We have heard some news in these first months of 2018 related to the National Security Scheme (ENS), the mandatory IT security compliance framework for the Public Administration.
In February, LEET Security was accredited as a certification entity under the ENS, and in April the resolutions approving two new Technical Security Instructions were published in the Official Government Bulletin; their objective is to further develop the implementation of the requirements and measures set out in the ENS (Royal Decree 3/2010).
On the one hand, the resolution of March 27, 2018 approves the Technical Security Instruction on Information Systems Security Audit (BOE-A-2018-4573). On the other, the resolution of April 13, 2018 approves the Technical Security Instruction on Security Incident Notification (BOE-A-2018-5370).
The purpose of the Audit Technical Security Instruction is to establish the conditions for carrying out the audits provided for in Article 34 of Royal Decree 3/2010. According to the regulation, MEDIUM and HIGH category information systems must pass a security audit at least every two years, whereas BASIC category systems only require a self-assessment, which can be carried out by the staff operating the system.
With respect to how the audit is carried out, the instruction sets out the audit team's obligation to collect the relevant evidence that supports the report's conclusions.
The instruction emphasizes the independence of the Certification Authority, and stresses that audit activities cannot include consultancy tasks or the implementation of security measures.
It also regulates what the audit reports must contain. Specifically, a report must state the system's category, provide objective evidence, classify the findings, set out the conclusions reached, and deliver a judgment. Three judgments are identified: favourable, when there are no non-conformities; favourable with non-conformities, when the existence of non-conformities is proven; and unfavourable, when the non-conformities cannot be resolved with a corrective action plan, which requires an extraordinary audit to verify that appropriate measures have been adopted. For more detail on the final audit opinion, CCN-STIC Guide 824 can be consulted.
The General Data Protection Regulation is referenced in an additional provision at the end of the instruction, which states that if the audited systems include personal data processing, that regulation must be complied with and the Data Protection Officer must be informed.
As a reminder, ENS compliance applies not only to public administrations, but also extends to the suppliers that provide them with technological solutions or services. Therefore, to offer IT services or solutions to any public administration (municipalities, CCAA, public universities, the general state administration), it must be taken into account that an ENS declaration or certification will be required.
The National Cryptological Center has also released the list of private entities that currently hold compliance certification, available on the CCN-CERT web page. For each organization, the certified information systems, their category, the supported services, and the grant date are listed (the systems must be audited at least every two years). This information can be very useful to public administrations when selecting their external suppliers.
Whether or not we are required to hold ENS compliance certification, we shouldn't forget that rating a service serves not only regulatory compliance but also the improvement of cybersecurity capabilities. This is why rating any IT service is highly recommended, both to ensure the availability of the service and to give confidence to customers, and in this way stand out from the competition.
The advantage of LEET Security as a certifying entity is that it has integrated and mapped the ENS controls within its reference framework, so that the services under evaluation can obtain both the ENS Conformity Certification and the LEET Cybersecurity Rating as the result of a single audit process.
All you need is LEET.