New ENS, how to address the main novelties
Thirteen years ago, Spain took a significant step in cybersecurity by publicly releasing a Royal Decree that positioned it prominently within Europe. The publication of the National Security Scheme (ENS) in the State Official Newsletter in 2010 gave impetus to a security transformation to adapt to the technological threats that were beginning to emerge.
Last year, Royal Decree 311/2022 was published, which represented a significant update to the National Security Scheme.
Was this evolution necessary?
Absolutely. These years since the first publication have seen considerable technological advancement, but also significant changes in cybersecurity. Threats have evolved, and cybercrime has escalated at a considerable rate. Although a slight revision of the ENS was carried out in 2015, the latest with the publication of the new Royal Decree in 2022 is much deeper, both in scope and concept.
What are the most significant changes?
Firstly, on a strategic level, align the Scheme with the 2019 National Cybersecurity Strategy and its associated plan. Give greater impetus to preventive capacity and surveillance. Being able to protect and anticipate threats, as well as extend that protection beyond the classic defensive perimeter of an organization: the supply chain plays a very significant role in this regard.
Many concepts remain or are slightly adapted. Such is the case with maintaining security levels, the need for an organisational management based on roles and responsibilities, or the existence of essential elements such as the security policy or risk analysis as a structuring element.
On the other hand, there is a thorough review in Annex II regarding security measures. Some of the most important issues that can be extracted from the Scheme review are as follows:
- More flexibility when applying measures. The increase in protection based on security levels is carried out through reinforcements, which can be combined to obtain the best feasible conditions.
- Designation of specific compliance profiles for entities or specific sectors. These profiles establish a statement of applicability, as well as the specification of measures that must be implemented. A clear example is that of Universities defined through the CCN-STIC-881 guide, in which we find roles such as the Information System and Security Responsible of the educational centre.
- Increase in measures that are applicable from the medium level, when previously they were only required at the high level. For example, the use of certified components.
- Alignment with services provided from clouds and key measures on critical exposure surface issues such as differentiation in authentication measures when the process is performed in externally or internally published services. For example, not always requiring two-factor authentication and only requiring it in specific situations.
- The incorporation of new security measures that involve other actors, such as OP.EXT.3 specifically related to the supply chain.
Threats have evolved, and cybercrime has escalated at a considerable rate
Therefore, organisations must consider that there are many measures to take into account and must be implemented to adequately comply with the National Security Scheme.
How long is the deadline to comply?
Well, the regulation itself establishes it through the sole transitory provision of adaptation. The new information systems that are covered by the National Security Scheme will be directly subject to the new Royal Decree.
Those that already exist, including private sector contractors, will have 24 months to comply from the publication of the Royal Decree. Its entry into force was established the day after its publication in the State Official Newsletter. This was done on May 3, 2022.
It seems like enough time, but there are relevant issues to consider that may take time to achieve proper compliance. The application of certain measures must be adequately evaluated as it may entail certain impacts, including the time required for adaptation.
How can we help you?
At Sidertia Solutions, as the cybersecurity area of the Izertis Group, we have extensive experience in the National Security Scheme. We have actively participated in multiple actions related to this regulation. But we have also operated in others that are not that common, which has allowed us to have a very significant view of the need for this regulation and its application. Among these, we can mention as an example the experience of the work teams in scenarios for protecting sensitive information, the support provided to the National Cryptologic Centre in the development of the CCN-STIC guides, or the joint development of applications such as ANA or CLARA.
Considering these issues, at Sidertia and with the full operational force of the different technological areas of Izertis, we have prepared an offering to help you comply with this regulation.
New ENS GAP Analysis
If you currently have the certification of conformity with the National Security Scheme (ENS), you know that you have a period of time to carry out the adaptation to the new standard. Obviously, all the effort made so far is a very important path travelled, but it is relevant to know what you need to adapt.
Through this analysis service in which we can accompany you, you can know your initial situation and what the goal to be achieved is, that is, which elements are those where efforts should be focused to align with the new revision of the scheme. We can prepare a joint path to achieve success, taking as a starting point what already exists.
ENS Diagnosis and RoadMap
If, on the other hand, you face the situation of having to comply from scratch, either due to a new need or to determine to explore that possibility of alignment with the scheme, and you do not know the impact or effort involved, we can help you.
We can carry out a diagnosis that determines your need for alignment with ENS, a first evaluation of the categorisation of the handled information and services provided, together with a first version of the applicability in the organisation. This way, you can know how to carry out the adaptation and we help you to propose a strategy maximizing the resources already available in your organisation.
ENS Security Audit
Complying with the National Security Scheme also implies a constant evaluation of alignment with the standard, what we call "continuous improvement". Although the certification process involves an accredited entity verifying the suitability of the security management system aligned with the scheme, the regulation itself includes the internal audit process. Article 31 of the ENS outlines this audit, which must be distinguished from the certification audit described in Article 38. As stipulated by the standard, these security audits may be requested by the organisation's security manager or the National Cryptologic Centre.
Having expert advice will prevent us from oversizing technical efforts, which will ultimately have a negative impact on time and costs
At Sidertia, our inspection team conducts various audit analyses aligned with the CCN-STIC-303 guide, including compliance audits of ENS security. With us, you will not only find an auditing team but also an accompanying team to find the best solutions to resolve identified findings and be adequately prepared for the certification audit.
Carrying out a complete adaptation to the ENS from scratch can be manageable or, on the contrary, difficult to tackle if not faced in the right way. Unfortunately, we have seen organizations that have almost given up on their initial attempts to address ENS compliance on their own and then, with the proper support, have achieved the goal. But they are aware of having lost valuable time and having made considerable personal efforts. Having expert advice will prevent us from oversizing technical efforts, which will ultimately have a negative impact on time and costs.
In addition, adapting to ENS does not have a fixed manual. Each organisation has its peculiarities, services, processes, products, and everything must align appropriately. Exploring the ENS path is not simply developing four procedures and making it seem like we are following them. It is something deeper. But once success is achieved, the organisation will have advanced in cybersecurity maturity. It will be knowledgeable about its technological environment and much better prepared to face the increasingly common cyber threats.
Allow us to accompany you on that path and, with Sidertia's experience in ENS and all the strength of the Izertis Group to work hand in hand in the organisation's technological development, make that path much more manageable.