forked from intuitem/ciso-assistant-community
bsi-c5-2020.yaml
urn: urn:intuitem:risk:library:bsi-c5-2020
locale: en
ref_id: BSI-C5-2020
name: BSI C5 Library
description: Cloud Computing Compliance Criteria Catalogue (C5)
copyright: BSI
version: 1
provider: BSI
packager: intuitem
objects:
framework:
urn: urn:intuitem:risk:framework:bsi-c5-2020
ref_id: BSI-C5-2020
name: BSI C5 Library
description: Cloud Computing Compliance Criteria Catalogue (C5)
min_score: 0
max_score: 100
requirement_nodes:
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
assessable: false
depth: 1
name: Organisation of Information Security (OIS)
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-01
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
ref_id: OIS-01
name: Information Security Management System (ISMS)
description: "The Cloud Service Provider operates an information security management\
\ system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers\
\ the Cloud Service Provider's organisational units, locations and procedures\
\ for providing the cloud service.\nThe measures for setting up, implementing,\
\ maintaining and continuously improving the ISMS are documented. \nThe documentation\
\ includes:\n\n\u2022 Scope of the ISMS (Section 4.3 of ISO/IEC 27001);\n\n\
\u2022 Declaration of applicability (Section 6.1.3), and\n\n\u2022 Results\
\ of the last management review (Section 9.3)."
annotation: 'The Information Security Management System (ISMS) has a valid certification
according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz.
The basic criterion can also be fulfilled without valid certification of the
ISMS according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz, if the
submitted documentation meets the requirements of ISO/IEC 27001.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-02
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
ref_id: OIS-02
name: Information Security Policy
description: "The top management of the Cloud Service Provider has adopted an\
\ information security policy and communicated it to internal and external\
\ employees as well as cloud customers.\nThe policy describes:\n\n\u2022 the\
\ importance of information security, based on the requirements of cloud customers\
\ in relation to information security;\n\n\u2022 the security objectives and\
\ the desired security level, based on the business goals and tasks of the\
\ Cloud Service Provider;\n\n\u2022 the most important aspects of the security\
\ strategy to achieve the security objectives set; and\n\n\u2022 the organisational\
\ structure for information security in the ISMS application area."
annotation: The top management is a natural person or group of persons who makes
the final decision for the institution and is responsible for that decision.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-03
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
ref_id: OIS-03
name: Interfaces and Dependencies
description: "Interfaces and dependencies between cloud service delivery activities\
\ performed by the Cloud Service Provider and activities performed by third\
\ parties are documented and communicated. This includes dealing with the\
\ following events:\n\n\u2022 Vulnerabilities;\n\n\u2022 Security incidents;\
\ and\n\n\u2022 Malfunctions.\n\nThe type and scope of the documentation is\
\ geared towards the information requirements of the subject matter experts\
\ of the affected organisations in order to carry out the activities appropriately\
\ (e.g. definition of roles and responsibilities in guidelines, description\
\ of cooperation obligations in service descriptions and contracts).\n\nThe\
\ communication of changes to the interfaces and dependencies takes place\
\ in a timely manner so that the affected organisations and third parties\
\ can react appropriately with organisational and technical measures before\
\ the changes take effect."
annotation: 'The Cloud Service Provider can define and document the interfaces
and dependencies described in the basic criterion in guidelines and instructions.
For example, Cloud customers'' obligations to cooperate should be described
in service descriptions and contracts.
Third parties in the sense of this basic criterion are, e.g. cloud customers
and sub-service providers.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-04
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
ref_id: OIS-04
name: Segregation of Duties
description: "Conflicting tasks and responsibilities are separated based on\
\ an OIS-06 risk assessment to reduce the risk of unauthorised or unintended\
\ changes or misuse of cloud customer data processed, stored or transmitted\
\ in the cloud service.\n\nThe risk assessment covers the following areas,\
\ insofar as these are applicable to the provision of the Cloud Service and\
\ are in the area of responsibility of the Cloud Service Provider:\n\n\u2022\
\ Administration of rights profiles, approval and assignment of access and\
\ access authorisations (cf. IDM-01);\n\n\u2022 Development, testing and release\
\ of changes (cf. DEV-01); and\n\n\u2022 Operation of the system components.\n\
\nIf separation cannot be established for organisational or technical reasons,\
\ measures are in place to monitor the activities in order to detect unauthorised\
\ or unintended changes as well as misuse and to take appropriate actions."
annotation: Identified events that may constitute unauthorised or unintentional
changes to or misuse of cloud customer data may, for example, be treated as
a security incident, cf. SIM-01.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-05
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
ref_id: OIS-05
name: Contact with Relevant Government Agencies and Interest Groups
description: The Cloud Service Provider leverages relevant authorities and interest
groups in order to stay informed about current threats and vulnerabilities.
