No edit summary |
No edit summary |
||
(6 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
== Overview == | == Overview == | ||
[https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/kriterienkatalog-c5_node.html '''For more info:''' Cloud computing <abbr>C5</abbr> criteria catalogue] | |||
Current phase of the internal audit: Initial audit | Current phase of the internal audit: Initial audit | ||
Line 5: | Line 9: | ||
Partially implemented C5 guidelines: 66% | Partially implemented C5 guidelines: 66% | ||
== List of guidelines == | == List of guidelines == | ||
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Archiv/C5_Archiv_node.html | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|+C5 Internal audit status | |+C5 Internal audit status | ||
!ID | |||
!Guideline | |||
!Comment | |||
!Audit state | |||
|- | |- | ||
|C5-01-OIS-01 | |C5-01-OIS-01 | ||
| | |Information Security Management System (OIS-01) | ||
|ISMS is in effect, but not all requirements of C5 are implemented | |ISMS is in effect, but not all requirements of C5 are implemented | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-01-OIS-02 | |C5-01-OIS-02 | ||
| | |Information Security Policy (OIS-02) | ||
|Security policy is available, but needs improvement | |Security policy is available, but needs improvement | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-01-OIS-03 | |C5-01-OIS-03 | ||
| | |Interfaces and Dependencies (OIS-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-01-OIS-04 | |C5-01-OIS-04 | ||
| | |Segregation of Duties (OIS-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-01-OIS-05 | |C5-01-OIS-05 | ||
| | |Contact with Relevant Government Agencies and Interest Groups (OIS-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-01-OIS-06 | |C5-01-OIS-06 | ||
| | |Risk Management Policy (OIS-06) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-01-OIS-07 | |C5-01-OIS-07 | ||
| | |Application of the Risk Management Policy (OIS-07) | ||
|The process is | |The process is described and will be introduced. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-03-SA-01 | |C5-03-SA-01 | ||
| | |Documentation, communication and provision of policies and instructions (SA-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-03-SA-02 | |C5-03-SA-02 | ||
| | |Review and approval of policies and instructions (SA-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-03-SA-03 | |C5-03-SA-03 | ||
| | |Deviations from existing policies and instructions (SA-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-04-HR-01 | |C5-04-HR-01 | ||
| | |Security check of the background information (HR-01) | ||
| | |Trust is built on a personal basis, as the company is small. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-04-HR-02 | |C5-04-HR-02 | ||
| | |Employment agreements (HR-02) | ||
| | |Employees are contractually bound to data protection and privacy. Security is implicitly addressed. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-04-HR-03 | |C5-04-HR-03 | ||
| | |Security training and awareness-raising programme (HR-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-04-HR-04 | |C5-04-HR-04 | ||
| | |Disciplinary measures (HR-04) | ||
|There is no specific mention of security issues. However, standard disciplinary measures apply. | |There is no specific mention of security issues. However, standard disciplinary measures apply. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-04-HR-05 | |C5-04-HR-05 | ||
| | |Termination of the employment relationship or changes to the responsibilities (HR-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-05-AM-01 | |C5-05-AM-01 | ||
| | |Asset inventory (AM-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-05-AM-02 | |C5-05-AM-02 | ||
| | |Assignment of persons responsible for assets (AM-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-05-AM-03 | |C5-05-AM-03 | ||
| | |Instruction manuals for assets (AM-03) | ||
| | |The handling of certain assets is documented in the internal knowledge base. The next step is to systematise this. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-05-AM-04 | |C5-05-AM-04 | ||
| | |Handing in and returning assets (AM-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-05-AM-05 | |C5-05-AM-05 | ||
| | |Classification of information (AM-05) | ||
| | |Services are classified, but there is no classification scheme for data. | ||
|Partially implemented | All customer data is treated confidentially. | ||
| style="" class="col-orange-bg" |Partially implemented | |||
|- | |- | ||
|C5-05-AM-06 | |C5-05-AM-06 | ||
| | |Labelling of information and handling of assets (AM-06) | ||
| | |Information is currently not labelled.By default, all customer data is treated confidentially. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-05-AM-07 | |C5-05-AM-07 | ||
| | |Management of data media (AM-07) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-05-AM-08 | |C5-05-AM-08 | ||
| | |Transfer and removal of assets (AM-08) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-06-PS-01 | |C5-06-PS-01 | ||
| | |Perimeter protection (PS-01) | ||
