No edit summary |
No edit summary |
||
| Line 9: | Line 9: | ||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|+C5 Internal audit status | |+C5 Internal audit status | ||
!ID | |||
!Guideline | |||
!Comment | |||
!Audit state | |||
|- | |- | ||
!C5-01-OIS-01 | |||
!ISM:Information Security Management System (OIS-01) | |||
!ISMS is in effect, but not all requirements of C5 are implemented | |||
!Partially implemented | |||
|- | |- | ||
|C5-01-OIS-02 | |C5-01-OIS-02 | ||
Revision as of 11:56, 29 April 2024
Overview
Current phase of the internal audit: Initial audit
Fully implemented C5 guidelines: 92%
Partially implemented C5 guidelines: 66%
List of guidelines
| ID | Guideline | Comment | Audit state |
|---|---|---|---|
| C5-01-OIS-01 | ISM:Information Security Management System (OIS-01) | ISMS is in effect, but not all requirements of C5 are implemented | Partially implemented |
| C5-01-OIS-02 | ISM:Information Security Policy (OIS-02) | Security policy is available, but needs improvement | Partially implemented |
| C5-01-OIS-03 | ISM:Interfaces and Dependencies (OIS-03) | Fully implemented | |
| C5-01-OIS-04 | ISM:Segregation of Duties (OIS-04) | Fully implemented | |
| C5-01-OIS-05 | ISM:Contact with Relevant Government Agencies and Interest Groups (OIS-05) | Fully implemented | |
| C5-01-OIS-06 | ISM:Risk Management Policy (OIS-06) | Fully implemented | |
| C5-01-OIS-07 | ISM:Application of the Risk Management Policy (OIS-07) | The process is described, but not well established | Partially implemented |
| C5-03-SA-01 | ISM:Documentation, communication and provision of policies and instructions (SA-01) | Fully implemented | |
| C5-03-SA-02 | ISM:Review and approval of policies and instructions (SA-02) | Fully implemented | |
| C5-03-SA-03 | ISM:Deviations from existing policies and instructions (SA-03) | Fully implemented | |
| C5-04-HR-01 | ISM:Security check of the background information (HR-01) | Given the small size of the company, trust is established on a personal basis | Inactive |
| C5-04-HR-02 | ISM:Employment agreements (HR-02) | We do bind our employees contractually to data protection and privacy. Security is only mentioned implicitly here. | Partially implemented |
| C5-04-HR-03 | ISM:Security training and awareness-raising programme (HR-03) | Fully implemented | |
| C5-04-HR-04 | ISM:Disciplinary measures (HR-04) | There is no specific mention of security issues. However, standard disciplinary measures apply. | Partially implemented |
| C5-04-HR-05 | ISM:Termination of the employment relationship or changes to the responsibilities (HR-05) | Fully implemented | |
| C5-05-AM-01 | ISM:Asset inventory (AM-01) | Fully implemented | |
| C5-05-AM-02 | ISM:Assignment of persons responsible for assets (AM-02) | Fully implemented | |
| C5-05-AM-03 | ISM:Instruction manuals for assets (AM-03) | In our internal wiki, we document the handling of specific assets. However, there is no systematic approach | Partially implemented |
| C5-05-AM-04 | ISM:Handing in and returning assets (AM-04) | Fully implemented | |
| C5-05-AM-05 | ISM:Classification of information (AM-05) | We classify services, but there is no classification scheme for data. All customer data is treated as sensitive. | Partially implemented |
| C5-05-AM-06 | ISM:Labelling of information and handling of assets (AM-06) | We currently do not label information. As a standard, all customer data is treated as sensitive. | Inactive |
| C5-05-AM-07 | ISM:Management of data media (AM-07) | Fully implemented | |
| C5-05-AM-08 | ISM:Transfer and removal of assets (AM-08) | Fully implemented | |