The information flows into the procedures for handling risks (cf. OIS-06)
and vulnerabilities (cf. OPS-19).
annotation: "If the cloud service is used by public sector organisations in\
\ Germany, the Cloud Service Provider leverages contacts with the National\
\ IT Situation Centre and the CERT Association of the BSI.\nRelevant contacts\
\ are for example:\n\n\u2022 Federal Office for Information Security (BSI);\n\
\n\u2022 OWASP Foundation; and\n\n\u2022 CERT networks DFN-CERT, TF-CSIRT\
\ etc.\n\nPublic sector organisations in Germany are e.g. authorities and\
\ ministries."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-06
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
ref_id: OIS-06
name: Risk Management Policy
description: "Policies and instructions for risk management procedures are documented,\
\ communicated and provided in accordance with SP-01 for the following aspects:\n\
\n\u2022 Identification of risks associated with the loss of confidentiality,\
\ integrity, availability and authenticity of information within the scope\
\ of the ISMS and assigning risk owners;\n\n\u2022 Analysis of the probability\
\ and impact of occurrence and determination of the level of risk;\n\n\u2022\
\ Evaluation of the risk analysis based on defined criteria for risk acceptance\
\ and prioritisation of handling;\n\n\u2022 Handling of risks through measures,\
\ including approval of authorisation and acceptance of residual risks by\
\ risk owners; and\n\n\u2022 Documentation of the activities implemented to\
\ enable consistent, valid and comparable results."
annotation: The risk level can be determined by qualitative, semi-quantitative
and quantitative methods (cf. ISO 31010) based on the likelihood and impacts.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-07
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2
ref_id: OIS-07
name: Application of the Risk Management Policy
description: "The Cloud Service Provider executes the process for handling risks\
\ as needed or at least once a year. The following aspects are taken into\
\ account when identifying risks, insofar as they are applicable to the cloud\
\ service provided and are within the area of responsibility of the Cloud\
\ Service Provider:\n\n\u2022 Processing, storage or transmission of data\
\ of cloud customers with different protection needs;\n\n\u2022 Occurrence\
\ of vulnerabilities and malfunctions in technical protective measures for\
\ separating shared resources;\n\n\u2022 Attacks via access points, including\
\ interfaces accessible from public networks;\n\n\u2022 Conflicting tasks\
\ and areas of responsibility that cannot be separated for organisational\
\ or technical reasons; and\n\n\u2022 Dependencies on subservice organisations.\n\
\nThe analysis, evaluation and treatment of risks, including the approval\
\ of actions and acceptance of residual risks, is reviewed for adequacy at\
\ least annually by the risk owners."
annotation: "This criterion applies only to risks that reside within the area\
\ of responsibility of the cloud service provider. Risks that arise for the\
\ cloud customer when using the cloud service are not covered by this criterion.\
\ When outsourcing activities for the provision of cloud services to subservice\
\ organisations, the responsibility for these risks remains with the Cloud\
\ Service Provider. Requirements for measures to manage these risks can be\
\ found in the criteria area \u201CControl and Monitoring of Service Providers\
\ and Suppliers (SSO)\u201D.\n\nShared resources are e.g. networks, RAM or\
\ storage."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10
assessable: false
depth: 1
name: Security Policies and Instructions (SP)
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:sp-01
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10
ref_id: SP-01
name: Documentation, communication and provision of policies and instructions
description: "Policies and instructions (incl. concepts and guidelines) are\
\ derived from the information security policy and are documented according\
\ to a uniform structure. They are communicated and made available to all\
\ internal and external employees of the Cloud Service Provider in an appropriate\
\ manner.\n\nThe policies and instructions are version controlled and approved\
\ by the top management of the Cloud Service Provider or an authorised body.\n\
\nThe policies and instructions describe at least the following aspects:\n\
\n\u2022 Objectives;\n\n\u2022 Scope;\n\n\u2022 Roles and responsibilities,\
\ including staff qualification requirements and the establishment of substitution\
\ rules;\n\n\u2022 Roles and dependencies on other organisations (especially\
\ cloud customers and subservice organisations);\n\n\u2022 Steps for the execution\
\ of the security strategy; and\n\n\u2022 Applicable legal and regulatory\
\ requirements."
annotation: "The appropriateness of the demand-oriented communication and provision\
\ must be assessed against the size and complexity of the Cloud Service Provider's\
\ organisation and the type of cloud service offered. Possible criteria are:\n\
\n\u2022 Integration of guidelines and instructions in the onboarding of new\
\ employees\n\n\u2022 Training and information campaigns when adopting new\
\ or revising existing policies and instructions\n\n\u2022 Form of provision\n\
\nPolicies and instructions are required for the following basic criteria\
\ in which the content is specified in more detail:\n\n\u2022 Risk management\
\ policy (OIS-06)\n\n\u2022 Acceptable use and handling of assets policy (AM-02)\n\
\n\u2022 Security requirements for premises and buildings (PS-01)\n\n\u2022\
\ Physical site access control (PS-04)\n\n\u2022 Concept for protection against\
\ malware (OPS-04)\n\n\u2022 Concept for data protection and recovery (OPS-06)\n\
\n\u2022 Concept for logging and monitoring (OPS-10)\n\n\u2022 Concept for\
\ meta data handling (OPS-11)\n\n\u2022 Concept for handling of vulnerabilities,\
\ malfunctions and errors (OPS-18)\n\n\u2022 Policy for system and data access\
\ authorisations (IDM-01)\n\n\u2022 Policy for the use of encryption procedures\
\ and key management (CRY-01)\n\n\u2022 Policies for data transmission (COS-08)\n\
\n\u2022 Policies for the development/procurement of information systems (DEV-01)\n\
\n\u2022 Policies for changes to information systems (DEV-03)\n\n\u2022 Policies\
\ and instructions for controlling and monitoring third parties (SSO-01)\n\
\n\u2022 Policy for security incident management (SIM-01)\n\n\u2022 Business\
\ impact analysis policies and procedures (BCM-02)\n\n\u2022 Policy for planning\
\ and conducting audits (COM-02)"
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:sp-02
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10
ref_id: SP-02
name: Review and Approval of Policies and Instructions
description: "Information security policies and instructions are reviewed at\
\ least annually for adequacy by the Cloud Service Provider's subject matter\
\ experts.\n\nThe review shall consider at least the following aspects:\n\n\
\u2022 Organisational and technical changes in the procedures for providing\
\ the cloud service; and\n\n\u2022 Legal and regulatory changes in the Cloud\
\ Service Provider's environment.\n\nRevised policies and instructions are\
\ approved before they become effective."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:sp-03
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10
ref_id: SP-03
name: Exceptions from Existing Policies and Instructions
description: Exceptions to the policies and instructions for information security
as well as respective controls go through the OIS-06 risk management process,
including approval of these exceptions and acceptance of the associated risks
by the risk owners. The approvals of exceptions are documented, limited in
time and are reviewed for appropriateness at least annually by the risk owners.
