National Security Scheme
This is the regulation that establishes the security policy to be applied to the electronic media used by the Public Administration and sets out the security measures necessary to guarantee the security of the information.
What is ENS?
The National Security Scheme (ENS), regulated by Royal Decree 3/2010, of January 8, 2010, on the National Security Scheme in the field of Electronic Administration, is a mandatory standard for the information systems of the Public Administrations. It is based on international information security principles and deals with the protection of information, systems and services.
The ENS seeks to establish confidence that information systems provide their services and safeguard information in accordance with their functional specifications, without interruptions or out-of-control modifications, and without the information coming to the knowledge of unauthorized persons.
To this end, it must be developed and refined in parallel with the evolution of the services and, as these are consolidated, with the requirements of those services and of the infrastructures that support them.
The ENS is necessary to establish common aspects and methodologies, related to security, in the implementation and use of electronic media by the Public Administrations, in order to create the necessary conditions for confidence in the use of the aforementioned electronic media, allowing the exercise of rights and the fulfillment of duties through these media.
The ENS consists of basic principles and minimum requirements for the adequate protection of information, in order to ensure the access, integrity, availability, authenticity, confidentiality, traceability and conservation of the data, information and services used in electronic media and managed by the Public Administrations in the exercise of their competences.
Proportionality is one of the essential principles of the ENS, since it is necessary to categorize information systems in order to determine the security measures, which must be proportionate to the nature of the information handled, the services provided and the risks to which they are exposed.
The basic principles of the ENS establish reference points for decision making, aimed at securing information and services. The ultimate purpose of information security is to ensure that an administrative organization can meet its objectives using information systems.
The following basic principles should be taken into account in security decisions:
- Integral security.
- Risk management.
- Prevention, reaction and recovery.
- Lines of defense.
- Periodic reevaluation.
- Differentiated function.
ENS compliance requirements
All senior public administration bodies must formally have a security policy that articulates the ongoing management of security, which will be approved by the head of the corresponding senior body.
This security policy shall be established in accordance with the basic principles indicated above and shall be developed by applying the following minimum requirements:
- Organization and implementation of the security process.
- Risk analysis and management.
- Personnel management.
- Authorization and access control.
- Protection of facilities.
- Acquisition of products.
- Default security.
- System integrity and updating.
- Protection of information stored and in transit.
- Prevention against other interconnected information systems.
- Record of activity.
- Security incidents.
- Business continuity.
- Continuous improvement of the security process.
In order to comply with the minimum requirements established in the ENS, the security measures indicated in Annex II shall be applied, taking into account:
- The assets that constitute the system.
- The category of the system, as provided for in Article 43 thereof.
- Decisions taken to manage the risks identified.
What is its objective?
The purpose of the ENS is to establish the security policy for the use of electronic media within the scope of this Law, and it is made up of the basic principles and minimum requirements that adequately guarantee the security of the information processed.
The purpose of this law is to create the necessary conditions of confidence in the use of electronic media, through measures to guarantee the security of systems, data, communications and electronic services, allowing citizens and public administrations to exercise their rights and fulfill their duties through these media.
The main objectives of the ENS are as follows:
- To create the necessary conditions of trust in the use of electronic media that allow citizens and Public Administrations to exercise their rights and fulfill their duties through these media.
- To introduce the common elements and methodologies that should guide the actions of public administrations in the area of IT security.
- To provide a common language to facilitate the interaction of public administrations, as well as the communication of information security requirements to the industry.
Benefits of compliance
The ENS is a legal standard that deals with the protection of information and services; it therefore provides for and requires the continuous management of security through a management system, which brings benefits such as:
- Greater trust of citizens in the services the entity provides through electronic means.
- Promotion of regulatory compliance in information security and data protection.
- Compliance with a legal requirement when services are provided to the Public Administration.
- A competitive, differentiating advantage over other suppliers.
The ENS is considered the reference security regulation for the Public Administrations. For this reason, various regulations provide for its application in order to strengthen their own provisions. This is the case of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, whose First Additional Provision establishes that the ENS shall include the measures to be implemented when personal data are processed, in order to prevent their loss, alteration or unauthorized access, adapting the criteria for determining the risk of the processing to those established in Regulation (EU) 2016/679 (GDPR).
Public administrations and public sector entities must apply to the processing of personal data the corresponding security measures provided for in the ENS, as well as promote a degree of implementation of equivalent measures in companies or foundations linked to them subject to private law. In addition, in cases where a third party provides a service under a concession, management entrustment or contract, the security measures shall correspond to those of the originating public administration and shall comply with the ENS.
Who must comply with this Regulation
The ENS applies to the public sector comprising:
- The General State Administration.
- The Administrations of the Autonomous Communities.
- The Entities that make up the Local Administration.
- The institutional public sector.
The institutional public sector is made up of:
- Any public bodies and public law entities linked to or dependent on the Public Administrations.
- Private law entities linked to or dependent on the Public Administrations, which shall be subject to the provisions of the rules of this Law that specifically refer to them, in particular to the principles set forth in Article 3, and in any case, when they exercise administrative powers.
- The public universities shall be governed by their specific regulations and, supplementarily, by the provisions of this Law.
The following are considered to be Public Administrations: the General State Administration, the Administrations of the Autonomous Communities, the Entities that make up the Local Administration, as well as the public bodies and public law entities linked to or dependent on the Public Administrations.
In addition, public or private organizations that provide services or solutions to public entities subject to the ENS must be able to present the corresponding Declaration of Conformity with the ENS, for BASIC category systems, or the Certification of Conformity with the ENS, for MEDIUM or HIGH category systems, in accordance with the Resolution of October 13, 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction on Conformity with the National Security Scheme. The same procedures required of public entities apply, provided that the category of the information system has been determined by the contracting public entity.
ENS compliance with our OSV solution
Our ENS compliance solution proposal defines the necessary controls to ensure information security under the approach of this regulatory framework.
This solution responds to the requirements established by the ENS in order to generate the highest level of confidence in the use of electronic media established by the Public Administrations.
For this reason, proactive accountability measures are adopted to ensure comprehensive data security. Privacy and information security must address prevention, reaction and resilience, so that threats do not materialize or seriously affect the information handled or the services provided. Accordingly, access to information systems shall be identified, controlled and limited; special attention shall be paid to information stored or in transit, applying the security measures appropriate to the nature of the medium in which it resides. In addition, communications between information systems and other external systems, as well as the interconnection points between the networks that support such communications, shall be adequately protected.