The MDIA has recently issued its first round of consultation for 2019 entitled Enhanced Systems Audit/or Guidelines, which is aimed at setting out the need to introduce the notion of Enhanced Systems Audit (ESA), obligatory for ITAs that are either deemed to be safety-critical, or operate in a domain for which the relevant Lead Authority requires additional security.
In addition, this document identifies which ITAs will require an Enhanced Systems Audit, who can perform such an audit, and the additional requirements placed on the Applicant and the Systems Auditor when applying for the Certification of such ITAs with the Malta Digital Innovation Authority.
At the current moment, the MDIA has two types of Systems Audits:
- The first one is designed for ITA applicants; and
- The second type is an ongoing audit for already-established ITAs.
New applicants are subject to a Type 1 audit, in which the Systems Auditor assesses whether the description of the ITA is accurately presented and whether the controls included in that description are suitably designed to meet the applicable criteria. ITAs which are already active are periodically subject to a Type 2 audit, which also includes an opinion on the operating effectiveness of the controls during the period covered by the audit.
Therefore, this proposal of creating an Enhanced Systems Audit (ESA) for High-Risk ITAs will be the third type of Systems Audit available.
For a service provider to be recognised as an ESA, it must:
- Form part of a legal organisation which employs at least 250 persons, with an annual revenue of not less than 10,000,000 sustained for the previous three (3) years; and
- Be covered by a Professional Indemnity Insurance (PII) policy for an amount of at least 5,000,000.