
Upload: miguel-a-amutio

Post on 18-Nov-2014


DESCRIPTION

Text of the presentation of the National Security Framework of Spain for Guide Share Europe, in Madrid in October 2011. The National Security Framework (NSF) of Spain is in the service of the right of citizens to interact electronically with their government. The NSF establishes the security policy in the scope of eGovernment (Law 11/2007) and consists of basic principles and minimum requirements to allow an adequate protection of information. It is a legal text (Royal Decree 3/2010). The NSF introduces common elements and concepts that provide guidance to public administrations and that facilitate the communication of information security requirements to Industry. Recommendations of the OECD, EU, standards and experiences from other countries were considered. This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of the Industry through their associations. Both of them are part of the well known effort of Spain to develop the Information Society and eGovernment.

TRANSCRIPT

Page 1: 20111010 The National Security Framework of Spain (ENS)

The National Security Framework of Spain

Guide Share Europe, 10 October 2011

Good afternoon, Ladies and Gentlemen,

I appreciate very much the invitation of GSE to speak here today.

My talk is a bit different from the others in this event. It is about the National Security Framework of Spain. This Security Framework introduces common security elements applicable to eGovernment services and it is in the service of the right of citizens to interact electronically with their government.

This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of the Industry through their main associations. Both Frameworks are part of the well-known effort of Spain to develop eGovernment.

The aim of the Security Framework would be to ensure that the overall approach to information security throughout all public administrations is both coherent and efficient, by identifying synergies and eliminating duplication of work.

Contents

So the contents of my presentation today are the following:

• First of all, the context of the NSF.

• Then, the legal basis: eGovernment services and security.

• Next, the National Security Framework; we will see the main aspects.

• After that, how we collaborate.

• And finally, conclusions.

Page 2

The context of the NSF: eGovernment Services

The objective of eGovernment services

Our government has committed to the development of eGovernment services; in fact, the right of the citizens to interact with public administrations by electronic means is recognized by law.

We all expect that eGovernment will help to improve our quality of life and reduce the administrative burdens on business in their interaction with public administrations. We also expect that eGovernment will contribute to growth and extend the benefits of a digital society to all, with the idea of no one left behind.

eGovernment services in Spain are provided in a complex scenario which involves the interaction of the General State Administration, 17 regional governments and 2 autonomous cities, plus over 8,000 municipalities, together with the relationships with EU institutions and agencies and other Member States.

Why security is important for eGovernment services

We, as citizens, expect that eGovernment services are provided under conditions of trust and security comparable to those we find when we go personally to the offices of the Administration.

As a result of the advance in the development of eGovernment, there is a growing proportion of electronic versus paper documents or information, and, increasingly, there is no paper in administrative proceedings. For instance, our Administration can establish that interactions have to be done by electronic means when certain collectives of legal or natural persons with professional, technical and economic capabilities are involved.

Information on electronic means is exposed to potential risks from the threat of malicious or illegal actions, errors or failures and accidents or disasters. Unfortunately, these threats are not only due to vulnerabilities associated with technological developments; they are also due to the fact that these technologies are being used to attack systems.

Page 3

ICT is increasingly used in cybercrime and politically motivated attacks, as we have seen in recent times. For instance, in 2010 our ministries suffered 30 highly critical attacks, addressed mainly against the availability of services and to steal data.

And Public Bodies are interconnected and interdependent; information and services cannot be secured by partial approaches. There is a need for a comprehensive framework to address security.

International context

The NSF follows the recommendations of the OECD and the EU, as well as standards and experiences from other countries. We have taken into account the international context so as to be aligned with the main security trends and to ensure consistency with international developments.

The OECD Guidelines for information and network security are a main reference. Let's remember that the principles include "... risk evaluation, security design and implementation, security management and re-evaluation."

And also the Implementation Plan for the OECD Guidelines, which states that "Government should develop policies that reflect best practices in security management and risk assessment... to create a coherent system of security."

Standards in the field of IT security are obviously another relevant source; their development has grown considerably in the last decade.

In the European Union, the Digital Agenda for Europe recognizes the rising cybercrime and low trust as one of the 7 main obstacles to be overcome.

In relation to other countries, the FISMA, Federal Information Security Management Act, of the USA is a main reference, because of its overall approach from the vision and legal basis to the provision of standards and guidelines. We have also analysed the approaches in Germany, the UK and France.

The legal framework: eGovernment Services and security

Page 4

eGovernment Law 11/2007

We have a strong legal basis for eGovernment. The eGovernment Law 11/2007 recognises the citizens' right to interact with Public Administration by electronic means. In consequence, there is an obligation on public administrations to enable electronic access to their services.

This eGovernment Law lays down a number of principles; some of them explicitly address security, such as those which refer to:

(I) the protection of personal data;

(II) security in the implementation and use of electronic means by public administrations;

(III) and proportionality in the implementation of security measures according to the information and services to be protected and their context.

Also the rights recognized to the citizens include the notion of security, as the right to security and confidentiality of information in the files, systems and applications of Public Administrations.

And finally article 42 of the eGovernment Law creates the National Security Framework.

The Royal Decree 3/2010

The Spanish NSF is a legal text, Royal Decree 3/2010, which develops the provisions about security foreseen in the eGovernment Law. The NSF establishes the security policy for eGovernment services. It consists of the basic principles and minimum requirements to enable adequate protection of information, to be followed by all Public Administrations.

It is also a key element of the Spanish Security Strategy, approved in June this year.

Let's remember that the legal framework has a direct impact on eGovernment quality of service as well as on the perception of the citizens and, at the same time, acts as a driver of the digital society. The OECD highlights it as an important aspect of eGovernment readiness.

Page 5

Objectives of the NSF

The objectives of the NSF are the following:

• To create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfilment of duties through the electronic access to public services.

• To facilitate the continuous management of security, regardless of the impulses of the moment or lack thereof.

• To provide common language, concepts and elements of security. This common approach is helpful:

◦ to provide guidance to Public Administrations in the implementation of ICT security,

◦ to enable cooperation to deliver eGovernment services,

◦ and to facilitate the interaction between Public Administrations. The NSF complements the National Interoperability Framework.

• To facilitate the communication of security requirements to the Industry. Surely, it is easy to imagine what this means in terms of calls for tenders, technical specifications and predictable offers. The Industry finds all Public Administrations speaking the same language.

Objectives of the NSF: to stimulate Industry

• And, why not? To stimulate the IT Industry. AMETIC, the multi-sector partnership of Spanish companies in the fields of electronics, telecommunications and digital content, is collaborating to promote the adoption of the NSF.

The National Security Framework

The main elements of the NSF

What are the main elements of the NSF?

• The basic principles to be taken into account in decisions about security.

• The minimum requirements which allow an adequate protection of information.

• How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures according to the information and services to be protected and to the risks to which they are exposed.

• Security audits.

• Response to security incidents (CERT).

• Security certified products, to be considered in procurement.

Page 6

The security policy

Public Administrations will have a security policy on the basis of the basic principles and minimum requirements.

How to satisfy the minimum requirements? Proportionate security measures will be adopted taking into account:

• System category, on the basis of the evaluation of the security dimensions.

• Law and rules about personal data protection.

• Decisions to manage identified risks. In the end, risk analysis is the key element to determine the proportionate and adequate security measures according to the information and services to be protected.

And regular audits will be carried out (for systems falling under Medium or High categories).

Basic principles

The following six basic and sound security principles should be considered when taking decisions about security:

• Security as an integral process: every process is concerned; it involves equipment, facilities, people and processes.

• Risk management: risk analysis and management is essential.

• Prevention, reaction and recovery.

• Defense in depth: physical, logical, organisational.

• Periodic re-evaluation: dynamic and reactive.

• Segregation of duties: the security role is separated from the operational role.

Minimum requirements

The security policy will be based on the basic principles and it will be developed to meet the following minimum requirements:

Page 7

These requirements may sound familiar, since they are aligned with well-known standards.

Fulfilment of requirements

To meet these minimum requirements, security measures will be selected considering the following:

• The category of the system, Basic, Medium or High, depending on the evaluation of the security dimensions (availability, authenticity, integrity, confidentiality, traceability).

• System categorisation is relevant to modulate the balance between the importance of the information handled, the services provided and the security effort required, depending on the risks to which they are exposed, based on the criterion of the principle of proportionality.

• The categorisation is made on the basis of the evaluation of the impact that an incident would have on the security of the information or services, with damage to availability, authenticity, integrity, confidentiality or traceability as security dimensions.

• The evaluation of the consequences of a negative impact on security is based on their repercussion on the organisation's capacity to achieve its objectives, to protect its assets, to provide its services, and to comply with the law and the rights of citizens.

• Always taking into account the provisions in the legislation on protection of personal data and the decisions taken to manage identified risks.
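As an added worked example (not code from the presentation or from the NSF itself), the following Python derives a system's category from the impact levels of the five dimensions named above, together with the audit cadence the talk gives for Medium and High systems. It assumes the Annex I rule of Royal Decree 3/2010 that the category is set by the highest level any dimension reaches; the `Level.NONE` value and the sample systems are constructed for illustration.

```python
"""Added worked example (not from the presentation): deriving the ENS
system category from per-dimension impact levels.

Assumed rule (Annex I, Royal Decree 3/2010, not stated in the talk):
the category is the highest level reached by any dimension. The 2-year
audit cadence for Medium/High systems is taken from the presentation."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple

# The five security dimensions named in the presentation.
DIMENSIONS = ("availability", "authenticity", "integrity",
              "confidentiality", "traceability")


class Level(IntEnum):
    """Impact of an incident on one dimension; NONE = not applicable (constructed)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


CATEGORY = {Level.LOW: "Basic", Level.MEDIUM: "Medium", Level.HIGH: "High"}


@dataclass(frozen=True)
class Categorisation:
    category: Optional[str]              # "Basic"/"Medium"/"High"; None if nothing applies
    driving_dimensions: Tuple[str, ...]  # dimensions that reached the top level
    audit_every_years: Optional[int]     # 2 for Medium/High (per the talk), None for Basic


def categorise(levels: Dict[str, Level]) -> Categorisation:
    """Map per-dimension impact levels to the system category.

    Dimensions omitted from `levels` are treated as not applicable (NONE).
    """
    unknown = sorted(set(levels) - set(DIMENSIONS))
    if unknown:
        raise ValueError(f"unknown security dimension(s): {unknown}")
    top = max(levels.values(), default=Level.NONE)
    if top == Level.NONE:
        return Categorisation(None, (), None)
    driving = tuple(d for d in DIMENSIONS if levels.get(d, Level.NONE) == top)
    audit = 2 if top >= Level.MEDIUM else None
    return Categorisation(CATEGORY[top], driving, audit)


# Constructed sample systems for illustration (not real Spanish systems).
SAMPLE_SYSTEMS = {
    # Public information site: only low impact on availability and integrity.
    "public-information-site": {"availability": Level.LOW, "integrity": Level.LOW},
    # Citizen filing service holding personal data: a single HIGH dimension
    # lifts the whole system to the High category.
    "citizen-filing-service": {"availability": Level.MEDIUM, "authenticity": Level.MEDIUM,
                               "integrity": Level.MEDIUM, "confidentiality": Level.HIGH,
                               "traceability": Level.MEDIUM},
    # Nothing valued yet: nothing to categorise.
    "unvalued-system": {},
}

if __name__ == "__main__":
    for name, levels in SAMPLE_SYSTEMS.items():
        print(f"{name}: {categorise(levels)}")
```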

Page 8

Security measures

There is a reference in the NSF to security measures. There are three general classes of security measures:

• Organisational: includes measures related to global security.

• Operational: includes the measures to protect the system's operation as a comprehensive set of components.

• Asset protection: includes measures to protect specific assets (facilities, personnel, equipment, communications, information media, applications, information, services), according to their nature and requirements.

The NSF tells the WHAT, but there is freedom on HOW to implement them.

Implementation of the NSF

Organisations providing eGovernment services will have to:

• Prepare and adopt a security policy

• Define roles and appoint persons

• Evaluate information and services (system categorisation)

• Carry out risk analysis

• Prepare and adopt a statement of applicability

• Implement, operate, and monitor the security

• Carry out audits every 2 years (H/M)

• Improve security

Audits

Periodic audits to assess compliance with the NSF are to be carried out, using widely recognized audit criteria and standards. Audit reports will be analysed by the security manager, who will communicate his conclusions to the operational manager to apply the required changes.

Page 9

Security of information systems shall be audited to examine that:

• The security policy defines roles and functions.

• There are procedures for resolving conflicts.

• Persons have been designated for the main roles according to the principle of "separation of roles".

• There is a risk analysis, approved and periodic.

• Compliance with security measures, according to system category and security requirements.

• There is a formal management system.

Implementation support: guidelines and tools

A big effort is ongoing to provide security guidelines:

801 – Roles and responsibilities

802 – Auditing guide

803 – Valuation of systems

804 – Implementation guidance

805 – Information security policy

806 – Security implementation plan

807 – Use of cryptography

808 – Inspection of compliance

809 – Statement of conformity

810 – Creation of a CERT/CSIRT

811 – Networking in the National Security Framework

812 – Security in web applications

814 – Security in e-mail

Together with supporting tools such as the following:

Risk analysis methodology and software tools:

• MAGERIT – Risk analysis methodology

• PILAR – Risk Analysis and Management Tool

Early warning services in the administrative network Red SARA

CERT services

Certification services (security certified products)

Training

Page 10

Government CERT, CCN-CERT

The NSF recognizes the role of the Government CERT, CCN-CERT, which provides:

• Support and coordination of other national CERTs, and the international point of contact.

• Support and coordination in incident resolution: incident response; the CERT may request audit reports from attacked systems.

• Research and dissemination of best practices.

• Awareness and training for the public sector.

• Reporting of vulnerabilities (Early Warning System).

• Support to the building of CERT capabilities in other administrations.

Certified products in the NSF

The NSF also recognizes the role of certified products to fulfil the minimum requirements proportionately, and the role of the Certification Body (CCN) of the Evaluation and Certification Scheme.

Certification is an aspect to be considered when purchasing security products.

And depending on the security level, the guideline is to use preferably certified products.

It includes an annex with a model clause for Technical Specifications.

The National Interoperability Framework

Just a short comment about the National Interoperability Framework, also created by the eGovernment Law.

It has the aim of creating the necessary conditions to ensure an adequate level of organizational, semantic and technical interoperability of systems and applications used by Public Administrations, in the service of the exercise of rights and the fulfilment of duties through the electronic access to public services; it also pursues providing benefits in terms of effectiveness and efficiency.

In order to create such conditions, the NIF introduces common elements to guide the action of the Public Administrations regarding interoperability.

Page 11

How do we collaborate

The cross-border nature of threats and the associated mitigation mechanisms make it essential to focus on strong cooperation.

The NSF is the result of a collaborative effort coordinated by MPTAP + CCN with the participation of all Public Administrations (central, regional, local, universities, justice) plus the opinion of Industry through their main associations.

During the last three years more than two hundred experts of Public Administrations have contributed to its elaboration, providing different profiles (ICT, legal, archives, etc.), together with a wide number of experts who have contributed with their opinion through the main associations of the ICT Industry.

Conclusions

• The NSF provides a legal framework to align security of eGov services across public administrations.

• It provides a global and coherent approach to security.

• It applies proportionality: a balance between the minimum requirements, the nature of the information and services to be protected and their risks.

• It references security measures: it tells the WHAT, but there is freedom on HOW to implement them.

• It takes into account the state of the art and the principal terms of reference from the EU, OECD, standardization and other countries.

• The NSF is a key element of the Spanish Security Strategy.

• It is a success story about cooperation: it was developed with the participation of all Public Administrations, and also with input from the private sector.

And finally, the challenges ahead:

• The main challenge now is to make the NSF a reality and to provide guidance, tools and training to facilitate the implementation of the NSF and resolve common issues and difficulties.

Page 12

To know more about IT security in Spain

Well, for more information about IT security and Spain:

• The NSF is available in English.

• There is a quite comprehensive country report made by ENISA.

• Also the ePractice factsheet of Spain provides a comprehensive overview of eGovernment in Spain.

• And the websites of the CCN, the Certification Body and the eGovernment Portal provide more information.

Thank you very much for your attention.

Miguel A. Amutio