| | |The data centre locations where the company's cloud data is located all meet the ISO 27001 standard and have corresponding perimeter protection. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-06-PS-02 | |C5-06-PS-02 | ||
| | |Physical site access control (PS-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-06-PS-03 | |C5-06-PS-03 | ||
| | |Protection against threats from outside and from the environment (PS-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-06-PS-04 | |C5-06-PS-04 | ||
| | |Protection against interruptions caused by power failures and other such risks (PS-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-06-PS-05 | |C5-06-PS-05 | ||
| | |Maintenance of infrastructure and devices (PS-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-01 | |C5-07-OPS-01 | ||
|Planning (OPS-01) | |Planning (OPS-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-02 | |C5-07-OPS-02 | ||
|Monitoring (OPS-02) | |Monitoring (OPS-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-03 | |C5-07-OPS-03 | ||
|Controlling of Resources (OPS-03) | |Controlling of Resources (OPS-03) | ||
|Here, it is required to make resource data available to the customer for their planning. This is currently out of scope. | |Here, it is required to make resource data available to the customer for their planning. This is currently out of scope. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-07-OPS-04 | |C5-07-OPS-04 | ||
|Concept (OPS-04) | |Concept (OPS-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-orange-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-05 | |C5-07-OPS-05 | ||
|Implementation (OPS-05) | |Implementation (OPS-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-orange-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-06 | |C5-07-OPS-06 | ||
|Concept (OPS-06) | |Concept (OPS-06) | ||
| | | | ||
|Fully implemented | | style="" class="col-orange-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-07 | |C5-07-OPS-07 | ||
|Monitoring (OPS-07) | |Monitoring (OPS-07) | ||
| | | | ||
|Fully implemented | | style="" class="col-orange-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-08 | |C5-07-OPS-08 | ||
|Regular Testing (OPS-08) | |Regular Testing (OPS-08) | ||
| | | | ||
|Fully implemented | | style="" class="col-orange-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-09 | |C5-07-OPS-09 | ||
|Storage (OPS-09) | |Storage (OPS-09) | ||
| | | | ||
|Fully implemented | | style="" class="col-orange-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-10 | |C5-07-OPS-10 | ||
|Concept (OPS-10) | |Concept (OPS-10) | ||
| | | | ||
|Fully implemented | | style="" class="col-orange-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-11 | |C5-07-OPS-11 | ||
|Metadata Management Concept (OPS-11) | |Metadata Management Concept (OPS-11) | ||
|Is currently covered in OPS-10 | |Is currently covered in OPS-10 | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-07-OPS-12 | |C5-07-OPS-12 | ||
|Access, Storage and Deletion (OPS-12) | |Access, Storage and Deletion (OPS-12) | ||
|Is currently covered by OPS-10 | |Is currently covered by OPS-10 | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-07-OPS-13 | |C5-07-OPS-13 | ||
|Identification of Events (OPS-13) | |Identification of Events (OPS-13) | ||
|Is currently covered by OPS-10 | |Is currently covered by OPS-10 | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-07-OPS-14 | |C5-07-OPS-14 | ||
|Storage of the Logging Data (OPS-14) | |Storage of the Logging Data (OPS-14) | ||
|Log data is stored centrally on a logging server. | |Log data is stored centrally on a logging server. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-07-OPS-15 | |C5-07-OPS-15 | ||
|Accountability (OPS-15) | |Accountability (OPS-15) | ||
|Application logs are available. Access logs are stored without IP address | |Application logs are available. Access logs are stored without IP address | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-07-OPS-16 | |C5-07-OPS-16 | ||
|Configuration (OPS-16) | |Configuration (OPS-16) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-17 | |C5-07-OPS-17 | ||
|Availability of the Monitoring Software (OPS-17) | |Availability of the Monitoring Software (OPS-17) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-18 | |C5-07-OPS-18 | ||
|Concept (OPS-18) | |Concept (OPS-18) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-19 | |C5-07-OPS-19 | ||
|Penetration Tests (OPS-19) | |Penetration Tests (OPS-19) | ||
| | |Penetration tests are occasionally carried out as part of customer projects. No major problems were identified here. | ||
|Inactive | Hallo Welt! does not (yet) carry out internal penetration tests itself. | ||
| style="" class="col-grey-light-bg" |Inactive | |||
|- | |- | ||
|C5-07-OPS-20 | |C5-07-OPS-20 | ||
|Measurements, Analyses and Assessment of Procedures (OPS-20) | |Measurements, Analyses and Assessment of Procedures (OPS-20) | ||
|There is no regular process for this yet. | |There is no regular process for this yet. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-07-OPS-21 | |C5-07-OPS-21 | ||
