Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Madrid, 16 November 2016
Miguel A. Amutio
Secretaría General de Administración Digital
Ministerio de Hacienda y Función Pública
Cloud Security Alliance EMEA Congress
Contents
Why and what is the National Security Framework (NSF-ENS)
Compliance with the NSF-ENS
Challenges and conclusions
1. Why and what is the National Security Framework
Digital public services
The new administrative laws (39/2015 and 40/2015) foresee a paperless Administration that works fully with electronic means.
Digital public services are provided in a complex scenario in Spain, which carries potential risks.
Why the NSF-ENS
National Security Framework (NSF) = Esquema Nacional de Seguridad (ENS)
Create the necessary conditions of trust, through measures that ensure IT security for the exercise of rights and the fulfilment of duties through electronic access to public services.
Promote the continuous management of security, regardless of the impulses of the moment.
Promote prevention, detection and correction.
Promote a common approach to security which enables cooperation to deliver eGovernment services. The NSF complements the National Interoperability Framework.
The National Security Framework
It is a legal text (Royal Decree 3/2010).
It establishes the security policy for the use of ICT by the Public Sector.
It is to be followed by the Public Sector in Spain.
It is developed through 'technical security instructions'.
It is a key element of the National Cybersecurity Strategy.
NSF-ENS, Main elements
The basic principles to be taken into account in decisions about security.
The minimum requirements which allow an adequate protection of information.
Categorization of systems and risk management for the adoption of proportionate security measures, according to the information and services to be protected and to the risks to which they are exposed.
Security audit to verify compliance with the NSF.
Response to security incidents (CERT).
Use of security-certified products, to be considered in procurement.
Awareness and training.
All entities of the Public Sector will have a security policy, formally adopted, on the basis of the basic principles and minimum requirements.
Security measures
organizational [org]
– security policy
– security regulations
– security procedures
– authorization process
operational [op]
– planning
– access control
– operation
– external services
– continuity
– monitoring
asset protection [mp]
– facilities
– personnel
– equipment
– communications
– media
– software
– information
– services
+ use of common infrastructures and services and security guidelines provided by CCN.
Using Cloud, Public entities should…
Public entities should, as SP 800-144 says:
• Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
• Deploy:
o Understand the public cloud computing environment offered by the cloud provider, so as to assess and manage risk accurately.
o Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
o Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
• Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
Consideration of Who does What
For instance, in case of use of cloud services, the following measures deserve special attention:
Authorization process [org.4]
Access rights management process [op.acc.4]
Incident management [op.exp.7]
Cryptographic key protection [op.exp.11]
External services [op.ext]
There are measures that should not be transferred to the CSP:
Categorization of the system (Annex I)
Security policy [org.1]
Security regulations [org.2]
Risk analysis [op.pl.1] (to coordinate)
Authorization process [org.4] (to coordinate)
Daily management [op.ext.2] (to coordinate)
Incident management [op.exp.7] (to coordinate)
Protection of the customer's own equipment [mp.eq]
Activities that the CSP should probably not carry out:
Electronic signature [mp.info.4]
Time stamps [mp.info.5]
User identification [op.acc.1]
Access requirements [op.acc.2]
Management of access rights [op.acc.4]
Authentication mechanism [op.acc.5]
User activity log [op.exp.5]
Protection of activity records [op.exp.10]
Protection of cryptographic keys [op.exp.11]
Cloud services and the NSF-ENS: contents of the guide
2 SECURITY REQUIREMENTS
2.1 ROLES AND FUNCTIONS
2.2 CATEGORIZATION (ENS - ANNEX I)
2.2.1 COMMUNITIES
2.3 RECOMMENDATIONS
2.4 PROTECTION MEASURES (ENS - ANNEX II)
2.5 ADDITIONAL RESTRICTIONS
3 REQUIREMENTS DERIVED FROM DATA PROTECTION
4 INTERNAL REGULATIONS
5 PROCUREMENT
5.1 DESCRIPTION OF SERVICE
5.2 SUBCONTRACTING
5.3 PROTECTION OF INFORMATION
5.4 SERVICE LEVEL AGREEMENTS
5.5 ACCESS TO SERVICE
5.6 GEOGRAPHICAL CONSTRAINTS
5.7 RESPONSIBILITIES AND OBLIGATIONS
5.8 ACTIVITY LOGGING
5.9 TERMINATION OF SERVICE
6 OPERATION
6.1 OPERATING SECURITY PROCEDURES
6.2 SERVICE MONITORING
6.3 CHANGE MANAGEMENT
6.4 INCIDENT MANAGEMENT
6.5 BACKUP AND RECOVERY OF DATA
6.6 CONTINUITY OF THE SERVICE
6.7 TERMINATION
7 SUPERVISION AND AUDIT
ANNEX A. ENS COMPLIANCE
NSF-ENS, 27000 and CCM
Annex A contains the controls of the ISO/IEC 27002 standard and the CCM matrix, together with their correspondence to the ENS requirements.
Compliance with the NSF-ENS
TECHNICAL SECURITY INSTRUCTION - COMPLIANCE WITH THE NATIONAL SECURITY FRAMEWORK
INDEX
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC category systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems of category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.
Requirements for providers
Providers are often engaged in the provision of solutions or services (through, for example, cloud services) for systems under the scope of the NSF.
