PAe - 10 years of the National Security Scheme (ENS) at the service of public sector cybersecurity

Ten years of the National Security Scheme (ENS) at the service of public sector cybersecurity

08 January 2020

The result of a collective effort led by MPTFP-SGAD and CNI-CCN, the ENS has been a milestone for cybersecurity in Spain and a benchmark for other countries. In 2020, two things must be maintained: the effort to implement the ENS, because its application helps provide better protection against cyber threats, and its suitability for the challenges and trends in cybersecurity.

On a day like today, ten years ago, Royal Decree 3/2010 of 8 January, regulating the National Security Scheme in the field of e-government, was approved. Twenty-one days later, on 29 January, it was published in the Official State Gazette (BOE), establishing the basic principles and minimum requirements that, in accordance with the general interest, allow adequate protection of the information, communications and services of public administrations.

Subsequently, in 2015, the scope of the National Security Scheme (ENS) was extended to the entire public sector by Law 40/2015, and the Scheme was modified via 951/ , of 23 October, in light of the experience gained and the EU regulatory context, particularly the eIDAS Regulation. The ENS pioneered the inclusion of 75 security measures that are mandatory for the Spanish public sector, spanning the organisational, operational and protection frameworks.

This is a strength that has positioned our country as a benchmark in the European Union. It is the result of a collective effort by Spain's public administrations, with the collaboration of the private sector, all of which actively contributed to its development and application, led by the Ministry of Territorial Policy and Public Function through the General Secretariat for Digital Administration, SGAD (in 2010, when it was adopted, the Ministry of the Presidency), and by the National Cryptologic Centre (CCN).

The ENS has become the main tool for strengthening cybersecurity in the public sector. It has been accompanied by 61 CCN-STIC Guides (800 Series), 14 cybersecurity solutions developed by the CCN and 4 Technical Security Instructions (ITS) published in the BOE, covering incident notification, auditing of information system security, conformity with the Scheme itself, and the State of Security Report.

Precisely in order to compile this report and to establish a system for measuring the security of the public sector, the CCN developed the INES solution (National Report on the State of Security), which makes it quicker and more intuitive to determine adequacy to the ENS. Five editions of the INES report have been produced, and the sixth is under way. In 2019, 1006 entities had uploaded their data, compared with 799 a year earlier. The general assessment that emerges from the INES report is that the effort to implement the ENS must be maintained, especially as the report shows that its application helps provide better protection against cyber threats.

Also in 2015, the criteria for determining conformity with the Scheme were established, together with the corresponding Declaration and Certification of Conformity with the ENS. The collaboration of the SGAD and CCN with the National Accreditation Entity (ENAC) led to the accreditation and certification scheme, which to date has resulted in 8 accredited certification bodies and, by the end of 2019, more than 160 certified entities (public and private).

Finally, in 2018, the Certification Council of the National Security Scheme (CoCENS) was created. Its objective is to support the proper implementation of the ENS and, consequently, the best provision of public services with the strongest guarantees.

ENS under revision

This anniversary calls for a revision of the ENS so that, learning from the experience of these ten years, the Scheme can be prepared to face new threats; improve monitoring capabilities and design increasingly effective responses to attacks; and reduce the exposure surface to vulnerabilities and system configuration deficiencies.

This requires, first, aligning the ENS with the legal framework and strategic context as of 2020 in order to provide security in digital services; second, introducing flexibility to facilitate implementation of the ENS for the specific needs of certain groups of entities or technologies; and third, updating the ENS to facilitate the response to cybersecurity trends, reduce vulnerabilities and promote active defence. This third point means revising, in light of the state of the art, the basic principles, minimum requirements and security measures, focusing in particular on issues such as system monitoring, advanced threat-detection and event-correlation tools, the provision of observatories for surveillance purposes, more specific approaches to incident notification and management, measures for the use of cloud services, and support for the protection of personal data as described in the First Additional Provision of Organic Law 3/2018.