| C5-06-PS-01 | ISM:Perimeter protection (PS-01) | Data center locations, where our cloud data is located, do all comply with ISO 27001 and do have according perimeter protection. | Partially implemented |
| C5-06-PS-02 | ISM:Physical site access control (PS-02) | Fully implemented | |
| C5-06-PS-03 | ISM:Protection against threats from outside and from the environment (PS-03) | Fully implemented | |
| C5-06-PS-04 | ISM:Protection against interruptions caused by power failures and other such risks (PS-04) | Fully implemented | |
| C5-06-PS-05 | ISM:Maintenance of infrastructure and devices (PS-05) | Fully implemented | |
| C5-07-OPS-01 | Planning (OPS-01) | Fully implemented | |
| C5-07-OPS-02 | Monitoring (OPS-02) | Fully implemented | |
| C5-07-OPS-03 | Controlling of Resources (OPS-03) | Here, it is required to make resource data available to the customer for their planning. This is currently out of scope. | Inactive |
| C5-07-OPS-04 | Concept (OPS-04) | Fully implemented | |
| C5-07-OPS-05 | Implementation (OPS-05) | Fully implemented | |
| C5-07-OPS-06 | Concept (OPS-06) | Fully implemented | |
| C5-07-OPS-07 | Monitoring (OPS-07) | Fully implemented | |
| C5-07-OPS-08 | Regular Testing (OPS-08) | Fully implemented | |
| C5-07-OPS-09 | Storage (OPS-09) | Fully implemented | |
| C5-07-OPS-10 | Concept (OPS-10) | Fully implemented | |
| C5-07-OPS-11 | Metadata Management Concept (OPS-11) | Is currently covered in OPS-10 | Inactive |
| C5-07-OPS-12 | Access, Storage and Deletion (OPS-12) | Is currently covered by OPS-10 | Inactive |
| C5-07-OPS-13 | Identification of Events (OPS-13) | Is currently covered by OPS-10 | Inactive |
| C5-07-OPS-14 | Storage of the Logging Data (OPS-14) | Log data is stored centrally on a logging server. | Partially implemented |
| C5-07-OPS-15 | Accountability (OPS-15) | Application logs are available. Access logs are stored without IP address | Partially implemented |
| C5-07-OPS-16 | Configuration (OPS-16) | Fully implemented | |
| C5-07-OPS-17 | Availability of the Monitoring Software (OPS-17) | Fully implemented | |
| C5-07-OPS-18 | Concept (OPS-18) | Fully implemented | |
| C5-07-OPS-19 | Penetration Tests (OPS-19) | We currently do not perform any external or internal penetration tests. However, some of our customers did. No major issues were found. | Inactive |
| C5-07-OPS-20 | Measurements, Analyses and Assessment of Procedures (OPS-20) | There is no regular process for this yet. | Partially implemented |
| C5-07-OPS-21 | ISM:Involvement of Cloud Customers in the Event of Incidents (OPS-21) | Fully implemented | |
| C5-07-OPS-22 | ISM:Testing and Documentation of Known Vulnerabilities (OPS-22) | Fully implemented | |
| C5-07-OPS-23 | System Hardening (OPS-23) | We adhere to industry standards. There is currently no documentation per system. | Partially implemented |
| C5-07-OPS-24 | ISM:Separation of Datasets in the Cloud Infrastructure (OPS-24) | Fully implemented | |
| C5-08-IDM-01 | ISM:Policy for user accounts and access rights (IDM-01) | Fully implemented | |
| C5-08-IDM-02 | ISM:Granting and change of user accounts and access rights (IDM-02) | Fully implemented | |
| C5-08-IDM-03 | ISM:Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03) | Some of our systems implement this. The rest is managed automatically. | Partially implemented |
| C5-08-IDM-04 | ISM:Withdraw or adjust access rights as the task area changes (IDM-04) | Fully implemented | |
| C5-08-IDM-05 | ISM:Regular review of access rights (IDM-05) | This is currently only done for the most critical systems | Partially implemented |
| C5-08-IDM-06 | ISM:Privileged access rights (IDM-06) | Mostly implemented, but we do not revoke privileges on a limited time basis | Partially implemented |
