
      • It was decided to align the identification of essential services and their operators with the procedures defined for the designation of Operators of Critical Infrastructures.
      • The security obligations of essential service operators and digital service providers refer to the National Security Framework (ENS) as the reference.
      In Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, Article 10 (Information assurance and security standards) states: "1. Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation."
6
National Security Framework
Embedded in Administrative Legislation
"The National Security Framework aims to establish the security policy within the scope of this Law, and it is constituted by the basic principles and minimum requirements that adequately guarantee the security of the information processed." (Art. 156, Law 40/2015 on the Legal Regime of the Public Sector)
Security, a general principle of action by Public Administrations:
"The Public Administrations will interact with each other and with their linked or dependent bodies, public organizations and entities through electronic means, which ensure the interoperability and security of the systems and solutions adopted by each of them; they will guarantee the protection of data, and they will preferably facilitate the joint provision of services to interested parties." (Art. 3.2, Law 40/2015 on the Legal Regime of the Public Sector)
Rights of citizens:
To the protection of personal data and, in particular, to the security and confidentiality of the data in the files, systems and applications of the Public Administrations. (Art. 13 h), Law 39/2015 on the Common Administrative Procedure of Public Administrations)
7
National Security Framework
General objectives
Create the necessary conditions of trust, through measures that guarantee security, so that citizens and Public Sector entities can exercise their rights and fulfil their duties.
Promote:
• Continuous management of security.
• Prevention, detection and response to cyber threats and cyber attacks.
• A homogeneous approach to security that facilitates cooperation in the provision of services, by means of a common language and elements appropriate to the Public Sector.
Provide leadership on best practices.
Facilitate the interoperability of data and services, supporting the National Interoperability Framework.
8
An overview (RD 311/2022)
41 Articles, 4 Annexes. English version available (*).
• General provisions: object, scope of application, … (arts. 1-4)
• Basic principles, which serve as a guide (arts. 5-11)
• Security policy and minimum requirements, mandatory compliance (arts. 12-28)
• Categorization of systems for the adoption of proportionate security measures (arts. 28, 40, 41, Annexes I and II)
• Procurement of security products and services. Use of certified products. Role of the Certification Body (OC-CCN) (art. 19 and Annex II)
• Use of common infrastructure and services (art. 29)
• Specific compliance profiles (art. 30)
• The security audit that verifies compliance with the ENS (art. 31 and Annex III)
• Annual Report on the Security Status (art. 32)
• Response to security incidents (arts. 33 and 34)
• Compliance with the ENS (arts. 35 to 38)
• Permanent updating (art. 39)
• Training (D.a. 1st)
• Technical security instructions (D.a. 2nd)
• Security guides (D.a. 2nd)
• Systems adaptation (sole transitional provision, d.t.u.): 24 months
• Annex I. System security categories
• Annex II. Security measures
• Annex III. Security audit
• Annex IV. Glossary
(*) Link to the English version: https://administracionelectronica.gob.es/dam/jcr:eb23ff83-ebdb-487e-abd2-8654f837794f/RD_311-2022_of-3_May_ENS.pdf
Link to the official version in Spanish: https://www.boe.es/eli/es/rd/2022/05/03/311
9
It is applicable to…
▪ The whole Public Sector in Spain.
▪ Systems that handle classified information.
▪ Providers of services and solutions to entities of the Public Sector.
▪ Public Sector entities and third parties providing services to them, in the processing and protection of personal data.
▪ And…
▪ Calls for procurement will include the requirements needed to ensure compliance with the ENS (extended to the supply chain on the basis of risk analysis).
▪ Providers should have a security policy.
▪ Providers of outsourced services should have a Point of Contact for the security of the information handled and the services provided, and for incident management.
10
Legal base
✓ Royal Decree 3/2010
✓ Updated 2015
✓ Royal Decree 311/2022
✓ Administrative Laws 40/2015 and 39/2015
✓ Law 3/2018 (adding to GDPR)
✓ Transposition of NIS: RD-l 12/2018, RD 43/2021
Scope
✓ Public Sector
✓ Classified Information
✓ Providers
✓ Supply Chain (on the basis of risk analysis)
Technical Instructions
✓ Annual Report
✓ Compliance with the ENS
✓ Audit
✓ Notification of incidents
Compliance
✓ Certifiers accredited by ENAC
✓ Certified entities (public/private)
✓ Council for the Certification of ENS (CoCENS)
Monitoring
✓ Annual Report: 9 editions
Support, Guides and Tools
✓ > 100 Guides (CCN-STIC Series 800)
✓ > 23 Solutions by References
✓ Development of Specific Profiles: > 10 Specific Profiles for Local Entities, Cloud environments and others
11
Security Measures (I/IV)
Organizational framework (4 measures): Security policy, Security regulations, Security procedures, Authorization process.
