Cloud Security Alliance EMEA Congress
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Text of the presentation by Miguel A. Amutio
Good morning, Ladies and Gentlemen,
I appreciate very much the invitation to speak here today in this CSA EMEA Congress.
My talk is about “Using cloud services: compliance with the Security Requirements
of the Spanish Public Sector.”
You might be aware that in Spain we are promoting the protection, the cybersecurity of
information and services managed by entities of the Spanish Public Sector by means of
the National Security Framework, in place since the beginning of 2010.
Since the use of cloud services is also expanding across the public sector, we have seen
the need:
• To provide specific guidance to meet the requirements of the NSF
• And to deploy a compliance approach to be applied by Spanish entities of the public
sector, and also by providers of solutions or services through cloud computing.
So, in this presentation we will see:
First of all, Why and What is the National Security Framework (NSF- ENS)
Then, Compliance with the NSF-ENS
And finally, Challenges and conclusions
1. Why and What is the National Security Framework (NSF-ENS)
Digital public services
Look, the public sector in Spain has a considerable size: the General State
Administration, 17 regional governments and 2 autonomous cities, plus over 8,000
municipalities, public universities and other entities under public law. As you can imagine
the scenario is quite complex.
Our country has committed to the development of eGovernment services. In fact the
trend is the digital transformation of our Administration. For instance, the new
administrative laws (39/2015 and 40/2015) foresee a paperless Administration on the
basis of working fully with electronic means.
And in any case, there is a need for a comprehensive framework to address
security.
Why the National Security Framework
The National Security Framework has been designed to ensure an overall approach
to information security throughout the public sector; both coherent and efficient, by
identifying synergies and eliminating duplication of work.
The NSF addresses the following objectives or needs, as you prefer:
To create the necessary conditions of trust, through measures to ensure IT
security for the exercise of rights and the fulfillment of duties through the electronic
access to public services.
To promote the continuous management of security, regardless of the impulses
of the moment or lack thereof.
To promote best practices for prevention, detection and reaction.
To provide common concepts and elements of security. This common approach is
helpful:
o to provide guidance to Public Administrations in the implementation of ICT
security,
o to enable cooperation to deliver eGovernment services
o and to facilitate the interaction between Public Administrations. The
NSF complements the National Interoperability Framework.
To facilitate the communication of security requirements to the Industry. Surely, it is
easy to imagine what this means in terms of calls for tenders, technical specifications and
predictable offers. The Industry finds all Public Administrations speaking the same language.
The NSF - Royal Decree 3/2010
How do we produce a positive change towards security? How do we make impact?
Through the legal framework.
The Spanish NSF is implemented through a legal text, a regulation, the Royal Decree
3/2010, which develops the provisions about security foreseen in the Legal framework of the
public sector.
The NSF establishes the security policy for eGovernment services. It consists of the
basic principles and minimum requirements to enable adequate protection of information, to be
followed by the Public Sector.
The National Security Framework introduces common security elements applicable to
the whole public sector in Spain.
It is also a key element of the National Cybersecurity Strategy.
This National Security Framework, as well as the National Interoperability Framework, is
the result of a collective effort of all public administrations and also of the Industry
through their main associations, under the leadership of the team formed by the Ministry of
Finance and Public Function and the National Cryptologic Center.
The main elements of the NSF
Public Administrations will have a security policy on the basis of the basic principles and
minimum requirements.
Which are the main elements of the NSF?
The basic principles to be taken into account in decisions about security.
The minimum requirements which allow an adequate protection of information.
How to satisfy the basic principles and minimum requirements by means of the
adoption of proportionate security measures according to information and
services to be protected and to the risks to which they are exposed.
Security audits.
Response to security incidents (CERT).
Security certified products, to be considered in procurement.
Awareness and training.
Security measures
Let's see an overview of the security measures in the NSF.
There is a reference in the NSF to security measures. There are three general
classes of security measures:
Organizational: measures related to global security.
Operational: the measures to protect the system's operation as a comprehensive
set of components.
Asset protection: measures to protect specific assets (facilities, personnel,
equipment, communications, information media, applications, information, services),
according to their nature and requirements.
The NSF tells the WHAT, but there is freedom on HOW to implement them.
Using Cloud, Public entities should …
Public entities should, as SP 800-144 says:
“Carefully plan the security and privacy aspects of cloud computing solutions before
engaging them.
Understand the public cloud computing environment offered by the cloud provider ->
assess and manage risk accurately
Ensure that a cloud computing solution satisfies organizational security and privacy
requirements.
Ensure that the client-side computing environment meets organizational security
and privacy requirements for cloud computing.
Maintain accountability over the privacy and security of data and applications
implemented and deployed in public cloud computing environments.”
Consideration of Who does What
In relation to the implementation of the security measures ‘Who does What’ requires
careful consideration; some measures should remain on the side of the public entity; other
measures could be carried out by the provider, other ones would require a detailed
analysis to decide who does them:
In case of use of cloud services, the following measures deserve special attention:
[Org.4] Authorization process
[Op.acc.4] Access rights management process
[Op.exp.7] Incident management
[Op.exp.11] Cryptographic Key Protection
[Op.ext] External services
There are measures that should not be transferred to the CSP:
Categorization of the system (Annex I)
Security policy [org.1]
Security policy [org.2]
Risk analysis [op.pl.1] (coordinate)
Authorization process [org.4] (to coordinate)
Daily management [op.ext.2] (coordinate)
Incident management [op.exp.7] (coordinate)
