The National Security Scheme (ENS) and the Onesait Platform (part I)

The purpose of Spain’s National Security Scheme (hereinafter ENS after the acronym in Spanish) is the creation of measures to guarantee the security of systems, data, communications, and electronic services.

In this context, network and information security is understood as the ability of networks or information systems to resist, with a certain level of confidence, accidents and illicit or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the data, either stored or transmitted, and of the services that said networks and systems offer or make accessible.

To comply with the foregoing, the security dimensions and their levels, the category of the systems, the appropriate security measures and the periodic security audit are determined.

System Categories

Dimensions

The determination of the category of a system is based on the assessment of the impact that an incident affecting the security of the information or systems would have on the organization.

In order to be able to determine the impact that an incident affecting the security of information or systems would have on the organization, and to be able to establish the category of the system, the following dimensions of security will be taken into account, which will be identified by their corresponding initials in capital letters in Spanish:

  • Disponibilidad – Availability
  • Autenticidad – Authenticity
  • Integridad – Integrity
  • Confidencialidad – Confidentiality
  • Trazabilidad – Traceability

Levels of a security dimension

Information or services may be affected in one or more of its security dimensions. Each security dimension affected will be assigned to one of the following levels: LOW, MEDIUM or HIGH. If a security dimension is not affected, it will not be assigned to any level.

  • LOW level: it will be used when the consequences of a security incident that affects any of the security dimensions entail a limited damage on the functions of the organization, on its assets or on the affected individuals.
  • MEDIUM level: it will be used when the consequences of a security incident that affects any of the security dimensions entail serious damage to the organization’s functions, on its assets or on the affected individuals.
  • HIGH level: it will be used when the consequences of a security incident that affects any of the security dimensions entail a very serious damage on the functions of the organization, on its assets or on the affected individuals.
Limited damageSerious damageVery serious damage
The appreciable reduction in the organization’s capacity to effectively meet its current obligations, even though it continues to perform them.The significant reduction in the organization’s ability to effectively meet its fundamental obligations, even though it continues to perform them.The annulment of the capacity of the organization to attend to any of its fundamental obligations and that these can continue to be performed.
Suffering minor damage to the organization’s assets.Suffering significant harm to the organization’s assets.Suffering of very serious, and even irreparable, damage to the assets of the organization.
The formal breach of any law or regulation, which is rectifiable.
Material non-compliance with any law or regulation, or formal non-compliance that is not rectifiable.Serious breach of any law or regulation.
Causing minor damage to some individual, which, even being annoying, can be easily repaired.Cause significant damage to an individual, which is difficult to repair.Causing serious damage to an individual, which is difficult or impossible to repair.
Others of a similar nature.Others of a similar nature.Others of a similar nature.

When a system handles different information and provides different services, the level of the system in each dimension will be the highest of those established for each information and each service.

Category of an information system

Three categories are defined: BASIC, MEDIUM and HIGH.

  • An information system will be of HIGH category if any of its security dimensions reaches the HIGH level.
  • An information system will be of MEDIUM category if any of its security dimensions reaches the MEDIUM level, and none reaches a higher level.
  • An information system will be of BASIC category if any of its security dimensions reaches the LOW level, and none reaches a higher level.

Security measures

Measurement frameworks

Security measures are divided into three groups:

  • Organizational framework [org]: made up by the set of measures related to the global organization of security.
  • Operational framework [op]: made up by the measures to be taken to protect the operation of the system as an integral set of components for a given purpose.
  • Protection measures [mp]: they focus on protecting specific assets, according to their nature and the quality required by the security level of the affected dimensions.

Selection of security measures

For the selection of security measures, the following steps will be followed:

  1. Identification of the types of assets present.
  2. Determination of relevant security dimensions.
  3. Determination of the level corresponding to each security dimension.
  4. Determination of the category of the system.
  5. Selection of the appropriate security measures from among those contained in the following point.

The list of selected measures will be formalized in a document called Declaration of Applicability, signed by the person responsible for system security.

Table of Security Policies

The correspondence between the security levels required in each dimension and the security measures is specified in the following table:

