Digital transformation of the public Sector must be accompanied by organizational and technical measures of security to protect the information managed and services provided to the risks from malicious or illicit actions, particularly of cyber threats, errors or mistakes and accidents or disasters.
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
collects between the rights of people in their relations with public administrations, established in Article 13, the relative “ to the protection of personal data, and in particular the security and confidentiality of the data contained in the files, systems and applications of public administrations ”. While the security is among the principles of action of public administrations, as well as the guarantee of protection of personal data, as established in the Law 40/2015, 1 October, of Legal Regime of the public Sector
in his article 3 dealing with the general principles relating to relations of administrations by electronic means.
Para dar respuesta a todo lo anterior, el artículo 156 de la Ley 40/2015 recoge el
National security scheme (NHIS)
“ aims to establish security policy in the use of electronic media in the scope of this law, and consists of the basic principles and minimum requirements that adequately information security treated ”.
El ENS fue establecido anteriormente por el artículo 42 de la Ley 11/2007 y está regulado por el
Royal Decree 3/2010, of January 8th
, which was modified by the Royal Decree 951/2015
to update it in the light of experience in their implantation of the evolution of technology and cyber threats and international regulatory context and European.
technical safety instructions
, binding, are essential to ensure adequate, uniform and consistent implementation of the requirements and measures contained in the outline and, particularly, to indicate the common way of acting on specific aspects: Report of the state of security;
Notification of security incidents;
Audit of safety;
Line with the national security Scheme;
Acquisition of security products; Cryptology of employment in the national security Scheme; Interconnection in the national security Scheme; and security requirements in environments outsourced.
The guides of security by the National PKIX Centre, called
and available in the Portal del CCN-CERT
help with best compliance with the national security Scheme, in particular, the collection of guides of the series 800.
The ENS was developed in the light of the state of the art and the main referents in safety of information from the European Union, OCDE, national and international standardization, like in other countries, etc.
The ENS is the result of a work coordinated by the Ministry of Territorial Policy and Public function together with the National PKIX Centre (CCN) and the participation of all the AA.PP., through the collegiate bodies responsible for digital administration. They have been designed with the view of industry associations TIC sector.
El Esquema Nacional de Seguridad (ENS) persigue los siguientes objetivos :
Create the conditions of safety in the use of electronic media
through measures to ensure the safety systems, data, communications, and electronic services, allowing the exercise of rights and duties through these means.
Promote continuing management security
Promote prevention detection and correction,
for better resilience in the scene of cyber threats and cyber attacks.
Promote a homogeneous treatment security
que facilite la cooperación en la prestación de servicios públicos digitales cuando participan diversas entidades. Esto supone proporcionar los elementos comunes que han de guiar la actuación de las entidades del Sector Público en materia de seguridad de las tecnologías de la información; también aportar un lenguaje común para facilitar la interacción, así como la comunicación de los requisitos de seguridad de la información a la Industria.
Serve as a model of good practices,
in line with the recommendations of the ‘ OCDE
Digital Security Risk Management for Economic and Social Prosperity - OECD Recommendation and Companion Document
En el Esquema Nacional de Seguridad se concibe la seguridad como una actividad integral, en la que no caben actuaciones puntuales o tratamientos coyunturales, debido a que la debilidad de un sistema la determina su punto más frágil y, a menudo, este punto es la coordinación entre medidas individualmente adecuadas pero deficientemente ensambladas.
Elements of the national security Scheme
The main elements of ENS are as follows:
The basic principles
to consider in decisions on security (arts. 4-10).
The minimum requirements
allow adequate protection of information (arts. 11-26).
The mechanism for achieving compliance with the basic principles and minimum requirements
through security measures provided
the nature of the information and services to protect (arts. 27, 43, 44, annex I and Annex (II).
The use of common infrastructure and services
The instructions security techniques
(art. 29 and additional provision 4th).
The audit of safety
(art. 34 and Annex (III).
The response to security incidents
(arts. 36 and 37).
The use of certified products
(art. 18., annex II and annex V).
The training and awareness
(additional provision first).
The principal mandate of ENS is established in Article 11 ‘ minimum requirements of security ’, whereby “ all the higher level of public administrations should formally have its security policy that articulates continued management of security, which shall be adopted by the holder of the corresponding upper Body ”, which was established in base to the basic principles and will run through the minimum requirements.
Accordance with ENS
The ENS in its Article 41 on ‘ Publication in accordance ’ notes that the bodies and public entities give publicity in the corresponding electronic headquarters declarations of conformity, and the hallmarks of security of those who are creditors, obtained with regard to compliance with ENS. After the entry into force of laws 39/2015 and 40/2015 affects all public Sector entities in Spain, as well as private Sector operators providing solutions and services, not only of security, or interested in the certification of conformity with the ENS.
Technical safety instruction in accordance with the ENS
» establece los criterios y procedimientos para la determinación de la conformidad, así como para la publicidad de dicha conformidad. Precisa los mecanismos de obtención y publicidad de las declaraciones de conformidad y de los distintivos de seguridad obtenidos respecto al cumplimiento del ENS.