annotation: "Exceptions in the sense of the basic criterion\
\ can have organisational or technical causes, such as\n\n\u2022 An organisational\
\ unit should deviate from the intended processes and procedures in order\
\ to meet the requirements of a cloud customer; and\n\n\u2022 A system component\
\ lacks technical properties to configure it according to the applicable requirements.\n\
\nCloud customers can use appropriate controls to ensure that they obtain\
\ information from the Cloud Service Provider about deviations from information\
\ security policies and instructions in order to assess and appropriately\
\ manage the associated risks to their own information security."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14
assessable: false
depth: 1
name: Personnel (HR)
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-01
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14
ref_id: HR-01
name: Verification of qualification and trustworthiness
description: "The competency and integrity of all internal and external employees\
\ of the Cloud Service Provider with access to cloud customer data or system\
\ components under the Cloud Service Provider's responsibility who are responsible\
\ to provide the cloud service in the production environment shall be verified\
\ prior to commencement of employment in accordance with local legislation\
\ and regulation by the Cloud Service Provider.\n\nTo the extent permitted\
\ by law, the review will cover the following areas:\n\n\u2022 Verification\
\ of the person through identity card;\n\n\u2022 Verification of the CV;\n\
\n\u2022 Verification of academic titles and degrees;\n\n\u2022 Request of\
\ a police clearance certificate for applicants;\n\n\u2022 Certificate of\
\ good conduct or national equivalent; and\n\n\u2022 Evaluation of the risk\
\ to be blackmailed."
annotation: 'External employees in the sense of the criteria are those who perform
activities in accordance with the processes and procedures of the Cloud Service
Provider. Employees of sub-service providers who perform activities according
to the sub-service provider''s own processes and procedures are not covered by this criterion.
The verification of qualification and trustworthiness can be supported by
a specialised service provider. Depending on national legislation, national
equivalents of the German certificate of good conduct may also be permitted.
The assessment of the extent to which a potential employee can be blackmailed
can be carried out, for example, by checking his creditworthiness.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-02
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14
ref_id: HR-02
name: Employment terms and conditions
description: 'The Cloud Service Provider''s internal and external employees
are required by the employment terms and conditions to comply with applicable
policies and instructions relating to information security.
The information security policy, and the policies and instructions based on
it, are to be acknowledged by the internal and external personnel in a documented
form before access is granted to any cloud customer data or system components
under the responsibility of the Cloud Service Provider used to provide the
cloud service in the production environment.'
annotation: The Cloud Service Provider ensures that the policies and instructions
reflect applicable legal and regulatory requirements in accordance with SP-01.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-03
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14
ref_id: HR-03
name: Security training and awareness programme
description: "The Cloud Service Provider operates a target group-oriented security\
\ awareness and training program, which is completed by all internal and external\
\ employees of the Cloud Service Provider on a regular basis. The program\
\ is regularly updated based on changes to policies and instructions and the\
\ current threat situation and includes the following aspects:\n\n\u2022 Handling\
\ system components used to provide the cloud service in the production environment\
\ in accordance with applicable policies and procedures;\n\n\u2022 Handling\
\ cloud customer data in accordance with applicable policies and instructions\
\ and applicable legal and regulatory requirements;\n\n\u2022 Information\
\ about the current threat situation; and\n\n\u2022 Correct behaviour in the\
\ event of security incidents."
annotation: The learning outcomes achieved through the awareness and training
programme are measured and evaluated in a target group-oriented manner. The
measurements cover quantitative and qualitative aspects. The results are used
to improve the awareness and training programme.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-04
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14
ref_id: HR-04
name: Disciplinary measures
description: "In the event of violations of policies and instructions or applicable\
\ legal and regulatory requirements, actions are taken in accordance with\
\ a defined policy that includes the following aspects:\n\n\u2022 Verifying\
\ whether a violation has occurred; and\n\n\u2022 Consideration of the nature\
\ and severity of the violation and its impact.\n\nThe internal and external\
\ employees of the Cloud Service Provider are informed about possible disciplinary\
\ measures.\n\nThe use of disciplinary measures is appropriately documented."
annotation: The Cloud Service Provider ensures that the policies and instructions
reflect applicable legal and regulatory requirements in accordance with SP-01.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-05
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14
ref_id: HR-05
name: Responsibilities in the event of termination or change of employment
description: Internal and external employees have been informed about which
responsibilities, arising from employment terms and conditions relating to
information security, will remain in place when their employment is terminated
or changed and for how long.
annotation: The Cloud Service Provider ensures that the policies and instructions
reflect applicable legal and regulatory requirements in accordance with SP-01.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-06
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14
ref_id: HR-06
name: Confidentiality agreements
description: "The non-disclosure or confidentiality agreements to be agreed\
\ with internal employees, external service providers and suppliers of the\
\ Cloud Service Provider are based on the requirements identified by the Cloud\
\ Service Provider for the protection of confidential information and operational\
\ details. \n\nThe agreements are to be accepted by external service providers\
\ and suppliers when the contract is agreed. The agreements must be accepted\
\ by internal employees of the Cloud Service Provider before authorisation\
\ to access data of cloud customers is granted.\n\nThe requirements must be\
\ documented and reviewed at regular intervals (at least annually). If the\
\ review shows that the requirements need to be adapted, the non-disclosure\
\ or confidentiality agreements are updated.\n\nThe Cloud Service Provider\
\ must inform the internal employees, external service providers and suppliers\
\ and obtain confirmation of the updated confidentiality or non-disclosure\
\ agreement."
