The National Security Office – Oficina Nacional de Seguridad (ONS) was created in 1983 as the working body of the CNI Secretary of State Director, to carry out his duties relating to the protection of classified information.

The ONS's fundamental mission is to oversee compliance with the rules on classified information protection, both at national and international level, such as the information handed over to governments or to enterprises by virtue of international treaties or agreements signed by Spain (article 4f of Law 11/2002, 6 May, regulating CNI).

The National Intelligence Centre is the public institution responsible for providing the President and the Government of Spain with information, analysis, studies and proposals that allow for the prevention and avoidance of any danger, threat or aggression against the independence or territorial integrity of Spain, its national interests and the stability of its institutions and the rule of law.

Its establishment in 2002 was driven by the need to create a modern and specialized Intelligence Service, capable of facing new domestic and international challenges.

The CNI is governed by the principle of accountability to the legal system, and operates within the framework of the missions set out by the Law 11/2002 of 6 May regulating the CNI and by the Organic Law 2/2002, of 6 May, regulating preliminary judicial control of the CNI.

The Secretary of State Director of the CNI is appointed by a Royal Decree at the behest of the Minister of the Presidency, and receives a five-year mandate, notwithstanding the capacity of the Council of Ministers to replace him or her at any time.

The National Cryptology Centre (CCN) is the organization responsible for coordinating the activities of the different Public Administration organizations that use encryption resources or procedures, ensuring the security of information technologies in all areas, keeping informed about the coordinated acquisition of cryptology material, and providing training for Public Administration personnel who specialise in this field.

The CCN was created in 2004 by means of the Spanish Royal Decree 421/2004, and assigned to the CNI (National Centre of Intelligence). In fact, the Spanish Act 11/2002, of May 6, which regulates the CNI, entrusts to the said Centre all functions regarding the security of information technologies and protection of classified information, while the responsibility of running the National Cryptology Centre is conferred on the Secretary of State Director. That is why the CCN shares environments, procedures, regulations and resources with the CNI.

The CCN-CERT is the Information Security Incident Response Capability of the National Cryptologic Centre, CCN. This service was created in 2006 as the Spanish National Governmental CERT and its functions are set out in Law 11/2002 regulating the National Intelligence Centre, RD 421/2004 regulating the CCN and RD 311/2022, of 3 May, which regulates the National Security Framework.

In compliance with this regulation, the CCN-CERT ensures protection from cyber attacks on classified systems and systems belonging to Public Administrations, and to companies and organizations of strategic interest (those essential for Spanish security and economy).

Its mission is to strengthen cybersecurity in Spain. The CCN-CERT is the national alert and response centre, and helps provide quick and effective solutions to cyber attacks and counter cyber threats in a proactive manner. It provides state coordination between the different Incident Response Teams and Cybersecurity Operation Centers.

The ultimate goal of the CCN-CERT is to guarantee a safer and more trustworthy cyberspace by protecting classified information (pursuant to article 4.F of Law 11/2002) and sensitive information, preserving the Spanish technological heritage, training experts, implementing security policies and procedures, and using and developing the most suitable technology for this purpose.

Public and private organisations have an increasing dependency on information technologies to fulfil their mission and reach their business objectives. The purpose of Magerit is directly related to the generalised use of IT systems, communications, and electronic media, which bring evident benefits for the users but which are also subject to certain risks that must be kept under control by means of security countermeasures that generate confidence in the use of these media.

Magerit is of interest to anyone working with mechanised information and the computer systems that handle it. If this information, or the services that are provided thanks to it, are of value, this methodology will allow owners and administrators to know how much of this value is at risk and will help them to protect it.

Knowing the risks to which working elements are subject is simply essential to be able to manage them. This fact has given rise to a large number of informal guides, methodical approaches and support tools, all of which aim at an objective analysis to know how safe (or unsafe) systems are. The great challenge of all these approaches is the complexity of the problem they face, a complexity in the sense that there are many elements to be considered and that, if they are not rigorous, the conclusions will be unreliable. This is why a methodical approach is required that leaves no room for improvisation and does not depend on the whim of the analyst.

Even though serious responsibilities for complying with the organisation's objectives have been placed in the hands of information systems, doubts about their security continue to arise. Those affected, often not technicians, wonder if they can place their trust in these systems. Each failure lowers the trust in information systems, especially when the investments made in defending the means of work do not rule out failures. The ideal situation is that systems do not fail. But the reality is that most of us are used to living with systems that fail. The matter is not so much the absence of incidents as the confidence that they are under control: it is known what failures may occur and what to do when they do occur. Fear of the unknown is the main source of lack of confidence and, as a result, knowledge brings confidence: knowing the risks allows them to be faced and controlled.

Download:

Book I: The Method

Book II: Catalogue of Elements

Book III: Techniques