| | |Involvement of Cloud Customers in the Event of Incidents (OPS-21) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-22 | |C5-07-OPS-22 | ||
| | |Testing and Documentation of Known Vulnerabilities (OPS-22) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-07-OPS-23 | |C5-07-OPS-23 | ||
|System Hardening (OPS-23) | |System Hardening (OPS-23) | ||
| | |Hallo Welt! is based on industry standards. | ||
|Partially implemented | There is currently no documentation for each system. | ||
| style="" class="col-orange-bg" |Partially implemented | |||
|- | |- | ||
|C5-07-OPS-24 | |C5-07-OPS-24 | ||
| | |Separation of Datasets in the Cloud Infrastructure (OPS-24) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-08-IDM-01 | |C5-08-IDM-01 | ||
| | |Policy for user accounts and access rights (IDM-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-08-IDM-02 | |C5-08-IDM-02 | ||
| | |Granting and change of user accounts and access rights (IDM-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-08-IDM-03 | |C5-08-IDM-03 | ||
| | |Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03) | ||
|Some of our systems implement this. The rest is managed automatically. | |Some of our systems implement this. The rest is managed automatically. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-08-IDM-04 | |C5-08-IDM-04 | ||
| | |Withdraw or adjust access rights as the task area changes (IDM-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-08-IDM-05 | |C5-08-IDM-05 | ||
| | |Regular review of access rights (IDM-05) | ||
|This is currently only done for the most critical systems | |This is currently only done for the most critical systems | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-08-IDM-06 | |C5-08-IDM-06 | ||
| | |Privileged access rights (IDM-06) | ||
| | |Largely implemented. However, privileges are not withdrawn for a limited period of time. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-08-IDM-07 | |C5-08-IDM-07 | ||
| | |Access to cloud customer data (IDM-07) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-08-IDM-08 | |C5-08-IDM-08 | ||
| | |Confidentiality of authentication information (IDM-08) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-08-IDM-09 | |C5-08-IDM-09 | ||
| | |Authentication Mechanisms (IDM-09) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-09-CRY-01 | |C5-09-CRY-01 | ||
| | |Policy for the use of encryption procedures and key management (CRY-01) | ||
|There are some guidelines, but no approved policy yet. | |There are some guidelines, but no approved policy yet. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-09-CRY-02 | |C5-09-CRY-02 | ||
| | |Encryption of data for transmission (transport encryption) (CRY-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-09-CRY-03 | |C5-09-CRY-03 | ||
| | |Encryption of sensitive data for storage (CRY-03) | ||
|Customer data is encrypted at rest. Backups are encrypted | |Customer data is encrypted at rest. Backups are encrypted | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-09-CRY-04 | |C5-09-CRY-04 | ||
| | |Secure key management (CRY-04) | ||
|There is no centralized key management. Guidelines exist. | |There is no centralized key management. Guidelines exist. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-10-COS-01 | |C5-10-COS-01 | ||
| | |Technical safeguards (COS-01) | ||
| | |Hallo Welt! does not operate an intrusion detection system. However, network patterns are monitored and notifications are sent in the event of major irregularities, such as DDOS attacks. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-10-COS-02 | |C5-10-COS-02 | ||
| | |Security requirements for connections in the Cloud Service Provider’s network (COS-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-10-COS-03 | |C5-10-COS-03 | ||
| | |Monitoring of connections in the Cloud Service Provider’s network (COS-03) | ||
|All access to the cloud network is logged. | |All access to the cloud network is logged. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-10-COS-04 | |C5-10-COS-04 | ||
| | |Cross-network access (COS-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-10-COS-05 | |C5-10-COS-05 | ||
| | |Networks for administration (COS-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-10-COS-06 | |C5-10-COS-06 | ||
| | |Segregation of data traffic in jointly used network environments (COS-06) | ||
|Internal traffic segregated, but not encrypted. | |Internal traffic segregated, but not encrypted. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-10-COS-07 | |C5-10-COS-07 | ||
| | |Documentation of the network topology (COS-07) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-10-COS-08 | |C5-10-COS-08 | ||
| | |Policies for data transmission (COS-08) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-11-PI-01 | |C5-11-PI-01 | ||
| | |Documentation and safety of input and output interfaces (PI-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-11-PI-02 | |C5-11-PI-02 | ||
| | |Contractual agreements for the provision of data (PI-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-11-PI-03 | |C5-11-PI-03 | ||
