The National Security Scheme (ENS) and the National Interoperability Scheme (ENI) oblige all Public Administrations (AAPP) to complete a plan for adapting to their provisions.
Specifically, the security policy document must be approved as part of drawing up the ENS Adaptation Plan.
When starting this work, it is important to identify beforehand the starting point of each organization and establish a specific roadmap, while integrating security as an integral process.
The security policy of each organization must detail the responsibilities of each person in charge and the mechanisms for coordination and conflict resolution.
Despite this, if the objective is to treat security as a cross-cutting and integral process, it seems reasonable to also consider the organization of security from a dual perspective: on the one hand, the security of information systems, and on the other, the security of the data being managed. In other words, it should cover the responsibilities derived from compliance with both the ENS and the regulations on personal data protection.
There are different ways to organize security. One proposal, taking a comprehensive management perspective and aiming to simplify internal structures, is a security organization structured in two collegiate bodies: the commission and the security sub-commission. These bodies would assume the roles and functions of the security organization established in the ENS (except for the role of system security administrator), as well as the roles and functions derived from the personal data protection regulations.
Article 156. National Interoperability Scheme and National Security Scheme.
"1. The National Interoperability Scheme comprises the set of criteria and recommendations regarding security, conservation and standardization of information, formats and applications that must be taken into account by public administrations to make technological decisions that guarantee interoperability.
2. The National Security Scheme aims to establish the security policy in the use of electronic media within the scope of this Law, and is made up of the basic principles and minimum requirements that adequately guarantee the security of the information processed."