The National Security Framework of Spain, 10 October 2011. Miguel A. Amutio, CISA, CISM, Ministry of Territorial Policy and Public Administration

20111010 The National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011


Description

Presentation about the National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011. The National Security Framework (NSF) of Spain serves the right of citizens to interact electronically with their government. The NSF establishes the security policy in the scope of eGovernment (Law 11/2007) and consists of basic principles and minimum requirements that allow an adequate protection of information. It is a legal text (Royal Decree 3/2010). The NSF introduces common elements and concepts that guide public administrations and facilitate the communication of information security requirements to Industry. Recommendations of the OECD and the EU, standards, and the experience of other countries were considered. This National Security Framework, like the National Interoperability Framework, is the result of a collective effort of all public administrations and of Industry through its associations. Both are part of the well-known effort of Spain to develop the Information Society and eGovernment.


Page 1

The National Security Framework of Spain, 10 October 2011

Miguel A. Amutio, CISA, CISM, Ministry of Territorial Policy and Public Administration

Page 2

Contents

The context: eGovernment services
The legal basis: eGov services and security
The National Security Framework
How do we collaborate
Conclusions

Page 3

The context: eGovernment services

To improve the quality of life of citizens and reduce the administrative burden on business in their interaction with public administrations. To contribute to growth and extend the benefits of a digital society to all (no one left behind). Services are provided in a complex scenario.

Page 4

Why security is important in eGovernment services

Citizens expect that eGov services are provided under conditions of trust and security comparable to those they encounter when they go in person to the offices of the Administration.

There is a growing proportion of electronic versus paper documents and, increasingly, there is no paper at all.

Information held on electronic means is exposed to risks from malicious or illegal actions, errors or failures, and accidents or disasters.

Digital Agenda for Europe

Page 5

International context

OECD Guidelines for information and network security: “... risk evaluation, security design and implementation, security management and re-evaluation.”

Implementation Plan for the OECD Guidelines: “Government should develop policies that reflect best practices in security management and risk assessment... to create a coherent system of security.”

Standards, in the field of IT security.

European Union – Digital Agenda, ENISA.

USA, FISMA, Federal Information Security Management Act

Other references: DE, UK, FR

Page 6

Contents

The context: eGovernment services
The legal basis: eGov services and security
The National Security Framework
How do we collaborate
Conclusions

Page 7

eGovernment Law 11/2007

Recognises the citizens’ right to interact with Public Administration by electronic means.

Obligation on public administrations to enable electronic access to their services.

The principles pay attention to security:
– The right to the protection of personal data.
– Security in the implementation and use of electronic means by public administrations.
– Proportionality in the implementation of security measures according to the information and services to be protected and their context.

Also the rights of citizens:
– Right to security and confidentiality of the information contained in the files, systems and applications of Public Administrations.

Page 8

The National Security Framework (Law 11/2007, art. 42 → RD 3/2010)

The Spanish NSF is a legal text (Royal Decree 3/2010) which develops the security provisions foreseen in the eGovernment Law.

The NSF establishes the security policy for eGov services. It consists of the basic principles and minimum requirements needed to enable adequate protection of information.

To be followed by all Public Administrations.

It is a key element of the Spanish Security Strategy.

The legal framework has a direct impact on the quality of eGovernment services and on the perception of citizens, and at the same time acts as a driver of the digital society. The OECD highlights it as an important aspect of eGovernment readiness.

Page 9

Why the National Security Framework is needed

Objectives

Create the necessary conditions of trust, through measures that ensure IT security, for the exercise of rights and the fulfilment of duties through electronic access to public services.

Provide a common language and common security elements to guide Public Administrations in implementing ICT security, to facilitate interaction between Public Administrations and to communicate security requirements to the Industry.

Provide a common approach to security which enables cooperation to deliver eGovernment services. The NSF complements the National Interoperability Framework.

Facilitate the continuous management of security, regardless of momentary impulses or the lack of them.

Page 10

+ Stimulate the Industry

http://www.ametic.es/

AMETIC: multi-sector partnership of companies in the fields of electronics, telecommunications and digital content.

Page 11

Contents

The context: eGovernment services
The legal basis: eGov services and security
The National Security Framework
How do we collaborate
Conclusions

Page 12

National Security Framework

Main elements

The basic principles to be taken into account in decisions about security.

The minimum requirements which allow an adequate protection of information.

How to satisfy the basic principles and minimum requirements by adopting security measures proportionate to the information and services to be protected and to the risks to which they are exposed.

Security audit.

Response to security incidents (CERT).

Security-certified products, to be considered in procurement.

Page 13

National Security Framework

Security policy

Public Administrations will have a security policy on the basis of the basic principles and minimum requirements.

In order to satisfy the minimum requirements, proportional security measures will be adopted taking into account:

System category, on the basis of the evaluation of the security dimensions.

Law and rules about personal data protection.

Decisions to manage identified risks.

Regular audits will be carried out (for systems falling under Medium or High categories).

Page 14

Basic principles

The following basic principles should be considered when taking decisions about security:

Security as an integral process: every process is concerned; it involves equipment, facilities, people, and processes.

Risk management: risk analysis is mandatory; the rest is negotiable.

Prevention, reaction and recovery.

Defence in depth: physical, logical, organisational.

Periodic re-evaluation: dynamic and reactive.

Segregation of duties: the security role is separated from the operational role.

Page 15

Minimum requirements

The security policy will be based on the basic principles and it will be developed to meet the following minimum requirements:

Page 16

Fulfilment of minimum requirements

To meet the minimum requirements, security measures will be selected considering the following:

The category of the system (Basic, Medium or High), depending on the evaluation of the security dimensions (availability, authenticity, integrity, confidentiality, traceability), taking into account the impact of a security breach. Who decides? Higher management: the information owner and the service owner.

The provisions in the legislation on protection of personal data.

The decisions taken to manage identified risks.

Page 17

Security measures

organizational
– security policy
– security regulations
– security procedures
– authorization process

operational
– planning
– access control
– operation
– external services
– continuity
– monitoring

asset protection
– facilities
– personnel
– equipment
– communications
– media
– software
– information
– services

+ use of common infrastructures and services and security guidelines provided by CCN.

Page 18

How to

Organisations providing e-government services have to ...

Prepare and adopt a security policy

Define roles and appoint persons

Evaluate information and services (system categorisation)

Carry out risk analysis

Prepare and adopt a statement of applicability

Implement, operate, and monitor the security

Audit: every 2 years (H/M)

Improve security

Page 19

Audits

Periodic audit to assess compliance with the NSF.

Use of widely recognised audit criteria and standards. Audit reports are analysed by the security manager, who communicates the conclusions to the operational manager so that the required changes are applied.

The security of information systems shall be audited for the following:
– The security policy defines roles and functions.
– There are procedures for resolving conflicts.
– People have been designated for those roles according to the principle of “separation of roles”.
– There is an approved, periodic risk analysis.
– Compliance with the security measures, according to the system category and security requirements.
– There is a formal management system.

According to the category of the system:
– Category LOW (Basic): self-evaluation.
– Category MEDIUM – HIGH: periodic audit (e.g. aligned with personal data audits).
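As an added example, not part of the slides, the categorisation rule on page 16 and the audit regime on pages 18 and 19 can be turned into a small Python check that an operational manager could run over an inventory of information types and services. The aggregation rules (a system's level in each dimension is the highest level reached by any information or service it handles; the system category is the highest level reached by any dimension) are assumed from Annex I of Royal Decree 3/2010, which the slides do not reproduce; the sample assets, the `Asset` class and the function names are constructed here for illustration.

```python
"""Added example (not from the slides): system categorisation and audit regime
under the Spanish NSF, following pages 16, 18 and 19 of the deck.

Assumptions, labelled because the slides do not show them:
  * aggregation follows Annex I of Royal Decree 3/2010: a system's level in a
    dimension is the highest level reached by any information or service it
    handles, and the system category is the highest level of any dimension;
  * audit cadence follows pages 18-19: Basic (LOW) -> self-evaluation,
    Medium/High -> formal audit at least every two years;
  * the sample assets below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, List

# The five security dimensions named on page 16.
DIMENSIONS = ("availability", "authenticity", "integrity", "confidentiality", "traceability")


class Level(IntEnum):
    NA = 0       # dimension not applicable to this asset
    LOW = 1      # the "Basic" category on page 16
    MEDIUM = 2
    HIGH = 3


@dataclass
class Asset:
    """An information type or a service, valued per dimension by its owner."""
    name: str
    kind: str                                   # "information" or "service"
    levels: Dict[str, Level] = field(default_factory=dict)

    def __post_init__(self) -> None:
        unknown = set(self.levels) - set(DIMENSIONS)
        if unknown:
            raise ValueError(f"{self.name}: unknown dimension(s) {sorted(unknown)}")
        if self.kind not in ("information", "service"):
            raise ValueError(f"{self.name}: kind must be 'information' or 'service'")


def system_levels(assets: Iterable[Asset]) -> Dict[str, Level]:
    """Per-dimension level of the system: the maximum over the assets it handles
    (assumed Annex I rule). Dimensions no asset values stay NA."""
    levels = {d: Level.NA for d in DIMENSIONS}
    for asset in assets:
        for dim, lvl in asset.levels.items():
            levels[dim] = max(levels[dim], lvl)
    return levels


def system_category(assets: Iterable[Asset]) -> Level:
    """Category of the system: the highest level in any dimension (assumed Annex I rule)."""
    category = max(system_levels(assets).values())
    if category == Level.NA:
        raise ValueError("no dimension valued: categorisation needs at least one valued asset")
    return category


def audit_regime(category: Level) -> str:
    """Audit obligation per pages 18-19: self-evaluation for Basic, periodic audit otherwise."""
    if category == Level.LOW:
        return "self-evaluation"
    return "formal audit at least every 2 years"


def report(assets: Iterable[Asset]) -> Dict[str, str]:
    """Summarise the system: one entry per dimension, plus category and audit regime."""
    assets = list(assets)
    out = {dim: lvl.name for dim, lvl in system_levels(assets).items()}
    category = system_category(assets)
    out["category"] = category.name
    out["audit"] = audit_regime(category)
    return out


# Constructed sample: a citizen-facing e-filing service that handles personal data.
SAMPLE_ASSETS: List[Asset] = [
    Asset("personal data of applicants", "information",
          {"confidentiality": Level.HIGH, "integrity": Level.MEDIUM, "traceability": Level.MEDIUM}),
    Asset("public tariff tables", "information",
          {"integrity": Level.LOW, "availability": Level.LOW}),
    Asset("online filing portal", "service",
          {"availability": Level.MEDIUM, "authenticity": Level.MEDIUM, "traceability": Level.MEDIUM}),
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_ASSETS).items():
        print(f"{key:16s} {value}")
```

The point of the two-stage maximum is that a single HIGH valuation on one information type (here, confidentiality of applicants' personal data) drags the whole system into the HIGH category and therefore into the biennial audit cycle, even though every service and every other dimension is at most MEDIUM; splitting that data into a separately categorised system is the usual design response.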

Page 20

Implementation support

Guidelines and tools

Security Guidelines
• 801 – Roles and responsibilities
• 802 – Auditing guide
• 803 – Valuation of systems
• 804 – Implementation guidance
• 805 – Information security policy
• 806 – Security implementation plan
• 807 – Use of cryptography
• 808 – Inspection of compliance
• 809 – Statement of conformity
• 810 – Creation of a CERT/CSIRT
• 811 – Networking in the Nat. Security Framework
• 812 – Security in web applications
• 814 – Security in e-mail
• …

Risk analysis methodology and software tools
• MAGERIT – Risk analysis methodology
• PILAR – Risk Analysis and Management Tool

• Early warning services in the administration network Red SARA
• CERT services
• Certification services (certified security products)
• Training

Page 21

Government CERT

CCN-CERT

Support and coordination of other national CERTs. International point of contact. Support and coordination in incident resolution: incident response; may request audit reports from attacked systems. Research and dissemination. Awareness and training for the public sector. Reporting of vulnerabilities (Early Warning System). Support to the building of CERT capabilities in other administrations.

https://www.ccn-cert.cni.es/

Page 22

National Evaluation and Certification Scheme

The NSF recognizes the role of certified products in fulfilling the minimum requirements proportionately. It recognizes the role of the Certification Body (CCN). Certification is an aspect to consider when purchasing security products. Depending on the security level, preferably use certified products. It includes a model clause for Technical Specifications.

http://www.oc.ccn.cni.es/index_en.html

Page 23

National Interoperability Framework (Royal Decree 4/2010)

Criteria and recommendations to build and improve interoperability:

Integral, multidimensional and multilateral approach.

Takes into account the dimensions: organisational, semantic, technical.

Use of standards.

Use of common infrastructures and services for multilateral interactions.

Reuse of applications and other information objects.

e-Signature and certificates.

e-Document: recovery and preservation.

+ Technical guides & supporting instruments. http://administracionelectronica.gob.es/recursos/pae_000002017.pdf

http://www.epractice.eu/en/cases/eni

Page 24

Contents

The context: eGovernment services
The legal basis: eGov services and security
The National Security Framework
How do we collaborate
Conclusions

Page 25

How do we collaborate?

Coordinated by MPTAP + CCN with the collaboration of all Public Administrations + the opinion of Industry.

More than 200 experts with different profiles (IT, legal, archives, ...)

+ Universities (CRUE), Justice (EJIS)

Page 26

Contents

The context: eGovernment services
The legal basis: eGov services and security
The National Security Framework
How do we collaborate
Conclusions

Page 27

Conclusions

The NSF provides a legal framework to align the security of eGovernment services across public administrations.

A global and coherent approach to security.

It applies proportionality: a balance between the minimum requirements, the information and services to be protected, and their risks.

It references security measures, the WHAT, but there is freedom on HOW to implement them.

It takes into account the state of the art and the principal terms of reference from the EU, OECD, standardization bodies and others.

The NSF is a key element of the Spanish Security Strategy.

Cooperation: participation of all Public Administrations, and of the private sector through Industry associations.

Challenge: provide guidance, tools and training to facilitate implementation of the NSF and resolve common issues and difficulties.

Page 28

To know more about IT security and Spain

http://www.enisa.europa.eu/act/sr/files/country-reports/?searchterm=country%20reports

http://www.epractice.eu/en/factsheets/

http://administracionelectronica.gob.es/recursos/pae_000002018.pdf

https://www.ccn-cert.cni.es/index.php?lang=en

http://www.oc.ccn.cni.es/index_en.html

http://administracionelectronica.gob.es

www.lamoncloa.gob.es/NR/.../EstrategiaEspanolaDeSeguridad.pdf

Page 29

Thank you very much for your attention