| C5-08-IDM-07 | ISM:Access to cloud customer data (IDM-07) | Fully implemented | |
| C5-08-IDM-08 | ISM:Confidentiality of authentication information (IDM-08) | Fully implemented | |
| C5-08-IDM-09 | ISM:Authentication Mechanisms (IDM-09) | Fully implemented | |
| C5-09-CRY-01 | ISM:Policy for the use of encryption procedures and key management (CRY-01) | There are some guidelines, but no approved policy yet. | Partially implemented |
| C5-09-CRY-02 | ISM:Encryption of data for transmission (transport encryption) (CRY-02) | Fully implemented | |
| C5-09-CRY-03 | ISM:Encryption of sensitive data for storage (CRY-03) | Customer data is encrypted at rest. Backups are encrypted | Partially implemented |
| C5-09-CRY-04 | ISM:Secure key management (CRY-04) | There is no centralized key management. Guidelines exist. | Partially implemented |
| C5-10-COS-01 | ISM:Technical safeguards (COS-01) | We do not run any intrusion detection system. However, we monitor network patterns and will be informed on major irregularities, like DDOS attacks. | Inactive |
| C5-10-COS-02 | ISM:Security requirements for connections in the Cloud Service Provider’s network (COS-02) | Fully implemented | |
| C5-10-COS-03 | ISM:Monitoring of connections in the Cloud Service Provider’s network (COS-03) | All access to the cloud network is logged. | Partially implemented |
| C5-10-COS-04 | ISM:Cross-network access (COS-04) | Fully implemented | |
| C5-10-COS-05 | ISM:Networks for administration (COS-05) | Fully implemented | |
| C5-10-COS-06 | ISM:Segregation of data traffic in jointly used network environments (COS-06) | Internal traffic segregated, but not encrypted. | Partially implemented |
| C5-10-COS-07 | ISM:Documentation of the network topology (COS-07) | Fully implemented | |
| C5-10-COS-08 | ISM:Policies for data transmission (COS-08) | Fully implemented | |
| C5-11-PI-01 | ISM:Documentation and safety of input and output interfaces (PI-01) | Fully implemented | |
| C5-11-PI-02 | ISM:Contractual agreements for the provision of data (PI-02) | Fully implemented | |
| C5-11-PI-03 | ISM:Secure deletion of data (PI-03) | Fully implemented | |
| C5-12-DEV-01 | ISM:Policies for the development and procurement of information systems (DEV-01) | We apply the coding guidelines which are followed in the Wikimedia ecosystem | Partially implemented |
| C5-12-DEV-02 | ISM:Outsourcing of the development (DEV-02) | Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code. | Partially implemented |
| C5-12-DEV-03 | ISM:Policies for changes to information systems (DEV-03) | Fully implemented | |
| C5-12-DEV-04 | ISM:Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04) | Training is done on the job and on an annual basis in combination with GDPR compliance training | Partially implemented |
| C5-12-DEV-05 | ISM:Risk assessment, categorisation and prioritisation of changes (DEV-05) | Any changes are assessed within the team. A formal risk assessment is not applied yet. | Partially implemented |
| C5-12-DEV-06 | ISM:Testing changes (DEV-06) | Fully implemented | |
| C5-12-DEV-07 | ISM:Logging of changes (DEV-07) | Fully implemented | |
| C5-12-DEV-08 | ISM:Version Control (DEV-08) | Fully implemented | |
| C5-12-DEV-09 | ISM:Approvals for provision in the production environment (DEV-09) | Fully implemented | |
| C5-12-DEV-10 | ISM:Separation of environments (DEV-10) | Fully implemented | |
| C5-13-SSO-01 | ISM:Policies and instructions for controlling and monitoring third parties (SSO-01) | Fully implemented | |
| C5-13-SSO-02 | ISM:Risk assessment of service providers and suppliers (SSO-02) | Fully implemented | |
