Safety inspections and verification
The security audit shall go into the details of the system to the level that it considers to provide sufficient and relevant evidence within the scope established for the audit.
The National Cryptologic Center carries out security inspections that allow verifying the security implemented in a System and that the services and resources used comply with the minimum specified and required in the security policy (especially in all those systems that handle classified information) within the established security audit process.
The scope of the audit is determined by the scope, objective, activities to be performed, means and techniques to be applied which, together with periodicity, translate into different types of inspection in accordance with the attached table. The levels indicated are a response to compliance by the safety government (Levels 1 and 2) and to the technical audit (Levels 3, 4 and 5).
Types of Safety Inspections
LEVEL 1 | LEVEL 2 | LEVEL 3* | LEVEL 4 | LEVEL 5 | |
REACH | Knowledge of the governance of the System security | Improved "global" security management | Objective recognition that the System operates within the defined security framework | Real and complete" knowledge of the criticality and risk of the System. | Real and estimated" knowledge of the criticality and risk of the System. |
SCOPE | Element (product, service, device, application...) and System | Element (product, service, device, application...) and System | Element (product, service, device, application...), System and Interconnection | Element (product, service, device, application...), System and Interconnection | Element (product, service, device, application...), System and Interconnection |
OBJECTIVE | Determine the services provided and System architecture | Determine the properties and safety functions of the System | Determine the level of security of a System and its degree of compliance with the security policy. Assessment of system configuration and existing vulnerabilitie | Get to know the system configuration, the area of exposure to vulnerabilities, and existing threats | Get to know the area of exposure to existing vulnerabilities and threats |
ACTIVITIES | Analysis | Analysis Manual Verification |
Analysis Manual Verification Automatic Verification Safety assessment |
Analysis Manual Verification Automatic Verification White Box Security Test |
Analysis Manual Verification Automatic Verification Black Box Intrusion Test |
MEDIA AND TECHNIQUES | Review Documentation | Review Documentation Configuration Management Questionnaires (ST&E Plan) Interviews |
Review Documentation Configuration Management Questionnaires (ST&E Plan) Interviews Security Tools |
Vulnerability analysis and system security assessment tools and techniques | Asset identification tools and vulnerability assessment and exploitation techniques |
PERIODICITY | Periodic and in accordance with the Security Policy, Accreditation Procedure and Corrective Action Plan. | Periodic and in accordance with the Security Policy, Accreditation Procedure and Corrective Action Plan. | Periodic and in accordance with the Security Policy, Accreditation Procedure and Corrective Action Plan. | Exceptionally, depending on the sensitivity of the system, or periodically if so established by the security policy. | Exceptionally, depending on the sensitivity of the system, or periodically if so established by the security policy. |
* Recommended for systems handling classified information / ENS