One of the biggest success stories of our company has been the adaptation of Esycsa for certification under the National Security Scheme (ENS). For this reason, we would like to explain how the process went from the very beginning.
Esycsa is part of the Etra Group, a leading company in mobility, energy, security and technological services. Etra Group provides and manages the technology for more than half of the urban traffic in Spain, among other multiple services.
It should be noted that the traffic contract, which is part of the scope of the project carried out, is the first contract of its kind to be certified in Spain. This contract covers the management and maintenance services of traffic regulation and control systems for the Vigo City Council for a duration of 8.5 years and for 35.6 million euros.
Its main innovation is the deployment of a vehicle communication system that will function as a platform for cooperative services. The new platform is an innovative system that aims to open a permanent two-way communication channel between the urban traffic infrastructure and the vehicles that circulate, with the purpose of improving road safety, traffic flow and reducing pollution.
THE CHALLENGE
The National Security Scheme establishes basic principles and minimum requirements for the adequate protection of information systems. In this case, Esycsa, as a provider of technological services to a Public Administration, has the duty to comply with the ENS.
Information security is paramount: without a management system in place, an organisation has no effective protection against the various risks and threats it faces, and therefore lacks the mechanisms needed to deal with a security incident with any guarantees.
INPROSEC SOLUTION
The main objective of the project was to obtain medium-level certification under the National Security Scheme then in force, within approximately one year. At the same time, the aim was to raise the levels of maturity in information security and personal data protection, building on the measures already in place at Esycsa.
Inprosec has collaborated in the following tasks:
- Analysis of the initial situation: as a first step, an analysis of the initial situation was carried out to determine Esycsa’s degree of compliance with the ENS at that time, detecting the shortcomings of the information security management system and identifying the actions needed to remedy them.
- Asset inventory and risk analysis: Esycsa had an inventory of information system assets, which had also been used for the preparation of the Risk Analysis. However, there were some shortcomings that were addressed, as well as the necessary updates and maintenance for proper risk management.
- Preparation of the declaration of applicability: the assessment and categorisation carried out in the asset inventory was taken into account to determine the category to be assigned to the information system, and to identify which controls are applicable to that category.
- Preparation of the Work Plan: with all this information, the Work Plan was drawn up, indicating the actions to be carried out to resolve the existing deficiencies so that Esycsa could be certified within the established timeframe. It took into account both the documents to be drawn up and the technical measures to be implemented, establishing an order of priorities.
- Defining, implementing and improving security controls: during this stage, the following actions derived from the previously defined Work Plan were carried out:
  - Development of security regulations and procedures: starting with the Security Policy and the Security Regulations, the entire body of documentation required for the medium level of compliance was defined.
  - Implementation of security processes and technical measures: the necessary system configurations and changes were made and Esycsa’s processes were modified to facilitate compliance with the ENS.
  - Management approval and communication of the ISMS: as the last step of this stage, the ISMS was approved by the company’s management and the changes were communicated.
- ENS Security Status Report and preparation for certification: in the last stage, Esycsa was guided to complete and report the Security Status in the INES platform. Subsequently, an internal audit was carried out (with an external provider) to identify points for improvement, which were worked on prior to the external certification audit. The final certification was granted on 20/09/2021, following corrections.
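The categorisation step described above (asset inventory feeding the system category and, from it, the applicable controls) follows the rule in Annex I of the ENS: the system takes the highest level reached by any of its assets in any of the five security dimensions. The following is an added illustration, not code from the Esycsa project; the asset inventory is constructed and the function and asset names are assumptions.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security levels of the ENS (Annex I)."""
    BAJO = 1
    MEDIO = 2
    ALTO = 3


# The five ENS security dimensions: Disponibilidad, Autenticidad,
# Integridad, Confidencialidad, Trazabilidad.
DIMENSIONS = ("D", "A", "I", "C", "T")

# System category derived from the highest level present.
CATEGORY_BY_LEVEL = {Level.BAJO: "BÁSICA", Level.MEDIO: "MEDIA", Level.ALTO: "ALTA"}


def system_category(inventory):
    """Return (category, drivers) for an inventory of the form
    {asset_name: {dimension: Level}}.

    'drivers' lists the (asset, dimension) pairs that reach the highest
    level; they are the valuations that would have to change for the
    system (and the set of applicable controls) to drop a category.
    """
    if not inventory:
        raise ValueError("inventory is empty: nothing to categorise")
    highest = Level.BAJO
    for asset, valuation in inventory.items():
        for dim, level in valuation.items():
            if dim not in DIMENSIONS:
                raise ValueError(f"{asset}: unknown dimension {dim!r}")
            highest = max(highest, Level(level))
    drivers = [(asset, dim)
               for asset, valuation in inventory.items()
               for dim, level in valuation.items()
               if Level(level) == highest]
    return CATEGORY_BY_LEVEL[highest], drivers


# Constructed sample inventory (illustrative asset names, not Esycsa's).
SAMPLE_INVENTORY = {
    "traffic_control_server": {"D": Level.MEDIO, "I": Level.MEDIO, "C": Level.BAJO, "A": Level.BAJO, "T": Level.BAJO},
    "v2x_platform": {"D": Level.MEDIO, "I": Level.MEDIO, "C": Level.BAJO, "A": Level.MEDIO, "T": Level.BAJO},
    "hr_records_db": {"D": Level.BAJO, "I": Level.BAJO, "C": Level.MEDIO, "A": Level.BAJO, "T": Level.BAJO},
}

if __name__ == "__main__":
    print(system_category(SAMPLE_INVENTORY))
```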
RESULTS
The adaptation to the National Security Scheme, including the improvement or implementation of security controls, served to achieve the following benefits in Esycsa:
- ENS certification achieved since 2021 (requirement as a service provider for the management and maintenance of traffic regulation and control systems for Vigo City Council in the 8.5-year contract worth 35.6 million euros).
- Increased maturity levels in information security and personal data protection.
- Improvement in the organisation of the service.
- Improved awareness among suppliers, contract staff and the municipal managers themselves.
- Improved mechanisms and recovery times in the event of system failure, contributing to greater resilience of the city.
- Greater control in the IT administration of the Systems.