Info:Trust and Safety/Cloud - security and reliability/C5 Internal audit status: Difference between revisions

Revision as of 15:30, 29 April 2024

Overview

For more info: Cloud computing C5 criteria catalogue

Current phase of the internal audit: Initial audit

Fully implemented C5 guidelines: 92%

Partially implemented C5 guidelines: 66%

List of guidelines

C5 Internal audit status
ID	Guideline	Comment	Audit state
C5-01-OIS-01	ISM:Information Security Management System (OIS-01)	ISMS is in effect, but not all requirements of C5 are implemented	Partially implemented
C5-01-OIS-02	ISM:Information Security Policy (OIS-02)	Security policy is available, but needs improvement	Partially implemented
C5-01-OIS-03	ISM:Interfaces and Dependencies (OIS-03)		Fully implemented
C5-01-OIS-04	ISM:Segregation of Duties (OIS-04)		Fully implemented
C5-01-OIS-05	ISM:Contact with Relevant Government Agencies and Interest Groups (OIS-05)		Fully implemented
C5-01-OIS-06	ISM:Risk Management Policy (OIS-06)		Fully implemented
C5-01-OIS-07	ISM:Application of the Risk Management Policy (OIS-07)	The process is described, but not well established	Partially implemented
C5-03-SA-01	ISM:Documentation, communication and provision of policies and instructions (SA-01)		Fully implemented
C5-03-SA-02	ISM:Review and approval of policies and instructions (SA-02)		Fully implemented
C5-03-SA-03	ISM:Deviations from existing policies and instructions (SA-03)		Fully implemented
C5-04-HR-01	ISM:Security check of the background information (HR-01)	Given the small size of the company, trust is established on a personal basis	Inactive
C5-04-HR-02	ISM:Employment agreements (HR-02)	We do bind our employees contractually to data protection and privacy. Security is only mentioned implicitly here.	Partially implemented
C5-04-HR-03	ISM:Security training and awareness-raising programme (HR-03)		Fully implemented
C5-04-HR-04	ISM:Disciplinary measures (HR-04)	There is no specific mention of security issues. However, standard disciplinary measures apply.	Partially implemented
C5-04-HR-05	ISM:Termination of the employment relationship or changes to the responsibilities (HR-05)		Fully implemented
C5-05-AM-01	ISM:Asset inventory (AM-01)		Fully implemented
C5-05-AM-02	ISM:Assignment of persons responsible for assets (AM-02)		Fully implemented
C5-05-AM-03	ISM:Instruction manuals for assets (AM-03)	In our internal wiki, we document the handling of specific assets. However, there is no systematic approach	Partially implemented
C5-05-AM-04	ISM:Handing in and returning assets (AM-04)		Fully implemented
C5-05-AM-05	ISM:Classification of information (AM-05)	We classify services, but there is no classification scheme for data. All customer data is treated as sensitive.	Partially implemented
C5-05-AM-06	ISM:Labelling of information and handling of assets (AM-06)	We currently do not label information. As a standard, all customer data is treated as sensitive.	Inactive
C5-05-AM-07	ISM:Management of data media (AM-07)		Fully implemented
C5-05-AM-08	ISM:Transfer and removal of assets (AM-08)		Fully implemented
C5-06-PS-01	ISM:Perimeter protection (PS-01)	Data center locations, where our cloud data is located, do all comply with ISO 27001 and do have according perimeter protection.	Partially implemented
C5-06-PS-02	ISM:Physical site access control (PS-02)		Fully implemented
C5-06-PS-03	ISM:Protection against threats from outside and from the environment (PS-03)		Fully implemented
C5-06-PS-04	ISM:Protection against interruptions caused by power failures and other such risks (PS-04)		Fully implemented
C5-06-PS-05	ISM:Maintenance of infrastructure and devices (PS-05)		Fully implemented
C5-07-OPS-01	Planning (OPS-01)		Fully implemented
C5-07-OPS-02	Monitoring (OPS-02)		Fully implemented
C5-07-OPS-03	Controlling of Resources (OPS-03)	Here, it is required to make resource data available to the customer for their planning. This is currently out of scope.	Inactive
C5-07-OPS-04	Concept (OPS-04)		Fully implemented
C5-07-OPS-05	Implementation (OPS-05)		Fully implemented
C5-07-OPS-06	Concept (OPS-06)		Fully implemented
C5-07-OPS-07	Monitoring (OPS-07)		Fully implemented
C5-07-OPS-08	Regular Testing (OPS-08)		Fully implemented
C5-07-OPS-09	Storage (OPS-09)		Fully implemented
C5-07-OPS-10	Concept (OPS-10)		Fully implemented
C5-07-OPS-11	Metadata Management Concept (OPS-11)	Is currently covered in OPS-10	Inactive
C5-07-OPS-12	Access, Storage and Deletion (OPS-12)	Is currently covered by OPS-10	Inactive