Operational framework (33 measures): Planning (5), Access control (6), Operation (10), External resources (4), Cloud services (1), Continuity of service (4), System monitoring (3).
Protection measures (36 measures): Facilities and infrastructure (7), Staff management (4), Protection of equipment (4), Protection of communications (4), Protection of information media (5), Protection of IT applications (2), Protection of information (6), Protection of services (4).
Source: ENS Infographics
Organizational framework: measures related to the global organization of security.
Operational framework: measures to be taken to protect the operation of the system as an integral set of components serving an end.
Protection measures: focus on protecting specific assets, depending on their nature and on the quality required by the level of security of the dimensions concerned.
Proportionate to 3 categories (High, Medium, Low) and 5 security dimensions (Confidentiality [C], Integrity [I], Accountability [Acc], Authenticity [Auth], Availability [A]).
12
Security Measures (II/IV)
The security measures provided by the ENS satisfy the measures proposed by the NIS Cooperation Group (NISCG) in relation to Article 21 of the NIS2 Directive, with added value (coding, levels, reinforcements).
13
Security Measures (III/IV)
The security measures provided by the ENS satisfy the measures proposed by the NIS Cooperation Group (NISCG) in relation to Article 21 of the NIS2 Directive, with added value (coding, levels, reinforcements).
14
Security Measures (IV/IV)
Security measures, their requirements and their reinforcements are coded to facilitate both implementation and auditing.
Example:
15
Responding to specific needs
✓ Specific compliance profiles (art. 30): they include the set of security measures that, as a result of the mandatory risk analysis, are suitable for a specific security category.
✓ Profiles introduce the ability to adjust the ENS requirements to the specific needs of certain:
• Groups: Local Entities, Universities, Paying Agencies, …
• Technological areas: cloud services, …
Examples:
✓ CCN-STIC-881A Perfil de Cumplimiento Específico Universidades
✓ CCN-STIC-883A Perfil de Cumplimiento Específico Ayuntamientos pequeños (menos de 5.000 habitantes)
✓ CCN-STIC-883B Perfil de Cumplimiento Específico Ayuntamientos de menos de 20.000 habitantes
✓ CCN-STIC-883C Perfil de Cumplimiento Específico Ayuntamientos de entre 20.000 y 75.000 habitantes
✓ CCN-STIC-883D Perfil de Cumplimiento Específico Diputaciones
✓ CCN-STIC-884 Perfil de cumplimiento específico para Azure Servicio de Cloud Corporativo
✓ CCN-STIC-885 Perfil de cumplimiento específico para Office 365 Servicio de Cloud Corporativo
✓ CCN-STIC-886 Perfil de cumplimiento específico para Sistemas Cloud Privados y Comunitarios
✓ CCN-STIC-887 Perfil de cumplimiento específico para AWS Servicio de Cloud Corporativo
✓ CCN-STIC-888 Perfil de Cumplimiento Específico para Google Cloud Servicio de Cloud Corporativo
16
Response to cybersecurity incidents
Procedure and roles, in the light of experience and on the basis of the roles defined in the transposition of NIS1.
Role of the CSIRTs:
• CCN-CERT: notified by entities of the Public Sector; national coordinator.
• INCIBE-CERT: notified by entities of the Private Sector.
• ESPDEF-CERT: notified by entities in the scope of National Defence.
Role of the General Secretariat for Digital Government (SGAD): provider of common and shared services, in collaboration with the CCN-CERT.
Role of the Ministry of the Interior (Cybersecurity Coordination Office, OCC): involved when an essential operator that has been designated as a critical operator suffers an incident.
17
Procurement of security products
Use of certified products on the basis of proportionality.
Recognized role of the Catalogue of Information and Communication Technology Security Products and Services (CPSTIC): it offers a set of reference products whose security functionalities have been certified.