Protection of customer equipment [mp.eq.]
Activities that probably the CSP should not carry out:
Electronic signature [mp.info.4]
Time stamps [mp.info.5]
User identification [op.acc.1]
Access requirements [op.acc.2]
Management of access rights [op.acc.4]
Authentication mechanism [op.acc.5]
User activity log [op.exp.5]
Protection of activity records [op.exp.10]
Protection of cryptographic keys [op.exp.11]
Metric system [op.mon.2] (coordinate)
Cloud services and the NSF
For all these reasons, we are offering guidance about the use of cloud services and
security through a guide (CCN-STIC 823) with the following contents. This guide is under
revision at this moment.
2 SECURITY REQUIREMENTS
2.1 ROLES AND FUNCTIONS
2.2 CATEGORIZATION (ENS - ANNEX I)
2.2.1 COMMUNITIES
2.3 RECOMMENDATIONS
2.4 PROTECTION MEASURES (ENS - ANNEX II)
2.5 ADDITIONAL RESTRICTIONS
3 REQUIREMENTS DERIVED FROM DATA PROTECTION
4 INTERNAL REGULATIONS
5 PROCUREMENT
5.1 DESCRIPTION OF SERVICE
5.2 SUBCONTRACTING
5.3 PROTECTION OF INFORMATION
5.4 SERVICE LEVEL AGREEMENTS
5.5 ACCESS TO SERVICE
5.6 GEOGRAPHICAL CONDITIONERS
5.7 RESPONSIBILITIES AND OBLIGATIONS
5.8 REGISTRATION OF ACTIVITY
5.9 TERMINATION OF SERVICE
6 OPERATION
6.1 OPERATION PROCEDURES
6.2 FOLLOW-UP OF THE SERVICE OPERATING SECURITY
6.3 CHANGE MANAGEMENT
6.4 INCIDENT MANAGEMENT
6.5 BACKUP AND RECOVERY OF DATA
6.6 CONTINUITY OF THE SERVICE
6.7 TERMINATION
7 SUPERVISION AND AUDIT
ANNEX A. ENS COMPLIANCE
NSF, 27000 and CCM
The supplier/provider may have security certifications or accreditations. These
certifications can simplify the complete audit of the service rendered, in its condition of
evidences of compliance to be valued by the audit team. For example:
Recommended audits by ENISA for service providers in the cloud [ENISA-CCSL]
Information Security Management System (ISMS) [ISO / IEC 27001: 2013]
Continuity Management System [ISO 22301: 2012]
Cloud Controls Matrix [CCM]
Annex A of Guide CCN-STIC 823 contains the controls of ISO 27002 and the CCM
matrix, together with their correspondence to meet the requirements of the NSF.
This table shows the gaps with the NSF.
2. Compliance with the National Security Framework
Audit, reporting and compliance
Who are the interested actors?
Compliance with NSF
The NSF can be developed through ‘Technical Security Instructions’ to address some
specific issues.
To meet this demand, a ‘Technical Security Instruction’ has recently been published
in the official gazette:
TECHNICAL SECURITY INSTRUCTION - COMPLIANCE WITH THE NATIONAL
SECURITY FRAMEWORK
INDEX
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC category
systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems of
category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.
Requirements for providers
Private sector organizations are often engaged in the provision of solutions or
services to public entities (through, for example, cloud services) within systems subject
to the obligations of the NSF.
Solutions or services should comply with the provisions of the NSF-ENS and have the
corresponding Declarations or Certifications of Compliance.
In this case, providers should be able to show:
A Declaration of Compliance with the NSF-ENS (in the case of BASIC category
systems)
or a Certification of Compliance with the NSF-ENS (mandatory, in the case of MEDIUM
or HIGH category systems, and of voluntary application in the case of BASIC category
systems), using the same procedures as those required for public entities.
It is the responsibility of contracting public entities to notify providers of solutions or of
services, the obligation that such solutions or services should comply with the provisions of
the ENS-NSF and have the corresponding Declarations or Certifications of Compliance.
When the provision of solutions or services subject to compliance with the ENS is carried
out by private sector organizations, they should use the same documentary models
used for Declarations, Certifications or Compliance Badges contained in this guide,
replacing the references to the public entities by the ones corresponding to the private
entities.
Likewise, the Compliance Badges, when displayed by such private operators, should link
to the corresponding Declarations or Certifications of Compliance, which will always be
accessible on the website of the economic operator in question.
In addition to the National Cryptological Center, public entities that use solutions or
services provided or rendered by private sector organizations that exhibit a Declaration or
Certification of Compliance with the ENS may at any time request from such operators
the corresponding Self-Assessment or Audit Reports, in order to verify the
appropriateness and adequacy of the aforementioned manifestations.
Requirements for certifiers
The main requirement for certifiers of compliance with the NSF-ENS is the
accreditation by ENAC according to UNE-EN ISO / IEC 17065: 2012 (Conformity
assessment — Requirements for bodies certifying products, processes and services), for
the certification of systems within the scope of ENS.
In case of NOT having the accreditation:
• They will request accreditation from the ENAC.
• They will inform the CCN of the acceptance of the request.
• They can begin their certification activities on a temporary basis, having 12 months
to obtain it.
The CCN maintains a list of Certification Entities, accredited or in the process of being
accredited.
Exempt are those entities, organs, agencies and units of the Public Administrations whose
competencies correspond to the development of IS audits as recorded in their creation
regulations or structure decrees.
Challenges and Conclusions
The National Security Framework (NSF-ENS):
Promotes a common approach to cybersecurity in the public sector of Spain,
adapted to its requirements.
Independent audits are the basis for the Security Report and for the compliance
with the NSF-ENS.
Compliance with the NSF-ENS is applicable to:
Entities of the Public Sector
Providers of solutions and services (e.g. Cloud services) engaged in systems under
the scope of the NSF-ENS.
Public entities should have an understanding of security issues in the cloud
computing environment and ensure security requirements.
Under development: specific compliance requirements to certify cloud service
providers for systems falling under ENS.
Challenges:
Progress in cybersecurity of entities of the Public Sector.
Improve the implementation of the security measures.
Extend the implementation of the NSF-ENS to all kinds of information systems of the
Public Sector in Spain.
Extend the use of common services offered by the General State Administration.
Improve the compliance with the NSF-ENS.
To know more about IT security in Spain
Well, for more information about IT security and Spain:
The NSF is available in English.
The eGovernment factsheet of Spain published by the European Commission
in JOINUP.
And the websites of the CCN, the Certification Body, ENAC and the eGovernment
Portal provide more information.
Thank you very much for your attention
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector

