Almost 10 years after the National Security Scheme (ENS) came into force, we ask ourselves: what is the state of Spanish public administrations in terms of security?
On June 18, 2019, the “1st National Security Scheme Meeting”, organized by the National Cryptologic Center (CCN), was held in the Auditorium of the Fábrica Nacional de la Moneda y Timbre. Its purpose was to take stock of the development and implementation of the ENS to date and, above all, of the new challenges to be faced from now on.
This event brought together more than 350 professionals from the security field, both from the public and private sectors, all of them interested in learning about the evolution of the regulations and their implementation.
The event began with remarks by Javier Candau, Head of the Cybersecurity Department of the CCN, and Miguel Ángel Amutio, Director of the Cybersecurity Planning and Coordination Division of the General Secretariat for Digital Administration.
In their speeches, both indicated that the implementation of the National Security Scheme in public administrations has increased, and as proof of this they noted that Spain ranks fifth in the European ranking and seventh worldwide in the Global Cybersecurity Index 2018.
In addition, the main novelties of the ENS were presented, with emphasis on:
- Improved alignment and clarity to facilitate security in Digital Administration, making use of updated references to the legal framework, a scope of application expressed in a clear and current manner, and other editorial improvements aimed at simplifying the information.
- More flexibility to facilitate the application of the ENS to specific needs, by introducing a profiling mechanism that makes the application of security measures more flexible.
- An updated approach to facilitate the response to security trends and needs, reviewing basic principles, minimum requirements, security measures and annexes.
Everything related to cybersecurity is advancing exponentially; what about updates to the National Security Scheme and the measures for its implementation?
Carlos Galán, advisor to the CCN, explained the points of the ENS that will be updated.
He placed great emphasis on the low level of maturity in the public administration in general and explained general concepts such as the elaboration of the categorization necessary for the declaration of applicability, the completion of the adequacy plan and the risk analysis.
During the presentation, several scenarios not contemplated by the current ENS were described, which make it difficult to adapt to it, and the so-called “compliance profiles” validated by the CCN were presented as a viable solution.
The compliance profiles validated by the CCN involve a set of security measures, the concrete and detailed implementation of each measure, and the acceptance of the residual risk that remains after the measures have been implemented.
In this way, compliance with the ENS is facilitated by means of a specific compliance profile, which makes it possible to reduce or increase the incremental level of a measure, eliminate or include the application of a measure, or propose a compensatory measure. Compliance with the ENS thus becomes feasible given the human and economic resources available in the entity.
Special certification cases:
David López, from Cibergob, presented a case of successful compliance with the ENS, exemplifying that successful compliance begins with a correct definition of the scope of certification. The certification of SAS environments, on premise, is completely different from that for in-house developments. In the case of certifying a service where the provider is already ENS certified, it will only be necessary to develop the organizational measures, thus significantly reducing the difficulty.
It was also pointed out during the presentation that the measures needed to certify one service will not necessarily be the same as those for other services, so it is easier to proceed progressively: first certify one service and then certify the others.
Other topical issues:
In this event, other topics to be taken into account related to current cybersecurity issues were presented, such as:
- Protocols and procedures to be followed to detect and prevent possible disinformation campaigns, explained by speaker Javier Lesaca, from the School of International and Public Affairs of Columbia University.
- The certification of professionals in the field of cryptography and information protection, by Raúl Siles and Alfonso Muñoz of CriptoCert.
- The Head of the CCN’s Products and Technologies Department presented the work carried out by this organization to establish the functional security requirements, which enable the development of ICT security products and their inclusion in the IT Security Products catalog. As a result, administrations have the possibility of acquiring products with greater security guarantees for their deployment.
- Pablo López, Head of the CCN’s Cybersecurity Regulation and Services Area, explained the new incident management model: virtual security operations centers (vSOC).
- The event ended with a round table with the participation of private companies in the sector in conjunction with the CCN, where public-private cooperation in cybersecurity was discussed.
Ultimately, 2020 will see the launch of a new ENS update to facilitate the adaptation of the public and private sectors to the changing cybersecurity environment.