The security audit according to the LOPD
Articles 96 and 110 of the RLOPD establish, for both automated files and non-automated (manual) files to which medium- or high-level security measures apply, the obligation to conduct a security audit at least every two years. The audit verifies compliance with the security measures in the information systems and in the data processing and storage facilities that support or house files of these security levels, whether automated or manual.
Likewise, on an extraordinary basis, an audit must be carried out whenever modifications are made to the information system that may affect compliance with the security measures implemented, in order to verify their adaptation, adequacy and effectiveness.
The audit report
The audit consists of the review and analysis of each of the security measures applied to the medium- and high-level files. Its results must be reflected in a report that identifies the following:
1. The degree of compliance for each of the measures.
2. The deficiencies and omissions detected.
3. The necessary corrective or complementary measures.
4. The data, facts and observations that evidence the analysis and conclusions reached.
5. The recommendations proposed by the auditor.
In addition, the audit must include a review of:
1. Norms, standards, security policies and criteria.
2. Existing procedures.
3. Control mechanisms and systems.
4. Security systems: data encryption, password storage, etc.
5. Security devices on doors, cabinets, filing cabinets, etc.
People who must do it
The data protection regulations do not determine who should carry out the audits, so the person responsible for the file may choose between:
1. Having it carried out by the organization's own staff: for this, the organization must have staff with the necessary knowledge.
2. Entrusting it to a specialized company: in this case the person responsible must comply with the provisions of the data protection regulations on the provision of services.
Aspects when conducting an audit
The audit team will have to consider, when conducting a security audit, the following aspects:
1. The information systems that process the files.
2. The premises and their owners.
Procedure for conducting an audit
The person responsible for the file, or the person designated for this purpose, must coordinate the audit and assign the means and resources necessary to carry it out.
In addition, they must provide the audit team with the following information:
1. The structure of the organization and those responsible for it.
2. Whether or not there is a person in charge of the processing (data processor).
3. The security document.
4. The list of authorized persons.
5. The information relating to the information systems.
6. All the information necessary to comply with this measure.
What should an audit analyze?
The audit may cover one or more files, corresponding to one or more information systems.
1. In general, the following will be analyzed:
   1. The relationship between files and information systems.
   2. The processing mode of each system.
2. In particular, the audit team will analyze:
   1. The functions and obligations of the staff.
   2. The list of authorized persons.
   3. Access control procedures and passwords.
   4. The mechanisms implemented to enforce access controls.
Once the audit is completed, the audit team will issue an audit report in which it must assess compliance with each of the auditable points according to data protection regulations.
If the audit covers several files, the report must indicate, for each file, compliance with each of the security measures, regardless of whether some have been jointly assessed.
The audit reports must be analyzed by the competent security officer, who will report the conclusions to the person responsible for the file so that the necessary measures can be initiated to correct the weaknesses found.