1. Why and What is the National Security Framework (NSF-ENS)

Digital public services

Look, the public sector in Spain has a considerable size: the General State Administration, 17 regional governments and 2 autonomous cities, plus over 8,000 municipalities, public universities and other entities under public law. As you can imagine the scenario is quite complex.

Our country has committed to the development of eGovernment services. In fact the trend is the digital transformation of our Administration. For instance, the new administrative laws (39/2015 and 40/2015) foresee a paperless Administration on the basis of working fully with electronic means.

And in any case, there is a need for a comprehensive framework to address security.

Why the National Security Framework

The National Security Framework has been designed to ensure an overall approach to information security throughout the public sector; both coherent and efficient, by identifying synergies and eliminating duplication of work.

The NSF addresses the following objectives or needs, as you prefer:
• To create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfillment of duties through the electronic access to public services.
• To promote the continuous management of security, regardless of the impulses of the moment or lack thereof.
• To promote best practices for prevention, detection and reaction.
• To provide common concepts and elements of security. This common approach is helpful:
  o to provide guidance to Public Administrations in the implementation of ICT security,
  o to enable cooperation to deliver eGovernment services
  o and to facilitate the interaction between Public Administrations. The NSF complements the National Interoperability Framework.
• To facilitate the communication of security requirements to the
Industry. Surely, it is easy to imagine what this means in terms of calls for tenders, technical specifications, predictive offer. The Industry finds all Public Administrations speaking the same language.