| C5-13-SSO-03 | ISM:Directory of service providers and suppliers (SSO-03) | Fully implemented | |
| C5-13-SSO-04 | ISM:Monitoring of compliance with requirements (SSO-04) | Fully implemented | |
| C5-13-SSO-05 | ISM:Exit strategy for the receipt of benefit (SSO-05) | There is no documented exit strategy. | Inactive |
| C5-14-SIM-01 | ISM:Policy for security incident management (SIM-01) | Fully implemented | |
| C5-14-SIM-02 | ISM:Processing of security incidents (SIM-02) | Fully implemented | |
| C5-14-SIM-03 | ISM:Documentation and reporting of security incidents (SIM-03) | Fully implemented | |
| C5-14-SIM-04 | ISM:Duty of the users to report security incidents to a central body (SIM-04) | Fully implemented | |
| C5-14-SIM-05 | ISM:Evaluation and learning process (SIM-05) | Fully implemented | |
| C5-15-BCM-01 | ISM:Top management responsibility (BCM-01) | Fully implemented | |
| C5-15-BCM-02 | ISM:Business impact analysis policies and instructions (BCM-02) | Risk analysis was done and is documented. There is no formal policy. | Inactive |
| C5-15-BCM-03 | ISM:Planning business continuity (BCM-03) | Fully implemented | |
| C5-15-BCM-04 | ISM:Verification, updating and testing of the business continuity (BCM-04) | Disaster recovery tests are conducted at implementation time. There is no regular schedule yet. | Partially implemented |
| C5-16-COM-01 | ISM:Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01) | Fully implemented | |
| C5-16-COM-02 | ISM:Policy for planning and conducting audits (COM-02) | We conduct annual audits of the ISMS. There is no formal policy. | Inactive |
| C5-16-COM-03 | ISM:Internal audits of the ISMS (COM-03) | There is no formal process of the internal audit yet | Partially implemented |
| C5-16-COM-04 | ISM:Information on information security performance and management assessment of the ISMS (COM-04) | Fully implemented | |
| C5-17-INQ-01 | ISM:Legal Assessment of Investigative Inquiries (INQ-01) | Fully implemented | |
| C5-17-INQ-02 | ISM:Informing Cloud Customers about Investigation Requests (INQ-02) | Fully implemented | |
| C5-17-INQ-03 | ISM:Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03) | Fully implemented | |
| C5-17-INQ-04 | ISM:Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04) | Fully implemented | |
| C5-18-PSS-01 | ISM:Guidelines and Recommendations for Cloud Customers (PSS-01) | We maintain this information in our product documentation. However it cannot be found in one central place. | Partially implemented |
| C5-18-PSS-02 | ISM:Identification of Vulnerabilities of the Cloud Service (PSS-02) | Fully implemented | |
| C5-18-PSS-03 | ISM:Online Register of Known Vulnerabilities (PSS-03) | Fully implemented | |
| C5-18-PSS-04 | ISM:Error handling and Logging Mechanisms (PSS-04) | Fully implemented | |
| C5-18-PSS-05 | ISM:Authentication Mechanisms (PSS-05) | Fully implemented | |
| C5-18-PSS-06 | ISM:Session Management (PSS-06) | Fully implemented | |
| C5-18-PSS-07 | ISM:Confidentiality of Authentication Information (PSS-07) | Fully implemented | |
| C5-18-PSS-08 | ISM:Roles and Rights Concept (PSS-08) | Fully implemented | |
| C5-18-PSS-09 | ISM:Authorisation Mechanisms (PSS-09) | Fully implemented | |
| C5-18-PSS-10 | ISM:Software Defined Networking (PSS-10) | We do not provide SDN to the customer | Inactive |
| C5-18-PSS-11 | ISM:Images for Virtual Machines and Containers (PSS-11) | We do not proved VMs and containers to the customer in the cloud | Inactive |
| C5-18-PSS-12 | ISM:Locations of Data Processing and Storage (PSS-12) | We do not provide a choice of data locations to the cloud customers | Inactive |
Discussions