National Security Framework (ENS)

Local authorities

The National Cryptologic Centre offers all its support so that Local Entities have secure systems for the exercise of their competences, both for Provincial Councils, Island Councils and Town Councils, whatever their size, with special attention to achieving the most possible and pragmatic adaptation to the ENS in those entities with difficulties in achieving it.

Abstract - Certification Framework in the ENS for Local Authorities

The special characteristics that frame the administrative actions of the smallest Local Entities and their limited resources mean that compliance with the National Security Framework (ENS) and its subsequent Certification are obligations that are difficult to fulfil on an individual basis. For this reason, it seems necessary to develop specific actions that include multi-agency compliance and implementation mechanisms aimed at homogeneous groups of these entities, as well as a Specific Certification Framework that includes an audit and certification procedure that optimises the aforementioned resources.

Download

County Council or equivalent body as certification body of the ENS

Pinche para ampliar

__ Itinerary of actions of the Certification Framework in the ENS for Local Authorities

Itinerary of actions of the Certification Framework in the ENS for Local Authorities

Clic to enlarge

You can consult the details of each of the phases of application of the Certification Framework in the ENS for Local Entities (14) by selecting the number at the top.

1. Alignment with the ENS - County Council or equivalent body

Activity

Adequacy of the information systems of the Provincial Council or equivalent body to the provisions of the ENS (BASIC category):

Information Security Policy.
Internal Regulations.
Security Procedures.
Development of Service Sheets (determination of security levels for each dimension).
Categorisation of the information system.
Obtaining the provisional DA.
Risk analysis.
Obtaining the definitive DA.
Implementation of the required security measures.

Support

CCN *
To be determined by the County Council or equivalent body

Supporting documentation:

CCN-STIC Guide 883
Annex III CCN-STIC 883

* The reference to the CCN comprises the CCN's own resources plus those allocated by the CCN to this type of project.

2. Alignment with the ENS - Provincial Council or equivalent body

Activity

Obtaining Certification of Conformity with the ENS (BASIC category) of the information systems used for the provision of services to the local authorities dependent on the Provincial Council or equivalent body.

Support

Certification Body accredited by ENAC

3. Recognition of the Technical Audit Body

Activity

Recognition of the Technical Audit Body with the capacity to carry out audits and issue Certificates of Conformity in the ENS (OAT-Diputación or equivalent body).

Constitution of the Technical Audit Body of the Provincial Council or equivalent body.
Inclusion of the activity of auditing the information systems of the dependent entities among the functions of the Provincial Council or equivalent body.

Support

CCN

Supporting documentation:

CCN-STIC Guide 122

4. Technological infrastructure EE.LL.

Activity

Determination of Similar Technological Infrastructure in the Local Agencies

Support

To be determined

5. Selection of the MCE-ENS’ Local Agencies

Activity

Selection of the dependent Local Agencies that, in a first phase, will make up the ENS Specific Certification Framework (MCE-ENS).

Support

To be determined

6. Selection of representative sample (MR)

Activity

Selection of the Local Agency members of the MCE-ENS that will form part of the representative sample (MR).

Support

To be determined

7. Creation of COMSEG

Activity

Creation of the Security Committee of the Provincial Council or equivalent body (with the participation of the dependant Local Agencies to be determined).

Support

CCN-STIC Guide 883
Annex I, III CCN-STIC 883

8. Joint Adequacy Plan

Activity

Development and approval of the Joint Adequacy Plan, including:

Information Security Policy.
Internal Regulations.
Security Procedures.
Development of Service Sheets (determination of security levels for each dimension).
Categorisation of the information system.
Obtaining the provisional DA.
Risk analysis.
Obtaining the definitive DA.

Support

CCN

Supporting documentation:

CCN-STIC Guide 883
Annex I CCN-STIC 883

9. MR's compliance with the ENS

Activity

Implementation of the security measures of Annex II of the ENS (Operational Framework and Protection Measures) in the Local Agencies of the MR.

Support

To be determined

Supporting documentation:

CCN-STIC Guide 883A
CCN-STIC Guide 804

10. Internal audit

Activity

Development of an internal audit of the RM's LL.S.

Support

TAO-Deputation or equivalent body

Supporting documentation:

CCN-STIC Guide 883A
CCN-STIC Guides 303, 411, 802, 808

11. Certification Audit/span>

Activity

Development of the Certification Audits of the MR’s Local Agencies by one (or several) ENS Certification Entity(ies) accredited by ENAC.

Support

ENS Certification Entity(ies)

12. Issuance of APC

Activity

Granting of the Provisional Approval of Conformity (APC) to the MCE-ENS’ Local Agencies.

Awarding of the APC Distinctive.

Publication of the award on the CCN website.

(This is the start of the 2-year period to obtain the ENS Compliance Certification).

Support

CCN

13. Definitive adaptation of the Local Agencies adhering to the Certification Framework

Activity

Implementation of the security measures of Annex II of the ENS (Operational Framework and Protection Measures) in the Local Agencies of the rest of the MCE-ENS.

Support

To be determined

Supporting documentation:

CCN-STIC Guide 883A
CCN-STIC Guide 804

14. Certification Audit(s)

Activity

Development of the Certification Audits to the MCE-ENS’ Local Agencies by the Technical Audit Body of the Provincial Council or equivalent body.

(Two years are available for this)

Support

TAO-Provincial Council or equivalent body

Supporting documentation:

CCN-STIC Guides 122, IC-01, 303, 411, 802, 808

Cycle of continuous safety improvement

Clic to enlarge

Activities 13 and 14 comprise the Continuous Safety Improvement Cycle, and cover the following tasks by the Security Office-vSOC and the Technical Audit Body (OAT).

__ Documents of interest:

Approaching the cyber security governance framework

Cybersecurity handbook for local authorities

ENS Certification Framework for Local Authorities. Compliance verification process

Volume 1 - Strategic security guidance for local authorities

Volume 2 - Guide for local authorities with less than 2,000 inhabitants

CCN-STIC-883 ENS Implementation Guide for Local Bodies

The New Guide 883 provides a roadmap to facilitate the Implementation of the National Security Framework for the Local Agencies. Adequacy Plans are presented as well as the set of security measures of Annex II of the ENS that are applicable, adapted and associated to the different population ranges (Specific Compliance Profiles). For the first time, the Provincial Councils are included.

This guide replaces the previous CCN-STIC 883 and Annex II of CCN-STIC 803 which presented an example of a catalogue of assets and their valuation for Local Agencies.

Download

Annexes guide CCN-STIC-883