annotation: "In a confidentiality agreement it should be described:\n\n\u2022\
\ Which information must be kept confidential;\n\n\u2022 The period for which\
\ this confidentiality agreement applies;\n\n\u2022 What actions must be taken\
\ upon termination of this agreement, e.g. destruction or return of data medium;\n\
\n\u2022 How the ownership of information is regulated;\n\n\u2022 What rules\
\ apply to the use and disclosure of confidential information to other partners,\
\ if necessary; and\n\n\u2022 The consequences of a breach of the agreement.\n\
\nConfidentiality or non-disclosure agreements can be signed by means of an\
\ electronic signature, insofar as this is legally binding."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21
assessable: false
depth: 1
name: Asset Management (AM)
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-01
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21
ref_id: AM-01
name: Asset Inventory
description: 'The Cloud Service Provider has established procedures for inventorying
assets.
The inventory is performed automatically and/or by the people or teams responsible
for the assets to ensure complete, accurate, valid and consistent inventory
throughout the asset lifecycle.
Assets are recorded with the information needed to apply the Risk Management
Procedure (Cf. OIS-07), including the measures taken to manage these risks
throughout the asset lifecycle. Changes to this information are logged.'
annotation: "Logging and monitoring applications take into account the information\
\ collected on the assets in order to identify the impact on cloud services\
\ and functions in case of events that could lead to a breach of protection\
\ objectives, and to support information provided to affected cloud customers\
\ in accordance with contractual agreements.\nAssets within the meaning of\
\ this criteria area are the objects required for the information security\
\ of the cloud service during the creation, processing, storage, transmission,\
\ deletion or destruction of information in the Cloud Service Provider's area\
\ of responsibility, e.g. firewalls, load balancers, web servers, application\
\ servers and database servers.\n\nThese objects consist of hardware and software\
\ objects:\nHardware objects are\n\n\u2022 Physical and virtual infrastructure\
\ resources (e.g. servers, storage systems, network components); and\n\n\u2022\
\ End devices, if the Cloud Service Provider has determined in a\
\ risk assessment that these could endanger the information security of the\
\ cloud service in the event of loss or unauthorised access (e.g. mobile devices\
\ used as security tokens for authentication).\n\nSoftware objects are e.g.\
\ hypervisors, containers, operating systems, databases, microservices and\
\ programming interfaces (APIs).\n\nThe lifecycle of an asset includes:\n\n\
\u2022 Acquisition;\n\n\u2022 Commissioning;\n\n\u2022 Maintenance;\n\n\u2022\
\ Decommissioning; and\n\n\u2022 Disposal."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-02
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21
ref_id: AM-02
name: Acceptable Use and Safe Handling of Assets Policy
description: "Policies and instructions for acceptable use and safe handling\
\ of assets are documented, communicated and provided in accordance with SP-01\
\ and address the following aspects of the asset lifecycle as applicable to\
\ the asset:\n\n\u2022 Approval procedures for acquisition, commissioning,\
\ maintenance, decommissioning, and disposal by authorised personnel or system\
\ components;\n\n\u2022 Inventory;\n\n\u2022 Classification and labelling\
\ based on the need for protection of the information and measures for the\
\ level of protection identified;\n\n\u2022 Secure configuration of mechanisms\
\ for error handling, logging, encryption, authentication and authorisation;\n\
\n\u2022 Requirements for versions of software and images as well as application\
\ of patches;\n\n\u2022 Handling of software for which support and security\
\ patches are not available anymore;\n\n\u2022 Restriction of software installations\
\ or use of services;\n\n\u2022 Protection against malware;\n\n\u2022 Remote\
\ deactivation, deletion or blocking;\n\n\u2022 Physical delivery and transport;\n\
\n\u2022 Dealing with incidents and vulnerabilities; and\n\n\u2022 Complete\
\ and irrevocable deletion of the data upon decommissioning."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-03
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21
ref_id: AM-03
name: Commissioning of Hardware
description: The Cloud Service Provider has an approval process for the use
of hardware to be commissioned, which is used to provide the cloud service
in the production environment, in which the risks arising from the commissioning
are identified, analysed and mitigated. Approval is granted after verification
of the secure configuration of the mechanisms for error handling, logging,
encryption, authentication and authorisation according to the intended use
and based on the applicable policies.
annotation: 'The basic criterion applies only to physical hardware objects,
such as servers, storage systems, and network components.
Virtual hardware and software objects are considered in the criteria areas
(OPS) and (DEV).
The approval process typically considers both the basic approval to use the
hardware and the final approval of the configured assets.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-04
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21
ref_id: AM-04
name: Decommissioning of Hardware
description: 'The decommissioning of hardware used to operate system components
supporting the cloud service production environment under the responsibility
of the Cloud Service Provider requires approval based on the applicable policies.
The decommissioning includes the complete and permanent deletion of the data
or proper destruction of the media.'
annotation: The deletion of data or physical destruction of data mediums can
take place, for example, according to DIN 66399 or BSI IT-Grundschutz module
CON.6.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-05
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21
ref_id: AM-05
name: Commitment to Permissible Use, Safe Handling and Return of Assets
description: 'The Cloud Service Provider''s internal and external employees
are provably committed to the policies and instructions for acceptable use
and safe handling of assets before the assets may be used if the Cloud Service Provider
has determined in a risk assessment that loss or unauthorised access could
compromise the information security of the Cloud Service.
