CYBER DEFENSE. GUIDELINES FOR THE DESIGN, PLANNING, IMPLEMENTATION AND DEVELOPMENT OF A MILITARY CYBER DEFENSE (page 59)

377. The IT system operational authority is the highest-ranking authority of the units, functions or services that the system serves: those that use the system and that are affected by its failure or interruption when performing their tasks. The operational authority is responsible for defining operational requirements and for designating and authorizing users.

378. The IT system technical authority is the highest-ranking authority of the communication and information systems (CIS) units in charge of the design, development, administration and sustainment of the system, in accordance with the operational requirements established by the operational authority and the security requirements established by the security authority.

379. The IT system security authority is the highest-ranking authority of the cyber defense units. It is in charge of defining system security requirements and monitoring compliance with security norms.

380. The establishment of the three authorities (operational, technical and security) provides balance and stability to the systems; therefore, their responsibilities should not be transferred or delegated between them.

381. The IT system security audit is the mechanism available to the operational authority for reliably knowing the security level of the IT systems under its responsibility.

382. In an IT system security audit, the auditee is the CIS unit (subordinate to the technical authority) that administers the system to be audited. In accordance with the principle of auditor independence (auditee and auditor cannot fall under the same authority), the auditor should be a unit subordinate to the operational authority or to the security authority; the latter is the most recommended, considering that it has the appropriate staff, means and knowledge.

383. IT security audits have to consider all aspects (technical, physical, human and procedural) that affect, in any way, the security of the systems that process classified or unclassified information.

384. IT security audits must analyze and assess the level of compliance or alignment of the software, hardware, facilities, documentation and personnel with the security measures established in the corresponding reference standards.

385. The usual process in an IT system audit is as follows:

1. The audit team (usually a unit subordinate to the security authority) plans and proposes a schedule to the audited unit (the CIS unit subordinate to the technical authority) and to the operational authority (system owner).
2. The audit team studies, tests and evaluates the applicable controls, according to the information provided by the audited unit.
3. The audit team performs the audit.
4. The audit team prepares the audit report and distributes it to the audited unit so that the deficiencies can be corrected within a defined period.
5. The audit team escalates the report to the security authority, which, in turn, submits it to the operational authority.