Kit Consulting, cybersecurity and not dying in the attempt
Posted by Pablo Gómez
1. What is the Kit Consulting?
Over the past few weeks at Redsauce I've had to answer this question many times in the context of cybersecurity. A lot of times. By the third one, I realized that the information available online was either very brief, required reading 90 pages (54,064 to 54,154) of Order TDF/436/2024 in the BOE, or simply wasn't written the way I would have liked. So I made my own "cheat sheet." It turned out so handy that I came to consider it a piece worthy of Cultural Heritage status and decided to share it with all of you. The conversations go something like this:
- Listen, I heard that someone told a friend about this Kit Consulting thing. What’s it about?
In short, Kit Consulting is a Spanish Government aid program, in force since May 10, 2024, that supports SMEs in their digital transformation by funding specialized advisory services. Depending on the size of the company, the aid ranges from €12,000 to €24,000, and applications are open until December 31, 2024. The full text is in the BOE, but to spare you the reading, I've already summarized it for you.
- Wow, up to €24,000. Not bad. And what can I use it for? Does cybersecurity “count”?
It seems that Spain is somewhat behind in 10 digital areas, three of which are cybersecurity-related. Each area is funded with a maximum of €6,000, so up to €18,000 in total for cybersecurity advice, always within the overall cap that applies to your company's size. How does that sound?
- Well, tell me more! And hey, is this the same as the Digital Kit?
No, it's like the British royals: same family, different people. The difference is that the Digital Kit helps SMEs acquire digitalization solutions (software, services), whereas Kit Consulting funds advisory services for digital transformation and does not finance any acquisitions.
2. Requirements to Be a Beneficiary
- But, is this available to everyone? Can anyone get their own digital advisor?
Anyone who, as you’ve guessed, meets certain requirements. Here’s the list—let’s see what you think:
Have a tax residence in Spain.
Be a small or medium-sized enterprise, that is, have from 10 to 249 employees (the aid is tiered by headcount within that range).
Be registered in the Census of Entrepreneurs, Professionals, and Withholders of the State Tax Administration Agency or the equivalent Tax Administration Foral census, which must reflect the economic activity effectively carried out as of the application date.
Not be considered a company in crisis.
Be up to date with tax obligations and Social Security.
Not be subject to a pending recovery order after a previous European Commission decision declaring the aid illegal and incompatible with the common market.
Not be subject to any other prohibitions specified in Article 13, Section 2, of Law 38/2003, of November 17, General Subsidies. These prohibitions will also apply to companies that are continuations or derivatives of other companies in which these conditions occurred.
Not exceed the de minimis aid limit in line with the applicable regulations provided in Article 2, Section 4, of Order TDF/436/2024.
3. Accessing the Grant Application
- Well, we meet all the requirements! What’s the first step?
Simple. From the program's electronic office you go to the Kit Consulting application procedure, where you need to authenticate as a company. Having an electronic certificate for the company makes this a lot easier.
4. Filling Out the Application Form
Once in the portal, by clicking “Access the application,” you’ll reach the wizard that helps fill out all the necessary information to apply for the grant: https://sedepkd.red.gob.es/oficina/wizard/wizard.do.
Once completed, all that’s left is to wait for the case to be processed.
5. Grant Awarded? Selecting Your Digital Consultant and Services
(Two or three weeks later…)
- I got an email saying I was awarded the €18,000 grant! Coffee’s on me!
I'll take that coffee! Now that you have the grant, you need to pick a digital advisor from the catalog and the services you're interested in. For cybersecurity we'll start with the Basic service, which is the prerequisite for the Advanced and Certification Preparation ones. You then contact the digital advisor of your choice and sign a private contract to formalize the service; this contract is what establishes the relationship between the beneficiary company and the digital advisor.
6. Formalizing the Service Agreement
- Wow, that’s a lot… Where should I start again?
Don't worry, take a breath. Luckily, there is a single platform for managing both the Digital Kit and Kit Consulting programs. From it you manage your grants and application statuses, create and accept agreements proposed by advisors, cancel agreements, and so on.
That is where you create the agreement with your advisor (the original post includes a screenshot of this screen).
Managing the grant from there takes just five steps (also shown as an image in the original post). Easy, right?
7. Performance of services
The accredited digital advisor must deliver the advisory services within a maximum of three months from the date the Advisory Services Agreement is validated.
8. Issuance of the invoice
(One month after a fruitful and revealing cybersecurity analysis...).
- That's a tough one, my friend. You don't know where you stand cybersecurity-wise until they turn your infrastructure upside down. Similar to when your mother-in-law walks into your kitchen for the first time. The consultant is preparing my invoice, what can I expect?
Indeed, after the provision of services, the digital consultant issues a single invoice to the beneficiary company.
This invoice reflects the total cost of the service minus the amount of the subsidy granted, clearly indicating that it has been financed by the Kit Consulting program.
In your case: you have contracted the basic cybersecurity service and you sign the service agreement with a Digital Advisor for an amount of €6,000 plus €1,260 VAT.
THE DIGITAL CONSULTANT
The digital consultant will issue a single invoice to you, the beneficiary company, reflecting the total service amount, corresponding VAT, and the subsidy amount.
The invoice should contain the following information:
Service description: Cybersecurity advisory services.
Service amount: €6,000.
VAT (21%): €1,260.
Total with VAT: €7,260.
Discount applied under the Kit Consulting grant: €6,000 (the subsidy, shown on the invoice as a deduction equal to the taxable base).
Amount payable by you as the beneficiary company: €1,260 (the VAT, which is not subsidizable).
THE BENEFICIARY COMPANY
You must directly pay the digital consultant the VAT amount, which in this case is €1,260.
The subsidy amount (€6,000) is managed and paid by Red.es directly to the digital consultant once the service has been provided and justified in accordance with program regulations.
9. Submission of Justification Through the Grant Management Portal
- Got it. But I’m wondering, how do they determine that the service is complete? The consultant organized the documentation, saved meeting info… but what do they do with it?
That’s the crux of the matter! The documentation generated during the service is submitted through the grant management portal, where you must fill out documents with evidence of meetings held, documents presented, etc.
The technical documentation and results required for justification, as outlined in Article 31.6.a of Order TDF/436/2024, dated May 10, 2024, include:
BASIC
Evidence of holding the initial in-person meeting for advisory service provision, to be specified in each call for proposals.
Evidence of holding intermediate meetings, to be specified in each call for proposals.
Evidence of holding the final in-person meeting after advisory service provision, which includes the results obtained and the beneficiary’s agreement to the service provided, to be specified in each call for proposals.
Initial Diagnosis:
Preparation of a Vulnerability Analysis, which includes:
Inventory and information collection of the systems and sources to be evaluated.
Audit of identified assets and penetration tests (pentesting).
List of detected vulnerabilities.
List of vulnerable devices and services.
Results:
Development of a business protection plan covering the needs identified within the organization by defining a Security Policy that specifies measures to be implemented on the media and systems accessing information:
User management. Authentication, strong password policy.
Email/server/end-point protection.
Backup copies with specific anti-ransomware mechanisms.
Regular software updates and patching.
Development of a business continuity plan focused on the protection of the organization's people and systems and the timely restoration of critical processes, services, and infrastructure in the event of interruption or disaster. The plan must include at least the following key points:
Security incident management.
Vulnerability management.
Response and recovery measures.
Legal compliance: measures for GDPR compliance, including record-keeping and inventory of personal data processing activities.
Use case: Vulnerability analysis with test results and recommendations.
AS-IS diagram representing the elements of the organization’s information systems and how they relate to each other.
Results of penetration testing: a report of the tests performed, including a summary, methodology used, findings, and impact.
Service invoice (in Facturae format).
Confirmation of the service and proof of payment by the beneficiary of the non-subsidizable expenses (i.e., the VAT).
Statements from the advisor and beneficiary indicating that no other subsidy was received for the same type of service.
Proof of compliance with publicity obligations.
ADVANCED
Evidence of holding the initial in-person meeting for advisory service provision, to be specified in each call for proposals.
Evidence of holding intermediate meetings, to be specified in each call for proposals.
Evidence of holding the final in-person meeting after advisory service provision, which includes the results obtained and the beneficiary’s agreement to the service provided, to be specified in each call for proposals.
Initial Diagnosis:
Preparation of a vulnerability analysis, which includes:
Classification of vulnerabilities found in each service and device, based on risk level.
Recommendations and measures to adopt.
Results:
Development of a business protection plan covering the needs identified within the organization.
Security Policy: measures to be implemented on the media and systems accessing information:
Data encryption and cloud security, backup policy.
VPN configurations and virtual desktops, multi-factor authentication (MFA) access procedures.
Active surveillance policy and procedure, where necessary systems and configurations for continuous security monitoring are defined, as well as adjustments for new technologies.
Network and service monitoring.
Email monitoring.
Cybersecurity awareness plan for employees.
Permitted uses of ICT in the company.
Training resources and materials, such as guides, videos, and phishing simulations, to reinforce training.
Definition or review of the Information Security Policy approved by Management.
Determining the scope of the ISMS for ISO 27001.
Security categorization of information systems for the ENS (Esquema Nacional de Seguridad, Spain's National Security Framework).
Roles, responsibilities, and commitment and leadership of Management.
Support for contracting managed security services (protection, detection, and response).
Use case: Vulnerability analysis with test results and recommendations.
AS-IS diagram representing the elements of the organization’s information systems and how they relate to each other.
TO-BE diagram: preparation of a diagram that includes the media and information systems recommended to meet the organization’s needs based on penetration test results.
Recommendations and measures to adopt.
Benchmark for contracting services that cover the recommendations and measures to adopt, focusing on:
Vulnerability management: real-time continuous security monitoring.
Incident response: support and guidance in case of intrusion.
Service invoice (in Facturae format).
Confirmation of the service and proof of payment by the beneficiary of the non-subsidizable expenses (i.e., the VAT).
Statements from the advisor and beneficiary indicating that no other subsidy was received for the same type of service.
Proof of compliance with publicity obligations.
CERTIFICATION PREPARATION
Evidence of holding the initial in-person meeting for advisory service provision, to be specified in each call for proposals.
Evidence of holding intermediate meetings, to be specified in each call for proposals.
Evidence of holding the final in-person meeting after advisory service provision, which includes the results obtained and the beneficiary’s agreement to the service provided, to be specified in each call for proposals.
Results:
ISMS manual detailing the PDCA cycle for continuous improvement and the set of policies, procedures, and guidelines, along with resources and activities collectively managed by the organization to protect essential information assets.
Statement of Applicability, shared for ISO 27001 and the ENS and approved by the Security Manager; for the ENS it must be aligned with CCN-STIC 804 and match the service categorization. The ISMS controls must be derived from the risk assessment and risk treatment procedures.
Cybersecurity training program: professional training in skills for critical roles and functions, addressing security awareness points and identifying personnel needs by profile and department.
Advanced security policies and procedures based on the standard and ISMS scope, including:
Crisis management.
Business continuity.
Definition of a cybersecurity metrics system for periodic re-evaluation, with KPIs to help mitigate risks by continuously measuring performance against established security objectives. Examples of KPIs include total number of security incidents, Mean Time to Identify (MTTI)/Mean Time to Detect (MTTD) a security breach, etc.
ISMS internal audit plan and report. The plan must define frequency and execution dates, scope, audit methodology, and the assignment of stakeholders for planning, conducting, and reporting results. The plan should cover physical locations, organizational units, activities, processes, start and end dates. Internal audits must be conducted by personnel not involved in ISMS implementation to ensure objectivity and impartiality.
Service invoice (in Facturae format).
Confirmation of the service and proof of payment by the beneficiary of the non-subsidizable expenses (i.e., the VAT).
Statements from the advisor and beneficiary indicating that no other subsidy was received for the same type of service.
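The metrics system required for certification preparation names KPIs such as the total number of incidents and MTTI/MTTD. As an added example (not code from the original post nor from the Kit Consulting program's materials), here is how those KPIs can be computed from an incident register. The incident records, their field names (occurred, detected, contained, severity) and the severity labels are constructed for illustration and are not a format the program prescribes; the example also shows the two decisions that most often distort these numbers: MTTD is measured from compromise to detection (not from ticket creation), and still-open incidents are excluded from MTTR rather than counted as zero.

```python
"""Cybersecurity KPIs (incident count, MTTD, MTTR) over an incident register.

Added example, not part of the original post or of the Kit Consulting
programme. The records and field names below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    ident: str
    severity: str                        # assumed labels: "high", "medium", "low"
    occurred: datetime                   # when the compromise actually began
    detected: datetime                   # when it was first identified
    contained: Optional[datetime] = None  # None while the incident is still open


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample register (illustrative data only).
INCIDENTS = [
    Incident("INC-01", "high",   _ts("2024-09-02 08:00"), _ts("2024-09-02 10:30"), _ts("2024-09-02 16:00")),
    Incident("INC-02", "medium", _ts("2024-09-10 22:00"), _ts("2024-09-12 09:00"), _ts("2024-09-12 18:00")),
    Incident("INC-03", "low",    _ts("2024-09-15 12:00"), _ts("2024-09-15 12:15"), None),
    Incident("INC-04", "high",   _ts("2024-09-20 03:00"), _ts("2024-09-21 03:00"), _ts("2024-09-22 03:00")),
]


def mean_hours(deltas: List[timedelta]) -> Optional[float]:
    """Average of a list of durations in hours; None when there is nothing to average
    (a KPI that silently returns 0 for an empty set would look like perfect detection)."""
    if not deltas:
        return None
    return mean([d.total_seconds() for d in deltas]) / 3600.0


def mttd_hours(incidents: List[Incident], severity: Optional[str] = None) -> Optional[float]:
    """Mean Time To Detect: average of (detected - occurred).
    Every incident with a detection time counts, whether it is open or closed."""
    sel = [i for i in incidents if severity is None or i.severity == severity]
    return mean_hours([i.detected - i.occurred for i in sel])


def mttr_hours(incidents: List[Incident], severity: Optional[str] = None) -> Optional[float]:
    """Mean Time To Respond (contain): average of (contained - detected) over
    closed incidents only. Open incidents are excluded, not counted as zero."""
    sel = [i for i in incidents
           if i.contained is not None and (severity is None or i.severity == severity)]
    return mean_hours([i.contained - i.detected for i in sel])


def kpi_report(incidents: List[Incident]) -> dict:
    """The KPI set as a dict, so one period can be compared against the previous one."""
    return {
        "total_incidents": len(incidents),
        "open_incidents": sum(1 for i in incidents if i.contained is None),
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "mttd_hours_high": mttd_hours(incidents, "high"),
    }


if __name__ == "__main__":
    for name, value in kpi_report(INCIDENTS).items():
        print(f"{name:>16}: {value}")
```

Run on the constructed register the report gives 4 incidents, 1 still open, an overall MTTD of about 15.4 hours (INC-02 alone, detected 35 hours after the fact, drags it up; that is exactly the kind of outlier the periodic re-evaluation is meant to surface), an MTTR of about 12.8 hours over the three closed incidents, and an MTTD of 13.25 hours for high-severity incidents only. Asking for a severity that has no incidents returns None rather than a misleading zero.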
- And that’s all? What a relief, I was expecting installment payments, two hundred justifications, multiple invoices, a healthy kidney…
Yes, that’s all. It’s quite a bit, but if we weigh the effort made by the beneficiary company against the benefits received, I think it’s worth it. Definitely worth it.
- I agree. Let’s go for the advanced! Another coffee?