
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector


Cloud Security Alliance EMEA Congress: Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector


Slide 1. Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Miguel A. Amutio, Secretaría General de Administración Digital, Ministerio de Hacienda y Función Pública
Cloud Security Alliance EMEA Congress, Madrid, 16 November 2016

Slide 2. Contents
• Why and what is the National Security Framework (NSF-ENS)
• Compliance with the NSF-ENS
• Challenges and conclusions

Slide 3. 1. Why and what is the National Security Framework

Slide 4. Digital public services
The new administrative laws (39/2015 and 40/2015) foresee a paperless Administration, working fully by electronic means. Digital public services in Spain are delivered in a complex scenario, with the corresponding risks.

Slide 5. Why the NSF-ENS
• Create the necessary conditions of trust, through measures that ensure IT security for the exercise of rights and the fulfilment of duties via electronic access to public services.
• Promote the continuous management of security, regardless of the impulses of the moment.
• Promote prevention, detection and correction.
• Promote a common approach to security that enables cooperation in delivering eGovernment services.
The NSF complements the National Interoperability Framework.
National Security Framework (NSF) = Esquema Nacional de Seguridad (ENS).

Slide 6. The National Security Framework
• It is a legal text (Royal Decree 3/2010).
• It establishes the security policy for the use of ICT by the Public Sector, and must be followed by the Public Sector in Spain.
• It is developed through 'technical security instructions'.
• It is a key element of the National Cybersecurity Strategy.

Slide 7. NSF-ENS, main elements
• Basic principles to be taken into account in decisions about security.
• Minimum requirements that allow adequate protection of information.
• Categorization of systems and risk management, so that security measures are proportionate to the information and services to be protected and to the risks to which they are exposed.
• Security audit to verify compliance with the NSF.
• Response to security incidents (CERT).
• Use of certified security products, to be considered in procurement.
• Awareness and training.
All entities of the Public Sector will have a formally adopted security policy, based on the basic principles and minimum requirements.

Slide 8. Security measures
• Organizational framework: security policy, security regulations, security procedures, authorization process.
• Operational framework: planning, access control, operation, external services, continuity, monitoring.
• Asset protection measures: facilities, personnel, equipment, communications, media, software, information, services.
Plus the use of common infrastructures and services, and the security guidelines provided by the CCN.

Slide 9. Using cloud, public entities should (as SP 800-144 says):
• Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
• When deploying:
  – Understand the public cloud computing environment offered by the cloud provider, so as to assess and manage risk accurately.
  – Ensure that the cloud computing solution satisfies organizational security and privacy requirements.
  – Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
• Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Slide 10. Consideration of who does what
When cloud services are used, the following measures deserve special attention:
• [org.4] Authorization process
• [op.acc.4] Access rights management process
• [op.exp.7] Incident management
• [op.exp.11] Protection of cryptographic keys
• [op.ext] External services
Measures that should not be transferred to the CSP (the public entity keeps them, coordinating with the CSP where indicated):
• Categorization of the system (Annex I)
• Security policy [org.1]
• Security regulations [org.2]
• Risk analysis [op.pl.1] (coordinate)
• Authorization process [org.4] (coordinate)
• Daily management [op.ext.2] (coordinate)
• Incident management [op.exp.7] (coordinate)
• Protection of customer equipment [mp.eq]
Activities that the CSP probably should not carry out:
• Electronic signature [mp.info.4]
• Time stamps [mp.info.5]
• User identification [op.acc.1]
• Access requirements [op.acc.2]
• Management of access rights [op.acc.4]
• Authentication mechanism [op.acc.5]
• User activity log [op.exp.5]
• Protection of activity records [op.exp.10]
• Protection of cryptographic keys [op.exp.11]
Slide 11. Cloud services and the NSF-ENS (contents of the CCN guidance on cloud services)
2 Security requirements
  2.1 Roles and functions
  2.2 Categorization (ENS, Annex I)
    2.2.1 Communities
  2.3 Recommendations
  2.4 Protection measures (ENS, Annex II)
  2.5 Additional restrictions
3 Requirements derived from data protection
4 Internal regulations
5 Procurement
  5.1 Description of the service
  5.2 Subcontracting
  5.3 Protection of information
  5.4 Service level agreements
  5.5 Access to the service
  5.6 Geographical constraints
  5.7 Responsibilities and obligations
  5.8 Activity logging
  5.9 Termination of the service
6 Operation
  6.1 Operating security procedures
  6.2 Follow-up of the service
  6.3 Change management
  6.4 Incident management
  6.5 Backup and recovery of data
  6.6 Continuity of the service
  6.7 Termination
7 Supervision and audit
Annex A. ENS compliance

Slide 12. NSF-ENS, ISO 27000 and CCM
Annex A contains the controls of ISO/IEC 27002 and of the Cloud Controls Matrix (CCM), together with their correspondence to the ENS requirements.

Slide 13. 2. Compliance with the National Security Framework
(Image source: NASA)

Slide 14. Audit, reporting and compliance: interested actors
(diagram)

Slide 15. Compliance with the NSF-ENS
Technical Security Instruction on Compliance with the National Security Framework, index:
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework for BASIC category systems, and its publicity.
V. Certification of Compliance with the National Security Framework for MEDIUM or HIGH category systems, and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Contents of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.

Slide 16. Requirements for providers
Providers are often engaged in the provision of solutions or services (for example, cloud services) for systems within the scope of the NSF. Such solutions or services should comply with the requirements of the NSF-ENS and hold the corresponding Declaration or Certification of Compliance:
• Declaration of Compliance with the NSF-ENS (category BASIC).
• Certification of Compliance with the NSF-ENS (mandatory for categories MEDIUM or HIGH, voluntary for category BASIC).
Providers follow the same procedures as the Public Sector.