| | |Secure deletion of data (PI-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-12-DEV-01 | |C5-12-DEV-01 | ||
| | |Policies for the development and procurement of information systems (DEV-01) | ||
| | |Hallo Welt! applies the coding guidelines that apply in the Wikimedia ecosystem. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-12-DEV-02 | |C5-12-DEV-02 | ||
| | |Outsourcing of the development (DEV-02) | ||
|Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code. | |Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-12-DEV-03 | |C5-12-DEV-03 | ||
| | |Policies for changes to information systems (DEV-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-12-DEV-04 | |C5-12-DEV-04 | ||
| | |Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04) | ||
|Training is done on the job and on an annual basis in combination with GDPR compliance training | |Training is done on the job and on an annual basis in combination with GDPR compliance training | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-12-DEV-05 | |C5-12-DEV-05 | ||
| | |Risk assessment, categorisation and prioritisation of changes (DEV-05) | ||
|Any changes are assessed within the team. A formal risk assessment is not applied yet. | |Any changes are assessed within the team. A formal risk assessment is not applied yet. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-12-DEV-06 | |C5-12-DEV-06 | ||
| | |Testing changes (DEV-06) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-12-DEV-07 | |C5-12-DEV-07 | ||
| | |Logging of changes (DEV-07) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-12-DEV-08 | |C5-12-DEV-08 | ||
| | |Version Control (DEV-08) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-12-DEV-09 | |C5-12-DEV-09 | ||
| | |Approvals for provision in the production environment (DEV-09) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-12-DEV-10 | |C5-12-DEV-10 | ||
| | |Separation of environments (DEV-10) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-13-SSO-01 | |C5-13-SSO-01 | ||
| | |Policies and instructions for controlling and monitoring third parties (SSO-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-13-SSO-02 | |C5-13-SSO-02 | ||
| | |Risk assessment of service providers and suppliers (SSO-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-13-SSO-03 | |C5-13-SSO-03 | ||
| | |Directory of service providers and suppliers (SSO-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-13-SSO-04 | |C5-13-SSO-04 | ||
| | |Monitoring of compliance with requirements (SSO-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-13-SSO-05 | |C5-13-SSO-05 | ||
| | |Exit strategy for the receipt of benefit (SSO-05) | ||
|There is no documented exit strategy. | |There is no documented exit strategy. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-14-SIM-01 | |C5-14-SIM-01 | ||
| | |Policy for security incident management (SIM-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-14-SIM-02 | |C5-14-SIM-02 | ||
| | |Processing of security incidents (SIM-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-14-SIM-03 | |C5-14-SIM-03 | ||
| | |Documentation and reporting of security incidents (SIM-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-14-SIM-04 | |C5-14-SIM-04 | ||
| | |Duty of the users to report security incidents to a central body (SIM-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-14-SIM-05 | |C5-14-SIM-05 | ||
| | |Evaluation and learning process (SIM-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-15-BCM-01 | |C5-15-BCM-01 | ||
| | |Top management responsibility (BCM-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-15-BCM-02 | |C5-15-BCM-02 | ||
| | |Business impact analysis policies and instructions (BCM-02) | ||
|Risk analysis was done and is documented. There is no formal policy. | |Risk analysis was done and is documented. There is no formal policy. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-15-BCM-03 | |C5-15-BCM-03 | ||
| | |Planning business continuity (BCM-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-15-BCM-04 | |C5-15-BCM-04 | ||
| | |Verification, updating and testing of the business continuity (BCM-04) | ||
|Disaster recovery tests are conducted at implementation time. There is no regular schedule yet. | |Disaster recovery tests are conducted at implementation time. There is no regular schedule yet. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-16-COM-01 | |C5-16-COM-01 | ||
| | |Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-16-COM-02 | |C5-16-COM-02 | ||
| | |Policy for planning and conducting audits (COM-02) | ||
| | |The ISMS is audited annually. There is no formal guideline. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-16-COM-03 | |C5-16-COM-03 | ||
| | |Internal audits of the ISMS (COM-03) | ||
|There is no formal process of the internal audit yet | |There is no formal process of the internal audit yet | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-16-COM-04 | |C5-16-COM-04 | ||
