The National Security Scheme (ENS) and the Onesait Platform
Introduction
The purpose of Spain's National Security Scheme (hereinafter ENS, from its Spanish acronym) is to establish measures that guarantee the security of systems, data, communications and electronic services.
In this context, network and information security is understood as the ability of networks or information systems to resist, with a certain level of confidence, accidents and illicit or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the data, either stored or transmitted, and of the services that said networks and systems offer or make accessible.
To comply with the foregoing, the security dimensions and their levels, the category of the systems, the appropriate security measures and the periodic security audit are determined.
System Categories
Dimensions
The determination of the category of a system is based on the assessment of the impact that an incident affecting the security of the information or systems would have on the organization.
In order to be able to determine the impact that an incident affecting the security of information or systems would have on the organization, and to be able to establish the category of the system, the following dimensions of security will be taken into account, which will be identified by their corresponding initials in capital letters in Spanish:
Disponibilidad – Availability
Autenticidad – Authenticity
Integridad – Integrity
Confidencialidad – Confidentiality
Trazabilidad – Traceability
Levels of a security dimension
Information or services may be affected in one or more of their security dimensions. Each affected security dimension is assigned one of the following levels: LOW, MEDIUM or HIGH. A security dimension that is not affected is not assigned any level.
LOW level: used when the consequences of a security incident affecting any of the security dimensions entail limited damage to the organization's functions, its assets or the affected individuals.
MEDIUM level: used when the consequences of a security incident affecting any of the security dimensions entail serious damage to the organization's functions, its assets or the affected individuals.
HIGH level: used when the consequences of a security incident affecting any of the security dimensions entail very serious damage to the organization's functions, its assets or the affected individuals.
| Limited damage (LOW) | Serious damage (MEDIUM) | Very serious damage (HIGH) |
|---|---|---|
| An appreciable reduction in the organization's capacity to effectively meet its current obligations, even though it continues to perform them | A significant reduction in the organization's ability to effectively meet its fundamental obligations, even though it continues to perform them | The annulment of the organization's capacity to attend to any of its fundamental obligations, such that these cannot continue to be performed |
| Minor damage to the organization's assets | Significant harm to the organization's assets | Very serious, even irreparable, damage to the organization's assets |
| A formal breach of any law or regulation, which is rectifiable | Material non-compliance with any law or regulation, or formal non-compliance that is not rectifiable | A serious breach of any law or regulation |
| Minor damage to some individual, which, even if annoying, can be easily repaired | Significant damage to an individual, which is difficult to repair | Serious damage to an individual, which is difficult or impossible to repair |
| Others of a similar nature | Others of a similar nature | Others of a similar nature |
When a system handles different information and provides different services, the level of the system in each dimension will be the highest of those established for each information and each service.
Category of an Information System
Three categories are defined: BASIC, MEDIUM and HIGH.
An information system will be of HIGH category if any of its security dimensions reaches the HIGH level.
An information system will be of MEDIUM category if any of its security dimensions reaches the MEDIUM level, and none reaches a higher level.
An information system will be of BASIC category if any of its security dimensions reaches the LOW level, and none reaches a higher level.
Security measures
Frameworks of Security Measures
Security measures are divided into three groups:
Organizational framework [org]: made up of the measures related to the overall organization of security.
Operational framework [op]: made up of the measures to be taken to protect the operation of the system as an integral set of components serving a given purpose.
Protection measures [mp]: measures focused on protecting specific assets, according to their nature and the quality required by the security level of the affected dimensions.
Selection of security measures
For the selection of security measures, the following steps will be followed:
1. Identification of the types of assets present.
2. Determination of the relevant security dimensions.
3. Determination of the level corresponding to each security dimension.
4. Determination of the category of the system.
5. Selection of the appropriate security measures from among those contained in the following point.
The list of selected measures will be formalized in a document called Declaration of Applicability, signed by the person responsible for system security.
Table of Security Policies
The correspondence between the security levels required in each dimension and the security measures is specified in the following table (Links lead to information in Spanish):
| Dimensions | BASIC | MEDIUM | HIGH | Measure |
|---|---|---|---|---|
| op | | | | **Operational framework** |
| | | | | *Planning* |
| category | applies | + | ++ | Risk analysis |
| category | applies | + | ++ | Security architecture |
| category | applies | = | = | Acquisition of new components |
| D | n.a. | applies | = | Sizing / Capacity management |
| category | n.a. | n.a. | applies | Certified components |
| | | | | *Access control* |
| A T | applies | = | = | Identification |
| I C A T | applies | = | = | Access requirements |
| I C A T | n.a. | applies | = | Segregation of duties and tasks |
| I C A T | applies | = | = | Access rights management process |
| I C A T | applies | + | ++ | Authentication mechanism |
| I C A T | applies | + | ++ | Local login |
| I C A T | applies | + | = | Remote login |
| | | | | *Operation* |
| category | applies | = | = | Inventory of assets |
| category | applies | = | = | Security configuration |
| category | n.a. | applies | = | Configuration management |
| category | applies | = | = | Maintenance |
| category | n.a. | applies | = | Change management |
| category | applies | = | = | Protection against malicious code |
| category | n.a. | applies | = | Incident management |
| T | applies | + | ++ | User activity log |
| category | n.a. | applies | = | Incident management log |
| T | n.a. | n.a. | applies | Protection of activity logs |
| category | applies | + | = | Protection of cryptographic keys |
| | | | | *External services* |
| category | n.a. | applies | = | Contracting and service level agreements |
| category | n.a. | applies | = | Daily management |
| D | n.a. | n.a. | applies | Alternative means |
| | | | | *Service continuity* |
| D | n.a. | applies | = | Impact analysis |
| D | n.a. | n.a. | applies | Continuity plan |
| D | n.a. | n.a. | applies | Periodic tests |
| | | | | *System monitoring* |
| category | n.a. | applies | = | Intrusion detection |
| category | applies | + | ++ | Metrics system |
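As an added example (not part of this page and not Onesait Platform code), the following Python applies the rules above to a constructed sample system: the system's level in each dimension is the highest over its information and services, the category follows from the highest level, and a few rows of the table are looked up to produce the entries for the Declaration of Applicability. The reading of the table cells (`n.a.`, `applies`, `=`, `+`, `++`) is my assumption, following the usual ENS convention.

```python
# Added example (not Onesait Platform code) applying the ENS rules on this page.
# Assumed reading of table cells (usual ENS convention): "n.a." = not applicable,
# "applies" = required, "=" = same as the level to its left, "+"/"++" = reinforced.
LEVEL_RANK = {None: 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
CATEGORY_BY_RANK = {1: "BASIC", 2: "MEDIUM", 3: "HIGH"}

# Constructed sample: a few rows of the table above as
# (dimension tag, BASIC/LOW cell, MEDIUM cell, HIGH cell, measure).
MEASURES = [
    ("category", "applies", "+", "++", "Risk analysis"),
    ("D", "n.a.", "applies", "=", "Sizing / Capacity management"),
    ("I C A T", "n.a.", "applies", "=", "Segregation of duties and tasks"),
    ("T", "n.a.", "n.a.", "applies", "Protection of activity logs"),
    ("D", "n.a.", "n.a.", "applies", "Continuity plan"),
]
# Constructed sample system: per information/service, its D/I/C/A/T levels (unaffected omitted).
SAMPLE_SYSTEM = [{"D": "MEDIUM", "I": "LOW", "C": "LOW"}, {"A": "LOW", "T": "HIGH"}]

def system_levels(assets):
    """Level per dimension: the highest assigned by any information/service."""
    levels = {}
    for asset in assets:
        for dim, level in asset.items():
            if LEVEL_RANK[level] > LEVEL_RANK[levels.get(dim)]:
                levels[dim] = level
    return levels

def system_category(levels):
    """HIGH if any dimension is HIGH, else MEDIUM, else BASIC; None if none affected."""
    top = max((LEVEL_RANK[lv] for lv in levels.values()), default=0)
    return CATEGORY_BY_RANK.get(top)

def resolve_cell(cells, idx):
    """A '=' cell inherits the requirement of the nearest lower level."""
    while idx >= 0 and cells[idx] == "=":
        idx -= 1
    return None if idx < 0 or cells[idx] == "n.a." else cells[idx]

def applicable_measures(assets):
    """Declaration of Applicability entries {measure: requirement}: 'category' rows
    are read against the system category, dimension-tagged rows against the
    highest level among the listed dimensions."""
    levels = system_levels(assets)
    cat_rank = max((LEVEL_RANK[lv] for lv in levels.values()), default=0)
    selected = {}
    for tag, *cells, name in MEASURES:
        rank = cat_rank if tag == "category" else max(LEVEL_RANK[levels.get(d)] for d in tag.split())
        req = resolve_cell(cells, rank - 1) if rank else None
        if req:
            selected[name] = req
    return selected
```

For the sample system the category is HIGH (T reaches HIGH), "Continuity plan" is excluded because D is only MEDIUM, and "Segregation of duties and tasks" resolves its HIGH-column `=` back to `applies`.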