Any assets handed over are provably returned upon termination of employment.'
annotation: 'Physical assets of internal and external employees are managed
centrally.
Central management enables software, data, and policy distribution, as well
as remote deactivation, deletion, or locking.
The basic criterion essentially concerns mobile devices (e.g. notebooks, tablets,
smartphones, etc.), where confidential information is stored on them which
can be used in the event of unauthorised access to obtain privileged access
to the cloud service (e.g. if these are used as security tokens for authentication).'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-06
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21
ref_id: AM-06
name: Asset Classification and Labelling
description: 'Assets are classified and, if possible, labelled. Classification
and labelling of an asset reflect the protection needs of the information
it processes, stores, or transmits.
The need for protection is determined by the individuals or groups responsible
for the assets of the Cloud Service Provider according to a uniform schema.
The schema provides levels of protection for the confidentiality, integrity,
availability, and authenticity protection objectives.'
annotation: 'Logging and monitoring applications take the asset protection needs
into account in order to inform the responsible stakeholder of events that
could lead to a violation of the protection goals, so that the necessary measures
are taken with an appropriate priority. Actions for events on assets with
a higher level of protection take precedence over events on assets with a
lower need for protection.
If the Cloud Service Provider does not make a differentiated classification
of the assets, all assets are to be assigned to the highest defined protection
requirement.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
assessable: false
depth: 1
name: Physical Security (PS)
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-01
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
ref_id: PS-01
name: Physical Security and Environmental Control Requirements
description: "Security requirements for premises and buildings related to the\
\ cloud service provided, are based on the security objectives of the information\
\ security policy, identified protection requirements for the cloud service\
\ and the assessment of risks to physical and environmental security. The\
\ security requirements are documented, communicated and provided in a policy\
\ or concept according to SP-01.\n\nThe security requirements for data centres\
\ are based on criteria which comply with established rules of technology.\
\ They are suitable for addressing the following risks in accordance with\
\ the applicable legal and contractual requirements:\n\n\u2022 Faults in planning;\n\
\n\u2022 Unauthorised access;\n\n\u2022 Insufficient surveillance;\n\n\u2022\
\ Insufficient air-conditioning;\n\n\u2022 Fire and smoke; \n\n\u2022 Water;\n\
\n\u2022 Power failure; and\n\n\u2022 Air ventilation and filtration.\n\n\
If the Cloud Service Provider uses premises or buildings operated by third\
\ parties to provide the Cloud Service, the document describes which security\
\ requirements the Cloud Service Provider places on these third parties. \n\
\nThe appropriate and effective verification of implementation is carried\
\ out in accordance with the criteria for controlling and monitoring subcontractors\
\ (cf. SSO-01, SSO-02)."
annotation: 'The security requirements include time constraints for self-sufficient
operation in the event of exceptional events (e.g. prolonged power outage,
heat waves, low water in cold river water supply) and maximum tolerable utility
downtime.
The time limits for self-sufficient operation provide for at least 48 hours
in the event of a failure of the external power supply.
For a self-sufficient operation during a heat period, the highest outside
temperatures measured to date within a radius of at least 50 km around the
locations of the premises and buildings have been determined with a safety
margin of 3 K. The security requirements stipulate that the permissible operating
and environmental parameters of the cooling supply must also be observed on
at least five consecutive days with these outside temperatures including the
safety margin (cf. PS-06 Protection against failure of the supply facilities).
If water is taken from a river for air conditioning, it is determined at which
water levels and water temperatures the air conditioning can be maintained
for how long.
The maximum tolerable downtimes of utility facilities are suitable for meeting
the availability requirements contained in the service level agreement.
Premises and buildings related to the cloud service provided include data
centres and server rooms housing system components used to process cloud customer
data and the technical utilities required to operate these system components
(e.g. power supply, refrigeration, fire-fighting, telecommunications, security,
etc.), as well as backup or redundancy data centres.
Premises and buildings operated by third parties are e.g. server housing,
colocation, IaaS.
Premises and buildings in which no data from cloud customers is processed
or stored (e.g. offices of the Cloud Service Provider, server rooms with system
components for internal development and test systems) are not subject to this
criteria area.
The recognised rules of technology are defined in relevant standards, e.g.
EN 50600 (facilities and infrastructures of data centres).
Incorrect planning can endanger the operational safety and availability of
the premises or buildings. This can result from an incorrect assessment of
elementary hazards at the site (e.g. air traffic, earthquakes, floods, hazardous
substances) as well as an incorrect conception of the bandwidth or energy
supply.
