Esquema Nacional de Seguridad (ENS)
Technology has been part of our daily lives for a good few years now. The extraordinary use we make of it and the unstoppable evolution of disruptive technologies represent an enormous challenge for cybersecurity. Society's growing dependence on technology has increased the risks and threats that its use entails, requiring responses adapted to constantly changing needs.
Challenges and threats
The challenges presented by technological dependence result from a series of interrelated factors. One is the evolution of cyber threats, with new techniques and tools to compromise the security of systems, networks and data: sophisticated malware, social engineering attacks and advanced evasion techniques. Another is that the attack surface has expanded significantly with the proliferation of connected devices (the Internet of Things, IoT), cloud services and virtualisation. Every connected device is a potential entry point for an attacker.
The massive accumulation of data brought about by the digitalisation of information is another exposure we face as a society. Protecting this data, much of which is sensitive and private, is crucial to safeguarding people's privacy and preventing identity theft and phishing.
Given the increase in cyber threats, governments at both the European and national levels have worked to raise cybersecurity levels by evolving the regulations and standards intended to guarantee data security and privacy.
This effort has resulted in the updating of two key references for cybersecurity in our country: Royal Decree 311/2022 of May 3, which regulates the National Security Scheme (ENS), and the 2022 revision of ISO/IEC 27001 (Information security, cybersecurity and privacy protection: Information security management systems).
What is the National Security Scheme (ENS)?
The National Security Scheme (ENS) is a regulatory and reference framework established in Spain, grounded in Spanish legislation and in European regulations on information security. Its purpose is to create the conditions of trust needed for the use of electronic means, through measures that guarantee the security of systems, data, communications and electronic services, so that citizens and the public administration can exercise their rights and fulfil their duties through these media.
The ENS was created in 2010 by Royal Decree 3/2010, of January 8, which established the principles and requirements for protecting the confidentiality, integrity, availability, authenticity and traceability of information in public entities and organisations.
Key Changes of the New National Security Scheme (RD 311/2022)
In 2022, the previous decree was repealed and Royal Decree 311/2022 of May 3 came into force. The new decree introduces objectives such as:
- The designation of an information security point of contact (POC), appointed by the service provider
- Protection of the supply chain within service continuity, so that the supplier guarantees provision of the service even if it suffers a contingency; a measure required in the HIGH category
- The new principle of continuous surveillance, for permanent assessment of the security state of assets
- Notification of security incidents to CCN-CERT and INCIBE-CERT
- Professionalism and training requirements for those responsible for security in an organisation, in addition to the existing security training and awareness measures for the organisation's users. These must guarantee adequate training for those responsible for security and a security culture within the organisation. Both the CCN and the INAP offer awareness and training programmes.
- New security measures, distinguishing between base (mandatory) requirements and optional reinforcements, in areas such as:
- Cloud services
- Systems Interconnection
- Supply chain protection
- Reinforcement of security measures in controls
- Grouping of alternative means in the control of service continuity.
- Other devices connected to the network
The deadline for adapting to the new ENS, for public entities and for private entities that provide services or solutions to public administrations, is May 5, 2024.
What applications, services or systems are included in the scope of application of the ENS?
The ENS must be complied with in all the services that the Administration provides to citizens, including:
- Electronic offices
- Electronic records
- Information Systems accessible electronically by citizens
- Information Systems for the exercise of rights
- Information Systems for the fulfilment of duties
- Information Systems to collect information and status of the administrative procedure
What benefits does the application and compliance of the ENS provide?
By establishing a common information security framework for the public sector and for the providers that collaborate with the Administration, the ENS guarantees coherence and uniformity in security management across different entities and organisations by setting shared standards.
One of its main objectives is to address the security of all the assets that make up an information system with a global approach: security of facilities, communications, software, system operation, users, and so on.
The ENS establishes security measures and controls that help protect sensitive information, together with the obligation to comply with the applicable regulations on protecting personal data, financial information and other essential assets. It also promotes the identification, assessment and management of information security risks, allowing public and private organisations to make informed decisions about how to protect their assets effectively.
In the face of cyberattacks or other disruptions, the ENS ensures that organisations can maintain essential services even in a crisis, promoting business continuity.
Compliance promotes information security awareness and employee training, which helps build a security culture. It also generates confidence in how public sector entities and organisations manage information: citizens and businesses can trust that their data will be handled securely.
The different security levels contemplated in the ENS
The National Security Scheme (ENS) defines three security categories: Basic, Medium and High. A system's category is determined by the assessment of its information and services in each security dimension: the system is assigned the highest level given to any of its dimensions.
Annex II of the ENS defines the security measures that must be complied with, differentiating, as the previous royal decree already did, between organisational framework measures, operational measures and protection measures specific to each type of asset: 73 measures in total, whose application depends on the category of the system. The number of applicable measures increases from the Basic category to the High category, in which all 73 measures established in Annex II must be applied.
Víntegris is certified at the ENS HIGH category, applying the 73 security controls required by the standard
The High category of the ENS offers greater protection for critical public sector information and guarantees a more effective response to advanced threats.
Among its advantages, we find:
- Greater protection of sensitive information: The High category applies to information with a high classification level, so the most critical and sensitive public sector information receives more rigorous protection, including encryption of the information both at rest and in transit
- Better resistance to advanced threats: High-category security measures are designed to address more sophisticated and persistent cyber threats, such as targeted or advanced attacks, and require continuous vigilance
- Stronger access control: Stricter access controls are established at this level, limiting who can access critical information. This significantly reduces the risk of unauthorised access.
- Robust continuity plan: More detailed business continuity and disaster recovery plans are required at the High category, ensuring the availability of critical services in a crisis.
- Increased emphasis on auditing and monitoring: The continuous monitoring and internal audits required at the High category help detect and respond quickly to potential security threats or incidents.
- Increased public trust: Compliance with the High category of the ENS demonstrates a strong commitment to information security and can increase public trust in government services and information management.
- Advanced incident preparedness: A more detailed and effective incident response plan is required at this category, allowing faster and more efficient action on security events.
Although putting these measures into practice involves additional effort and cost in implementation and maintenance, at Víntegris we value the advantages this level of security brings to our clients.