PAe - CCN-STIC 802 guide on auditing the National Security Framework published

30 may 2017

The CCN-STIC guide covers all aspects to be taken into consideration when planning and carrying out an audit of the National Security Framework (ENS), including the definition of the scope and object of the audit, the requirements for the audit team and a model confidentiality agreement.

The CCN-CERT has published on its website the CCN-STIC 802 Guide on auditing the National Security Framework (ENS). Its aim is to standardise how audits, whether ordinary or extraordinary, are carried out by establishing minimum premises for their execution, as provided for in Article 34 of Royal Decree 3/2010 of 8 January, which regulates the ENS.

The CCN recalls that Article 34 states that the information systems referred to in the Royal Decree will be subject to an ordinary audit at least once every two years to verify compliance with the requirements of the ENS.

Information systems in the High or Medium category, including those of private-sector companies that provide services to public entities, are required to undergo a regular audit at least every two years and an extraordinary audit whenever substantial changes occur in the information system.

On an exceptional basis, this audit must be carried out whenever a substantial change occurs in the information system that may affect the security measures required.

Audit guide

Among other sections, the CCN-STIC 802 Guide includes one devoted to the frame of reference and the object of the audit which, as the document states, must consist of “issuing an opinion in an independent and objective manner, based on the principles of integrity, fair presentation, due professional care, confidentiality, independence and an evidence-based approach, on the implementation, in such a way that those responsible can take appropriate steps to remedy the shortcomings identified, if any”.

The definition of the scope, the audit team, audit planning and evidence, the preparation and presentation of findings, and the presentation of the report and the final opinion are other points covered by the document. Alongside them, six annexes cover the requirements for the auditor, the involvement of technical experts, the model confidentiality agreement, a glossary and a bibliography.

Original source of news