1 November 2023

Testing operating effectiveness through the DigiD audit

Recently, the DigiD working group of NOREA published the new NOREA Handreiking ICT Security Assessment DigiD 4.0. In this blog we briefly discuss the most important addition to the manual: testing the operating effectiveness of a number of standards.

Testing operating effectiveness

In the past, the audit of the DigiD connection was always limited to testing the design and existence of the implemented measures. Design concerns a procedure or process description; existence is demonstrated with a single example showing that the procedure in question is actually followed. As announced last year, testing of operating effectiveness will be added to the audit for 5 standards. For operating effectiveness, it must be demonstrated retrospectively, over a period of time, that the procedure has been complied with throughout that period.

For the testing of operating effectiveness, 2023 is still a transitional year: from the submission period 1 January - 1 May 2024 (for audit year 2023) DigiD access holders may have the 5 standards tested for operating effectiveness; from the submission period 1 January - 1 May 2025 this is mandatory.

The new manual provides guidance on how to test operating effectiveness and how the 2023 transition year may be part of the audit. Specifically, for ENSIA/DigiD year 2023 a test audit of operating effectiveness may be performed, the results of which are reported in an internal report with possible improvement actions. This internal report is intended solely for the organization's own use; any findings are not reported to the supervisory authorities. We perform the test audit, in accordance with the guidance, over a period of 3 months prior to the date of the regular ENSIA/DigiD audit (the judgment date).

1. U/TV.01 Access security

This requires demonstrating that the process of access security and rights management is sufficiently controlled. Changes in roles and the assignment of roles must be authorized, and authorization checks must be performed and recorded with sufficient frequency and depth. For the audit, provide an overview of the relevant personnel mutations from the HR department. The auditor will take a sample (partial observation) of mutations and of the checks performed, and verify whether they were carried out in accordance with the procedures.

2. U/WA.02 Incident management

Ensure that sufficient controls are in place so that security incidents are recognized and handled in accordance with the procedure. For the audit, provide an overview of all incidents labeled as a security incident and/or data breach. The auditor will check a sample of these incidents to verify that they were handled properly.

3. C.08 Change management

It must be demonstrated that changes cannot be made in an uncontrolled manner. In addition, provide an overview of all changes made during the audit period. Depending on the software, this may include updates and/or form changes. The auditor will check a sample of these changes to verify that they were implemented in accordance with the procedure.

4. C.07 Logging and signaling (not in scope for the connection holder)

It must be demonstrated that logging and the associated alerting have been carefully arranged. The auditor will check a sample of the logging and its associated alerts, and verify that the required follow-up was carried out.

5. C.09 Patch management (not in scope for the connection holder)

This is similar to change management (C.08) but focuses specifically on patches to the supporting ICT facilities. Here it must be demonstrated that patches were implemented in a timely manner during the audit period. The auditor will check a sample of the implemented patches for compliance with the patch management policy.

Audit preparation

For all norms, we assume that the organization has its own internal controls and has already prevented, or detected and corrected, any errors. For this reason, the auditor will report "does not comply" for even a single error found in the sample. It is therefore important to set up these internal controls yourself and to report clearly on them; this will be included in the assessment of operating effectiveness.

With a good design of the procedures and internal controls, the test of operating effectiveness will not involve much extra administrative burden. Our experience is that the most important point of attention is demonstrability. In practice, the lines of communication are often short, so much is handled verbally. Formalize such verbal agreements, for example with a confirmation by e-mail, and save all documents.

The pilot audit over 2023 will help you be fully ready for audit year 2024.

Do you have questions about this blog or want to know what 2-Control can do for your organization? If so, contact one of our auditors here.