| | |Information on information security performance and management assessment of the ISMS (COM-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-17-INQ-01 | |C5-17-INQ-01 | ||
| | |Legal Assessment of Investigative Inquiries (INQ-01) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-17-INQ-02 | |C5-17-INQ-02 | ||
| | |Informing Cloud Customers about Investigation Requests (INQ-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-17-INQ-03 | |C5-17-INQ-03 | ||
| | |Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-17-INQ-04 | |C5-17-INQ-04 | ||
| | |Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-01 | |C5-18-PSS-01 | ||
| | |Guidelines and Recommendations for Cloud Customers (PSS-01) | ||
| | |This information is maintained as part of our product documentation. However, it cannot be found in a centralised location. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-18-PSS-02 | |C5-18-PSS-02 | ||
| | |Identification of Vulnerabilities of the Cloud Service (PSS-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-03 | |C5-18-PSS-03 | ||
| | |Online Register of Known Vulnerabilities (PSS-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-04 | |C5-18-PSS-04 | ||
| | |Error handling and Logging Mechanisms (PSS-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-05 | |C5-18-PSS-05 | ||
| | |Authentication Mechanisms (PSS-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-06 | |C5-18-PSS-06 | ||
| | |Session Management (PSS-06) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-07 | |C5-18-PSS-07 | ||
| | |Confidentiality of Authentication Information (PSS-07) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-08 | |C5-18-PSS-08 | ||
| | |Roles and Rights Concept (PSS-08) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-09 | |C5-18-PSS-09 | ||
| | |Authorisation Mechanisms (PSS-09) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-10 | |C5-18-PSS-10 | ||
| | |Software Defined Networking (PSS-10) | ||
| | |Hallo Welt! does not provide the customer with SDN. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-18-PSS-11 | |C5-18-PSS-11 | ||
| | |Images for Virtual Machines and Containers (PSS-11) | ||
| | |Hallo Welt! does not provide the customer with VMs and containers in the cloud. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-18-PSS-12 | |C5-18-PSS-12 | ||
| | |Locations of Data Processing and Storage (PSS-12) | ||
| | |Hallo Welt! does not provide a choice of data locations to the cloud customers. | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|} | |} |
Latest revision as of 14:21, 2 May 2024
1. Overview
For more info: Cloud computing C5 criteria catalogue
Current phase of the internal audit: Initial audit
Fully implemented C5 guidelines: 92%
Partially implemented C5 guidelines: 66%
2. List of guidelines
ID | Guideline | Comment | Audit state |
---|---|---|---|
C5-01-OIS-01 | Information Security Management System (OIS-01) | ISMS is in effect, but not all requirements of C5 are implemented | Partially implemented |
C5-01-OIS-02 | Information Security Policy (OIS-02) | Security policy is available, but needs improvement | Partially implemented |
C5-01-OIS-03 | Interfaces and Dependencies (OIS-03) | Fully implemented | |
C5-01-OIS-04 | Segregation of Duties (OIS-04) | Fully implemented | |
C5-01-OIS-05 | Contact with Relevant Government Agencies and Interest Groups (OIS-05) | Fully implemented | |
C5-01-OIS-06 | Risk Management Policy (OIS-06) | Fully implemented | |
C5-01-OIS-07 | Application of the Risk Management Policy (OIS-07) | The process is described and will be introduced. | Partially implemented |
C5-03-SA-01 | Documentation, communication and provision of policies and instructions (SA-01) | Fully implemented | |
C5-03-SA-02 | Review and approval of policies and instructions (SA-02) | Fully implemented | |
C5-03-SA-03 | Deviations from existing policies and instructions (SA-03) | Fully implemented | |
C5-04-HR-01 | Security check of the background information (HR-01) | Trust is built on a personal basis, as the company is small. | Inactive |
C5-04-HR-02 | Employment agreements (HR-02) | Employees are contractually bound to data protection and privacy. Security is implicitly addressed. | Partially implemented |
C5-04-HR-03 | Security training and awareness-raising programme (HR-03) | Fully implemented | |
C5-04-HR-04 | Disciplinary measures (HR-04) | There is no specific mention of security issues. However, standard disciplinary measures apply. | Partially implemented |
C5-04-HR-05 | Termination of the employment relationship or changes to the responsibilities (HR-05) | Fully implemented | |
C5-05-AM-01 | Asset inventory (AM-01) | Fully implemented | |
C5-05-AM-02 | Assignment of persons responsible for assets (AM-02) | Fully implemented | |
C5-05-AM-03 | Instruction manuals for assets (AM-03) | The handling of certain assets is documented in the internal knowledge base. The next step is to systematise this. | Partially implemented |
C5-05-AM-04 | Handing in and returning assets (AM-04) | Fully implemented | |
C5-05-AM-05 | Classification of information (AM-05) | Services are classified, but there is no classification scheme for data.
