the accesskey _ mod _ content

Introduction

Digital transformation of the public Sector must be accompanied by organizational and technical measures of security to protect the information managed and services provided to the risks from malicious or illicit actions, particularly of cyber threats, errors or mistakes and accidents or disasters.

The Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas (Opens in new window) recoge entre los derechos de las personas en sus relaciones con las Administraciones Públicas, establecidos en su artículo 13, el relativo “a la protección de datos de carácter personal, y en particular a la seguridad y confidencialidad de los datos que figuren en los ficheros, sistemas y aplicaciones de las Administraciones Públicas”. A la vez que la seguridad figura entre los principios de actuación de las administraciones públicas, así como la garantía de la protección de los datos personales, según lo establecido en la Law 40/2015, 1 October, of Legal Regime of the public Sector (Opens in new window) in his article 3 dealing with the general principles relating to relations of administrations by electronic means.

In response to the foregoing, article 156 of law 40/2015 reflects the National security scheme (NHIS) “ aims to establish security policy in the use of electronic media in the scope of this law, and consists of the basic principles and minimum requirements that adequately information security treated ”.

The ENS was previously established by Article 42 of Law 11/2007 and is regulated by the Royal Decree 3/2010, of January 8th (Opens in new window) , which was modified by the Royal Decree 951/2015 (Opens in new window) to update it in the light of experience in their implantation of the evolution of technology and cyber threats and international regulatory context and European.

The technical safety instructions , de obligado cumplimiento, son esenciales para lograr una adecuada, homogénea y coherente implantación de los requisitos y medidas recogidos en el Esquema y, particularmente, para indicar el modo común de actuar en aspectos concretos: Report of the state of security; Notification of security incidents; Audit of safety; Line with the national security Scheme; Adquisición de productos de seguridad; Criptología de empleo en el Esquema Nacional de Seguridad; Interconexión en el Esquema Nacional de Seguridad; y Requisitos de seguridad en entornos externalizados.

The guides of security by the National PKIX Centre, called CCN-STIC guides (Opens in new window) and available in the Portal del CCN-CERT (Opens in new window) , ayudan al mejor cumplimiento de lo establecido en el Esquema Nacional de Seguridad, en particular, de la colección de guías de la serie 800.

The ENS was developed in the light of the state of the art and the main referents in safety of information from the European Union, OCDE, national and international standardization, like in other countries, etc.

El ENS es el resultado de un trabajo coordinado por el Ministerio de Política Territorial y función Pública junto con el Centro Criptológico Nacional (CCN) y la participación de todas las AA.PP., a través de los órganos colegiados con competencias en materia de administración digital. También se ha tenido presente la opinión de las asociaciones de la Industria del sector TIC.

Goals

El Esquema Nacional de Seguridad (ENS) persigue los siguientes objetivos :

  • Crear las condiciones necesarias de seguridad en el uso de los medios electrónicos , a través de medidas para garantizar la seguridad de los sistemas, los datos, las comunicaciones, y los servicios electrónicos, que permita el ejercicio de derechos y el cumplimiento de deberes a través de estos medios.
  • Promote continuing management security .
  • Promote prevention detection and correction, for better resilience in the scene of cyber threats and cyber attacks.
  • Promote a homogeneous treatment security que facilite la cooperación en la prestación de servicios públicos digitales cuando participan diversas entidades. Esto supone proporcionar los elementos comunes que han de guiar la actuación de las entidades del Sector Público en materia de seguridad de las tecnologías de la información; también aportar un lenguaje común para facilitar la interacción, así como la comunicación de los requisitos de seguridad de la información a la Industria.
  • Serve as a model of good practices, en línea con lo apuntado en las recomendaciones de la OCDE « Digital Security Risk Management for Economic and Social Prosperity - OECD Recommendation and Companion Document

In the national security Scheme is conceived security as an integral activity, in which there can be no action punctual or cyclical treatments, due to the weakness of a system is determined by its point more fragile and often this point is the coordination between individual measures appropriate but poorly assembled.

Elements of the national security Scheme

The main elements of ENS are as follows:

  • The basic principles to consider in decisions on security (arts. 4-10).
  • The minimum requirements allow adequate protection of information (arts. 11-26).
  • The mechanism for achieving compliance with the basic principles and minimum requirements through security measures provided the nature of the information and services to protect (arts. 27, 43, 44, annex I and Annex (II).
  • The use of common infrastructure and services (art. 28).
  • Safety guides (art. 29).
  • The instructions security techniques (art. 29 and additional provision 4th).
  • Electronic communications (arts. 31-33)
  • The audit of safety (art. 34 and Annex (III).
  • The response to security incidents (arts. 36 and 37).
  • The use of certified products (art. 18., annex II and annex V).
  • The line (art. 41).
  • The training and awareness (additional provision first).

The principal mandate of ENS is established in Article 11 ‘ minimum requirements of security ’, whereby “ all the higher level of public administrations should formally have its security policy that articulates continued management of security, which shall be adopted by the holder of the corresponding upper Body ”, which was established in base to the basic principles and will run through the minimum requirements.

Scope

The Scope the national security Scheme is the public Sector, as established in Article 2 of laws 39/2015 and 40/2015 on the field subjective and what is stated on the public sector institutional. Are excluded from its scope systems dealing with classified information regulated by law 9/1968 of 5 April, on official secrets and its rules of development.

Alignment with national security Scheme

Una adecuación ordenada al Esquema Nacional de Seguridad requiere el tratamiento de las siguientes cuestiones, expresadas de forma muy sucinta:

ENS alignment to the figure

Accordance with ENS

The ENS in its Article 41 on ‘ Publication in accordance ’ notes that the bodies and public entities give publicity in the corresponding electronic headquarters declarations of conformity, and the hallmarks of security of those who are creditors, obtained with regard to compliance with ENS. After the entry into force of laws 39/2015 and 40/2015 affects all public Sector entities in Spain, as well as private Sector operators providing solutions and services, not only of security, or interested in the certification of conformity with the ENS.

The ‘ Technical safety instruction in accordance with the ENS » Establishes criteria and procedures for the conformity assessment, as well as for advertising of that line. Precise obtaining mechanisms and publicity declarations of conformity and of the hallmarks of security obtained with regard to compliance with ENS.

More information

Fill the form Contact (Opens in new window) to send your request for information.

General access point
General access point