The main purpose of this block is to provide a detailed and clear description of the controls to be assessed that are necessary to ensure that security requirements are met, including logical, physical, personnel and archive security.

Security procedure

  • Physical security

It refers to the physical controls that you have in place. The most basic ones are fire prevention measures, access controls, etc.

  ◦ 3.1.1 Is a regular review of access lists carried out to ensure that only authorized persons have access?

Access lists are records that control who is authorized to access certain areas or physical resources. They should be reviewed regularly to ensure that only authorized personnel maintain access, removing those who no longer require permissions.

  • Logical security

It refers to the technological controls that you have in place to secure your equipment (computers, etc.) from access by any third party. The most basic ones are: having a password that is longer than X characters, that must be changed periodically, that must contain special characters, etc.

  ◦ 3.2.1 Do they have logical access control policies: roles and responsibilities, password quality, clean desk (screen locking) and good security practices?

Logical access control policies ensure that only authorized individuals can access systems according to their roles and responsibilities. They include requirements for secure passwords (complex, with expiration and history), automatic screen locking after a period of inactivity (clean desk and clear screen), and general good practices such as the use of antivirus, firewalls and security training for staff. These measures minimize the risk of unauthorized access and protect information.

  ◦ 3.2.2 Are there clearly defined authorization levels to limit access according to roles and responsibilities?

Authorization levels are classifications that determine who can access information or resources based on roles and responsibilities within the organization. These levels ensure that only authorized personnel can access sensitive data, minimizing the risk of exposure or inappropriate use.

  ◦ 3.2.3 Do you have controls implemented to prevent improper access to information systems (two-factor authentication for systems, inability to access depending on the assigned role, etc.)?

Controls to prevent improper access to systems include measures such as multi-factor authentication (MFA), which requires more than one verification method to access systems, and limiting access based on the role assigned to each user. These measures ensure that only authorized individuals can access the specific resources they need, reducing the risk of intrusions and improper use of information.

  ◦ 3.2.4 Is there a clear procedure for reporting loss or theft of devices that may contain confidential information?

A lost or stolen device notification procedure is a set of defined steps that must be followed when it is discovered that a device with confidential information has been lost or stolen. The goal is to minimize the risks associated with information loss and ensure a quick and effective response.

  • Personnel security

It refers to controls related to personnel. For example, offboarding (deregistration) procedures, training, etc.

  ◦ 3.3.1 Are access permissions regularly reviewed as job responsibilities change?

Access permissions are the rights granted to employees to access certain areas, systems, or information within an organization. They should be reviewed whenever job responsibilities change, so that permissions no longer required by the new role are removed. This helps prevent unauthorized access and maintain information security.

  ◦ 3.3.2 Have all operators who have been deregistered been notified to the AOC Consortium through the person responsible, and has the certificate of the operator in question been revoked?

This control verifies whether the termination of operators has been managed correctly. It includes formal notification to the AOC Consortium by the corresponding person in charge and the revocation of the digital certificate associated with the operator. This ensures that former operators cannot access the systems or services, avoiding possible security risks arising from unauthorized users.
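Controls 3.1.1, 3.3.1 and 3.3.2 all come down to the same reconciliation: compare what the access list (or certificate inventory) currently grants against who is actually on the roster and in which role. The following script is an added example written for this guide and is not the AOC Consortium's own tooling; the record formats, the staff records, the resource names and the 180-day review interval are all constructed assumptions (the questionnaire specifies no interval). It flags entries for people no longer on the roster, entries granted for a role the person no longer holds, reviews that are overdue, and deregistered operators whose certificate has not yet been revoked.

```python
"""Access-list review: reconcile access entries against the staff roster.

Added example for the audit controls above; not part of the original guide.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 180  # assumed policy value; the questionnaire gives none


@dataclass(frozen=True)
class AccessEntry:
    user: str
    resource: str
    granted_for_role: str   # role the access was approved for
    last_reviewed: date


@dataclass(frozen=True)
class StaffRecord:
    user: str
    role: str
    active: bool            # False once the person has been deregistered
    certificate_revoked: bool  # relevant for deregistered operators (3.3.2)


def review_access(entries, roster, today):
    """Return findings as (user, resource, reason) tuples, in deterministic order."""
    by_user = {s.user: s for s in roster}
    findings = []
    for e in entries:
        s = by_user.get(e.user)
        # 3.1.1 / 3.3.2: person is unknown or deregistered -> access must go
        if s is None or not s.active:
            findings.append((e.user, e.resource, "user no longer on roster: remove access"))
            continue
        # 3.3.1: access was approved for a role the person no longer holds
        if s.role != e.granted_for_role:
            findings.append((e.user, e.resource,
                             f"role changed {e.granted_for_role} -> {s.role}: re-approve or remove"))
        # 3.1.1: periodic review has lapsed
        if (today - e.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((e.user, e.resource, "review overdue"))
    # 3.3.2: deregistered operators must also have their certificate revoked
    for s in roster:
        if not s.active and not s.certificate_revoked:
            findings.append((s.user, "operator certificate",
                             "deregistered operator still holds a valid certificate: request revocation"))
    return findings


# Constructed sample data (hypothetical users, resources and dates)
ROSTER = [
    StaffRecord("alice", "registration_operator", True, False),
    StaffRecord("bob", "finance", True, False),               # moved out of the RA role
    StaffRecord("carol", "registration_operator", False, False),  # deregistered, cert not revoked
    StaffRecord("dave", "it_admin", True, False),
]
ENTRIES = [
    AccessEntry("alice", "server_room", "registration_operator", date(2024, 3, 1)),
    AccessEntry("bob", "RA_application", "registration_operator", date(2024, 5, 1)),
    AccessEntry("carol", "RA_application", "registration_operator", date(2024, 1, 15)),
    AccessEntry("dave", "server_room", "it_admin", date(2023, 6, 1)),
]


def run_review(today=date(2024, 6, 1)):
    """Run the reconciliation over the embedded sample and return its findings."""
    return review_access(ENTRIES, ROSTER, today)


if __name__ == "__main__":
    for user, resource, reason in run_review():
        print(f"{user:6} {resource:22} {reason}")
```

In practice the two inputs would be exported from the badge system or directory and from HR; the value of the script is that every finding names the control it supports, so the output doubles as audit evidence for the review itself.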

  ◦ 3.3.3 Do certificate holders diligently guard their cards, as well as their PIN and PUK?

Holders of digital certificates are responsible for carefully guarding their cards and associated codes (PIN and PUK). This includes keeping the cards in a safe place, protecting the PIN from unauthorized disclosure, and safely storing the PUK. This diligent custody is essential to prevent unauthorized use of digital certificates and protect the security of the organization's information.

  ◦ 3.3.4 In the event of participation by external personnel, have they signed a confidentiality clause with the Registration Entity?

External personnel working with the Registration Entity must sign a confidentiality clause. This ensures that collaborators not directly employed by the organization, but with access to sensitive information, are legally obligated to maintain confidentiality. This practice protects sensitive data, complies with data protection regulations and establishes a legal basis for possible action in the event of non-compliance, thus maintaining the security and integrity of the Registration Entity's information.

  ◦ 3.3.5 For all certificate holders with a position or representative role, has it been verified that the position is still held throughout the validity of the certificate, or has revocation of the certificate been requested?

Holders of digital certificates issued for a position or representative role must continue to hold that position for as long as the certificate is valid. If a holder no longer holds the position or the representation, revocation of the certificate must be requested. This process is essential to maintain the integrity and validity of certificates, ensuring that only currently authorized persons have valid certificates, and thus complying with established security regulations and policies.

Consult the audit questionnaire for subscribing entities.

For any queries you can contact the audit support email.