All customer data is treated confidentially. |
Partially implemented |
C5-05-AM-06 | Labelling of information and handling of assets (AM-06) | Information is currently not labelled.By default, all customer data is treated confidentially. | Inactive |
C5-05-AM-07 | Management of data media (AM-07) | Fully implemented | |
C5-05-AM-08 | Transfer and removal of assets (AM-08) | Fully implemented | |
C5-06-PS-01 | Perimeter protection (PS-01) | The data centre locations where the company's cloud data is located all meet the ISO 27001 standard and have corresponding perimeter protection. | Partially implemented |
C5-06-PS-02 | Physical site access control (PS-02) | Fully implemented | |
C5-06-PS-03 | Protection against threats from outside and from the environment (PS-03) | Fully implemented | |
C5-06-PS-04 | Protection against interruptions caused by power failures and other such risks (PS-04) | Fully implemented | |
C5-06-PS-05 | Maintenance of infrastructure and devices (PS-05) | Fully implemented | |
C5-07-OPS-01 | Planning (OPS-01) | Fully implemented | |
C5-07-OPS-02 | Monitoring (OPS-02) | Fully implemented | |
C5-07-OPS-03 | Controlling of Resources (OPS-03) | Here, it is required to make resource data available to the customer for their planning. This is currently out of scope. | Inactive |
C5-07-OPS-04 | Concept (OPS-04) | Fully implemented | |
C5-07-OPS-05 | Implementation (OPS-05) | Fully implemented | |
C5-07-OPS-06 | Concept (OPS-06) | Fully implemented | |
C5-07-OPS-07 | Monitoring (OPS-07) | Fully implemented | |
C5-07-OPS-08 | Regular Testing (OPS-08) | Fully implemented | |
C5-07-OPS-09 | Storage (OPS-09) | Fully implemented | |
C5-07-OPS-10 | Concept (OPS-10) | Fully implemented | |
C5-07-OPS-11 | Metadata Management Concept (OPS-11) | Is currently covered in OPS-10 | Inactive |
C5-07-OPS-12 | Access, Storage and Deletion (OPS-12) | Is currently covered by OPS-10 | Inactive |
C5-07-OPS-13 | Identification of Events (OPS-13) | Is currently covered by OPS-10 | Inactive |
C5-07-OPS-14 | Storage of the Logging Data (OPS-14) | Log data is stored centrally on a logging server. | Partially implemented |
C5-07-OPS-15 | Accountability (OPS-15) | Application logs are available. Access logs are stored without IP address | Partially implemented |
C5-07-OPS-16 | Configuration (OPS-16) | Fully implemented | |
C5-07-OPS-17 | Availability of the Monitoring Software (OPS-17) | Fully implemented | |
C5-07-OPS-18 | Concept (OPS-18) | Fully implemented | |
C5-07-OPS-19 | Penetration Tests (OPS-19) | Penetration tests are occasionally carried out as part of customer projects. No major problems were identified here.