The NSF - Royal Decree 3/2010

How do we produce a positive change towards security? How do we make impact? Through the legal framework.

The Spanish NSF is implemented through a legal text, a regulation, the Royal Decree 3/2010, which develops the provisions about security foreseen in the Legal framework of the public sector.

The NSF establishes the security policy for eGovernment services. It consists of the basic principles and minimum requirements to enable adequate protection of information, to be followed by the Public Sector.

The National Security Framework introduces common security elements applicable to the whole public sector in Spain. It is also a key element of the National Cybersecurity Strategy.

This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of the Industry through their main associations, under the leadership of the team formed by the Ministry of Finance and Public Function and the National Cryptologic Center.

The main elements of the NSF

Public Administrations will have a security policy on the basis of the basic principles and minimum requirements. Which are the main elements of the NSF?
• The basic principles to be taken into account in decisions about security.
• The minimum requirements which allow an adequate protection of information.
• How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures according to information and services to be protected and to the risks to which they are exposed.
• Security audits.
• Response to security incidents (CERT).
• Security certified products, to be considered in procurement.
• Awareness and training.
Security measures

Let's see an overview of the security measures in the NSF. There is a reference in the NSF to security measures. There are three general classes of security measures:
• Organizational: measures related to global security.
• Operational: the measures to protect the system's operation as a comprehensive set of components.
• Asset protection: measures to protect specific assets (facilities, personnel, equipment, communications, information media, applications, information, services), according to their nature and requirements.

The NSF tells the WHAT, but there is freedom on HOW to implement them.

Using Cloud, Public entities should …

Public entities should, as SP 800-144 says:
“Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
Understand the public cloud computing environment offered by the cloud provider -> assess and manage risk accurately
Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.”

Consideration of Who does What

In relation to the implementation of the security measures, ‘Who does What’ requires careful consideration: some measures should remain on the side of the public entity; other measures could be carried out by the provider; other ones would require a detailed analysis to decide who does them:
In case of use of cloud services, the following measures deserve special attention:
[Org.4] Authorization process
[Op.acc.4] Access rights management process
[Op.exp.7] Incident management
[Op.exp.11] Cryptographic Key Protection
[Op.ext] External services

There are measures that should not be transferred to the CSP:
Categorization of the system (Annex I)
Security policy [org.1]
Security policy [org.2]
Risk analysis [op.pl.1] (coordinate)
Authorization process [org.4] (to coordinate)
Daily management [op.ext.2] (coordinate)
Incident management [op.exp.7] (coordinate)
Protection of customer equipment [mp.eq.]

Activities that probably the CSP should not carry out:
Electronic signature [mp.info.4]
Time stamps [mp.info.5]
User identification [op.acc.1]
Access requirements [op.acc.2]
Management of access rights [op.acc.4]
Authentication mechanism [op.acc.5]
User activity log [op.exp.5]
Protection of activity records [op.exp.10]
Protection of cryptographic keys [op.exp.11]
Metric system [op.mon.2] (coordinate)

Cloud services and the NSF

For all these reasons, we are offering guidance about the use of cloud services and security through a guide (CCN-STIC 823) with the following contents. This guide is under revision at this moment.

2 SECURITY REQUIREMENTS
2.1 ROLES AND FUNCTIONS
2.2 CATEGORIZATION (ENS - ANNEX I)
2.2.1 COMMUNITIES
2.3 RECOMMENDATIONS
2.4 PROTECTION MEASURES (ENS - ANNEX II)
2.5 ADDITIONAL RESTRICTIONS
3 REQUIREMENTS DERIVED FROM DATA PROTECTION
4 INTERNAL REGULATIONS
5 PROCUREMENT
5.1 DESCRIPTION OF SERVICE
5.2 SUBCONTRACTING
5.3 PROTECTION OF INFORMATION
5.4 SERVICE LEVEL AGREEMENTS
5.5 ACCESS TO SERVICE
5.6 GEOGRAPHICAL CONDITIONERS
5.7 RESPONSIBILITIES AND OBLIGATIONS
5.8 REGISTRATION OF ACTIVITY
5.9 TERMINATION OF SERVICE
6 OPERATION
6.1 OPERATION PROCEDURES
6.2 FOLLOW-UP OF THE SECURITY
6.3 CHANGE MANAGEMENT
6.4 INCIDENT MANAGEMENT
6.5 BACKUP AND RECOVERY OF DATA
6.6 CONTINUITY OF THE SERVICE
6.7 TERMINATION OF THE SERVICE
7 SUPERVISION AND AUDIT
ANNEX A. ENS COMPLIANCE

NSF, 27000 and CCM

The supplier/provider may have security certifications or accreditations. These certifications can simplify the complete audit of the service rendered, in its condition of evidences of compliance to be valued by the audit team. For example:
• Recommended audits by ENISA for service providers in the cloud [ENISA-CCSL]
• Information Security Management System (ISMS) [ISO / IEC 27001: 2013]
• Continuity Management System [ISO 22301: 2012]
• Cloud Controls Matrix [CCM]

Annex A of Guide CCN-STIC 823 contains the controls of ISO 27002 and the CCM matrix, together with their correspondence to meet the requirements of the NSF. This table shows the gaps with the NSF.