The instruments for central procurement refer to the ENS for the security requirements and for the means of demonstrating compliance.
e.g. Dynamic System for Procurement of System, Development and Application Software Supplies, of the State Centralized Procurement System (SDA 25). The specifications for the procurement include:
- Security requirements
- How to show compliance with the security requirements, by reference to:
  - the National Security Framework (ENS)
  - the Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) or equivalent
  - the (forthcoming) European certification schemes
18
Compliance
Those in scope should show compliance with the ENS. Public Sector entities, service providers and solution providers follow the same procedures and use the same documents.
Certification entities: accredited by ENAC in accordance with UNE-EN ISO/IEC 17065 for the certification of systems within the scope of application of the ENS.
Declaration of Compliance: applicable to Basic category information systems. Self-assessment for the declaration.
Certification of Compliance: mandatory for information systems of Medium or High category, voluntary for Basic category. Audit for certification.
Labels.
✓ It allows the unification of the criteria of certifying entities through the ENS Certification Council (CoCENS).
✓ At any time, any person or entity can consult the status of a Certification of Compliance with the ENS in a centralized portal maintained by the CCN, based on the information provided by the certification entities.
19
Monitoring - Annual Report
▪ Article 32. Security status report
▪ Security Measurement: 4.7.2 Metric System [op.mon.2]
There is a tool for collecting and consolidating data for the State of Security Report.
Main contents of the report:
- General information about organisms
- Risk management
- Organizational security information
- Economic and human resources
- Security measures of Annex II of the ENS
- Information about interconnections
- Security application (authentication methods, outsourced services, change management, continuity of services, training, awareness, …)
- Incident management (number and response times)
- Audits and certifications
Versions of the report: Global and by context.
Some figures of the 9th edition:
- 1327 bodies included in the report, +30% compared to 2021.
- Participation by type of organism, year 2022 (chart data): General State Administration 177, Regions 218, Local Bodies 877, Universities 55.
- Developments in participation, 2018 to 2022 (chart data): Included in the report 768, 898, 933, 1008, 1327; Registered in Governance 886, 1078, 1187, 1283, 1747.
20
A global approach to cybersecurity
Source: Miguel A. Amutio
Strategic context: National (ENCS 2019), European.
Dimensions: Legal framework; Governance, Cooperation, Community; Capabilities, Services, Solutions; Funding; Interaction; Evolution; Digital Government.
▪ National Cybersecurity: CNCS, FNCS
▪ Digital Government: General State, eGov Sectorial Commission, ENS - CoCENS
▪ Certified Products (Catalogue CPSTIC)
▪ + Funding
21
Cooperation, Governance, Community
General State Administration: Gobernanza y Cooperación TIC; Working Groups (… ENS, COCS)
Public Administrations: Sectorial Commission for eGovernment; Working Groups (… WG Security)
CIO (SGAD)
Council for the Certification of ENS:
- Established: 2018
- Presidency: CCN
- Members: SGAD, ENAC, accredited certifiers of the ENS
- Mission: implementation of the certification of compliance with the ENS
+ Community
23
Capacities, services and solutions
✓ COCS provides horizontal SOC cybersecurity services. It facilitates compliance with the ENS. More than 100 entities are within its scope (General State Administration).
✓ Catalogue of solutions provided by the CCN-CERT: audit, detection, SIEM, CTI exchange, … They facilitate the implementation of the ENS.
✓ National Network of SOCs: collaboration and exchange of information between the SOCs of the Spanish public sector. 141 Members: 89 public entities and 52 providers (31 Gold, 21 Informed).
✓ Promotion of cybersecurity capacities in regional governments and local entities.
24
European Cross-border Platform for the Exchange of Cyberintelligence Information
✓ EU funding: DIGITAL, Cybersecurity Work Programme
✓ Cross-border platforms for pooling data on cybersecurity threats between several Member States
✓ Call for Expression of Interest to select entities in Member States and other eligible countries willing to deploy and manage cross-border SOC platforms
ENSOC Architecture
26
Funding
Agreement of the Council of Ministers on Urgent Measures on Cybersecurity (25.05.2021): Line 2, Action 5, Measure 9.
Timeline: April 2019, July 2020, January 2021, May 2021, October 2021.
