Info:Trust and Safety/Cloud - security and reliability/C5 Internal audit status: Difference between revisions

Latest revision as of 14:21, 2 May 2024

Overview

For more info: Cloud computing C5 criteria catalogue

Current phase of the internal audit: Initial audit

Fully implemented C5 guidelines: 92%

Partially implemented C5 guidelines: 66%

List of guidelines

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Archiv/C5_Archiv_node.html

C5 Internal audit status
ID	Guideline	Comment	Audit state
C5-01-OIS-01	Information Security Management System (OIS-01)	ISMS is in effect, but not all requirements of C5 are implemented	Partially implemented
C5-01-OIS-02	Information Security Policy (OIS-02)	Security policy is available, but needs improvement	Partially implemented
C5-01-OIS-03	Interfaces and Dependencies (OIS-03)		Fully implemented
C5-01-OIS-04	Segregation of Duties (OIS-04)		Fully implemented
C5-01-OIS-05	Contact with Relevant Government Agencies and Interest Groups (OIS-05)		Fully implemented
C5-01-OIS-06	Risk Management Policy (OIS-06)		Fully implemented
C5-01-OIS-07	Application of the Risk Management Policy (OIS-07)	The process is described and will be introduced.	Partially implemented
C5-03-SA-01	Documentation, communication and provision of policies and instructions (SA-01)		Fully implemented
C5-03-SA-02	Review and approval of policies and instructions (SA-02)		Fully implemented
C5-03-SA-03	Deviations from existing policies and instructions (SA-03)		Fully implemented
C5-04-HR-01	Security check of the background information (HR-01)	Trust is built on a personal basis, as the company is small.	Inactive
C5-04-HR-02	Employment agreements (HR-02)	Employees are contractually bound to data protection and privacy. Security is implicitly addressed.	Partially implemented
C5-04-HR-03	Security training and awareness-raising programme (HR-03)		Fully implemented
C5-04-HR-04	Disciplinary measures (HR-04)	There is no specific mention of security issues. However, standard disciplinary measures apply.	Partially implemented
C5-04-HR-05	Termination of the employment relationship or changes to the responsibilities (HR-05)		Fully implemented
C5-05-AM-01	Asset inventory (AM-01)		Fully implemented
C5-05-AM-02	Assignment of persons responsible for assets (AM-02)		Fully implemented
C5-05-AM-03	Instruction manuals for assets (AM-03)	The handling of certain assets is documented in the internal knowledge base. The next step is to systematise this.	Partially implemented
C5-05-AM-04	Handing in and returning assets (AM-04)		Fully implemented
C5-05-AM-05	Classification of information (AM-05)	Services are classified, but there is no classification scheme for data. All customer data is treated confidentially.	Partially implemented
C5-05-AM-06	Labelling of information and handling of assets (AM-06)	Information is currently not labelled.By default, all customer data is treated confidentially.	Inactive
C5-05-AM-07	Management of data media (AM-07)		Fully implemented
C5-05-AM-08	Transfer and removal of assets (AM-08)		Fully implemented
C5-06-PS-01	Perimeter protection (PS-01)	The data centre locations where the company's cloud data is located all meet the ISO 27001 standard and have corresponding perimeter protection.	Partially implemented
C5-06-PS-02	Physical site access control (PS-02)		Fully implemented
C5-06-PS-03	Protection against threats from outside and from the environment (PS-03)		Fully implemented
C5-06-PS-04	Protection against interruptions caused by power failures and other such risks (PS-04)		Fully implemented
C5-06-PS-05	Maintenance of infrastructure and devices (PS-05)		Fully implemented
C5-07-OPS-01	Planning (OPS-01)		Fully implemented
C5-07-OPS-02	Monitoring (OPS-02)		Fully implemented
C5-07-OPS-03	Controlling of Resources (OPS-03)	Here, it is required to make resource data available to the customer for their planning. This is currently out of scope.	Inactive
C5-07-OPS-04	Concept (OPS-04)		Fully implemented
C5-07-OPS-05	Implementation (OPS-05)		Fully implemented
C5-07-OPS-06	Concept (OPS-06)		Fully implemented
C5-07-OPS-07	Monitoring (OPS-07)		Fully implemented
C5-07-OPS-08	Regular Testing (OPS-08)		Fully implemented
C5-07-OPS-09	Storage (OPS-09)		Fully implemented
C5-07-OPS-10	Concept (OPS-10)		Fully implemented
C5-07-OPS-11	Metadata Management Concept (OPS-11)	Is currently covered in OPS-10	Inactive
C5-07-OPS-12	Access, Storage and Deletion (OPS-12)	Is currently covered by OPS-10	Inactive