Hallo Welt! does not (yet) carry out internal penetration tests itself. |
Inactive |
C5-07-OPS-20 | Measurements, Analyses and Assessment of Procedures (OPS-20) | There is no regular process for this yet. | Partially implemented |
C5-07-OPS-21 | Involvement of Cloud Customers in the Event of Incidents (OPS-21) | Fully implemented | |
C5-07-OPS-22 | Testing and Documentation of Known Vulnerabilities (OPS-22) | Fully implemented | |
C5-07-OPS-23 | System Hardening (OPS-23) | Hallo Welt! is based on industry standards.
There is currently no documentation for each system. |
Partially implemented |
C5-07-OPS-24 | Separation of Datasets in the Cloud Infrastructure (OPS-24) | Fully implemented | |
C5-08-IDM-01 | Policy for user accounts and access rights (IDM-01) | Fully implemented | |
C5-08-IDM-02 | Granting and change of user accounts and access rights (IDM-02) | Fully implemented | |
C5-08-IDM-03 | Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03) | Some of our systems implement this. The rest is managed automatically. | Partially implemented |
C5-08-IDM-04 | Withdraw or adjust access rights as the task area changes (IDM-04) | Fully implemented | |
C5-08-IDM-05 | Regular review of access rights (IDM-05) | This is currently only done for the most critical systems | Partially implemented |
C5-08-IDM-06 | Privileged access rights (IDM-06) | Largely implemented. However, privileges are not withdrawn for a limited period of time. | Partially implemented |
C5-08-IDM-07 | Access to cloud customer data (IDM-07) | Fully implemented | |
C5-08-IDM-08 | Confidentiality of authentication information (IDM-08) | Fully implemented | |
C5-08-IDM-09 | Authentication Mechanisms (IDM-09) | Fully implemented | |
C5-09-CRY-01 | Policy for the use of encryption procedures and key management (CRY-01) | There are some guidelines, but no approved policy yet. | Partially implemented |
C5-09-CRY-02 | Encryption of data for transmission (transport encryption) (CRY-02) | Fully implemented | |
C5-09-CRY-03 | Encryption of sensitive data for storage (CRY-03) | Customer data is encrypted at rest. Backups are encrypted | Partially implemented |
C5-09-CRY-04 | Secure key management (CRY-04) | There is no centralized key management. Guidelines exist. | Partially implemented |
C5-10-COS-01 | Technical safeguards (COS-01) | Hallo Welt! does not operate an intrusion detection system. However, network patterns are monitored and notifications are sent in the event of major irregularities, such as DDOS attacks. | Inactive |
C5-10-COS-02 | Security requirements for connections in the Cloud Service Provider’s network (COS-02) | Fully implemented | |
C5-10-COS-03 | Monitoring of connections in the Cloud Service Provider’s network (COS-03) | All access to the cloud network is logged. | Partially implemented |
C5-10-COS-04 | Cross-network access (COS-04) | Fully implemented | |
C5-10-COS-05 | Networks for administration (COS-05) | Fully implemented | |
C5-10-COS-06 | Segregation of data traffic in jointly used network environments (COS-06) | Internal traffic segregated, but not encrypted. | Partially implemented |
C5-10-COS-07 | Documentation of the network topology (COS-07) | Fully implemented | |
C5-10-COS-08 | Policies for data transmission (COS-08) | Fully implemented | |
C5-11-PI-01 | Documentation and safety of input and output interfaces (PI-01) | Fully implemented | |
C5-11-PI-02 | Contractual agreements for the provision of data (PI-02) | Fully implemented | |
C5-11-PI-03 | Secure deletion of data (PI-03) | Fully implemented | |
C5-12-DEV-01 | Policies for the development and procurement of information systems (DEV-01) | Hallo Welt! applies the coding guidelines that apply in the Wikimedia ecosystem. | Partially implemented |
C5-12-DEV-02 | Outsourcing of the development (DEV-02) | Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code. | Partially implemented |
C5-12-DEV-03 | Policies for changes to information systems (DEV-03) | Fully implemented | |
C5-12-DEV-04 | Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04) | Training is done on the job and on an annual basis in combination with GDPR compliance training | Partially implemented |
