CCN-CERT, Cybersecurity Solutions

Security inspections and verification

The security audit shall examine the details of the system to whatever depth it considers necessary to obtain sufficient and relevant evidence within the scope established for the audit.

Within the established security audit process, the National Cryptologic Center carries out security inspections that verify the security implemented in a System and confirm that the services and resources used comply with the minimum requirements specified in the security policy (especially in systems that handle classified information).

The reach of the audit is determined by its scope, objective, activities to be performed, and the means and techniques to be applied; together with the periodicity, these translate into the different types of inspection shown in the table below. Levels 1 and 2 address compliance by the security governance; Levels 3, 4 and 5 correspond to the technical audit.

Types of Security Inspections

LEVEL 1
REACH: Knowledge of the governance of the System's security.
SCOPE: Element (product, service, device, application...) and System.
OBJECTIVE: Determine the services provided and the System architecture.
ACTIVITIES: Analysis.
MEANS AND TECHNIQUES: Documentation review.
PERIODICITY: Periodic and in accordance with the Security Policy, Accreditation Procedure and Corrective Action Plan.

LEVEL 2
REACH: Improved "global" security management.
SCOPE: Element (product, service, device, application...) and System.
OBJECTIVE: Determine the properties and security functions of the System.
ACTIVITIES: Analysis; Manual Verification.
MEANS AND TECHNIQUES: Documentation review; Configuration Management; Questionnaires (ST&E Plan); Interviews.
PERIODICITY: Periodic and in accordance with the Security Policy, Accreditation Procedure and Corrective Action Plan.

LEVEL 3*
REACH: Objective recognition that the System operates within the defined security framework.
SCOPE: Element (product, service, device, application...), System and Interconnection.
OBJECTIVE: Determine the level of security of a System and its degree of compliance with the security policy; assess the system configuration and existing vulnerabilities.
ACTIVITIES: Analysis; Manual Verification; Automatic Verification; Security assessment.
MEANS AND TECHNIQUES: Documentation review; Configuration Management; Questionnaires (ST&E Plan); Interviews; Security Tools.
PERIODICITY: Periodic and in accordance with the Security Policy, Accreditation Procedure and Corrective Action Plan.

LEVEL 4
REACH: "Real and complete" knowledge of the criticality and risk of the System.
SCOPE: Element (product, service, device, application...), System and Interconnection.
OBJECTIVE: Get to know the system configuration, the area of exposure to vulnerabilities, and existing threats.
ACTIVITIES: Analysis; Manual Verification; Automatic Verification; White Box Security Test.
MEANS AND TECHNIQUES: Vulnerability analysis and system security assessment tools and techniques.
PERIODICITY: Exceptionally, depending on the sensitivity of the system, or periodically if so established by the security policy.

LEVEL 5
REACH: "Real and estimated" knowledge of the criticality and risk of the System.
SCOPE: Element (product, service, device, application...), System and Interconnection.
OBJECTIVE: Get to know the area of exposure to existing vulnerabilities and threats.
ACTIVITIES: Analysis; Manual Verification; Automatic Verification; Black Box Intrusion Test.
MEANS AND TECHNIQUES: Asset identification tools and vulnerability assessment and exploitation techniques.
PERIODICITY: Exceptionally, depending on the sensitivity of the system, or periodically if so established by the security policy.

* Recommended for systems handling classified information / ENS