The National Security Framework (NSF) of Spain is a legal text, Royal Decree 3/2010, which develops the provisions about security foreseen in the eGovernment Law 11/2007 and is applicable to all Public Administrations in Spain. The NSF establishes the security policy for eGovernment services. It consists of the basic principles and minimum requirements to enable adequate protection of information, to be followed by all Public Administrations. This National Security Framework accompanies the National Interoperability Framework.
The National Security Framework pursues the creation of the necessary conditions of confidence in the use of electronic means, through measures to ensure the security of information and services that permit the exercise of rights and the fulfilment of duties through the electronic access to public services, and to ensure that information systems will provide their services in accordance with their functional specifications and will protect information.
The objectives of the NSF are the following:
- To create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfillment of duties through the electronic access to public services.
- To facilitate the continuous management of security.
- To facilitate a homogeneous approach to security by Public Administrations.
- To provide common language, concepts and elements of security. This common approach is helpful to provide guidance to Public Administrations in the implementation of ICT security; to enable cooperation to deliver eGovernment services; and to facilitate the interaction between Public Administrations. The NSF complements the National Interoperability Framework.
- To facilitate the communication of security requirements to the Industry.
In order to create such conditions, the National Security Scheme introduces the common elements that have to guide the action of the Public Administrations regarding security.
In particular, it introduces the following principal elements:
- The basic principles to be taken into account in decisions about security.
- The minimum requirements which allow an adequate protection of information.
- How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures according to information and services to be protected and to the risks to which they are exposed.
- Security audits.
- Response to security incidents, CERT services provided by CCN-CERT.
- Security certified products, to be considered in procurement.
Policy Context
Royal Decree 3/2010, of January 8th (Official Gazette, January 29th) regulates the National Security Framework foreseen in Article 42 of the eGovernment Law 11/2007.
It has been developed in a process coordinated by the Ministerio de la Presidencia with the support of Centro Criptologico Nacional (CCN), with the participation of all Public Administrations (General State, Regional, Local) in Spain through the Administration Bodies with competences in the field of eGovernment.
So the context is all Public Administrations in Spain.
During the last three years more than a hundred experts of Public Administrations have contributed to its elaboration, together with a wide number of experts who have contributed with their opinion through the professional associations of ICT Industry.
The National Security Framework takes into account recommendations from the European Union, the current technological situation of Public Administrations, existing services, and the use of open standards and, as appropriate and in complement, standards which are of general use among the public.
During the elaboration process, a wide number of references about eGovernment and security coming from the European Union, other countries, the OECD, standardization bodies and forums and national legislation have been taken into account.
Description of target users and groups
- Public Administrations of Spain: managers and civil servants responsible for the planning, design, procurement, development, deployment and operation of systems for eGovernment services.
- ICT Industry providers of Public Administrations.
Description of the way to implement the initiative
The National Security Framework is implemented through Royal Decree 3/2010, of January 8th (Official Gazette, January 29th), which regulates the National Security Framework foreseen in Article 42 of the eGovernment Law 11/2007, with the participation of all Public Administrations through the Administration Bodies with competences in the field of eGovernment, which bring together all Public Administrations, national, regional and local (Highest Council of eGovernment - Consejo Superior de Administracion Electronica, Sectorial Committee of eGovernment - Comite Sectorial de Administracion Electronica, National Commission of Local Administration - Comision Nacional de Administracion Local).
Technology solution
In order to create such conditions, the National Security Framework introduces the common elements that have to guide the action of the Public Administrations regarding security.
A global approach to security has been followed:
- The basic principles to be taken into account in decisions about security.
- The minimum requirements which allow an adequate protection of information.
- How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures according to information and services to be protected and to the risks to which they are exposed.
- Security audits.
- Response to security incidents, CERT services provided by CCN-CERT.
- Security certified products, to be considered in procurement.
Technology choice: Standards-based technology
Main results, benefits and impacts
The National Security Framework pursues the creation of the necessary conditions of confidence in the use of electronic means, through measures to ensure the security of systems, data, communications and electronic services that permit the exercise of rights and the fulfilment of duties through the electronic access to public services, and to ensure that information systems will provide their services in accordance with their functional specifications and will protect information.
The National Interoperability Framework:
- Creates the necessary conditions of trust in the use of electronic means, through measures to ensure security of systems, data, communications and electronic services that permit the exercise of rights and the fulfillment of duties through the electronic access to public services.
- Establishes the security policy in the use of electronic means in the scope of the eGovernment Law 11/2007; this security policy will be formed by the basic principles and minimum requirements for an adequate protection of information.
- Introduces the common elements that will guide the activity of Public Administrations in relation to security.
- Introduces a common language that will facilitate the interaction among public administrations as well as the communication of security requirements to ICT Industry.
Return on investment
Return on investment: Not applicable / Not available
Track record of sharing
This National Security Framework has been developed with the participation of all Public Administrations in Spain and a high degree of reuse of it is expected.
Lessons learnt
The three main lessons learnt are the following:
- The need to address security from a completely global perspective including all aspects involved.
- The importance of taking into account the points of view and contribution of all stakeholders involved. This National Security Framework has been developed with the participation of all Public Administrations in Spain. During the last three years more than a hundred experts of Public Administrations have contributed to its elaboration, together with a wide number of experts who have contributed with their opinion through the professional associations of ICT Industry. During the elaboration process, a wide number of references about eGovernment and security coming from the European Union, other countries, standardization bodies and forums and national legislation have been taken into account.
- The importance of introducing the common elements and language of security in our legal basis about eGovernment.