2. Compliance with the National Security Framework

Audit, reporting and compliance

Who are the interested actors?
Compliance with NSF

The NSF can be developed through ‘Technical Security Instructions’ to address some specific issues. In order to satisfy the demand, a ‘Technical Security Instruction’ has been published recently in the official gazette:

TECHNICAL SECURITY INSTRUCTION - COMPLIANCE WITH THE NATIONAL SECURITY FRAMEWORK
INDEX
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC category systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems of category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.

Requirements for providers

Private sector organizations are often engaged in the provision of solutions or services to public entities (through, for example, cloud services) within systems subject to the obligations of the NSF. Solutions or services should comply with the provisions of the NSF-ENS and have the corresponding Declarations or Certifications of Compliance.

In this case, providers should be able to show: a Declaration of Compliance with the NSF-ENS (in the case of BASIC category systems) or a Certification of Compliance with the NSF-ENS (mandatory in the case of MEDIUM or HIGH category systems, and of voluntary application in the case of BASIC category systems), using the same procedures as those required for public entities.

It is the responsibility of contracting public entities to notify providers of solutions or of services of the obligation that such solutions or services should comply with the provisions of the ENS-NSF and have the corresponding Declarations or Certifications of Compliance.

When the provision of solutions or services subject to compliance with the ENS is carried out by private sector organizations, they should use the same documentary models
used for Declarations, Certifications or Compliance Badges contained in this guide, replacing the references to the public entities by the ones corresponding to the private entities.

Likewise, the Compliance Badges, when displayed by such private operators, should link to the corresponding Declarations or Certifications of Compliance, which will always be accessible on the website of the economic operator in question.

In addition to the National Cryptological Center, public entities that use solutions or services provided or rendered by private sector organizations that exhibit a Declaration or Certification of Compliance with the ENS may at any time request from such operators the corresponding Self-Assessment or Audit Reports, in order to verify the appropriateness and adequacy of the aforementioned manifestations.

Requirements for certifiers

The main requirement for certifiers of compliance with the NSF-ENS is the accreditation by ENAC according to UNE-EN ISO / IEC 17065: 2012 (Conformity assessment — Requirements for bodies certifying products, processes and services), for the certification of systems within the scope of ENS.

In case of NOT having the accreditation:
• They will request accreditation to the ENAC.
• They will inform of the acceptance of the request to the CCN.
• They can begin their certification activities on a temporary basis, having 12 months to obtain it.

The CCN maintains a list of Certification Entities, accredited or in the process of being accredited.

Exempt are those entities, organs, agencies and units of the Public Administrations whose competencies correspond to the development of IS audits as recorded in their creation regulations or structure decrees.

Challenges and Conclusions

The National Security Framework (NSF-ENS):
• Promotes a common approach to cybersecurity in the public sector of Spain, adapted to its requirements.
• Independent audits are the basis for the Security Report and for the compliance with the NSF-ENS.
• Compliance with the NSF-ENS is applicable to:
  o Entities of the Public Sector
  o Providers of solutions and services (e.g. Cloud services) engaged in systems under the scope of the NSF-ENS.
• Public entities should have an understanding of security issues in the cloud computing environment and ensure security requirements.
• Under development: specific compliance requirements to certify cloud service providers for systems falling under ENS.

Challenges:
• Progress in cybersecurity of entities of the Public Sector.
• Improve the implementation of the security measures.
• Extend the implementation of the NSF-ENS to all kinds of information systems of the Public Sector in Spain.
• Extend the use of common services offered by the General State Administration.
• Improve the compliance with the NSF-ENS.

To know more about IT security in Spain

Well, for more information about IT security and Spain:
• The NSF is available in English.
• The eGovernment factsheet of Spain published by the European Commission in JOINUP.
• And the websites of the CCN, the Certification Body, ENAC and the eGovernment Portal provide more information.

Thank you very much for your attention