PAe - Technical Security Instruction on Information Systems Security Auditing published in the BOE

Technical Security Instruction on Information Systems Security Auditing published in the BOE

04 April 2018

This new ITS joins those already published on the Security Status Report and on Conformity with the ENS.

The Technical Security Instruction on Security Auditing sets the conditions for conducting the audits, ordinary or extraordinary, provided for in Article 34 of Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of Electronic Administration (ENS).

The audits are to be conducted in order to determine the degree of conformity with the ENS. They must allow those responsible to take appropriate measures to remedy the deficiencies found and, where applicable, make it possible to obtain the Certification of Conformity.

It should be recalled that, to obtain this Certification, information systems of category MEDIUM or HIGH must pass a Security Audit at least every two years. In addition, the audit reports issued may be requested by the CCN-CERT in response to any attack suffered by the information systems of public administrations (Article 37 of the ENS).

As for how audits are carried out, the resolution now published states that they must be conducted in accordance with the ITS itself and, where appropriate, with national and international auditing standards, including the guides CCN-STIC 802 Audit Guide, CCN-STIC 804 Implementation Guide and CCN-STIC 808 Verification of Compliance with the ENS Measures.

After setting out its object and scope of application, this ITS addresses matters such as the purpose of the security audit, its mandatory nature and the governing regulations; the definition of the scope and objective of the security audit; the execution of the security audit; the audit report; public-sector auditing entities; and, in an additional provision, matters relating to personal data.

In its Article 29(2), the ENS provides for Technical Security Instructions as essential elements for achieving an appropriate, uniform and consistent implementation of the requirements and measures it contains. These Technical Security Instructions regulate specific aspects that day-to-day practice has shown to be particularly significant, such as: Security Status Report; Notification of Security Incidents; Security Audit; Conformity with the National Security Scheme; Acquisition of Security Products; Cryptology Used in the National Security Scheme; Interconnection in the National Security Scheme; and Security Requirements in Outsourced Environments.