DimensionsSecurity measures
AffectedLow (L)Medium (M)High (H)orgOrganizational framework
categoryapplies==[org.1]Security Policy
categoryapplies==[org.2]Safety regulations
categoryapplies==[org.3]Security procedures
categoryapplies==[org.4]Authorization process
opOperational framework
[op.pl]Planning
categoryapplies++ +[op.pl.1]Risk analysis
categoryapplies++ +[op.pl.2]Architecture of security
categoryapplies==[op.pl.3]Acquisition of new components
Dn.a.applies=[op.pl.4]Sizing / Capacity management
categoryn.a.n.a.applies[op.pl.5]Certified components
[op.acc]Access control
A Tapplies==[op.acc.1]Identification
I C A Tapplies==[op.acc.2]Access requirements
I C A Tn.a.applies=[op.acc.3]Segregation of duties and tasks
I C A Tapplies==[op.acc.4]Access rights management process
I C A Tapplies++ +[op.acc.5]Authentication mechanism
I C A Tapplies++ +[op.acc.6]Local login
I C A Tapplies+=[op.acc.7]Remote login
[op.exp]Exploitation
categoryapplies==[op.exp.1]Asset inventory
categoryapplies==[op.exp.2]Security configuration
categoryn.a.applies+[op.exp.3]Configuration management
categoryapplies==[op.exp.4]Maintenance
categoryn.a.applies+[op.exp.5]Change management
categoryapplies==[op.exp.6]Protection against harmful code
categoryn.a.applies=[op.exp.7]Incident management
Tapplies++ +[op.exp.8]User activity log
categoryn.a.applies=[op.exp.9]Incident management log
Tn.a.n.a.applies[op.exp.10]Protection of activity logs
categoryapplies+=[op.exp.11]Protection of cryptographic keys
[op.ext]External Services
categoryn.a.applies=[op.ext.1]Hiring and service level agreements
categoryn.a.applies=[op.ext.2]Daily management
Dn.a.n.a.applies[op.ext.9]Alternative means
[op.cont]Service continuity
Dn.a.applies=[op.cont.1]Impact analysis
Dn.a.n.a.applies[op.cont.2]Continuity plan
Dn.a.n.a.applies[op.cont.3]Periodic tests
[op.mon]System monitoring
categoryn.a.applies=[op.mon.1]Intrusion detection
categoryapplies++ +[op.mon.2]System of metrics
mpProtection measures
[mp.if]Protection of installations and infrastructures
categoryapplies==[mp.if.1]Separate areas with access control
categoryapplies==[mp.if.2]Identification of people
categoryapplies==[mp.if.3]Conditioning of premises
Dapplies+=[mp.if.4]Electrical energy
Dapplies==[mp.if.5]Fire protection
Dn.a.applies=[mp.if.6]Protection against floods
categoryapplies==[mp.if.7]Equipment entry and exit registration
Dn.a.n.a.applies[mp.if.9]Alternative installations
[mp.per]Personnel management
categoryn.a.applies=[mp.per.1]Job description
categoryapplies==[mp.per.2]Duties and obligations
categoryapplies==[mp.per.3]Awareness
categoryapplies==[mp.per.4]Training
Dn.a.n.a.applies[mp.per.9]Alternate staff
[mp.eq]Protection of equipment
categoryapplies+=[mp.eq.1]Job station clearing
An.a.applies+[mp.eq.2]Job station blocking
categoryapplies=+[mp.eq.3]Protection of portable devices
Dn.a.applies=[mp.eq.9]Alternative means
[mp.com]Protection of communications
categoryapplies=+[mp.com.1]Secure perimeter
Cn.a.applies+[mp.com.2]Confidentiality protection
I Aapplies++ +[mp.com.3]Authenticity and integrity protection
categoryn.a.n.a.applies[mp.com.4]Network segregation
Dn.a.n.a.applies[mp.com.9]Alternative means
[mp.si]Protection of information carriers
Capplies==[mp.si.1]Labeling
I Cn.a.applies+[mp.si.2]Cryptography
categoryapplies==[mp.si.3]Custody
categoryapplies==[mp.si.4]Transportation
Capplies+=[mp.si.5]Deletion and destruction
[mp.sw]Protection of software
categoryn.a.applies=[mp.sw.1]Development
categoryapplies++ +[mp.sw.2]Acceptance and commissioning
[mp.info]Protection of Information
categoryapplies==[mp.info.1]Personal data
Capplies+=[mp.info.2]Information rating
Cn.a.n.a.applies[mp.info.3]Encryption
I Aapplies++ +[mp.info.4]Electronic signature
Tn.a.n.a.applies[mp.info.5]Time stamps
Capplies==[mp.info.6]Document cleanup
Dapplies==[mp.info.9]Backup copies
[mp.s]Protection of services
categoryapplies==[mp.s.1]Protection of e-mail
categoryapplies=+[mp.s.2]Protection of services and web applications
Dn.a.applies+[mp.s.8]Protection against denial of service
Dn.a.n.a.applies[mp.s.9]Alternative means

  • Color code:
    • Green color specifies that a certain measure is applied in systems of BASIC category or higher.
    • Yellow to indicate the measures that are beginning to be applied in the MEDIUM category or higher.
    • Pink to indicate the measures that are only applicable in the HIGH category.
  • To indicate that a given security measure must be applied to one or more security dimensions at a given level, the term «applies» is used.
  • «n.a.» means «not applicable».
  • To indicate that the requirements of a level are equal to those of the lower level, the == sign is used.
  • To indicate the increase in requirements graduated according to the level of the security dimension, the signs + and ++ are used.
  • To indicate that a measure specifically protects a certain security dimension, it is made explicit by its initial in Spanish (Availability/Disponibilidad [D], Authenticity/Autenticidad [A], Integrity/Integridad [I], Confidentiality/Confidencialidad [C] and Traceability/Trazabilidad [T]).

Security Audit

The audit levels that are carried out on the information systems will be as follows:

Audit of BASIC category systems

BASIC category information systems, or lower, will not need to perform an audit. A self-assessment carried out by the same personnel that manages the information system, or whomever she delegates, will suffice.

The result of the self-assessment must be documented, indicating whether each security measure is implemented and subject to regular review and the evidence that supports the previous assessment.

The self-assessment reports will be analyzed by the competent security manager, who will submit the conclusions to the person in charge of the system so that the appropriate corrective measures can be taken.

Audit of MEDIUM or HIGH category systems

The audit report will rule on the degree of compliance with the ENS, identify its deficiencies and suggest the possible corrective or complementary measures that are necessary, as well as the recommendations that are considered appropriate.

It must also include the methodological audit criteria used, the scope and objective of the audit, and the data, facts and observations on which the conclusions drawn are based.

The audit reports will be analyzed by the competent security manager, who will then present her conclusions to the system manager so that the appropriate corrective measures can be taken.


As you can see, the National Security Scheme is serious and very exhaustive, considering a large number of concepts, situations and elements.

The Onesait Platform takes this scheme into account, counting on a large number of these measures resolved by the design of its architecture. In the next post, we will analyze these resolved subsections one by one so that you know first-hand how we solve them.

One thought on “The National Security Scheme (ENS) and the Onesait Platform (part I)

Leave a Reply

Your email address will not be published.