The purpose of Spain’s National Security Scheme (hereinafter ENS after the acronym in Spanish) is the creation of measures to guarantee the security of systems, data, communications, and electronic services.
In this context, network and information security is understood as the ability of networks or information systems to resist, with a certain level of confidence, accidents and illicit or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the data, either stored or transmitted, and of the services that said networks and systems offer or make accessible.
To comply with the foregoing, the security dimensions and their levels, the category of the systems, the appropriate security measures and the periodic security audit are determined.
The determination of the category of a system is based on the assessment of the impact that an incident affecting the security of the information or systems would have on the organization.
In order to be able to determine the impact that an incident affecting the security of information or systems would have on the organization, and to be able to establish the category of the system, the following dimensions of security will be taken into account, which will be identified by their corresponding initials in capital letters in Spanish:
- Disponibilidad – Availability
- Autenticidad – Authenticity
- Integridad – Integrity
- Confidencialidad – Confidentiality
- Trazabilidad – Traceability
Levels of a security dimension
Information or services may be affected in one or more of its security dimensions. Each security dimension affected will be assigned to one of the following levels: LOW, MEDIUM or HIGH. If a security dimension is not affected, it will not be assigned to any level.
- LOW level: it will be used when the consequences of a security incident that affects any of the security dimensions entail a limited damage on the functions of the organization, on its assets or on the affected individuals.
- MEDIUM level: it will be used when the consequences of a security incident that affects any of the security dimensions entail serious damage to the organization’s functions, on its assets or on the affected individuals.
- HIGH level: it will be used when the consequences of a security incident that affects any of the security dimensions entail a very serious damage on the functions of the organization, on its assets or on the affected individuals.
|Limited damage||Serious damage||Very serious damage|
|The appreciable reduction in the organization’s capacity to effectively meet its current obligations, even though it continues to perform them.||The significant reduction in the organization’s ability to effectively meet its fundamental obligations, even though it continues to perform them.||The annulment of the capacity of the organization to attend to any of its fundamental obligations and that these can continue to be performed.|
|Suffering minor damage to the organization’s assets.||Suffering significant harm to the organization’s assets.||Suffering of very serious, and even irreparable, damage to the assets of the organization.|
|The formal breach of any law or regulation, which is rectifiable.||Material non-compliance with any law or regulation, or formal non-compliance that is not rectifiable.||Serious breach of any law or regulation.|
|Causing minor damage to some individual, which, even being annoying, can be easily repaired.||Cause significant damage to an individual, which is difficult to repair.||Causing serious damage to an individual, which is difficult or impossible to repair.|
|Others of a similar nature.||Others of a similar nature.||Others of a similar nature.|
When a system handles different information and provides different services, the level of the system in each dimension will be the highest of those established for each information and each service.
Category of an information system
Three categories are defined: BASIC, MEDIUM and HIGH.
- An information system will be of HIGH category if any of its security dimensions reaches the HIGH level.
- An information system will be of MEDIUM category if any of its security dimensions reaches the MEDIUM level, and none reaches a higher level.
- An information system will be of BASIC category if any of its security dimensions reaches the LOW level, and none reaches a higher level.
Security measures are divided into three groups:
- Organizational framework [org]: made up by the set of measures related to the global organization of security.
- Operational framework [op]: made up by the measures to be taken to protect the operation of the system as an integral set of components for a given purpose.
- Protection measures [mp]: they focus on protecting specific assets, according to their nature and the quality required by the security level of the affected dimensions.
Selection of security measures
For the selection of security measures, the following steps will be followed:
- Identification of the types of assets present.
- Determination of relevant security dimensions.
- Determination of the level corresponding to each security dimension.
- Determination of the category of the system.
- Selection of the appropriate security measures from among those contained in the following point.
The list of selected measures will be formalized in a document called Declaration of Applicability, signed by the person responsible for system security.