Time specifications for self-sustaining operation as well as maximum tolerable
downtimes of utility facilities are typically collected during the business
impact analysis (cf. BCM-02, BCM-03).'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-02
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
ref_id: PS-02
name: Redundancy model
description: 'The cloud service is provided from two locations that are redundant
to each other. The locations meet the security requirements of the Cloud Service
Provider (cf. PS-01 Security Concept) and are located in an adequate distance
to each other to achieve operational redundancy. Operational redundancy is
designed in a way that ensures that the availability requirements specified
in the service level agreement are met. The functionality of the redundancy
is checked at least annually by suitable tests and exercises (cf. BCM-04 -
Verification, updating and testing of business continuity). '
annotation: "The cloud service is provided from more than two locations that\
\ provide each other with redundancy. The locations are sufficiently far apart\
\ to achieve georedundancy. If two locations fail at the same time, at least\
\ one third location is still available to prevent a total service failure.\
\ The georedundancy is designed in a way that ensures that the availability\
\ requirements specified in the service level agreement are met. The functionality\
\ of the redundancy is checked at least annually by suitable tests and exercises\
\ (cf. BCM-04 - Verification, updating and testing of business continuity).\n\
Operational redundancy of the sites to each other in the sense of the basic\
\ requirement is given, if based on the assessment of elementary risks at\
\ the site corresponding distances of the premises and buildings to these\
\ risks are maintained. Very extensive events which, due to their extent,\
\ could affect several sites of the same redundancy group simultaneously or\
\ in close succession (e.g. floods, earthquakes) are not considered.\n\nA georedundancy\
\ of the sites to each other in the sense of the optional, more far-reaching\
\ requirement is given if a very extensive event at a site under no circumstances\
\ affects several sites of the same redundancy group simultaneously or in close succession.\
\ The BSI publication \"Kriterien f\xFCr die Standortwahl h\xF6chstverf\xFC\
gbarer und georedundanter Rechenzentren\" provides assistance in this regard.\
\ \n\nThere are cloud providers who no longer address the issue of reliability\
\ of the cloud service on a physical level through redundancy from two independent\
\ locations, but through resilience. The cloud service is provided simultaneously\
\ from more than two locations. The underlying distributed data centre architecture\
\ ensures that the failure of a location or components of a location does\
\ not violate the defined availability criteria of the cloud service. Such\
\ an architecture can represent an alternative fulfilment (cf. Chapter 4.4.7)\
\ of the criterion. The tests and exercises on functionality required in the\
\ criterion also apply analogously to resilient architectures."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-03
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
ref_id: PS-03
name: Perimeter Protection
description: "The structural shell of premises and buildings related to the\
\ cloud service provided are physically solid and protected by adequate security\
\ measures that meet the security requirements of the Cloud Service Provider\
\ (cf. PS-01 Security Concept).\n\nThe security measures are designed to detect\
\ and prevent unauthorised access so that the information security of the\
\ cloud service is not compromised.\n\nThe outer doors, windows and other\
\ construction elements exhibit an appropriate security level and withstand\
\ a burglary attempt for at least 10 minutes. \n\nThe surrounding wall constructions\
\ as well as the locking mechanisms meet the associated requirements."
annotation: 'The security measures installed at the site include permanently
present security personnel (at least 2 individuals), video surveillance and
anti-burglary systems.
Security measures for detecting unauthorised access can be security personnel,
video surveillance or burglar alarm systems.
The resistance class RC4 according to DIN EN 1627 stipulates that doors, windows
and other components must withstand a break-in attempt for at least 10 minutes.
The US standard SD-STD-01.01 Rev.G. is an international equivalent to this
standard.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-04
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
ref_id: PS-04
name: Physical site access control
description: "At access points to premises and buildings related to the cloud\
\ service provided, physical access controls are set up in accordance with\
\ the Cloud Service Provider's security requirements (cf. PS-01 Security Concept)\
\ to prevent unauthorised access.\n\nAccess controls are supported by an access\
\ control system.\n\nThe requirements for the access control system are documented,\
\ communicated and provided in a policy or concept in accordance with SP-01\
\ and include the following aspects:\n\n\u2022 Specified procedure for the\
\ granting and revoking of access authorisations (cf. IDM-02) based on the\
\ principle of least authorisation (\"least-privilege-principle\") and as\
\ necessary for the performance of tasks (\"need-to-know-principle\");\n\n\
\u2022 Automatic revocation of access authorisations if they have not been\
\ used for a period of 2 months;\n\n\u2022 Automatic withdrawal of access authorisations\
\ if they have not been used for a period of 6 months;\n\n\u2022 Two-factor\
\ authentication for access to areas hosting system components that process\
\ cloud customer information;\n\n\u2022 Visitors and external personnel are\
\ tracked individually by the access control during their work in the premises\
\ and buildings, identified as such (e.g. by visible wearing of a visitor\
\ pass) and supervised during their stay; and\n\n\u2022 Existence and nature\
\ of access logging that enables the Cloud Service Provider, in the sense\
\ of an effectiveness audit, to check whether only defined personnel have\
\ entered the premises and buildings related to the cloud service provided."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-05
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
ref_id: PS-05
name: Protection from fire and smoke
description: "Premises and buildings related to the cloud service provided are\
\ protected from fire and smoke by structural, technical and organisational\
\ measures that meet the security requirements of the Cloud Service Provider\
\ (cf. PS-01 Security Concept) and include the following aspects: \n\na) Structural\
\ Measures:\n\nEstablishment of fire sections with a fire resistance duration\
\ of at least 90 minutes for all structural parts.\n\nb) Technical Measures:\n\
\n\u2022 Early fire detection with automatic voltage release. The monitored\
\ areas are sufficiently subdivided to ensure that the prevention of the spread\
\ of incipient fires is proportionate to the maintenance of the availability\
\ of the cloud service provided;\n\n\u2022 Extinguishing system or oxygen\
\ reduction; and\n\n\u2022 Fire alarm system with reporting to the local fire\
\ department.\n\nc) Organisational Measures\n\n\u2022 Regular fire protection\
\ inspections to check compliance with fire protection requirements; and\n\
\n\u2022 Regular fire protection exercises."
