Law 40/2015 includes security among the principles of action of the public administrations, as well as the National Security Framework (ENS), which applies to the entire Public Sector and offers a common approach to security principles, requirements and measures.
The National Security Framework (ENS) provides the Public Sector in Spain with a common security approach for the protection of the information it handles and the services it provides. It promotes continuous security management, which is key for digital transformation in a context of cyberthreats. At the same time, it facilitates cooperation, provides a uniform set of requirements to the Industry, and serves as a reference of good practices.
The ENS was published by "Royal Decree 3/2010 of 8 January, which regulates the National Security Framework in the field of Electronic Administration", which is mainly responsible for establishing the security policy in the use of electronic means through the basic principles and minimum requirements that adequately guarantee the security of the information processed. It was subsequently amended by Royal Decree 951/2015, in light of the experience gained from its implementation since its publication in January 2010, the results of the security status report provided for in its article 35, the evolution of technology and cyberthreats, and the international and European regulatory context.
The main objective of the ENS is to create the necessary conditions of security in the use of electronic media, through measures to ensure the security of systems, data, communications, and electronic services, allowing the exercise of rights and the fulfillment of duties through these means.
Other objectives, also important although of a more instrumental nature, are: to promote the continuous management of security, regardless of specific impulses or their absence; to promote prevention, detection and correction for better resilience in the scenario of cyberthreats and cyberattacks; to promote a homogeneous treatment of security that facilitates cooperation in the provision of digital public services when different entities are involved, which is essentially achieved thanks to the common elements and language that must guide the actions of public sector entities; to facilitate the communication of information security requirements to the Industry; and also to serve as a model of good practice.
The above-mentioned basic principles (6) guide decisions on security matters, while the application of the minimum requirements (15) allows adequate protection of the information handled and the services provided.
75 SECURITY MEASURES INCLUDED IN THE ENS
The organisational framework consists of a set of measures relating to the overall organisation of security.
The operational framework is made up of the measures to be taken to protect the operation of the system as an integral set of components for one purpose.
Protection measures will focus on specific assets, according to their nature, with the level required in each security dimension.