With the commitment to continue improving the efficiency and effectiveness of information security and the protection of personal data, the University of Valencia Science Park Foundation (FPCUV) has obtained the recertification of Conformity with the National Security Scheme (ENS), which has been developed within the Transforma ENS project and has been supported by the Valencian Innovation Agency (AVI).
Mariano Serra, in charge of the Transforma ENS Program project and responsible for the ICT Systems area of the FPCUV, emphasizes that obtaining the ENS Compliance recertification RD 311/2022 for the Basic category "confirms that the FPCUV has a mature and efficient information security management system. It means building trust with third parties and is fundamental because it represents a guarantee of compliance with the legally required information security measures and requirements".
In its development process throughout 2023, the FPCUV had the support of Mobiliza Consulting, an advanced services company housed at the PCUV. As Serra explains, "Mobiliza helped to adapt the previous information security management system based on the ENS RD 3/2010 to the new security measures in accordance with the ENS RD 311/2022". To this end, the advanced services company "carried out the internal validation audit and finally accompanied us throughout the certification audit," adds the head of the ICT Systems area of the FPCUV.
For the recertification, audited by Audertis, the certification entity accredited by the National Accreditation Entity (ENAC), the FPCUV "adopted an orderly process to comply with RD 311/2022 of May 3, following the technical security instructions published by the Secretary of State for Digitalization and Artificial Intelligence and the security guides published by the National Cryptographic Center, in particular the 800 series guides," says Mariano Serra.
"With regard to security measures, the 2010 ENS includes 44 security measures as minimum requirements, to comply with the 56 security measures included in the ENS RD 211/2022 for the Basic category, 38 security procedures have been revised, 16 updates have been made and 2 new procedures have been developed: incident management and protection of cloud services and changes have been introduced in the risk analysis", highlights Serra.
The objectives of the ENS include the creation of the necessary conditions of trust in the use of electronic media, through measures to guarantee security, enabling citizens and public administrations to exercise their rights and fulfill their duties through these media; the introduction of common elements to guide the actions of public administrations in the area of information technology security; and a common language to facilitate the interaction of public administrations, as well as the communication of information security requirements to the industry.
ENS certification is categorized into three levels - basic, medium or high - defined according to the five dimensions of information security: availability, integrity, confidentiality, traceability and authenticity. Thus, an information system will be of high category if any of its security dimensions reaches the high level, and likewise for the other levels covered by this information security certification. In the case of the FPCUV, the category is basic, due to the typology of the organization's assets when the five dimensions are considered.
Future of ENS Conformity Certification at the FPCUV
As strengths compared with other information security certificates such as ISO/IEC 27001, Serra points out that "in that standard the certification cycle is 3 years, while in the ENS the cycle is 2 years, subject to an annual internal review or monitoring process". He also notes that "ISO considers the three classic dimensions of security: availability, integrity and confidentiality, while the ENS considers five dimensions, the three previous ones together with traceability and authenticity".
The certification obtained by the FPCUV has a two-year expiration, which means that the entity will have to undergo an external audit process again to maintain the certificate in 2026. "At the FPCUV we apply some security measures that we consider necessary but are mandatory for the high level category, such as the Continuity Plan that we deployed in 2022. This plan sets out the actions to be taken in the event of an interruption of the ICT services provided by the FPCUV, and there is an annual commitment to test the business continuity scenarios defined by this plan and to adapt or improve them according to the results of the tests," explains the project manager of the Transforma ENS Program.
"A project to automate the logs under an event and security information management tool will soon be tackled, so that we can better exploit the data already available, analyze it and thus more efficiently prevent potential threats to the system. Another issue to be addressed will be to adapt our systems to the security of information in the cloud," concludes Serra.