Table of Security Policies
The correspondence between the security levels required in each dimension and the security measures is specified in the following table:
|Affected||Low (L)||Medium (M)||High (H)||org||Organizational framework|
|category||applies||+||+ +||[op.pl.1]||Risk analysis|
|category||applies||+||+ +||[op.pl.2]||Architecture of security|
|category||applies||=||=||[op.pl.3]||Acquisition of new components|
|D||n.a.||applies||=||[op.pl.4]||Sizing / Capacity management|
|I C A T||applies||=||=||[op.acc.2]||Access requirements|
|I C A T||n.a.||applies||=||[op.acc.3]||Segregation of duties and tasks|
|I C A T||applies||=||=||[op.acc.4]||Access rights management process|
|I C A T||applies||+||+ +||[op.acc.5]||Authentication mechanism|
|I C A T||applies||+||+ +||[op.acc.6]||Local login|
|I C A T||applies||+||=||[op.acc.7]||Remote login|
|category||applies||=||=||[op.exp.6]||Protection against harmful code|
|T||applies||+||+ +||[op.exp.8]||User activity log|
|category||n.a.||applies||=||[op.exp.9]||Incident management log|
|T||n.a.||n.a.||applies||[op.exp.10]||Protection of activity logs|
|category||applies||+||=||[op.exp.11]||Protection of cryptographic keys|
|category||n.a.||applies||=||[op.ext.1]||Hiring and service level agreements|
|category||applies||+||+ +||[op.mon.2]||System of metrics|
|[mp.if]||Protection of installations and infrastructures|
|category||applies||=||=||[mp.if.1]||Separate areas with access control|
|category||applies||=||=||[mp.if.2]||Identification of people|
|category||applies||=||=||[mp.if.3]||Conditioning of premises|
|D||n.a.||applies||=||[mp.if.6]||Protection against floods|
|category||applies||=||=||[mp.if.7]||Equipment entry and exit registration|
|category||applies||=||=||[mp.per.2]||Duties and obligations|
|[mp.eq]||Protection of equipment|
|category||applies||+||=||[mp.eq.1]||Job station clearing|
|A||n.a.||applies||+||[mp.eq.2]||Job station blocking|
|category||applies||=||+||[mp.eq.3]||Protection of portable devices|
|[mp.com]||Protection of communications|
|I A||applies||+||+ +||[mp.com.3]||Authenticity and integrity protection|
|[mp.si]||Protection of information carriers|
|C||applies||+||=||[mp.si.5]||Deletion and destruction|
|[mp.sw]||Protection of software|
|category||applies||+||+ +||[mp.sw.2]||Acceptance and commissioning|
|[mp.info]||Protection of Information|
|I A||applies||+||+ +||[mp.info.4]||Electronic signature|
|[mp.s]||Protection of services|
|category||applies||=||=||[mp.s.1]||Protection of e-mail|
|category||applies||=||+||[mp.s.2]||Protection of services and web applications|
|D||n.a.||applies||+||[mp.s.8]||Protection against denial of service|
- Color code:
- Green color specifies that a certain measure is applied in systems of BASIC category or higher.
- Yellow to indicate the measures that are beginning to be applied in the MEDIUM category or higher.
- Pink to indicate the measures that are only applicable in the HIGH category.
- To indicate that a given security measure must be applied to one or more security dimensions at a given level, the term «applies» is used.
- «n.a.» means «not applicable».
- To indicate that the requirements of a level are equal to those of the lower level, the == sign is used.
- To indicate the increase in requirements graduated according to the level of the security dimension, the signs + and ++ are used.
- To indicate that a measure specifically protects a certain security dimension, it is made explicit by its initial in Spanish (Availability/Disponibilidad [D], Authenticity/Autenticidad [A], Integrity/Integridad [I], Confidentiality/Confidencialidad [C] and Traceability/Trazabilidad [T]).
The audit levels that are carried out on the information systems will be as follows:
Audit of BASIC category systems
BASIC category information systems, or lower, will not need to perform an audit. A self-assessment carried out by the same personnel that manages the information system, or whomever she delegates, will suffice.
The result of the self-assessment must be documented, indicating whether each security measure is implemented and subject to regular review and the evidence that supports the previous assessment.
The self-assessment reports will be analyzed by the competent security manager, who will submit the conclusions to the person in charge of the system so that the appropriate corrective measures can be taken.
Audit of MEDIUM or HIGH category systems
The audit report will rule on the degree of compliance with the ENS, identify its deficiencies and suggest the possible corrective or complementary measures that are necessary, as well as the recommendations that are considered appropriate.
It must also include the methodological audit criteria used, the scope and objective of the audit, and the data, facts and observations on which the conclusions drawn are based.
The audit reports will be analyzed by the competent security manager, who will then present her conclusions to the system manager so that the appropriate corrective measures can be taken.
As you can see, the National Security Scheme is serious and very exhaustive, considering a large number of concepts, situations and elements.
The Onesait Platform takes this scheme into account, counting on a large number of these measures resolved by the design of its architecture. In the next post, we will analyze these resolved subsections one by one so that you know first-hand how we solve them.