C5-12-DEV-05 | Risk assessment, categorisation and prioritisation of changes (DEV-05) | Any changes are assessed within the team. A formal risk assessment is not applied yet. | Partially implemented |
C5-12-DEV-06 | Testing changes (DEV-06) | Fully implemented | |
C5-12-DEV-07 | Logging of changes (DEV-07) | Fully implemented | |
C5-12-DEV-08 | Version Control (DEV-08) | Fully implemented | |
C5-12-DEV-09 | Approvals for provision in the production environment (DEV-09) | Fully implemented | |
C5-12-DEV-10 | Separation of environments (DEV-10) | Fully implemented | |
C5-13-SSO-01 | Policies and instructions for controlling and monitoring third parties (SSO-01) | Fully implemented | |
C5-13-SSO-02 | Risk assessment of service providers and suppliers (SSO-02) | Fully implemented | |
C5-13-SSO-03 | Directory of service providers and suppliers (SSO-03) | Fully implemented | |
C5-13-SSO-04 | Monitoring of compliance with requirements (SSO-04) | Fully implemented | |
C5-13-SSO-05 | Exit strategy for the receipt of benefit (SSO-05) | There is no documented exit strategy. | Inactive |
C5-14-SIM-01 | Policy for security incident management (SIM-01) | Fully implemented | |
C5-14-SIM-02 | Processing of security incidents (SIM-02) | Fully implemented | |
C5-14-SIM-03 | Documentation and reporting of security incidents (SIM-03) | Fully implemented | |
C5-14-SIM-04 | Duty of the users to report security incidents to a central body (SIM-04) | Fully implemented | |
C5-14-SIM-05 | Evaluation and learning process (SIM-05) | Fully implemented | |
C5-15-BCM-01 | Top management responsibility (BCM-01) | Fully implemented | |
C5-15-BCM-02 | Business impact analysis policies and instructions (BCM-02) | Risk analysis was done and is documented. There is no formal policy. | Inactive |
C5-15-BCM-03 | Planning business continuity (BCM-03) | Fully implemented | |
C5-15-BCM-04 | Verification, updating and testing of the business continuity (BCM-04) | Disaster recovery tests are conducted at implementation time. There is no regular schedule yet. | Partially implemented |
C5-16-COM-01 | Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01) | Fully implemented | |
C5-16-COM-02 | Policy for planning and conducting audits (COM-02) | The ISMS is audited annually. There is no formal guideline. | Inactive |
C5-16-COM-03 | Internal audits of the ISMS (COM-03) | There is no formal process of the internal audit yet | Partially implemented |
C5-16-COM-04 | Information on information security performance and management assessment of the ISMS (COM-04) | Fully implemented | |
C5-17-INQ-01 | Legal Assessment of Investigative Inquiries (INQ-01) | Fully implemented | |
C5-17-INQ-02 | Informing Cloud Customers about Investigation Requests (INQ-02) | Fully implemented | |
C5-17-INQ-03 | Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03) | Fully implemented | |
C5-17-INQ-04 | Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04) | Fully implemented | |
C5-18-PSS-01 | Guidelines and Recommendations for Cloud Customers (PSS-01) | This information is maintained as part of our product documentation. However, it cannot be found in a centralised location. | Partially implemented |
C5-18-PSS-02 | Identification of Vulnerabilities of the Cloud Service (PSS-02) | Fully implemented | |
C5-18-PSS-03 | Online Register of Known Vulnerabilities (PSS-03) | Fully implemented | |
C5-18-PSS-04 | Error handling and Logging Mechanisms (PSS-04) | Fully implemented | |
C5-18-PSS-05 | Authentication Mechanisms (PSS-05) | Fully implemented | |
C5-18-PSS-06 | Session Management (PSS-06) | Fully implemented | |
C5-18-PSS-07 | Confidentiality of Authentication Information (PSS-07) | Fully implemented | |
C5-18-PSS-08 | Roles and Rights Concept (PSS-08) | Fully implemented | |
C5-18-PSS-09 | Authorisation Mechanisms (PSS-09) | Fully implemented | |
C5-18-PSS-10 | Software Defined Networking (PSS-10) | Hallo Welt! does not provide the customer with SDN. | Inactive |
C5-18-PSS-11 | Images for Virtual Machines and Containers (PSS-11) | Hallo Welt! does not provide the customer with VMs and containers in the cloud. | Inactive |
C5-18-PSS-12 | Locations of Data Processing and Storage (PSS-12) | Hallo Welt! does not provide a choice of data locations to the cloud customers. | Inactive |