annotation: "The environmental parameters are monitored. When the permitted\
\ control range is exceeded, alarm messages are generated and forwarded to\
\ the Cloud Service Provider\u2019s subject matter experts.\nThe monitoring\
\ of the environmental parameters is addressed in PS-01. When exceeding the\
\ allowed control range, alarm messages are generated and forwarded to the\
\ responsible Cloud Service Provider.\nStructural parts are walls, ceilings,\
\ floors, doors, ventilation flaps, etc."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-06
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
ref_id: PS-06
name: Protection against interruptions caused by power failures and other such
risks
description: "Measures to prevent the failure of the technical supply facilities\
\ required for the operation of system components with which information from\
\ cloud customers is processed, are documented and set up in accordance with\
\ the security requirements of the Cloud Service Provider (cf. PS-01 Security\
\ Concept) with respect to the following aspects:\n\na) Operational redundancy\
\ (N+1) in power and cooling supply\n\nb) Use of appropriately sized uninterruptible\
\ power supplies (UPS) and emergency power systems (NEA), designed to ensure\
\ that all data remains undamaged in the event of a power failure. The functionality\
\ of UPS and NEA is checked at least annually by suitable tests and exercises\
\ (cf. BCM-04 - Verification, updating and testing of business continuity).\n\
\nc) Maintenance (servicing, inspection, repair) of the utilities in accordance\
\ with the manufacturer's recommendations. \n\nd) Protection of power supply\
\ and telecommunications lines against interruption, interference, damage\
\ and eavesdropping. The protection is checked regularly, but at least every\
\ two years, as well as in case of suspected manipulation by qualified personnel\
\ regarding the following aspects:\n\n\u2022 Traces of violent attempts to\
\ open closed distributors;\n\n\u2022 The documentation kept in the distributors\
\ is up to date;\n\n\u2022 Conformity of the actual wiring and\
\ patching with the documentation;\n\n\u2022 The short-circuits and earthing\
\ of unneeded cables are intact; and\n\n\u2022 Impermissible installations\
\ and modifications."
annotation: 'Uninterruptible power supplies (UPS) and emergency power systems
(NEA) are designed to meet the availability requirements defined in the Service
Level Agreement.
The cooling supply is designed in such a way that the permissible operating
and environmental parameters are also ensured on at least five consecutive
days with the highest outside temperatures measured to date within a radius
of at least 50 km around the locations of the premises and buildings, with
a safety margin of 3 K (in relation to the outside temperature). The Cloud
Service Provider has previously determined the highest outdoor temperatures
measured to date (cf. PS-01 Security Concept).
The connection to the telecommunications network is designed with sufficient
redundancy so that the failure of a telecommunications network does not impair
the security or performance of the Cloud Service Provider.
Technical supply facilities are, for example, power supply, cooling, fire-fighting
technology, telecommunications, security technology, etc.
Cloud Service Providers can ensure that all data remains undamaged in the
event of a power failure by shutting down servers following a defined procedure.
Power supply and telecommunications lines can be protected against interruption,
interference, damage and eavesdropping by e.g. underground supply via different
supply routes.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-07
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28
ref_id: PS-07
name: Surveillance of operational and environmental parameters
description: The operating parameters of the technical utilities (cf. PS-06)
and the environmental parameters of the premises and buildings related to
the cloud service provided are monitored and controlled in accordance with
the security requirements of the Cloud Service Provider (cf. PS-01 Security
Concept). When the permitted control range is exceeded, the responsible departments
of the Cloud Service Provider are automatically informed in order to promptly initiate
the necessary measures for return to the control range.
annotation: Operating parameters and environmental parameters of the premises
and buildings are, e.g. air temperature and humidity, leakage.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
assessable: false
depth: 1
name: Operations (OPS)
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-01
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-01
name: Capacity Management - Planning
description: "The planning of capacities and resources (personnel and IT resources)\
\ follows an established procedure in order to avoid possible capacity bottlenecks.\
\ The procedures include forecasting future capacity requirements in order\
\ to identify usage trends and manage system overload. \n\nCloud Service Providers\
\ take appropriate measures to ensure that they continue to meet the requirements\
\ agreed with cloud customers for the provision of the cloud service in the\
\ event of capacity bottlenecks or outages regarding personnel and IT resources,\
\ in particular those relating to the dedicated use of system components,\
\ in accordance with the respective agreements."
annotation: 'The forecasts are considered in accordance with the service level
agreement for planning and preparing the provisioning.
For economic reasons, Cloud Service Providers typically strive for a high
utilisation of IT resources (CPU, RAM, storage space, network). In multi-tenant
environments, existing resources must still be shared between cloud users
(clients) in such a way that service level agreements are adhered to. In this
respect, proper planning and monitoring of IT resources is critical to the
availability and competitiveness of the cloud service. If the procedures are
not documented or are subject to a higher degree of confidentiality as a trade
secret of the Cloud Service Provider, the Cloud Service Provider must be able
to explain the procedures at least orally within the scope of this audit.
Cloud customers must use appropriate controls to ensure that the capacity
and resource requirements to be covered by the Cloud Service Provider are
planned and reflected in the SLA with the Cloud Service Provider. The requirements
can also be reviewed regularly through appropriate controls and the SLA can
be adjusted accordingly.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-02
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-02
name: Capacity Management - Monitoring
description: Technical and organisational safeguards for the monitoring and
provisioning and de-provisioning of cloud services are defined. Thus, the
Cloud Service Provider ensures that resources are provided and/or services
are rendered according to the contractual agreements and that compliance with
the service level agreements is ensured.
annotation: "To monitor capacity and availability, the relevant information\
\ is available to the cloud customer in a self-service portal.\nTechnical\
\ and organisational measures typically include:\n\n\u2022 Use of monitoring\
\ tools with alarm function when defined threshold values are exceeded;\n\n\
\u2022 Process for correlating events and interface to incident management;\n\
\n\u2022 Continuous monitoring of the systems by qualified personnel; and\n\
\n\u2022 Redundancies in the IT systems."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-03
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-03
name: Capacity Management - Controlling of Resources
description: Depending on the capabilities of the respective service model,
the cloud customer can control and monitor the allocation of the system resources
assigned to the customer for administration/use in order to avoid overcrowding
of resources and to achieve sufficient performance.
annotation: "Resources according to the possibilities of the service model are\
\ for example\n\n\u2022 Computing capacity;\n\n\u2022 Storage capacity;\n\n\
\u2022 Configuration of network properties;\n\n\u2022 Application Programming\
\ Interfaces (APIs); and\n\n\u2022 Databases."