C5-07-OPS-13	Identification of Events (OPS-13)	Is currently covered by OPS-10	Inactive
C5-07-OPS-14	Storage of the Logging Data (OPS-14)	Log data is stored centrally on a logging server.	Partially implemented
C5-07-OPS-15	Accountability (OPS-15)	Application logs are available. Access logs are stored without IP address	Partially implemented
C5-07-OPS-16	Configuration (OPS-16)		Fully implemented
C5-07-OPS-17	Availability of the Monitoring Software (OPS-17)		Fully implemented
C5-07-OPS-18	Concept (OPS-18)		Fully implemented
C5-07-OPS-19	Penetration Tests (OPS-19)	Penetration tests are occasionally carried out as part of customer projects. No major problems were identified here. Hallo Welt! does not (yet) carry out internal penetration tests itself.	Inactive
C5-07-OPS-20	Measurements, Analyses and Assessment of Procedures (OPS-20)	There is no regular process for this yet.	Partially implemented
C5-07-OPS-21	Involvement of Cloud Customers in the Event of Incidents (OPS-21)		Fully implemented
C5-07-OPS-22	Testing and Documentation of Known Vulnerabilities (OPS-22)		Fully implemented
C5-07-OPS-23	System Hardening (OPS-23)	Hallo Welt! is based on industry standards. There is currently no documentation for each system.	Partially implemented
C5-07-OPS-24	Separation of Datasets in the Cloud Infrastructure (OPS-24)		Fully implemented
C5-08-IDM-01	Policy for user accounts and access rights (IDM-01)		Fully implemented
C5-08-IDM-02	Granting and change of user accounts and access rights (IDM-02)		Fully implemented
C5-08-IDM-03	Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03)	Some of our systems implement this. The rest is managed automatically.	Partially implemented
C5-08-IDM-04	Withdraw or adjust access rights as the task area changes (IDM-04)		Fully implemented
C5-08-IDM-05	Regular review of access rights (IDM-05)	This is currently only done for the most critical systems	Partially implemented
C5-08-IDM-06	Privileged access rights (IDM-06)	Largely implemented. However, privileges are not withdrawn for a limited period of time.	Partially implemented
C5-08-IDM-07	Access to cloud customer data (IDM-07)		Fully implemented
C5-08-IDM-08	Confidentiality of authentication information (IDM-08)		Fully implemented
C5-08-IDM-09	Authentication Mechanisms (IDM-09)		Fully implemented
C5-09-CRY-01	Policy for the use of encryption procedures and key management (CRY-01)	There are some guidelines, but no approved policy yet.	Partially implemented
C5-09-CRY-02	Encryption of data for transmission (transport encryption) (CRY-02)		Fully implemented
C5-09-CRY-03	Encryption of sensitive data for storage (CRY-03)	Customer data is encrypted at rest. Backups are encrypted	Partially implemented
C5-09-CRY-04	Secure key management (CRY-04)	There is no centralized key management. Guidelines exist.	Partially implemented
C5-10-COS-01	Technical safeguards (COS-01)	Hallo Welt! does not operate an intrusion detection system. However, network patterns are monitored and notifications are sent in the event of major irregularities, such as DDOS attacks.	Inactive
C5-10-COS-02	Security requirements for connections in the Cloud Service Provider’s network (COS-02)		Fully implemented
C5-10-COS-03	Monitoring of connections in the Cloud Service Provider’s network (COS-03)	All access to the cloud network is logged.	Partially implemented
C5-10-COS-04	Cross-network access (COS-04)		Fully implemented
C5-10-COS-05	Networks for administration (COS-05)		Fully implemented
C5-10-COS-06	Segregation of data traffic in jointly used network environments (COS-06)	Internal traffic segregated, but not encrypted.	Partially implemented
C5-10-COS-07	Documentation of the network topology (COS-07)		Fully implemented
C5-10-COS-08	Policies for data transmission (COS-08)		Fully implemented
C5-11-PI-01	Documentation and safety of input and output interfaces (PI-01)		Fully implemented
C5-11-PI-02	Contractual agreements for the provision of data (PI-02)		Fully implemented
C5-11-PI-03	Secure deletion of data (PI-03)		Fully implemented
C5-12-DEV-01	Policies for the development and procurement of information systems (DEV-01)	Hallo Welt! applies the coding guidelines that apply in the Wikimedia ecosystem.	Partially implemented
C5-12-DEV-02	Outsourcing of the development (DEV-02)	Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code.	Partially implemented
C5-12-DEV-03	Policies for changes to information systems (DEV-03)		Fully implemented
