To carry out the ENS Certification/Conformity process, an Adequacy Plan must be drawn up (Phase 5 of the process). It builds on the four (4) previous phases (Security Policy, System Categorization, Risk Analysis and Statement of Applicability/Compliance Profile).
The Adequacy Plan shall contain the following:
- Prepare and approve the Security Policy, including the definition of roles and the allocation of responsibilities.
- Categorize the systems according to:
  - the assessment of the information handled;
  - the services provided and their assessment;
  - the personal data processed.
- Perform the risk analysis, including an assessment of the security measures already in place.
- Prepare and approve the Statement of Applicability of the measures in Annex II of the ENS and the Compliance Profile.
- Prepare an Adequacy Plan for improving security, based on the shortcomings detected, including estimated deadlines for implementation.
To facilitate the Security Implementation phase, the following CCN-STIC Guidelines have been developed:
- CCN-STIC-803 Assessment of Systems in the ENS
- CCN-STIC-807 Use of Cryptology in the ENS
- CCN-STIC-808 Verification of Compliance with ENS Measures
- CCN-STIC-811 Interconnection in the ENS
- CCN-STIC-812 Web Service Protection
- CCN-STIC-814 Mail Service Protection
- CCN-STIC-820 Protection against DoS
- CCN-STIC-821 Security Standards in the ENS
- CCN-STIC-822 Security Procedures in the ENS
- CCN-STIC-826 Security Implementation
- CCN-STIC-835 Metadata Deletion
- CCN-STIC-836 ENS - VPN Security
For information systems within the scope of the ENS categorized as MEDIUM or HIGH, conformity is determined by a formal audit procedure that verifies compliance with the ENS requirements on a regular basis, at least every two years. Exceptionally, the audit shall also be carried out whenever the system undergoes significant modifications that could affect the security measures to be adopted.
For information systems within the scope of the ENS categorized as BASIC, a self-assessment procedure is sufficient; it verifies compliance with the ENS requirements on a regular basis, at least every two years. Exceptionally, the self-assessment shall also be carried out whenever the system undergoes significant modifications that could affect the security measures to be adopted.
Although a formal audit is only mandatory for MEDIUM and HIGH category systems, nothing prevents a BASIC category system from also undergoing a formal conformity audit, and doing so is always advisable.
As set out in Annex I of the ENS, conformity of a specific information system with the standard necessarily involves adopting, and declaring that they have been implemented, the security measures required for that system according to its category (BASIC, MEDIUM or HIGH), and ensuring that those measures are maintained throughout the system's life cycle.
The bodies to which the ENS applies are required to complete and report on the Security Status. To support this obligation, the CCN has developed the INES (National Security Status Report) project, which facilitates the task for all bodies:
INES: Report on the State of Security in the ENS
Information security management is a constantly changing process. Changes in the organization, in the threats it faces, in technology or in legislation are examples of why continuous improvement of systems is necessary. A permanent process must therefore be set up, which will involve, among other things:
- Review of the Information Security Policy.
- Review of services and information and of their categorization.
- Updating of the risk analysis, at least annually.
- Conducting audits, at least every two years.
- Review of security measures.
- Review and updating of procedures.
- Review of the Security Status (INES).
Cycle of continuous improvement
The Spanish Federation of Municipalities and Provinces (FEMP), with the collaboration of the National Cryptologic Centre, has published the Book of Recommendations: Itinerary of Adaptation to the National Security Scheme (ENS). It describes the guidelines, requirements and steps to be followed to define a personalised roadmap for adapting local authorities to the ENS, covering the definition and legal framework of the scheme, the roles to be adopted according to the competences within the organisation, the model to be followed (divided into phases, actions, tasks and levels) and different measurement systems. It also includes the protection measures to be implemented in town hall premises and for personnel management, equipment and communications, information media, computer applications, and the information and services provided.