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-04
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-04
name: Protection Against Malware - Concept
description: "Policies and instructions with specifications for protection against\
\ malware are documented, communicated, and provided in accordance with SP-01\
\ with respect to the following aspects:\n\n\u2022 Use of system-specific\
\ protection mechanisms;\n\n\u2022 Operating protection programs on system\
\ components under the responsibility of the Cloud Service Provider that are\
\ used to provide the cloud service in the production environment; and\n\n\
\u2022 Operation of protection programs for employees' terminal equipment."
annotation: 'The Cloud Service Provider creates regular reports on the checks
performed, which are reviewed and analysed by authorised bodies or committees.
Policies and instructions describe the technical measures taken to securely
configure and monitor the management console (both the customer''s self-service
and the service provider''s cloud administration) to protect it from malware.
Updates are applied at the highest frequency that the vendor(s) contractually
offer(s).
Protection programs for employee devices can be, for example, server-based
protection programs that scan files in attachments on the server or filter
network traffic.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-05
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-05
name: Protection Against Malware - Implementation
description: System components under the Cloud Service Provider's responsibility
that are used to deploy the cloud service in the production environment are
configured with malware protection according to the policies and instructions.
If protection programs are set up with signature and behaviour-based malware
detection and removal, these protection programs are updated at least daily.
annotation: 'The configuration of the protection mechanisms is monitored automatically.
Deviations from the specifications are automatically reported to the responsible
authorities so that they can be immediately assessed and the necessary measures
taken.
Protection against malicious programs can be implemented by operating system-specific
protection mechanisms or explicit protection programs (e.g. for signature-
and behaviour-based detection and removal of malicious programs).'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-06
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-06
name: Data Protection and Recovery - Concept
description: "Policies and instructions for data backup and recovery are documented,\
\ communicated and provided in accordance with SP-01 regarding the following\
\ aspects:\n\n\u2022 The extent and frequency of data backups and the duration\
\ of data retention are consistent with the contractual agreements with the\
\ cloud customers and the Cloud Service Provider's operational continuity\
\ requirements for Recovery Time Objective (RTO) and Recovery Point Objective\
\ (RPO);\n\n\u2022 Data is backed up in encrypted, state-of-the-art form;\
\ \n\n\u2022 Access to the backed-up data and the execution of restores is\
\ performed only by authorised persons; and\n\n\u2022 Tests of recovery procedures\
\ (cf. OPS-08)."
annotation: The data backup concept specifies which type of data backup is to
be carried out (e.g. type, manner, duration) and specifies which data must
also be backed up in special cases (e.g. pure use of compute nodes without
data storage). When backing up data, a distinction must be made between backups
and snapshots of virtual machines. Snapshots do not replace backups, but can
be part of the backup strategy to achieve Recovery Point Objectives (RPO)
if they are additionally stored outside the original data location. The business
requirements of the Cloud Service Provider for the scope, frequency and duration
of the data backup result from the business impact analysis (cf. BCM-03) for
development and operational processes of the cloud service. If different data
backup and recovery procedures exist for data under the responsibility of
the cloud customer and the Cloud Service Provider, both variants must be included
in an audit according to this criteria catalogue. For procedures that back up
the data of the Cloud Service Provider itself, only the adequacy and implementation
of the controls must be proven, but not their effectiveness. For procedures that
back up the data of cloud customers, proof of effectiveness must also be provided.
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-07
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-07
name: Data Backup and Recovery - Monitoring
description: The execution of data backups is monitored by technical and organisational
measures. Malfunctions are investigated by qualified staff and rectified promptly
to ensure compliance with contractual obligations to cloud customers or the
Cloud Service Provider's business requirements regarding the scope and frequency
of data backup and the duration of storage.
annotation: 'The relevant logs or summarised results are available to the cloud
customer in a self-service portal for monitoring the data backup.
If the data backup is not part of the contract concluded between the Cloud
Service Provider and the cloud customer, this criterion is not applicable.
The Cloud Service Provider must present this situation transparently in the
system description.'
- urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-08
assessable: true
depth: 2
parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36
ref_id: OPS-08
name: Data Backup and Recovery - Regular Testing
description: 'Restore procedures are tested regularly, at least annually. The
tests allow an assessment to be made as to whether the contractual agreements
as well as the specifications for the maximum tolerable downtime (Recovery
Time Objective, RTO) and the maximum permissible data loss (Recovery Point
Objective, RPO) are adhered to (cf. BCM-02).
Deviations from the specifications are reported to the responsible personnel
or system components so that these can promptly assess the deviations and
initiate the necessary actions.'
annotation: 'At the customer''s request, the Cloud Service Provider informs the
cloud customer of the results of the recovery tests. Recovery tests are embedded
in the Cloud Service Provider''s emergency management.
If the data backup is not part of the contract concluded between the Cloud
Service Provider and the cloud customer, this criterion is not applicable.
The Cloud Service Provider must present this situation transparently in the