C5-12-DEV-04	Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04)	Training is done on the job and on an annual basis in combination with GDPR compliance training	Partially implemented
C5-12-DEV-05	Risk assessment, categorisation and prioritisation of changes (DEV-05)	Any changes are assessed within the team. A formal risk assessment is not applied yet.	Partially implemented
C5-12-DEV-06	Testing changes (DEV-06)		Fully implemented
C5-12-DEV-07	Logging of changes (DEV-07)		Fully implemented
C5-12-DEV-08	Version Control (DEV-08)		Fully implemented
C5-12-DEV-09	Approvals for provision in the production environment (DEV-09)		Fully implemented
C5-12-DEV-10	Separation of environments (DEV-10)		Fully implemented
C5-13-SSO-01	Policies and instructions for controlling and monitoring third parties (SSO-01)		Fully implemented
C5-13-SSO-02	Risk assessment of service providers and suppliers (SSO-02)		Fully implemented
C5-13-SSO-03	Directory of service providers and suppliers (SSO-03)		Fully implemented
C5-13-SSO-04	Monitoring of compliance with requirements (SSO-04)		Fully implemented
C5-13-SSO-05	Exit strategy for the receipt of benefit (SSO-05)	There is no documented exit strategy.	Inactive
C5-14-SIM-01	Policy for security incident management (SIM-01)		Fully implemented
C5-14-SIM-02	Processing of security incidents (SIM-02)		Fully implemented
C5-14-SIM-03	Documentation and reporting of security incidents (SIM-03)		Fully implemented
C5-14-SIM-04	Duty of the users to report security incidents to a central body (SIM-04)		Fully implemented
C5-14-SIM-05	Evaluation and learning process (SIM-05)		Fully implemented
C5-15-BCM-01	Top management responsibility (BCM-01)		Fully implemented
C5-15-BCM-02	Business impact analysis policies and instructions (BCM-02)	Risk analysis was done and is documented. There is no formal policy.	Inactive
C5-15-BCM-03	Planning business continuity (BCM-03)		Fully implemented
C5-15-BCM-04	Verification, updating and testing of the business continuity (BCM-04)	Disaster recovery tests are conducted at implementation time. There is no regular schedule yet.	Partially implemented
C5-16-COM-01	Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01)		Fully implemented
C5-16-COM-02	Policy for planning and conducting audits (COM-02)	The ISMS is audited annually. There is no formal guideline.	Inactive
C5-16-COM-03	Internal audits of the ISMS (COM-03)	There is no formal process of the internal audit yet	Partially implemented
C5-16-COM-04	Information on information security performance and management assessment of the ISMS (COM-04)		Fully implemented
C5-17-INQ-01	Legal Assessment of Investigative Inquiries (INQ-01)		Fully implemented
C5-17-INQ-02	Informing Cloud Customers about Investigation Requests (INQ-02)		Fully implemented
C5-17-INQ-03	Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03)		Fully implemented
C5-17-INQ-04	Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04)		Fully implemented
C5-18-PSS-01	Guidelines and Recommendations for Cloud Customers (PSS-01)	This information is maintained as part of our product documentation. However, it cannot be found in a centralised location.	Partially implemented
C5-18-PSS-02	Identification of Vulnerabilities of the Cloud Service (PSS-02)		Fully implemented
C5-18-PSS-03	Online Register of Known Vulnerabilities (PSS-03)		Fully implemented
C5-18-PSS-04	Error handling and Logging Mechanisms (PSS-04)		Fully implemented
C5-18-PSS-05	Authentication Mechanisms (PSS-05)		Fully implemented
C5-18-PSS-06	Session Management (PSS-06)		Fully implemented
C5-18-PSS-07	Confidentiality of Authentication Information (PSS-07)		Fully implemented
C5-18-PSS-08	Roles and Rights Concept (PSS-08)		Fully implemented
C5-18-PSS-09	Authorisation Mechanisms (PSS-09)		Fully implemented
C5-18-PSS-10	Software Defined Networking (PSS-10)	Hallo Welt! does not provide the customer with SDN.	Inactive
C5-18-PSS-11	Images for Virtual Machines and Containers (PSS-11)	Hallo Welt! does not provide the customer with VMs and containers in the cloud.	Inactive
C5-18-PSS-12	Locations of Data Processing and Storage (PSS-12)	Hallo Welt! does not provide a choice of data locations to the cloud customers.	Inactive

Info:Trust and Safety/Cloud - security and reliability/C5 Internal audit status: Difference between revisions

Latest revision as of 14:21, 2 May 2024

Overview

List of guidelines

Discussions