Objective:
Compliance of the Llinars del Vallès City Council with current security regulations according to the National Security Framework (ENS).
Llinars del Vallès City Council
Adaptation to the National Security Framework (ENS) of the Llinars del Vallès City Council
The Llinars del Vallès City Council is a local public entity that clearly understands that new technologies are today's tool for efficiency and effectiveness, complementing the in-person services the administration provides. For this reason, the Llinars City Council has committed to digital policies, with an administration that is open 24 hours a day, 365 days a year. This commitment has earned it several recognitions in recent years.
Their need
The Llinars del Vallès City Council sought to regularize its situation and fulfill its obligations by establishing a security policy for the use of electronic means, based on basic principles and minimum requirements that allow adequate protection of information in line with the guidelines set by the National Security Framework (ENS).
Citizens trust that the services available through electronic means are provided under security conditions equivalent to those offered in person. Both the information and the services offered are subject to threats and risks arising from malicious or illegal actions, errors or breaches, and accidents or disasters. Law 11/2007, of June 22, on citizens’ electronic access to Public Services, establishes the principles and rights of citizens to communicate with Public Administrations through electronic means, creating the National Security Framework (ENS).
The ENS is mandatory for all entities within the Spanish public sector at the state, regional, and local levels. This includes:
- Bodies of the General State Administration
- Managing entities and common services of Social Security
- State agencies and autonomous bodies
- Public Law entities with their own legal personality linked to or dependent on the General State Administration, autonomous communities, and local entities
- Public universities and other public bodies linked to them
- Public business entities and other public organizations
Private-sector providers that deliver services to Public Administrations are also required to comply with it.
Complying with the ENS is not only a legal obligation but also helps preserve the reputation and trust of public organizations.
Our solution
In 2010, the Llinars del Vallès City Council and NexTReT began working together to define a plan for adapting to the National Security Framework (ENS). NexTReT proposed the actions to be taken, together with a schedule and an estimate of the resources needed to carry them out.
The service started at that time is still in place. It includes advisory and consultancy services related to ENS compliance, external and internal security audits, reviews of the existing security policies and regulations, and follow-up meetings of the Security Committee, among other activities.
The different phases of the adaptation project were approached at three levels:
Organizational Framework
- Establishment of the Information Security Committee
- Appointment of a Data Protection Officer (DPO)
- Interviews and audits with various departments or areas to identify assets and assess security dimensions to categorize the system
- Definition of a Security Policy and Security Regulations
- Development of the Security Operational Regulatory Framework (CNSO)
- Development of Security Operational Procedures (POS)
Operational Framework
- Risk analysis
- Conducting Ethical Hacking audits
- Intrusion detection and prevention measures using the firewall IPS filter
- Application of security policies
- Implementation of Two-Factor Authentication (2FA)
- Business continuity measures
Protection Measures
- Continuous Training and Awareness for Users
- Protection Measures – Perimeter Security
- Network Monitoring
- Internet Browsing Traceability
- File Server Traceability
The ENS establishes a series of security measures to ensure the protection of information within the public administration in Spain. These measures cover several areas, with some of the most important being:
- Risk Management: The ENS requires public entities to conduct periodic risk assessments to identify existing threats and vulnerabilities and to establish measures to mitigate the risk.
- Security Policy: Public entities must define and document an information security policy that sets out principles and objectives to be followed within the organization.
- Physical Security: Physical security measures must be implemented to protect information assets, such as surveillance systems, physical access controls to facilities, and protection against fire and natural disasters.
- Information Systems Security: Requirements must be established to protect information systems, including user authentication and authorization, password management, data encryption, patch and update management, and protection against malware and other cyberattacks.
- Security Incident Management: Procedures and resources must be in place to detect, manage, and respond to information security incidents effectively, minimizing their impact and restoring operations as quickly as possible.
- Data Protection: Measures must be established to protect the confidentiality, integrity, and availability of data, including policies for data classification and labeling, access control, backup creation, and record management.
- Training and Awareness: Training and awareness programs on information security must be provided to staff to promote a culture of security and ensure compliance with these policies.
Results
The Llinars del Vallès City Council has seen a very significant and tangible improvement, and a steady evolution, through the implementation of the security controls begun in 2010 in collaboration with NexTReT and continuing to the present.
The Llinars del Vallès City Council's Information Security Policy and its Statement of Compliance with the ENS are published on its website:
“We have experienced a very significant, tangible improvement and evolution with the implementation of the security controls carried out.”
Albert Pagès