The main purpose of this block is to provide a detailed and clear description of the different controls to be evaluated that are necessary to ensure that security requirements are met, including logical, physical, personnel and file security.

<a href="https://suportaoc.powerappsportals.com/article/KA-07269/DownloadKbAttachmentFile/0593702a-0d2b_ _TRA__0__f011-8c4e-6045bd9ffce9?kbAttachmentId=257e2ab9-3736-f011-8c4d-0022487f50fc" rel="noopener noreferrer" target="_blank">Security procedure

  • Physical security

It refers to the physical controls that you have in place. The most basic ones are fire prevention measures, access controls, etc.

o What are access lists?
Access lists are records that control which people are authorized to access certain areas and physical resources. They should be reviewed regularly to ensure that only authorized personnel maintain access, removing those who no longer require permission.

o What are considered key areas?
Key areas are critical areas within a facility that require special protection, such as server rooms, confidential files or control centers. This helps prevent unauthorized access and facilitates rapid response to security incidents.

o Who are the security personnel or guards?
Security personnel or guards are professionals responsible for physically monitoring the facilities to prevent intrusions, thefts and security incidents.

o What are the physical security measures?
Physical security measures are intended to protect information storage devices, such as servers and storage drives, from unauthorized access and physical damage. These measures may include secure rooms, restricted access systems, surveillance cameras, and environmental controls such as temperature and fire sensors.

o What is an asset inventory?
An asset inventory is a document that records and details all the assets of an organization, which can be physical or digital, with the aim of assisting in the management of information security. This inventory allows you to identify, assess and manage the risks associated with these assets to protect them adequately.

  • Logical security

It refers to the technological controls that you have in place to secure your equipment (computers, etc.) from any access by a third party. The most basic ones are: having a password that is longer than X characters, that must be changed periodically, that must contain special characters, etc.

o What is logical security?
Cybersecurity is a set of measures designed to protect computer systems and digital data against various threats (unauthorized access, misuse, modification, and destruction). These measures include the use of firewalls, antivirus software, secure passwords, and security education. The main threats they combat are malware, distributed denial of service (DDoS) attacks, and brute force attacks to crack passwords.

o What are access privileges?
Access privileges refer to the rights or permissions that are granted to users or systems to access specific resources within a network or computer system. These privileges determine what a user or process can do within the system, such as view, modify, delete, or execute certain files or applications.

o What are security monitoring tools?
Security monitoring tools are systems that detect unusual or suspicious activities on networks, servers and devices. They include intrusion detection systems (IDS), firewalls, audit logs, and traffic analysis tools. These tools help identify potential threats and security vulnerabilities in real time.

o Procedures for responding to security events and possible intrusions
Procedures for responding to security events include protocols for detecting, containing, eradicating, and recovering from threats. These include notification of response teams, isolation of affected systems, incident analysis, and restoration of services. Follow-up investigations are also conducted to prevent future incidents.

o Process established to manage and apply security patches
An established process for managing and applying security patches is a set of organized steps and practices that ensure that the updates and security fixes provided by software manufacturers to address vulnerabilities, bugs or security issues in applications, operating systems or other system components are managed and applied in a systematic, controlled and efficient manner in an organization.

o What are known vulnerabilities?
Known vulnerabilities are weaknesses in software systems that can be exploited by attackers. They are tracked through security reports and updates from manufacturers. Patches, software updates, and strengthened security configurations are applied to mitigate them.

o Safe practices during software development
Secure code development involves following a set of practices that minimize risks and vulnerabilities. First, it is essential to perform input validation to avoid injection attacks. It is also necessary to ensure that the code adequately manages authentication and authorization, preventing unauthorized access. The use of encryption for sensitive data is essential to guarantee confidentiality. Furthermore, secure error management must be carried out that does not reveal critical information. Finally, the code must be regularly audited and tested to identify and correct vulnerabilities before they reach production.

o Security testing and vulnerability analysis
Security testing and vulnerability analysis are assessments that identify security flaws in internally developed applications. These tests include vulnerability scans, penetration tests, and code review to detect errors. The goal is to correct weaknesses before they can be exploited by attackers.

o Post-incident follow-up
Post-incident analysis is key to improving security measures and responding to future incidents. It helps identify the root cause of the problem, ensuring that specific actions are taken to prevent it from happening again. It also helps to understand the real impact of incidents, providing valuable lessons for the entire organization. Furthermore, this process helps to reduce detection, diagnosis, and mitigation time, improving overall effectiveness against potential threats.

  • Personnel security

It refers to personnel-related controls, for example, leave procedures, training, etc.

o Procedure for reporting the loss or theft of devices that may contain confidential information
A loss or theft notification procedure is a set of defined steps that must be followed when it is discovered that a device with confidential information has been lost or stolen. The objective is to minimize the risks associated with information loss and ensure a rapid and effective response.

o Access permissions
Access permissions are the rights granted to employees to access certain areas, systems or information within an organization. This helps prevent unauthorized access and maintain information security.

o End-of-employment process
The end-of-employment process for removing access privileges is a set of steps that apply when an employee leaves an organization. It includes the immediate revocation of all access permissions to systems and sensitive information areas, and the return of any computer credentials.

o Security responsibilities when leaving the organization
Security responsibilities upon leaving the organization include ensuring that employees understand their obligations even after their employment relationship ends, helping to protect the organization against potential security risks.

  • File security

It refers to the controls related to the file, for example, access controls and security processes.

o Are there clear policies on the handling of confidential files?
Confidential file handling policies are guidelines that establish how sensitive information should be managed, stored, shared, and destroyed. The goal is to protect information from unauthorized access and ensure compliance with privacy regulations.

o Recovery testing to ensure that files can be restored effectively
Recovery testing is a simulation or test that is performed to verify that file systems can be effectively restored after an incident, such as data loss or system failure. These tests involve restoring data from backups to ensure that they are working properly.

o Are there clearly defined authorization levels to limit access according to roles and responsibilities?
Authorization levels are classifications that determine who can access information or resources based on roles and responsibilities within the organization. These levels ensure that only authorized personnel can access sensitive data, minimizing the risk of exposure or inappropriate use.

Check the <a href="https://suportaoc.powerappsportals.com/article/KA-07299/DownloadKbAttachmentFile/4f40d333-0d2b_ _TRA__0__f011-8c4e-6045bdf32139?kbAttachmentId=9209ae83-3636-f011-8c4d-0022487f50fc" rel="noopener noreferrer" target="_blank">ER idCAT audit questionnaire

You might be interested in:

  • <a href="https://suport-eridcat.aoc.cat/hc/ca/articles/22030868852125" rel="noopener noreferrer" target="_blank">Audit: document management and archive requirements
  • <a href="https://suport-eridcat.aoc.cat/hc/ca/articles/22148731597725" rel="noopener noreferrer" target="_blank">Audit: operational requirements
  • <a href="https://suport-eridcat.aoc.cat/hc/ca/articles/22030284473373" rel="noopener noreferrer" target="_blank">Why an audit?

For any queries, you can contact the <a href="mailto:auditoria.scd@aoc.cat" rel="noopener noreferrer" target="_blank">audit support email.