C5-07-OPS-13	Identification of Events (OPS-13)	Is currently covered by OPS-10	Inactive
C5-07-OPS-14	Storage of the Logging Data (OPS-14)	Log data is stored centrally on a logging server.	Partially implemented
C5-07-OPS-15	Accountability (OPS-15)	Application logs are available. Access logs are stored without IP address	Partially implemented
C5-07-OPS-16	Configuration (OPS-16)		Fully implemented
C5-07-OPS-17	Availability of the Monitoring Software (OPS-17)		Fully implemented
C5-07-OPS-18	Concept (OPS-18)		Fully implemented
C5-07-OPS-19	Penetration Tests (OPS-19)	We currently do not perform any external or internal penetration tests. However, some of our customers did. No major issues were found.	Inactive
C5-07-OPS-20	Measurements, Analyses and Assessment of Procedures (OPS-20)	There is no regular process for this yet.	Partially implemented
C5-07-OPS-21	ISM:Involvement of Cloud Customers in the Event of Incidents (OPS-21)		Fully implemented
C5-07-OPS-22	ISM:Testing and Documentation of Known Vulnerabilities (OPS-22)		Fully implemented
C5-07-OPS-23	System Hardening (OPS-23)	We adhere to industry standards. There is currently no documentation per system.	Partially implemented
C5-07-OPS-24	ISM:Separation of Datasets in the Cloud Infrastructure (OPS-24)		Fully implemented
C5-08-IDM-01	ISM:Policy for user accounts and access rights (IDM-01)		Fully implemented
C5-08-IDM-02	ISM:Granting and change of user accounts and access rights (IDM-02)		Fully implemented
C5-08-IDM-03	ISM:Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03)	Some of our systems implement this. The rest is managed automatically.	Partially implemented
C5-08-IDM-04	ISM:Withdraw or adjust access rights as the task area changes (IDM-04)		Fully implemented
C5-08-IDM-05	ISM:Regular review of access rights (IDM-05)	This is currently only done for the most critical systems	Partially implemented
C5-08-IDM-06	ISM:Privileged access rights (IDM-06)	Mostly implemented, but we do not revoke privileges on a limited time basis	Partially implemented
C5-08-IDM-07	ISM:Access to cloud customer data (IDM-07)		Fully implemented
C5-08-IDM-08	ISM:Confidentiality of authentication information (IDM-08)		Fully implemented
C5-08-IDM-09	ISM:Authentication Mechanisms (IDM-09)		Fully implemented
C5-09-CRY-01	ISM:Policy for the use of encryption procedures and key management (CRY-01)	There are some guidelines, but no approved policy yet.	Partially implemented
C5-09-CRY-02	ISM:Encryption of data for transmission (transport encryption) (CRY-02)		Fully implemented
C5-09-CRY-03	ISM:Encryption of sensitive data for storage (CRY-03)	Customer data is encrypted at rest. Backups are encrypted	Partially implemented
C5-09-CRY-04	ISM:Secure key management (CRY-04)	There is no centralized key management. Guidelines exist.	Partially implemented
C5-10-COS-01	ISM:Technical safeguards (COS-01)	We do not run any intrusion detection system. However, we monitor network patterns and will be informed on major irregularities, like DDOS attacks.	Inactive
C5-10-COS-02	ISM:Security requirements for connections in the Cloud Service Provider’s network (COS-02)		Fully implemented
C5-10-COS-03	ISM:Monitoring of connections in the Cloud Service Provider’s network (COS-03)	All access to the cloud network is logged.	Partially implemented
C5-10-COS-04	ISM:Cross-network access (COS-04)		Fully implemented
C5-10-COS-05	ISM:Networks for administration (COS-05)		Fully implemented
C5-10-COS-06	ISM:Segregation of data traffic in jointly used network environments (COS-06)	Internal traffic segregated, but not encrypted.	Partially implemented
C5-10-COS-07	ISM:Documentation of the network topology (COS-07)		Fully implemented
C5-10-COS-08	ISM:Policies for data transmission (COS-08)		Fully implemented
C5-11-PI-01	ISM:Documentation and safety of input and output interfaces (PI-01)		Fully implemented
C5-11-PI-02	ISM:Contractual agreements for the provision of data (PI-02)		Fully implemented
C5-11-PI-03	ISM:Secure deletion of data (PI-03)		Fully implemented
C5-12-DEV-01	ISM:Policies for the development and procurement of information systems (DEV-01)	We apply the coding guidelines which are followed in the Wikimedia ecosystem	Partially implemented
C5-12-DEV-02	ISM:Outsourcing of the development (DEV-02)	Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code.	Partially implemented
C5-12-DEV-03	ISM:Policies for changes to information systems (DEV-03)		Fully implemented