Slide 17. Requirements for certifiers
Accreditation by ENAC according to UNE-EN ISO/IEC 17065:2012 for the certification of systems within the scope of the ENS. Certifiers that do NOT yet hold the accreditation:
1. Request accreditation from ENAC.
2. Inform the CCN that the request has been accepted.
3. May begin certification activities on a temporary basis, with 12 months to obtain the accreditation.
Slide 18. 3. Challenges and conclusions

Slide 19. Challenges and conclusions
The National Security Framework (NSF-ENS):
• Promotes a common approach to cybersecurity in the Public Sector of Spain, adapted to its requirements.
• Independent audits are the basis for the Security Report and for compliance with the NSF-ENS.
Compliance with the NSF-ENS applies to:
• Entities of the Public Sector.
• Providers of solutions and services (e.g. cloud services) engaged in systems within the scope of the NSF-ENS.
Public entities should understand the security issues of the cloud computing environment and ensure that their security requirements are met.
Under development: specific compliance requirements to certify cloud service providers for systems falling under the ENS.

Slide 20. Challenges and conclusions
Challenges:
• Progress in the cybersecurity of Public Sector entities.
• Improve the implementation of the security measures.
• Extend the implementation of the NSF-ENS to all kinds of information systems of the Public Sector in Spain.
• Extend the use of the common services offered by the General State Administration.
• Promote compliance with the NSF-ENS.

Slide 21. More information

Slide 22. The Public Sector in Spain
(diagram) The Public Sector under Law 40/2015 and Law 39/2015: General State Administration, Autonomous Communities and Local Entities, together with the Institutional Public Sector linked to or dependent on them: Public Entities and Public Law Entities, Entities of Private Law (with administrative powers), Public Universities and Public Law Corporations.

Slide 24. CCN-CERT guidelines and tools

Slide 26. eGovernment and security

Slide 28. Many thanks
• E-mail addresses:
  – ens@ccn-cert.cni.es
  – ens.minhap@correo.gob.es
  – ccn@cni.es
  – sondas@ccn-cert.cni.es
  – redsara@ccn-cert.cni.es
  – organismo.certificacion@cni.es
• Web pages:
  – administracionelectronica.gob.es
  – www.ccn-cert.cni.es
  – www.ccn.cni.es
  – www.oc.ccn.cni.es

Speaker notes

  • The use of cloud services has been expanding in public sector organizations too. Adopting these services creates new risks that must be managed according to the requirements of personal data regulations and to the security requirements for the Spanish Public Administration established in the "Esquema Nacional de Seguridad" (ENS). In this way public sector organizations ensure the protection of the information they handle and the services they provide. The very nature of cloud services calls for specific guidance to help meet those security requirements. Compliance with the ENS is required for Spanish public sector entities, and should be considered by private sector organizations that provide technology solutions or services to public entities through cloud services.
  • Provide a common language and common elements of security:
    to guide Public Administrations in the implementation of ICT security,
    to facilitate interaction between Public Administrations, and
    to communicate security requirements to the industry.

  • The provider may hold security certifications or accreditations. These certifications can simplify the full audit of the service provided, as evidence of compliance to be assessed by the audit team. For example:

     Audits recommended by ENISA for cloud service providers [ENISA-CCSL]

     Information Security Management System (ISMS) [ISO/IEC 27001:2013]

     Business Continuity Management System [ISO 22301:2012]

     Cloud Controls Matrix [CCM]

    Annex A contains the controls of ISO/IEC 27002 and the CCM, together with their correspondence to the ENS requirements. Future versions of this guide are expected to incorporate other security profiles that have well-defined, de facto international support.
  • SOLUTIONS AND SERVICES PROVIDED BY THE PRIVATE SECTOR
    Private sector organizations are often involved in providing technological solutions or services to public entities (for example, through cloud services).
    When private sector organizations provide services or solutions to public entities that are required to comply with the ENS, they must be able to exhibit the corresponding Declaration of Conformity with the ENS (for BASIC category systems) or Certification of Conformity with the ENS (mandatory for MEDIA or ALTA category systems, i.e. MEDIUM or HIGH, and voluntary for BASIC category systems), using the same procedures as those required for public entities.
    It is the responsibility of the contracting public entities to notify the private sector operators involved in providing technological solutions or services of the obligation that such solutions or services conform to the provisions of the ENS and hold the corresponding Declarations or Certifications of Conformity, as indicated in this guide.
    When solutions or services subject to ENS compliance are provided by private sector organizations, they shall use the same document templates for Declarations, Certifications or Compliance Badges contained in this guide, replacing the references to public entities with those corresponding to the private entities. Likewise, the Conformity Badges, when displayed by such private operators, must link to the corresponding Declarations or Certifications of Conformity, which must always be accessible on the website of the economic operator in question.
    In addition to the National Cryptologic Centre, public entities that use solutions or services provided by private sector organizations exhibiting a Declaration or Certification of Conformity with the ENS may at any time request from those operators the corresponding Self-Assessment or Audit Reports, in order to verify the appropriateness and adequacy of those statements.
  • Private sector organizations provide solutions or services to public entities (for example, through cloud services).

    Private sector providers should be able to exhibit the corresponding:
    Declaration of Compliance with the ENS-NSF (for BASIC category systems),
    or Certification of Conformity with the ENS-NSF (mandatory for MEDIA or ALTA category systems, i.e. MEDIUM or HIGH, and voluntary for BASIC category systems), using the same procedures as those required for public entities.

    It is the responsibility of the contracting public entities to notify providers of solutions or services of the obligation that such solutions or services conform to the provisions of the ENS-NSF and hold the corresponding Declarations or Certifications of Compliance.
