La transformación digital del Sector Público ha de ir acompañada de medidas organizativas y técnicas de seguridad que protejan la información manejada y los servicios prestados, proporcionadas a los riesgos provenientes de acciones malintencionadas o ilícitas, particularmente de las ciberamenazas, errores o fallos y accidentes o desastres.
Law 39 / 2015, 1 October, Common Administrative procedure of public administrations
collects between the rights of people in their relations with public administrations, established in Article 13, the relative “ to the protection of personal data, and in particular the security and confidentiality of the data contained in the files, systems and applications of public administrations ”. While the security is among the principles of action of public administrations, as well as the guarantee of protection of personal data, as established in the Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público
in his article 3 dealing with the general principles relating to relations of administrations by electronic means.
In response to the foregoing, article 156 of law 40 / 2015 reflects the
National security scheme (NHIS)
que “tiene por objeto establecer la política de seguridad en la utilización de medios electrónicos en el ámbito de la presente Ley, y está constituido por los principios básicos y requisitos mínimos que garanticen adecuadamente la seguridad de la información tratada”.
The ENS was previously established by Article 42 of Law 11 / 2007 and is regulated by the
Royal Decree 3 / 2010, of January 8th
, which was modified by the Royal Decree 951 / 2015
to update it in the light of experience in their implantation of the evolution of technology and cyber threats and international regulatory context and European.
technical safety instructions
, binding, are essential to ensure adequate, uniform and consistent implementation of the requirements and measures contained in the outline and, particularly, to indicate the common way of acting on specific aspects: Report of the state of security;
Notification of security incidents;
Audit of safety;
Line with the national security Scheme;
Acquisition of security products; Cryptology of employment in the national security Scheme; Interconnection in the national security Scheme; and security requirements in environments outsourced.
The guides of security by the National PKIX Centre, called
and available in the Portal del CCN-CERT
help with best compliance with the national security Scheme, in particular, the collection of guides of the series 800.
The ENS was developed in the light of the state of the art and the main referents in safety of information from the European Union, OCDE, national and international standardization, like in other countries, etc.
The ENS is the result of a work coordinated by the Ministry of Territorial Policy and Public function together with the National PKIX Centre (CCN) and the participation of all the AA.PP., through the collegiate bodies responsible for digital administration. They have been designed with the view of industry associations TIC sector.
The national security Scheme (NHIS) has the following objectives:
Create the conditions of safety in the use of electronic media
, a través de medidas para garantizar la seguridad de los sistemas, los datos, las comunicaciones, y los servicios electrónicos, que permita el ejercicio de derechos y el cumplimiento de deberes a través de estos medios.
Promote continuing management security
Promote prevention detection and correction,
for better resilience in the scene of cyber threats and cyber attacks.
Promote a homogeneous treatment security
to facilitate cooperation in the provision of public services digitales when participating various entities. This means providing the common elements that guide the performance of public Sector entities in safety of information technologies; also provide a common language to facilitate interaction, as well as the communication of the requirements of information security industry.
Serve as a model of good practices,
en línea con lo apuntado en las recomendaciones de la OCDE «
Digital Security Risk Management for Economic and Social Prosperity - OECD Recommendation and Companion Document
In the national security Scheme is conceived security as an integral activity, in which there can be no action punctual or cyclical treatments, due to the weakness of a system is determined by its point more fragile and often this point is the coordination between individual measures appropriate but poorly assembled.
Elements of the national security Scheme
The main elements of ENS are as follows:
The basic principles
a considerar en las decisiones en materia de seguridad (arts. 4-10).
The minimum requirements
allow adequate protection of information (arts. 11-26).
El mecanismo para lograr el cumplimiento de los principios básicos y de los requisitos mínimos
through security measures provided
the nature of the information and services to protect (arts. 27, 43, 44, annex I and Annex (II).
The use of common infrastructure and services
The instructions security techniques
(art. 29 and additional provision 4th).
The audit of safety
(art. 34 and Annex (III).
The response to security incidents
(arts. 36 and 37).
The use of certified products
(art. 18., annex II and annex V).
The training and awareness
(additional provision first).
El mandato principal del ENS es el establecido en el artículo 11 ‘Requisitos mínimos de seguridad’, según el cual “todos los órganos superiores de las Administraciones públicas deberán disponer formalmente de su política de seguridad que articule la gestión continuada de la seguridad, que será aprobada por el titular del órgano superior correspondiente”, que se establecerá en base a los principios básicos y que se desarrollará aplicando los requisitos mínimos.
Accordance with ENS
The ENS in its Article 41 on ‘ Publication in accordance ’ notes that the bodies and public entities give publicity in the corresponding electronic headquarters declarations of conformity, and the hallmarks of security of those who are creditors, obtained with regard to compliance with ENS. After the entry into force of laws 39 / 2015 and 40 / 2015 affects all public Sector entities in Spain, as well as private Sector operators providing solutions and services, not only of security, or interested in the certification of conformity with the ENS.
Technical safety instruction in accordance with the ENS
» Establishes criteria and procedures for the conformity assessment, as well as for advertising of that line. Precise obtaining mechanisms and publicity declarations of conformity and of the hallmarks of security obtained with regard to compliance with ENS.