Solutions or services should comply with the requirements of the NSF-ENS and have the corresponding Declarations or Certifications of Compliance:
Declaration of Compliance with the NSF-ENS (category BASIC)
Certification of Compliance with the NSF-ENS (mandatory for categories MEDIUM or HIGH, voluntary for category BASIC)
Providers: same procedures as for the Public Sector
Requirements for Certifiers
Accreditation by ENAC according to UNE-EN ISO/IEC 17065:2012, for the certification of systems within the scope of the ENS.
In case of NOT having the accreditation:
1. They will request accreditation from ENAC.
2. They will inform the CCN of the acceptance of the request.
3. They can begin their certification activities on a temporary basis, having 12 months to obtain it.
Challenges & Conclusions
The National Security Framework (NSF-ENS):
Promotes a common approach to cybersecurity in the Public Sector of Spain, adapted to its requirements.
Independent audits are the basis for the Security Report and for compliance with the NSF-ENS.
Compliance with the NSF-ENS is applicable to:
Entities of the Public Sector
Providers of solutions and services (e.g. cloud services) engaged in systems under the scope of the NSF-ENS.
Public entities should have an understanding of the security issues in the cloud computing environment and ensure that their security requirements are met.
Under development: specific compliance requirements to certify cloud service providers for systems falling under the ENS.
Challenges & Conclusions
Challenges:
Progress in the cybersecurity of the entities of the Public Sector.
Improve the implementation of the security measures.
Extend the implementation of the NSF-ENS to all kinds of information systems of the Public Sector in Spain.
Extend the use of the common services offered by the General State Administration.
Promote compliance with the NSF-ENS.
The Public Sector in Spain (Law 40/2015, Law 39/2015)
Public Sector: General State Administration; Autonomous Communities; Local Entities; Institutional Public Sector (entities linked to or dependent on the above): Public Entities and Public Law Entities; Entities of Private Law (administrative powers); Public Universities.
Public Law Corporations (Law 39/2015).
The use of cloud services has also been expanding among public sector organizations. The adoption of these services creates new risks that must be managed according to the requirements of personal data regulations and also according to the security requirements for the Spanish Public Administration established in the "Esquema Nacional de Seguridad" (ENS). In this way, public sector organizations ensure the protection of the information they handle and the services they provide. The very nature of cloud services calls for specific guidance to help meet those security requirements. Compliance with the ENS is required for Spanish public sector entities, and should be considered by private sector organizations involved in providing technology solutions or services to public entities through cloud services.
Provide a common language and common elements of security:
to guide Public Administrations in the implementation of ICT security,
to facilitate interaction between Public Administrations, and
to communicate security requirements to the Industry.
The provider may hold security certifications or accreditations. These certifications can simplify the full audit of the service provided, as evidence of compliance to be assessed by the audit team. For example:
Audits recommended by ENISA for cloud service providers [ENISA-CCSL]
Information Security Management System (ISMS) [ISO/IEC 27001:2013]
Business Continuity Management System [ISO 22301:2012]
Cloud Controls Matrix [CCM]
Annex A contains the controls of the ISO/IEC 27002 standard and the CCM matrix, together with their correspondence to the ENS requirements. It is to be hoped that future versions of this guide will incorporate other security profiles that have well-defined, de facto international support.
SOLUTIONS AND SERVICES PROVIDED BY THE PRIVATE SECTOR
Private sector organizations are often involved in the provision of technological solutions or services to public entities (through, for example, cloud services).
When private sector organizations provide services or solutions to public entities that are required to comply with the ENS, they must be able to exhibit the corresponding Declaration of Conformity with the ENS (in the case of BASIC category systems) or the Certification of Conformity with the ENS (mandatory in the case of MEDIUM or HIGH category systems, and voluntary in the case of BASIC category systems), using the same procedures as those required for public entities.
It is the responsibility of the contracting public entities to notify the private sector operators involved in the provision of technological solutions or services of the obligation that such solutions or services conform to the provisions of the ENS and have the corresponding Declarations or Certifications of Conformity, as indicated in this Guide.
When the provision of solutions or services subject to compliance with the ENS is carried out by private sector organizations, they shall use the same documentary models used for the Declarations, Certifications or Compliance Badges contained in this Guide, replacing the references to public entities with those corresponding to the private entities. Likewise, the Conformity Badges, when displayed by such private operators, must link to the corresponding Declarations or Certifications of Conformity, which must always be accessible on the website of the economic operator in question.
In addition to the National Cryptological Center, public entities that use solutions or services provided by private sector organizations that exhibit a Declaration or Certification of Conformity with the ENS may at any time request from such operators the corresponding Self-Assessment or Audit Reports, in order to verify the appropriateness and adequacy of those statements.
Private sector organizations provide solutions or services to public entities (through, for example, cloud services).
Private sector providers should be able to exhibit the corresponding:
Declaration of Compliance with the ENS-NSF (in the case of BASIC category systems)
or the Certification of Conformity with the ENS-NSF (mandatory in the case of MEDIUM or HIGH category systems, and voluntary in the case of BASIC category systems), using the same procedures as those required for public entities.
It is the responsibility of the contracting public entities to notify providers of solutions or services of the obligation that such solutions or services conform to the provisions of the ENS-NSF and have the corresponding Declarations or Certifications of Compliance.