The CERT of the National Cryptologic Centre (CCN-CERT) has published a new good-practice report in the public section of its portal. The document, CCN-CERT BP/14, aims to explain the procedure for defining the Statement of Applicability under the National Security Scheme (ENS).
The report covers the determination of a system's category (basic, medium or high), which is based on assessing the impact on the organization of an incident affecting the security of its information or systems. The document also addresses the determination of security levels depending on the dimension.
One of the main points is determining which measures must be implemented to fulfil the basic principles and minimum requirements established in the ENS. In this regard, Annex II of Royal Decree 3/2010 sets out the correspondence between the security levels required in each dimension and the applicable security measures.
The report concludes with a number of examples, a section devoted to the compliance profile (made up of a set of security measures and their concrete implementation, resulting from a risk analysis), and a decalogue of recommendations.