Funding from Next Generation EU through the Plan for Recovery, Transformation and Resilience:
✓ Cybersecurity Operations Center of the General State Administration (COCS)
✓ Solutions provided by the CCN-CERT required by the COCS
✓ Improvement of the implementation of the ENS in the General State Administration
✓ Cybersecurity capacities in other Public Administrations, Regional Governments and, particularly, Local Entities, as well as improvement of the implementation of the ENS
✓ Other investments in cybersecurity
27
EU Cybersecurity Context
Legal Framework (not exhaustive):
• Regulation 910/2014 eIDAS
• Regulation 2016/679 GDPR
• Regulation 2019/881 Cybersecurity Act
• Regulation 2021/887 ECCC
• Directive 2016/1148 NIS
• Regulation 2018/1724 Single Digital Gateway
• Regulation 2022/2554 DORA
• Directive 2022/2555 NIS2
• Directive 2022/2557 resilience of critical entities (CER)
• Regulation 2022/868 Data Governance Act
• Council Conclusions on security of the Supply Chain
• EU Policy on Cyber Defence
• Adequacy Decision EU-US Data Privacy Framework
• Proposal Regulation Artificial Intelligence
• Proposal Regulation Data Act
• Proposal Regulation Interoperable Europe
• Proposal Cyber Resilience Act (CRA)
• Proposal Regulation eIDAS2
• Proposal Regulation on Cybersecurity of EU Institutions
• Proposal Regulation on information security of EU Institutions
• Proposals European Certification Schemes (EUCC, EUCS)
• Proposal Cyber Solidarity Act
• Proposal modification of the Cybersecurity Act
Cooperation, Governance, Community:
• Multi Stakeholder Platform for ICT Standards
• CIO Network
• Expert Group on Interoperability
• SDG Coordination Group
• European Blockchain Services Infrastructure
• eIDAS Expert Group
• …
• European Cybersecurity Competence Centre (ECCC)
• Network of NCCs
• NIS Cooperation Group
• CyCLONe (European Cyber Crises Liaison Organisation Network)
• Joint Cyber Unit (Cooperation of Cybersecurity Communities)
• International Cooperation on Cybersecurity standards and specifications
• Cooperation with third countries, …
Operational capacities, Services, Solutions:
• Trans-European TESTA Network
• CEF Building Blocks, …
• ENISA
• CERT-EU (for EUIBAs)
• CSIRT Network, …
Funding:
• Next Generation EU
• Digital Europe Programme - Cybersecurity
• Horizon Europe
• Other instruments for funding
Approach: ▪ Alignment ▪ Transposition ▪ Implementation ▪ Participation ▪ Contribution to factsheets, etc.
28
Public Administrations in the scope of NIS2
The ENS positions Spain favourably for an agile implementation of the transposition of the NIS2 Directive.
Enlarged scope: Public Administration (General State; Regional Governments; Local Entities, to be determined).
Main obligations for entities in the scope:
Measures for risk management:
• Security policies
• Incident management (prevention, detection and response)
• Continuity of activities
• Supply chain security
• Security in the acquisition, development and maintenance of networks and systems
• Policies and procedures to evaluate the effectiveness of measures
• Basic cyber hygiene practices and cybersecurity training
• Policies and procedures relating to cryptography and encryption
• Human resources security, …
Supply chain:
• Specific vulnerabilities of suppliers and service providers
29
Conclusions
✓ The ENS provides basic principles and security requirements; proportionality through categorization; updated security measures; flexibility mechanisms through specific profiles; accreditation and compliance mechanisms through a certification scheme with ENAC; monitoring through the Annual Report on the state of security; and more than 100 support guides and a collection of support tools provided by the CCN-CERT.
✓ Applicable to the whole public sector, to systems that handle classified information, and to providers of solutions and services.
✓ Global approach that engages the legal framework; governance, cooperation and community; capacities, solutions and services; and funding.
✓ Aligned with the cybersecurity context, tailored to digital government (including aspects not treated in standards) while coherent with international standards.
✓ It is flexible and, at the same time, enables the harmonization of criteria. Continuously tuned to the evolution of threats to information systems. The ENS satisfies the measures proposed by the NISCG for Article 21.
✓ 13 years of experience.
✓ A sound basis for the implementation of NIS2 in Spain.
31
Many thanks
29th Plenary Meeting of the NIS Cooperation Group
29th November 2023