Local authorities
The National Cryptologic Centre offers its full support so that Local Entities (Provincial Councils, Island Councils and Town Councils, whatever their size) have secure systems for the exercise of their competences, with special attention to achieving the most pragmatic adaptation possible to the ENS in those entities that have difficulty achieving it.
The special characteristics that frame the administrative actions of the smallest Local Entities and their limited resources mean that compliance with the National Security Framework (ENS) and its subsequent Certification are obligations that are difficult to fulfil on an individual basis. For this reason, it seems necessary to develop specific actions that include multi-agency compliance and implementation mechanisms aimed at homogeneous groups of these entities, as well as a Specific Certification Framework that includes an audit and certification procedure that optimises the aforementioned resources.

Itinerary of actions of the Certification Framework in the ENS for Local Authorities
1. Alignment with the ENS - Provincial Council or equivalent body
Activity
Adequacy of the information systems of the Provincial Council or equivalent body to the provisions of the ENS (BASIC category):
- Information Security Policy.
- Internal Regulations.
- Security Procedures.
- Development of Service Sheets (determination of security levels for each dimension).
- Categorisation of the information system.
- Obtaining the provisional DA.
- Risk analysis.
- Obtaining the definitive DA.
- Implementation of the required security measures.
Support
- CCN *
- To be determined by the Provincial Council or equivalent body
Supporting documentation:
- CCN-STIC Guide 883
- Annex III CCN-STIC 883
* The reference to the CCN comprises the CCN's own resources plus those allocated by the CCN to this type of project.
2. Alignment with the ENS - Provincial Council or equivalent body
Activity
Obtaining Certification of Conformity with the ENS (BASIC category) of the information systems used for the provision of services to the local authorities dependent on the Provincial Council or equivalent body.
Support
- Certification Body accredited by ENAC
3. Recognition of the Technical Audit Body
Activity
Recognition of the Technical Audit Body with the capacity to carry out audits and issue Certificates of Conformity in the ENS (OAT-Diputación or equivalent body).
- Constitution of the Technical Audit Body of the Provincial Council or equivalent body.
- Inclusion of the activity of auditing the information systems of the dependent entities among the functions of the Provincial Council or equivalent body.
Support
- CCN
Supporting documentation:
- CCN-STIC Guide 122
4. Technological infrastructure of the Local Agencies (EE.LL.)
Activity
Determination of Similar Technological Infrastructure in the Local Agencies
Support
- To be determined
5. Selection of the MCE-ENS’ Local Agencies
Activity
Selection of the dependent Local Agencies that, in a first phase, will make up the ENS Specific Certification Framework (MCE-ENS).
Support
- To be determined
6. Selection of representative sample (MR)
Activity
Selection of the Local Agency members of the MCE-ENS that will form part of the representative sample (MR).
Support
- To be determined
7. Creation of COMSEG
Activity
Creation of the Security Committee of the Provincial Council or equivalent body (with the participation of the dependent Local Agencies to be determined).
Support
- CCN-STIC Guide 883
- Annex I, III CCN-STIC 883
8. Joint Adequacy Plan
Activity
Development and approval of the Joint Adequacy Plan, including:
- Information Security Policy.
- Internal Regulations.
- Security Procedures.
- Development of Service Sheets (determination of security levels for each dimension).
- Categorisation of the information system.
- Obtaining the provisional DA.
- Risk analysis.
- Obtaining the definitive DA.
Support
- CCN
Supporting documentation:
- CCN-STIC Guide 883
- Annex I CCN-STIC 883
9. MR's compliance with the ENS
Activity
Implementation of the security measures of Annex II of the ENS (Operational Framework and Protection Measures) in the Local Agencies of the MR.
Support
- To be determined
Supporting documentation:
- CCN-STIC Guide 883A
- CCN-STIC Guide 804
10. Internal audit
Activity
Development of an internal audit of the MR's Local Agencies.
Support
- Technical Audit Body (OAT) of the Provincial Council or equivalent body
Supporting documentation:
- CCN-STIC Guide 883A
- CCN-STIC Guides 303, 411, 802, 808
11. Certification Audit
Activity
Development of the Certification Audits of the MR’s Local Agencies by one (or several) ENS Certification Entity(ies) accredited by ENAC.
Support
- ENS Certification Entity(ies)
12. Issuance of APC
Activity
Granting of the Provisional Approval of Conformity (APC) to the MCE-ENS’ Local Agencies.
Awarding of the APC Distinctive.
Publication of the award on the CCN website.
(This is the start of the 2-year period to obtain the ENS Compliance Certification).
Support
- CCN
13. Definitive adaptation of the Local Agencies adhering to the Certification Framework
Activity
Implementation of the security measures of Annex II of the ENS (Operational Framework and Protection Measures) in the Local Agencies of the rest of the MCE-ENS.
Support
- To be determined
Supporting documentation:
- CCN-STIC Guide 883A
- CCN-STIC Guide 804
14. Certification Audit(s)
Activity
Development of the Certification Audits to the MCE-ENS’ Local Agencies by the Technical Audit Body of the Provincial Council or equivalent body.
(Two years are available for this)
Support
- Technical Audit Body (OAT) of the Provincial Council or equivalent body
Supporting documentation:
- CCN-STIC Guides 122, IC-01, 303, 411, 802, 808
Documents of interest:
The New Guide 883 provides a roadmap to facilitate the Implementation of the National Security Framework for the Local Agencies. Adequacy Plans are presented as well as the set of security measures of Annex II of the ENS that are applicable, adapted and associated to the different population ranges (Specific Compliance Profiles). For the first time, the Provincial Councils are included.
This guide replaces the previous CCN-STIC 883 and Annex II of CCN-STIC 803 which presented an example of a catalogue of assets and their valuation for Local Agencies.