Information security cannot depend solely on the goodwill (and competence) of system administrators applying security measures that are often undocumented and whose effectiveness is never measured on a regular basis. To remove this dependence, in 2010 the National Security Scheme (Esquema Nacional de Seguridad, ENS) was approved. The ENS (RD 3/2010) established the basis for implementing an Information Security Management System (ISMS), standardizing which measures should be applied on the basis of an ongoing risk analysis.
In the 12 years since then much has changed, and even more so in cybersecurity, which justified an update of the ENS that takes into account the state of new technologies (e.g. the growing use of cloud services), the updates to European and national regulations and, above all, the exponential increase in the number of cyber threats.
Therefore, on May 5, 2022, RD 311/2022 came into force, repealing the former ENS (RD 3/2010). Although it retains key elements of its structure, such as the Basic Principles, Minimum Requirements and Security Measures, it has been thoroughly revised to reflect the changes above, with simpler wording, the introduction of new terms and the modification of some existing ones and, most relevant in practice, a review of the Annex II controls that determine which measures must be applied.
It is important to note that, as before, the ENS is aligned with the National Cybersecurity Strategy, whose aim is to improve the security and resilience of the networks and information systems of the Public Administrations (AAPP).
Who should upgrade to the new ENS?
The new ENS applies to the entire public sector as defined in Law 40/2015, to those who handle classified information (without prejudice to Law 9/1968 on Official Secrets and other special regulations) and, not least, to private entities that provide services or solutions to the public sector.
What is new in the new ENS?
Starting with the Basic Principles, the new ENS introduces the concept of continuous monitoring. This involves the automatic collection of security events (e.g. through a SIEM) and, where necessary, the re-evaluation and updating of security measures according to the risk at any given time.
Continuing with the Minimum Requirements, the term “security by default” is replaced by “least privilege”, meaning that information systems must be designed and configured with the minimum privileges necessary for their correct operation. Another point to highlight in the Minimum Requirements is the definition of a POC (Point of Contact or Person of Contact) for external services: whenever a Public Administration contracts an external service, a named contact for information security matters must be identified.
With regard to security measures, the controls have been modified to allow greater flexibility in how they are applied. This flexibility rests on two new concepts: the Base Requirement, the minimum that must be satisfied for each security measure; and Security Reinforcements, complementary measures (optional in some cases, mandatory in others) that can be added to a control to improve its robustness.
Beyond this conceptual change, the three main blocks of the old ENS (Organizational Framework, Operational Framework and Protection Measures) have been retained. Comparing both decrees, 9 security measures have been eliminated (e.g. those related to alternative facilities or the protection of activity logs).
On the other hand, 26 measures have been modified: 20 controls are now more demanding (e.g. Identification, Protection against harmful code or Protection of personal data) and the other 6 have been simplified (e.g. Segregation of duties or Qualification of information). Finally, six new controls have been added, the most important being System Interconnection, Surveillance and Cloud Services. In total, the number of security controls has gone from 75 in the old ENS to 73 in the new one.
The CCN (Centro Criptológico Nacional) continues to be an essential pillar for Public Administrations in complying with the ENS. It assumes four main roles: promoting awareness and training for public administration personnel together with INAP, coordinating the response to security incidents at state level, developing security guides and alerts, and validating and publishing compliance profiles. The latter is especially important, since a compliance profile simplifies adaptation for the entities it covers by helping them identify their essential assets, value them and determine which controls to apply.
It is worth mentioning that a compliance profile for universities updated to the new ENS is already available, and the CCN is expected to gradually publish new compliance profiles for other sectors.
Last but not least, the new ENS reflects a commitment to the environment by introducing the “Do No Significant Harm” concept: any action taken to comply with the ENS must respect the principle of causing no significant harm to the environment and must meet the climate and digital tagging conditions (e.g. reducing paper consumption or improving energy efficiency).
What is the deadline to comply with the new ENS?
The single transitory provision grants pre-existing information systems a period of 24 months to adapt, so the deadline is May 5, 2024. Systems developed and implemented after the entry into force of the new ENS, however, must comply with it from their conception.
Oesía has wide experience in adapting both public and private organizations to the ENS and to the ISO 27001 standard throughout the national territory. It is one of the leading providers of cybersecurity services in Spain, with more than 100 highly qualified professionals holding the most valued certifications in the sector (CISA, CISM, CISSP…). Administrations such as the Ministry of Justice, the Health Service of the Community of Madrid, the Regional Government of Andalusia and the Xunta de Galicia, among many others, have trusted Oesía with their ENS adaptation processes.
José García, Alberto Ibiza