C5-12-DEV-04	ISM:Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04)	Training is done on the job and on an annual basis in combination with GDPR compliance training	Partially implemented
C5-12-DEV-05	ISM:Risk assessment, categorisation and prioritisation of changes (DEV-05)	Any changes are assessed within the team. A formal risk assessment is not applied yet.	Partially implemented
C5-12-DEV-06	ISM:Testing changes (DEV-06)		Fully implemented
C5-12-DEV-07	ISM:Logging of changes (DEV-07)		Fully implemented
C5-12-DEV-08	ISM:Version Control (DEV-08)		Fully implemented
C5-12-DEV-09	ISM:Approvals for provision in the production environment (DEV-09)		Fully implemented
C5-12-DEV-10	ISM:Separation of environments (DEV-10)		Fully implemented
C5-13-SSO-01	ISM:Policies and instructions for controlling and monitoring third parties (SSO-01)		Fully implemented
C5-13-SSO-02	ISM:Risk assessment of service providers and suppliers (SSO-02)		Fully implemented
C5-13-SSO-03	ISM:Directory of service providers and suppliers (SSO-03)		Fully implemented
C5-13-SSO-04	ISM:Monitoring of compliance with requirements (SSO-04)		Fully implemented
C5-13-SSO-05	ISM:Exit strategy for the receipt of benefit (SSO-05)	There is no documented exit strategy.	Inactive
C5-14-SIM-01	ISM:Policy for security incident management (SIM-01)		Fully implemented
C5-14-SIM-02	ISM:Processing of security incidents (SIM-02)		Fully implemented
C5-14-SIM-03	ISM:Documentation and reporting of security incidents (SIM-03)		Fully implemented
C5-14-SIM-04	ISM:Duty of the users to report security incidents to a central body (SIM-04)		Fully implemented
C5-14-SIM-05	ISM:Evaluation and learning process (SIM-05)		Fully implemented
C5-15-BCM-01	ISM:Top management responsibility (BCM-01)		Fully implemented
C5-15-BCM-02	ISM:Business impact analysis policies and instructions (BCM-02)	Risk analysis was done and is documented. There is no formal policy.	Inactive
C5-15-BCM-03	ISM:Planning business continuity (BCM-03)		Fully implemented
C5-15-BCM-04	ISM:Verification, updating and testing of the business continuity (BCM-04)	Disaster recovery tests are conducted at implementation time. There is no regular schedule yet.	Partially implemented
C5-16-COM-01	ISM:Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01)		Fully implemented
C5-16-COM-02	ISM:Policy for planning and conducting audits (COM-02)	We conduct annual audits of the ISMS. There is no formal policy.	Inactive
C5-16-COM-03	ISM:Internal audits of the ISMS (COM-03)	There is no formal process of the internal audit yet	Partially implemented
C5-16-COM-04	ISM:Information on information security performance and management assessment of the ISMS (COM-04)		Fully implemented
C5-17-INQ-01	ISM:Legal Assessment of Investigative Inquiries (INQ-01)		Fully implemented
C5-17-INQ-02	ISM:Informing Cloud Customers about Investigation Requests (INQ-02)		Fully implemented
C5-17-INQ-03	ISM:Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03)		Fully implemented
C5-17-INQ-04	ISM:Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04)		Fully implemented
C5-18-PSS-01	ISM:Guidelines and Recommendations for Cloud Customers (PSS-01)	We maintain this information in our product documentation. However it cannot be found in one central place.	Partially implemented
C5-18-PSS-02	ISM:Identification of Vulnerabilities of the Cloud Service (PSS-02)		Fully implemented
C5-18-PSS-03	ISM:Online Register of Known Vulnerabilities (PSS-03)		Fully implemented
C5-18-PSS-04	ISM:Error handling and Logging Mechanisms (PSS-04)		Fully implemented
C5-18-PSS-05	ISM:Authentication Mechanisms (PSS-05)		Fully implemented
C5-18-PSS-06	ISM:Session Management (PSS-06)		Fully implemented
C5-18-PSS-07	ISM:Confidentiality of Authentication Information (PSS-07)		Fully implemented
C5-18-PSS-08	ISM:Roles and Rights Concept (PSS-08)		Fully implemented
C5-18-PSS-09	ISM:Authorisation Mechanisms (PSS-09)		Fully implemented
C5-18-PSS-10	ISM:Software Defined Networking (PSS-10)	We do not provide SDN to the customer	Inactive
C5-18-PSS-11	ISM:Images for Virtual Machines and Containers (PSS-11)	We do not proved VMs and containers to the customer in the cloud	Inactive
C5-18-PSS-12	ISM:Locations of Data Processing and Storage (PSS-12)	We do not provide a choice of data locations to the cloud customers	Inactive

Info:Trust and Safety/Cloud - security and reliability/C5 Internal audit status: Difference between revisions

Revision as of 15:30, 29 April 2024

Overview

List of guidelines

Discussions