
PAe - Technical Security Instruction on Auditing the Security of Information Systems published in the BOE


04 April 2018

This new ITS joins those already published on the security status report and on conformity with the ENS.

The Technical Security Instruction on Security Audit sets the conditions for conducting audits, ordinary or extraordinary, under Article 34 of Real Decreto 3/2010, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration (ENS).

The audits are to be conducted in order to determine the degree of conformity with the ENS, and must allow those responsible to take appropriate measures to remedy the deficiencies found and, where applicable, make it possible to obtain the Certification of Conformity.

It should be recalled that, to obtain this Certification, information systems of MEDIUM or HIGH category must pass a Security Audit at least every two years. In addition, the audit reports issued may be requested by the CCN-CERT following any attack suffered by the information systems of the Public Administrations (Article 37 of the ENS).

As to how the audits are carried out, the Resolution now published states that they must be performed in accordance with the ITS itself and, where applicable, with national and international auditing standards, among them the guides CCN-STIC 802 Audit Guide, CCN-STIC 804 Implementation Guide and CCN-STIC 808 Verification of Compliance with the Measures in the ENS.

After setting out its object and scope, this ITS addresses matters such as the purpose of the security audit, its mandatory nature and governing regulations; the definition of the scope and objective of the security audit; the execution of the security audit; the audit report; public-sector audit entities; and, in an additional provision, questions relating to personal data.

The ENS provides, in its Article 29(2), for the Technical Security Instructions as essential elements for achieving an appropriate, uniform and consistent implementation of the requirements and measures it contains. These Technical Security Instructions regulate specific aspects that everyday practice has shown to be particularly significant, such as: Security Status Report; Notification of Security Incidents; Security Audit; Conformity with the National Security Scheme; Acquisition of Security Products; Cryptology for Use in the National Security Scheme; Interconnection in the National Security Scheme; and Security Requirements in Outsourced Environments.
